Prepare devices for app deployment

August 13, 2015

Windows Embedded 8.1 Handheld enables companies to bypass the Windows Store and publish and distribute applications directly to employee devices. Enterprise applications must be signed with an enterprise code signing certificate from Symantec. This certificate is used to generate an application enrollment token (AET) that allows applications to be deployed to the device. You must deploy the AET to the device before you can distribute the application.

Handheld 8.1 attempts to confirm that the AET is valid at various times during the application lifecycle, including when the app is installed and when it is started. This validation process is a security measure that can be used to disable harmful applications that are associated with a specific application enrollment token. If the AET fails validation or the device cannot reach the server to confirm it within three attempts, Handheld 8.1 disables the certificate and blocks applications signed with this certificate until the certificate can be revalidated. For more information about enterprise application deployment, see Company app distribution for Windows Phone.

You can choose to allow your devices to validate certificates so that Microsoft can shut down unauthorized applications at your request, or you can opt out of certificate validation:

  • To take advantage of certificate validation, make sure that your devices have network access to the Enterprise Application Service validation service.

  • To opt out of certificate validation, you will need to set the value of HKLM\software\microsoft\enterpriseappmanagement\appmanagementvalidation\config\DisabledByEnterprise to 1. Recognize that opting out of certificate validation means that Microsoft cannot disable harmful applications at your request.

Disable certificate validation during start up

To disable certificate validation during start up, use the DisableEnterpriseValidation characteristic in the EnterpriseExt configuration service provider. To do this, add the following to the Prov.xml file.

<characteristic type="EnterpriseExt">
   <characteristic type="Pfx">
      <parm name="DisableEnterpriseValidation" value="true" datatype="boolean"/>
   </characteristic>
</characteristic>

Disable certificate validation after start up

To disable certificate validation after startup, set the value of the following registry key to 1: HKLM\software\microsoft\enterpriseappmanagement\appmanagementvalidation\config\DisabledByEnterprise

For example, if you use System Center 2012 R2 Configuration Manager as your mobile device management (MDM) server, you would create a configuration item with the following information and deploy it by using a baseline:

  • OMA URI: ./vendor/MSFT/EnterpriseExt/Pfx/DisableEnterpriseValidation

  • Data type: Boolean

  • Value: 0x1

For information about how to create a configuration item, see How to create Windows configuration items for compliance settings in Configuration Manager.
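The two opt-out paths described on this page (the EnterpriseExt/Pfx characteristic in Prov.xml at start up, and the DisabledByEnterprise registry value afterwards) are easy to lose track of across a device fleet. The following added example, which is not part of the original Microsoft documentation, is an offline audit helper: it parses a provisioning XML fragment, maps each parm to the OMA-URI that Configuration Manager would use (assuming the ./vendor/MSFT root shown above), reads the DisabledByEnterprise DWORD from an exported .reg file, and reports whether the device can still have harmful applications disabled by Microsoft. The sample Prov.xml and .reg contents are constructed for the example.

```python
"""Audit helper for Windows Embedded 8.1 Handheld enterprise app validation (added example).

Checks the two places where certificate validation can be switched off:
  1. the EnterpriseExt/Pfx/DisableEnterpriseValidation parm in Prov.xml (start up)
  2. the DisabledByEnterprise registry value (after start up)
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample Prov.xml fragment (not taken from a real device).
SAMPLE_PROV_XML = """<wap-provisioningdoc>
  <characteristic type="EnterpriseExt">
    <characteristic type="Pfx">
      <parm name="DisableEnterpriseValidation" value="true" datatype="boolean"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# Constructed sample .reg export (not taken from a real device).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\enterpriseappmanagement\appmanagementvalidation\config]
"DisabledByEnterprise"=dword:00000001
"""

# Assumed CSP root, matching the OMA-URI format used by the documentation.
OMA_URI_ROOT = "./vendor/MSFT"
VALIDATION_KEY = (r"HKEY_LOCAL_MACHINE\software\microsoft\enterpriseappmanagement"
                  r"\appmanagementvalidation\config")
VALIDATION_URI = f"{OMA_URI_ROOT}/EnterpriseExt/Pfx/DisableEnterpriseValidation"


def prov_xml_settings(xml_text):
    """Return {oma_uri: value} for every <parm> in the provisioning XML.

    Nested characteristic types form the path, so EnterpriseExt > Pfx >
    DisableEnterpriseValidation becomes
    ./vendor/MSFT/EnterpriseExt/Pfx/DisableEnterpriseValidation.
    """
    root = ET.fromstring(xml_text)
    settings = {}

    def walk(node, path):
        for child in node:
            if child.tag == "characteristic":
                walk(child, path + [child.get("type", "")])
            elif child.tag == "parm":
                uri = "/".join([OMA_URI_ROOT] + path + [child.get("name", "")])
                settings[uri] = child.get("value")

    walk(root, [])
    return settings


def registry_opt_out(reg_text):
    """Return the DisabledByEnterprise DWORD from a .reg export, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_key = line[1:-1].lower() == VALIDATION_KEY.lower()
            continue
        m = re.match(r'"DisabledByEnterprise"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m:
            return int(m.group(1), 16)
    return None


def audit(xml_text, reg_text):
    """Summarise whether enterprise app validation is disabled on this device."""
    settings = prov_xml_settings(xml_text)
    disabled_at_startup = (settings.get(VALIDATION_URI) or "").lower() == "true"
    disabled_after_startup = registry_opt_out(reg_text) == 1
    return {
        "validation_disabled_at_startup": disabled_at_startup,
        "validation_disabled_after_startup": disabled_after_startup,
        # If either opt-out is active, Microsoft cannot disable harmful apps on request.
        "microsoft_can_disable_apps": not (disabled_at_startup or disabled_after_startup),
    }


if __name__ == "__main__":
    for name, value in audit(SAMPLE_PROV_XML, SAMPLE_REG_EXPORT).items():
        print(f"{name}: {value}")
```

Run it against a real Prov.xml and a `reg export` of the appmanagementvalidation\config key to see at a glance which devices have opted out; a device where either flag is true will not have unauthorized applications shut down by Microsoft.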