Windows Phone 8.1 for the Enterprise Developer
Windows Phone 8.1
Building Apps for Windows Phone 8.1
Jump Start
Overview of Windows Phone 8.1 for the Enterprise Developer
• Overview of the Enterprise enhancements for Windows Phone 8.1
• Why would you build Enterprise apps for Windows?
• The Windows Phone 8.1 Converged Developer Platform
• Security
• Authentication
• Company Portal
• Deploying and distributing applications
• Some other thoughts for Enterprise Developers
This module…
Windows Phone is even better for Businesses
Windows core and security architecture
Large choice of devices at the right cost
Anywhere productivity with familiar Office apps built-in
A converged app platform and familiar developer tools
Uncompromising security and management
Windows Phone is consistent and predictable
NOKIA LUMIA 925
NOKIA LUMIA 920
NOKIA LUMIA 625
NOKIA LUMIA 720
NOKIA LUMIA 620
NOKIA LUMIA 520
NOKIA LUMIA 1020
NOKIA LUMIA 820
NOKIA LUMIA 1520
NOKIA LUMIA 1320
NOTE: Availability of particular products may vary by region and by service provider.
Nokia Lumia for Business
Don’t compromise on Choice, Price, Consistency
New and Unique user scenarios
Your phone is with your employees all the time. Some sample scenarios are:
• Financial information
• Product Catalog
• CRM Data
• Dashboards
• Workflow management
• People finder
• Helper Applications
• Field employee systems
Demo
Sample Enterprise apps
Common Core + Layered Security Architecture
• SSL 3.0 with AES 128 and AES 256
• Code-signed chain of trust, UEFI Secure Boot
• TPM 2.0 on all phones, certified hardware
• App Containers, secure browser
• IRM & S/MIME built-in, Data Protection API
• Encryption based on BitLocker technology, device lock
• Single source updates: developer platform, drivers, fixes from MSRC, security, networking, graphics
Diagram layers: Servers and Cloud Services; Apps, files and data; Internal Storage (User Partition, OS Partition); Windows NT Kernel; UEFI Firmware; Hardware
SECURITY FROM THE CORE TO THE CLOUD
Putting IT in control (IT professionals)
Anywhere productivity (Business users)
Included in Windows Phone 8.1
• Mobile Device Management (MDM)
• Configuration management
• Certificate management
• Application management
• Secure Access
• S/MIME
Windows Phone enterprise features
How do you build Enterprise apps
• Using Visual Studio and the Windows Phone SDK
• It’s the same but not quite
• Mobile is hot and everybody wants the silver bullet
• Is HTML5 the answer? Sometimes.
Building apps
• Storing and syncing data (SQLite)
• Identity Management
• Authentication and Authorisation
• Push Notifications
• Integration with cloud and backend services
• Integration with enterprise systems
• MDM, MAM, MCM, etc.
• Distribution and testing
• Monitoring
Enterprise features
Considerations
X-Platform, Offline Access, Location, Sensors, Search, Telemetry, Touch, Store, Offline, Mobility, Battery Life, Roaming, Variable Displays, Keyboard, Mouse, Hardware, Legacy Code, NUI, Small Factor
Authentication
• Basic
• NTLM
• Client Certificates
• No Kerberos
• SSO through VPN
• ADFS
• OAuth
• Web Authentication Broker
Authentication supported in Windows Phone 8.1
• App/location triggered with tunneling flexibility
• IPsec (IKEv2) gateway support (in-box)
• SSL-VPN gateway support via Store (plug-in model)
• Split tunnel or forced tunneling
• Simplicity with SSO for intranet & auto-reconnect
• Apps declare the “EnterpriseAuthentication” capability
• In-box authentication options: EAP-MSCHAPv2, EAP-TLS, proprietary SSL-VPN auth
• MDM provisioned or user configurable
VPN Support
Web Authentication Broker
• Many apps connect to popular online services
• Authentication is usually required
• Identity providers typically implement OAuth for authentication and authorization
Web authentication broker
Typical OAuth flow (between the User, the App and the Online Service)
1. Authorization request (start URL)
2. Login page
3. Credentials
4. Authorization page
5. User decision
6. Authorization token (redirect URL)
7. Data access
• No single sign-on
• No credential isolation
• Inconsistent user experience
• Will not work in low memory situations
Problems
• Use WAB to authenticate to OAuth identity providers
• Benefits: single sign-on, simple API, credential isolation
• Windows.Security.Authentication.Web
• API similar to Windows but optimized to handle low memory situations
Web authentication broker
Example SSO with Facebook
User experience when using SSO with Facebook on Windows Phone: app1, app2, app3 and app4 share one Facebook login
Example SSO with Company portal: app1, app2, app3 and app4 each log in through AD / Azure AD, reached over VPN
Demo WAB
Security
• Use Credential Locker to securely store credentials and roam them across the user’s trusted devices
• Windows.Security.Credentials: PasswordVault (and related) are supported; WebAccount* is not supported on Phone
• Benefits: roaming via Microsoft account, secure storage, credential isolation (apps can only access their own credentials)
Storing credentials
Credential Locker sample code
    using System.Collections.Generic;
    using Windows.Security.Credentials;

    void SaveCredential(string username, string password)
    {
        // The resource name groups credentials; the vault only returns entries this app stored
        PasswordVault vault = new PasswordVault();
        PasswordCredential cred = new PasswordCredential("MyAppResource", username, password);
        vault.Add(cred);
    }

    IReadOnlyList<PasswordCredential> RetrieveCredential(string resource)
    {
        // Returned entries carry the user name only; call RetrievePassword() on one to load its password
        PasswordVault vault = new PasswordVault();
        return vault.FindAllByResource(resource);
    }
• WinRT platform convergence
• Support for the following namespaces: Windows.Security.Cryptography, Windows.Security.Cryptography.Certificates, Windows.Security.Cryptography.Core, Windows.Security.Cryptography.DataProtection
• Major features enabled: many common crypto algorithms supported by the platform, client certificate authentication, Data Protection API allows encrypting secrets in memory
Crypto and Certs
Crypto Demo
• Enable hardware-based, two-factor authentication for S/MIME and Secure Browsing scenarios
• Keys are bound to the hardware and can only be accessed when user PIN is provided
• VSC is built on top of the Trusted Platform Module (TPM)
Virtual Smart Card
• No APIs, but app developers can opt out through a setting
• Encryption of app files on SD card (different keys for program and data folder)
• Access control for FAT (!) for additional isolation
Apps on SD
Certificates Demo
• View list of available apps
• View list of installed apps
• Launch app
• IT alerts and notifications
Company Portal
Building a company portal
Install Apps
    // Windows.Phone.Management.Deployment; selectedApp.XapPath is a Uri to the enterprise-signed package
    var result = InstallationManager.AddPackageAsync(selectedApp.Title, selectedApp.XapPath);
    result.Completed = InstallCompleted;
    result.Progress = InstallProgress;

    void InstallCompleted(IAsyncOperationWithProgress<PackageInstallResult, uint> op, AsyncStatus status)
    {
        // Check the async status before reading the install state the platform reports
        if (status == AsyncStatus.Completed) { var state = op.GetResults().InstallState; }
    }

    void InstallProgress(IAsyncOperationWithProgress<PackageInstallResult, uint> op, uint percent)
    {
        // Report the install percentage to the UI
    }
Find Apps
    IEnumerable<Package> packages = InstallationManager.FindPackagesForCurrentPublisher();
    Package package = packages.First();   // choose the app to launch, e.g. the one the user tapped
    package.Launch(string.Empty);
Company portal APIs
API feature                             WP 8    WP 8.1
Enumerate apps                          Yes     Yes
Launch apps                             Yes     Yes
Install enterprise signed apps          Yes     Yes
Get enterprise metadata                 No      Yes (NEW)
Renew an enterprise enrollment          No      Yes (NEW)
Unenroll from the current enterprise    No      Yes (NEW)
Trigger enterprise phone home           No      Yes (NEW)
Company portals must be Silverlight apps
Create a Windows Phone 8 Company Hub App MSDN article by Tony Champion - http://aka.ms/E7c6xc
How do you distribute apps to your users
App deployment options
Through the store (public distribution): beta apps, hidden apps with deeplink, public apps
Sideloading (private distribution): MDM like Intune, Airwatch, Mobile Iron etc.; website or email
Managed and unmanaged enrollment
Feature                  Managed                    Unmanaged
Enrollment method        Workplace app + MDM        Email/browser
Number of enrollments    Limited to 1               Unlimited
Policy management        Yes                        No
App install method       MDM/company hub            Email/browser/company hub
App inventory            MDM/company hub            Company hub
Push app install         MDM                        No
Push app uninstall       MDM                        No
Push app updates         MDM                        No
Unenroll                 Remote and local           Local (NEW)
Public apps versus Private apps
Similarities: standard WP apps, same API set, same app security model, familiar tools (C#, XAML, Visual Studio)
Differences: created by and for the company, available only for company employees, not distributed via the store, not certified by Microsoft
Overview diagram: numbered steps 1–8 between the Company, Symantec, Microsoft and the Windows Phone Dev Center
Account creation and cert acquisition
Must be a Company account; publisher name displayed on phone
Company approval required; private key, CSR and cert are local to the PC
Enterprise certificate
Issuer
Validity period
Publisher name
Publisher ID
Enterprise apps EKU
Creating the certificate .pfx file
1. Install two Symantec CA certs
2. Export with complete cert chain
Application Enrollment Token (AET)
• The AET is generated from the code signing certificate with the AET generator tool, which produces the .aet and .aetx files
• The .aet is uploaded to the MDM server and distributed during enrollment
• The .aetx is distributed through email or a secure website and kept in secure data storage on the phone
• The AET cannot be deleted through the phone UI
C:\temp2>"c:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\AETGenerator\AETGenerator.exe" c:\temp\Cert.pfx password
The Enterprise Id is XXXXXXX
AET.xml, AET.aet and AET.aetx file generated
Generating an AET
AET on the phone
• The AET (.aetx) is derived from the code signing certificate and carries its Publisher ID; each .xap/.appx carries the same Publisher ID
• AET allows all apps from the same publisher to be installed and run on the phone
• AET is valid for one year (12 months) and must be renewed after expiration
App deployment (Windows Phone 8, with .appx new in 8.1 alongside .xap)
1. App is packaged, signed, and published to the company’s store (Enterprise Service)
2. Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
3. Validated for signature, an associated AET, and allowed capabilities
App launch (Windows Phone 8, Execution Manager)
1. User launches an enterprise app via the shell or an API
2. Publisher ID is extracted and used to find the associated AET
3. AET must be present and valid (not expired, revoked or disabled)
Phone home
• Phone sends device ID, publisher IDs, and enterprise app IDs
• Phone receives status for each enterprise
• Apps of invalid enterprises are blocked from being installed or launched
• Scheduled daily, plus each enrollment and app install
• After 7 consecutive failed attempts, the install of enterprise apps is blocked, but the launch of installed apps still works
Phone home – sample protocol: request from the Windows Phone to the Services, response back
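The launch and phone-home rules from the two slides above, as a Python model added here to make the policy explicit; it is not platform code, and the request/response shape (a dict of per-publisher status) and the "unknown enterprise counts as valid until told otherwise" default are assumptions, since the deck does not show the protocol messages.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_CONSECUTIVE_FAILURES = 7        # slide: 7 failed phone-home attempts block installs
AET_VALIDITY = timedelta(days=365)  # slide: an AET is valid for one year

@dataclass
class Aet:
    publisher_id: str
    issued: str            # ISO date, e.g. "2014-01-01" (constructed sample values)
    revoked: bool = False
    disabled: bool = False

    def is_valid(self, today: str) -> bool:
        # Launch rule from the deck: the AET must not be expired, revoked or disabled
        expires = date.fromisoformat(self.issued) + AET_VALIDITY
        return not (self.revoked or self.disabled) and date.fromisoformat(today) < expires

@dataclass
class Phone:
    device_id: str
    aets: dict = field(default_factory=dict)    # publisher_id -> Aet
    apps: dict = field(default_factory=dict)    # enterprise app id -> publisher_id
    status: dict = field(default_factory=dict)  # publisher_id -> "valid" / "invalid"
    consecutive_failures: int = 0

    def phone_home_request(self) -> dict:
        # Deck: the phone sends its device ID, publisher IDs and enterprise app IDs
        return {"device_id": self.device_id, "publisher_ids": sorted(self.aets),
                "app_ids": sorted(self.apps)}

    def phone_home(self, response):
        # response: publisher_id -> status from the service; None models a failed attempt
        if response is None:
            self.consecutive_failures += 1
            return
        self.consecutive_failures = 0
        self.status.update(response)

    def can_launch(self, publisher_id: str, today: str) -> bool:
        # The app's publisher ID selects the AET; apps of invalid enterprises are blocked
        aet = self.aets.get(publisher_id)
        if aet is None or not aet.is_valid(today):
            return False
        return self.status.get(publisher_id, "valid") == "valid"  # assumption: unknown = valid

    def can_install(self, publisher_id: str, today: str) -> bool:
        # Installs stop after 7 consecutive failures; already-installed apps still launch
        return (self.consecutive_failures < MAX_CONSECUTIVE_FAILURES
                and self.can_launch(publisher_id, today))
```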
App signing – Store vs. private
• Store: the .xap/.appx is Microsoft signed and verified with Microsoft certificates
• Private (MDM and unmanaged): the .xap/.appx is enterprise signed and verified with the Application Enrollment Token (.aetx)
Diagram: a company developed hub (SSP.xap) and a company developed app (fabk.xap) start as IL code; step 1 is the MDIL compile (automatic, with a Microsoft signature, for Store apps), step 2 is signing; the resulting MDIL code packages are delivered through the MDM Company Portal
Preparing company apps
Machine-dependent Intermediate Language (MDIL)
Precompile and sign Silverlight 8.0 company app
PS C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\MDILXAPCompile> .\BuildMDILXap.ps1 -xapfilename C:\temp\fabk.xap -pfxfilename "C:\temp\cer 02.pfx" -password mypassword
Input: company IT developed app (IL code) and code signing certificate; output: fabk.xap, produced by the combined precompile+sign script
Precompile and sign Silverlight 8.1 company app
PS C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.1\Tools\MDILXAPCompile> .\BuildMDILXap.ps1 -xapfilename C:\temp\fabk.xap -pfxfilename "C:\temp\cer 02.pfx" -password mypassword
Input: company IT developed app (IL code) and code signing certificate; output: fabk.xap, produced by the combined precompile+sign script
Precompile and sign Store company app
PS C:\Program Files (x86)\Microsoft SDKs\WindowsPhoneApp\v8.1\Tools\MDILXAPCompile> .\BuildMDILAPPX.ps1 -appxfilename C:\temp\fabk.xap -pfxfilename "C:\temp\cer 02.pfx" -password mypassword
Input: company IT developed app (IL code) and code signing certificate; output: fabk.appx, produced by the combined precompile+sign script
Managed deployment (MDM Server)
1. Enroll phone to MDM: the MDM provides the AET (.aetx) and installs the Company Portal (.xap)
2. Use Company Portal to install and view installed company apps
Unmanaged deployment
1. Install AET (email, web page)
2. Install Company Hub (email, web page)
3. Use Company Hub to view and install company apps
Managed vs. Unmanaged
Managed
• Purchase ready made MDM solution
• Automatic AET and Company Hub delivery
• Full MDM capabilities
• Un-enrollment through management client
• Can enroll only to one MDM system at a time
• Automatic app updates
• Built-in private app inventory
Unmanaged
• Distribute from Intranet Server
• Manual AET and Company Hub delivery
• Only app distribution + EAS
• Un-enrollment through phone reset
• Can enroll to multiple companies simultaneously
• Manual app updates
• No automatic private app inventory
• Restrict UX using Allow List: Applications, Settings, Notifications, Search button re-map
• Reinforce Brand Identity: Start Layout, Lockscreen Background, Custom Theme
Enterprise Lockdown
• Read/Write NDEF
• Format!
• 3rd party API to read and write NFC cards through the APDU (ISO 7816-4) command set is supported.
• MiFare Ultralight, MiFare Classic, MiFare DesFire and FeliCa are supported for low level access.
Trusted NFC apps!
NFC
• Windows & Windows Phone automatically adjust screen brightness to help maximize readability
• Windows Phone 8.1 allows apps to get ambient light readings (in LUX)
Light Sensor
IE11 web platform across Windows form factors
CSS 2D Transforms
CSS 3D Transforms
CSS Animations
CSS Backgrounds & Borders
CSS Border-Image
CSS Color
CSS Device Adaptation*
CSS Device Fixed Position*
CSS Flexbox (unprefixed)
CSS Fonts
CSS Grid*
CSS Image Values (Gradients)
CSS Media Queries
CSS Multi-Column Layout*
CSS Namespaces
CSS OM Views
CSS Regions And Exclusions*
CSS Selectors
CSS Transitions
CSS Values And Units
Custom Data Attributes
Data URI
devicepixelratio
DOM Element Traversal
DOM Level 3 Core
DOM Level 3 Events
DOM Style
DOM Traversal And Range
DOMParser And XMLSerializer
Dynamic TextTrack
ECMAScript 5
ECMAScript 6 (partial)
HTML5 Application Cache
HTML5 Async Scripts
HTML5 BlobBuilder
HTML5 Canvas
HTML5 Canvas 2D
HTML5 Device Orientation
HTML5 Drag And Drop
HTML5 Forms And Validation
HTML5 Full Screen API*
HTML5 Geolocation
HTML5 History API
HTML5 Parser
HTML5 Sandbox
HTML5 Screen Orientation*
HTML5 Selection
HTML5 Semantic Elements
HTML5 Video And Audio
JavaScript Typed Array
ICC Color Profiles
IndexedDB
Input Method Editor API*
Internationalization API
Lazyload attribute
Media Source Extensions
MPEG-DASH
Mutation Observers
Page Visibility
Pointer Events (unprefixed)
Prefetch
Prerender
RequestAnimationFrame
Navigation Timing 2
Selectors API Level 2
SPDY/3
SVG Filter Effects
SVG, Standalone And In HTML
Tracking Preference Exp.
TTML Simple Delivery Prof.
WebCrypto API*
WebGL
Web Messaging
Web Sockets
Web Workers
XHTML/XML
XHR (Level 2) + CORS
XHR Stream Control*
©2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.