How to Create and Deploy Applications for Mobile Devices in Configuration Manager

 

Updated: October 9, 2015

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Mobile apps that are deployed using Configuration Manager appear in the company portal on mobile devices. You can deploy sideloaded apps or links to application stores to enrolled devices. Use the information in the following sections to help you create and deploy applications to mobile devices.

Important

To deploy software to Android, iOS, Windows Phone, and enrolled Windows 8.1 devices, these devices must be enrolled into Microsoft Intune. For information about how to get your devices enrolled, see Manage mobile devices with Microsoft Intune.

Note

Currently, end-users cannot install corporate apps from the Microsoft Intune Company Portal app for iOS. This is due to restrictions placed on apps that are published in the iOS App Store (see App Store Review Guidelines, Section 2). Users can install corporate apps (including managed App Store apps and line-of-business app packages) by browsing to the Intune Web Portal on their device (portal.manage.microsoft.com). For more information about the mobile management capabilities enabled by the Intune Company Portal app, see Mobile device management capabilities in Microsoft Intune.

Steps to Create and Deploy an application

The following table provides the steps, details, and more information for creating and deploying apps for mobile devices.

Step

More Information

Step 1: Create a Configuration Manager application that contains the mobile app.

Use the Create Application Wizard to create an application for the mobile device.

Step 2: Deploy the application.

Use the Deploy Software Wizard to deploy the application to mobile devices. For more information, see To deploy an application to mobile devices.

Create an application

You can use the Create Application Wizard to create an application to that you can deploy to mobile devices.

Device Type

Supported Files

Windows Phone 8

*.xap

Windows Phone 8.1

*.xap, *.appx, *.appxbundle

Windows RT and Windows RT 8.1

*.appx, *.appxbundle

Windows 8.1 enrolled as a mobile device

*.appx, *.appxbundle

iOS

*.ipa

Note

For line of business iOS apps that you deploy with this file type, you must also specify a corresponding property list (plist) file that you create when you build the app. For more information, see your Apple developer documentation.

Android

*.apk

To create an application for sideloading a line-of-business app

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files.

  5. In the Type drop-down list, select the supported file type.

  6. Click Browse to select the app package you want to import, and then click Next.

  7. On the General Information page of the wizard, enter the descriptive text and category information that you want users to see in the company portal.

  8. Complete the wizard.

The new application is displayed in the Applications node of the Software Library workspace.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files.

  5. In the Type drop-down, select the app package for your device type.

  6. Click Browse to open the store, select the app you want to include, and then click Next.

  7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal.

  8. Complete the wizard.

The new application is displayed in the Applications node of the Software Library workspace.

To create a link to the Windows Store for Windows RT, the app must be installed on a Windows 8 or Windows computer. You must first configure WinRM for HTTPS on the Windows 8 computer.

Configure WinRM for HTTPS for the Windows 8 computer that has the app installed

  1. Create an HTTPS-based listener by running winrm qc –Transport:HTTPS.

  2. Run the command enable-psremoting to allow PowerShell remoting.

  3. Run the command winrm delete winrm/config/Listener?Address=*+Transport=HTTP to remove the HTTP-based listener that was automatically created by the enable-psremoting command.

  4. Open Windows Firewall and add an inbound rule for port 5986, which is the default HTTPS port for Windows Remote Management (WinRM).

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files.

  5. In the Type dropdown, select Windows app package (in the Windows Store)

  6. Click Browse and then, in the Browse Windows App Packages dialog box, connect to a computer that runs Windows 8 and that has the required app installed, select the app, and then click Next.

  7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal.

  8. Complete the wizard.

    Note

    For applications containing a link to the Windows Store, you must create a requirement that adds the value Windows RT to the Operating system condition.

Deploying an Application to Mobile Devices

Use the information in the following section to deploy applications to mobile devices.

To deploy an application to mobile devices

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Applications list, select the application that you want to deploy, on the Home tab, in the Deployment group, click Deploy.

  4. On the General page of the Deploy Software Wizard, specify the following information:

    - 
    
      <div class="section">
    
      **Software** – To display the applications that you want to deploy. You can click **Browse** to select a different application to deploy.
    
      </div>
    
    - 
    
      <div class="section">
    
      **Collection** – Click **Browse** and select the user or device collection to which you want to deploy the app.
    
      </div>
    
  5. Click Next.

  6. On the Content page of the wizard, select Manage.Microsoft.com as your distribution point. Click Next.

  7. On the Deployment Settings page of the Deploy Software Wizard, specify the following information:

    - 
    
      <div class="section">
    
      **Action** – From the drop-down list, select **Install** to install the application.
    
      </div>
    
    - 
    
      <div class="section">
    
      **Purpose** – From the drop-down list, select the purpose using the table below.
    
      <table style="width:100%;">
      <colgroup>
      <col style="width: 16%" />
      <col style="width: 16%" />
      <col style="width: 16%" />
      <col style="width: 16%" />
      <col style="width: 16%" />
      <col style="width: 16%" />
      </colgroup>
      <thead>
      <tr class="header">
      <th><p>Deployment scenario</p></th>
      <th><p>Windows 8.1</p></th>
      <th><p>Windows Phone 8 and Windows Phone 8.1</p></th>
      <th><p>Windows RT</p></th>
      <th><p>iOS</p></th>
      <th><p>Android</p></th>
      </tr>
      </thead>
      <tbody>
      <tr class="odd">
      <td><p><strong>Available Install</strong> deployed to users</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes</p></td>
      <td><p>Yes. Users can view all available apps regardless if the apps are available to personal or company devices.</p></td>
      </tr>
      <tr class="even">
      <td><p><strong>Required Install</strong> of sideloaded apps that are deployed to users and devices1</p></td>
      <td><p>Automatically installed</p></td>
      <td><p>Available on Windows Phone 8.1</p></td>
      <td><p>Automatically Installed</p></td>
      <td><p>User is prompted and must consent before app is installed</p></td>
      <td><p>User is prompted and must consent before app is installed</p></td>
      </tr>
      <tr class="odd">
      <td><p><strong>Remote Uninstall</strong> for sideloaded apps deployed to users and devices</p></td>
      <td><p>Automatically uninstalled</p></td>
      <td><p>Available on Windows Phone 8.1</p></td>
      <td><p>Automatically uninstalled</p></td>
      <td><p>Yes</p></td>
      <td><p>User is prompted and must consent before app is uninstalled</p></td>
      </tr>
      </tbody>
      </table>
    
      1Additionally, free apps for iOS that are specified as a link to the iTunes store and free apps for Android that are specified as a link to the Google Play store can be deployed with a purpose of Required.
    
      </div>
    
  8. Specify your preferred settings for the Scheduling and Alerts pages. The User Experience page is not relevant to mobile devices.

  9. Beginning with System Center 2012 Configuration Manager SP2, when you deploy a managed app, on the Application Management page, select the application management policy to use for the managed app, and then complete the wizard. For more information, see Control apps using mobile application management policies with Microsoft Intune

Supersedence

Supersedence works the same for mobile apps as it does for other apps with the exception of the Windows Phone 8 company portal app.

For more information about superseding applications, see How to Use Application Supersedence in Configuration Manager.

Steps to Deploy the latest Windows Phone Company Portal App with Supersedence

The following table provides the steps, details, and more information for creating and deploying the latest Windows Phone 8 company portal app.

Step

More Information

Step 1: Get the latest company portal app.

Download the Windows Phone 8 company portal app.

Step 2: Sign the company portal app with your Symantec certificate.

For information on how to sign the company portal app, see Prepare for Mobile Device Enrollment.

Step 3: Create a new application with the latest version of the company portal app and specify a supersedence relationship.

For more information, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager and How to Use Application Supersedence in Configuration Manager.

Step 4: Add the application to the Microsoft Intune Subscription Wizard.

Add the application Windows Phone 8 page of the Microsoft Intune Subscription Wizard. For more information, see Configuring the Microsoft Intune Subscription.

Step 5: Delete the deployment that is automatically created when you added the company portal app to the Microsoft Intune Subscription Wizard.

The Microsoft Intune subscription has created an automatic deployment of this app, as this deployment will not support supersedence.

Step 6: Create a new deployment of the application and check Automatically upgrade any superceded versions of this application on the Deployment Settings page of the Deploy Software Wizard.

Create a new deployment with supersedence using the application you created with the supersedence relationship.

Step 7 (Optional): The superseding apps would install on devices after 7 days by default. To deploy the company portal app sooner to previously enrolled devices, you can change the schedule re-evaluation for deployments setting to a lower value.

Important

Setting this value to a lower value than the default may negatively affect the performance of your network and client computers.

For more information, see Software Deployment.

Approval for Apps

Users can request approval to download an app from their devices. The following table contains information on how to request approval in order to download an app.

Platform

Users can request approval to download an app from the company portal.

Windows Phone 8

Yes

Windows RT or Windows RT 8.1

A user can only request approval to download an app from a Windows-based computer or a Windows RT device. If you deploy an app that requires approval from an administrative user, the user must request approval from the Application Catalog on a Windows-based computer. As soon as the user requests approval, the app appears in the company portal.

Windows 8.1

Yes

iOS company portal app

Not available

Android company portal app

Not available

Requirements

Requirements specify conditions that must be met before a deployment type can be installed on a client device. The requirements that are specific to mobile devices are listed in the following table:

Platform

Requirements available

Windows Phone 8

Not available

Windows RT, Windows RT 8.1, Windows 8.1, Windows 8.1 Pro

Operating system version, device ownership, and language requirements are supported.

Important

For applications containing a link to the Windows Store, you must create a requirement that adds the value Windows RT to the Operating system condition.

If you create a deployment type for a Windows app package (*.appx) file with any additional requirements, those rules will not be evaluated.

iOS

iOS operating system, device ownership, language requirements, and chassis (iPad or iPhone) are supported.

Android

Not available

For more information about requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

Deny apps for Windows Phone 8.1

To deny apps for Windows Phone 8.1, do the following:

  1. Create a configuration item to deny apps for Windows Phone 8.1, the procedure is below.

  2. Create a configuration baseline using the configuration item you created in step 1.

  3. Deploy the configuration baseline with Remediate noncompliant rules when supported to a user or device collection.

To create a configuration item to deny apps for Windows Phone 8.1

  1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings > Configuration Items > Create Configuration item.

  2. Name the Configuration Item, select Mobile Device for the type of configuration item, and click Next.

  3. Check Configure additional settings that are not in the default setting groups and click Next.

  4. Click Add… and click Create Setting…

  5. Fill in the following fields with the values in the table:

    Field

    Input Value

    Setting type

    OMA URI

    Data type

    String

    OMA-URI

    ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions

    Click OK.

  6. Select the setting just created from the Available settings list and click Select…

  7. In Create Rule, for Rule type select Value. For the setting, select Equals, add “<AppPolicy Version="1" xmlns="https://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{product ID}"/></Deny></AppPolicy>”

    Note

    The product ID is found in the app URL in the Windows Phone store. The app URL is in this format www.windowsphone.com/language/store/app/ app name/product ID 

  8. Close the Browse Settings dialog, the rule should appear in the Additional settings list. Click Next.

  9. In Supported Platforms, check All Windows Phone 8.1 and finish the wizard.

Expired Certificates for Mobile Device Apps

On iOS, Windows Phone 8, and Windows RT, if the certificate that is used to sign apps expires, apps are no longer available for users to download.

Platform

Expired certificate consequences

Resolution

iOS

Users can no longer install apps

Renew the APNs certificate and locate the Microsoft Intune Subscription iOS page to upload the new certificate.

The new certificate must be generated by renewing the existing certificate with same Apple ID so that devices do not need to be enrolled again.

Windows Phone 8

Users can no longer install apps

Renew the code signing certificate and go the Microsoft Intune Subscription page to upload the certificate. All apps signed with the previous certificate and the new certificate will run.

Windows RT

Users can no longer install apps

Renew the code signing certificate and open the Microsoft Intune Subscription Wizard Windows RT page to upload the new certificate.