Standardized certification for internal apps improves security, privacy, and productivity

  • Article

Technical Case Study

Published June 2015

New trends, including "bring your own device" and the demand for small, task-focused apps, have made it harder for companies to apply security, privacy, branding, and distribution standards to internal apps. To meet these needs, Microsoft IT developed an internal app certification process that all developers must follow. By providing tools to help developers and enforcing standards through certification, IT can manage its growing app portfolio. The solution also enables developers to be more agile and creative in the apps they create in response to ever-changing business needs.

Download

DownloadTechnical Case Study, 1.06 MB, Microsoft Word file

Situation

Solution

Benefits

Products & Technologies

Developers at Microsoft build apps of all sizes to meet various business needs. As users have grown to expect new apps on a regular basis, developers have committed to more rapid cycles, producing an increased risk to security, privacy, and usability on the corporate network. To keep pace with development and streamline the delivery of high-quality apps to users across multiple device types and platforms, Microsoft IT needed to standardize internal app quality control.

Microsoft IT developed a certification process requiring all internal apps to meet standards for security, privacy, and quality factors before the apps can be made available. IT delivered and now manages the certification process by using developer-friendly documentation and customized tools that support a variety of app types, targeted test cycles, and distribution channels.
  • Compliant app development at scale
  • High-quality app stability and user experiences
  • Improved app governance
  • Developer community support
  • Microsoft Azure Web Services
  • Microsoft SharePoint Online
  • Microsoft Intune
  • Windows Store
  • Microsoft System Center Configuration Manager
  • Microsoft Visual Studio Online

Situation

Modern businesses face an ever-growing number of information technology (IT) difficulties. IT departments in companies of every size seek to provide the best possible support to the businesses and individual workers that they support, and to do so in efficient ways that respect the company’s bottom line. As business groups request new technology that will help to achieve business success and customer satisfaction, IT looks for the best ways to fulfill each request with the resources it has available. Balancing IT efficiencies with user productivity and business success can be a critical challenge: without efficiency, the business risks failure; but without productivity, there is no business.

The internal apps that a company produces to run its business are crucial to overall success. Large line-of-business (LOB) apps—apps created expressly to support a single business function—are the lifeblood of daily productivity in many business environments. For each business function to perform, the data that these apps produce, consume, manipulate, and report must be reliable and readily available. In recent years, the range of LOB apps has expanded to include many smaller, task-focused apps that developers create rapidly to meet specific user needs.

As these smaller apps have proliferated and gained popularity, some companies, such as Microsoft, have established internal app portals where users can download the apps. At Microsoft, IT maintains quality and compliance standards for the internal apps that developers create and distribute through the corporate portal. Originally, these standards took the form of network security controls and basic usability tests to prevent the apps from causing more problems than they solved. Over time, however, the standards expanded to include compliance factors for privacy, quality control, corporate branding, and other important considerations.

This systematic approach, though effective for small numbers of apps, posed problems for Microsoft IT as the portfolio of internal apps in its portal expanded. Business users came to expect new apps on a regular basis, to assist with the manual duties and tasks that the users perform. As more and more apps were created, standardizing the apps became increasingly difficult. For example, IT had difficulty tracking the usage of each app to determine which apps were still useful to workers and which were safe to retire from the portal.

And the complexity didn’t stop there: the "bring your own device" phenomenon expanded the use of traditional desktop computer–based apps to multiple platforms and screen sizes on user-provided devices. Cross-platform, multi-device app testing became necessary. Besides growing in number, the internal apps also provided various user experiences on the different devices, making app security on the Microsoft corporate network difficult to achieve. Ensuring this level of security meant achieving the private, secure distribution of internal apps at scale, in multiple testing scenarios, across multiple device types and platforms. However, a new process could not be so rigorous that it made compliance impractical or overly restrictive for app creators.

Establishing this scalable process also required a careful balance of IT efficiencies with developer flexibility. Across the company, developers were aware of ever-increasing security and privacy requirements, but they lacked definitive guidance or resources to help them comply. Microsoft needed to provide extensive built-in documentation and tools to help developers create compliant apps for the full range of devices and business needs. Ideally, the process would also integrate with app quality assurance best practices, including support for gathering feedback from app users. Finally, the process should provide a parallel path for testing and certifying apps that are intended for internal use, but that may eventually become publicly available, such as in the Windows Store.

To maintain app quality and to fulfill its mandate of enabling a secure, productive environment for all business users, Microsoft IT needed a centralized, scalable app certification solution. By efficiently guiding internal app development through a single process for compliance with corporate standards, IT could achieve the optimal balance: developers would be free to work in a regulated, clearly documented environment; users would have high-quality experiences on the devices of their choice; and IT could efficiently govern an operational, scalable, secure, up-to-date ecosystem of customized internal software.

Solution

Internal app development at Microsoft follows a certification process that was designed to satisfy corporate policies for standardization, based on the following certification factors:

  • Security. The Microsoft IT app certification process protects internal apps from common vulnerabilities such as unencrypted data transmission and cross-site scripting. Security is the primary concern of app developers at Microsoft and most other large enterprises.

  • Privacy. To safeguard against exposure of sensitive data, Microsoft IT maintains privacy standards that all apps must comply with to receive certification. Because privacy is a global concern, Microsoft rigorously implements its privacy guidelines, even for internal apps. No code or features are released for internal use unless they meet privacy standards that are appropriate for public release.

  • Quality control. For apps to be useful to business workers, they must be tested for quality control. Both internally and among its various stakeholders and business partners, Microsoft IT requires cross-platform, cross-device testing of all internal apps for functionality, usability, and consistency. This uniform level of testing helps ensure that users have a positive, productive experience.

  • Governance. By requiring developers to include specific code in each internal app before the certification, Microsoft IT can collect data insights about the app, including its type, usage, and session durations. IT can use this data to make decisions about increasing or decreasing the visibility of each app within the corporate app portal while still maintaining the company’s stringent privacy requirements.

In addition to these factors, Microsoft IT is working to integrate corporate branding guidelines into all internally published apps. By adhering to these standards, apps will provide a more uniform perception and experience to business users, thereby enhancing usability. Consistent branding will also make it easier for developers to use previous user interface designs; they will not have to start from scratch each time they build a new app.

The section, "Certifying internal apps," describes how each of these factors is implemented in the Microsoft IT app certification process.

Using a central toolset

To deliver factors that are required for certification of internal apps, Microsoft IT uses a centralized, custom-built developer toolset. The toolset comprises the following components:

  • IT Dev Center. To become certified for privacy and compliance, all apps must pass through a central gateway, Microsoft IT Dev Center (see Figure 1). IT Dev Center is a developer portal that Microsoft IT created using Microsoft Azure Web Services and SharePoint Online. It uses a sequence of procedures and checklists to guide developers through the internal app certification and publication process, including:

    • Understanding the need for certification.

    • Accessing helpful developer tools and resources.

    • Following guidelines and requirements for app certification.

    • Building and testing apps before certification submission.

    • Working with specialty privacy and security certification teams within Microsoft IT.

    • Submitting apps for certification.

    • Managing apps (both pre-certification and post-certification) by using a personalized dashboard.

Figure 1. IT Dev Center main menu
Figure 1. IT Dev Center main menu

  • Application Catalog. Workers throughout Microsoft can use Application Catalog, the self-service company portal for internal apps, to search, review, and install certified apps. IT can use business intelligence (BI) data to edit the list of apps on an ongoing basis, removing apps that are no longer useful or that have not been downloaded recently.

  • Coding and distribution accelerators. To facilitate standardized compliance with security and privacy factors, and to help save developers time, IT Dev Center provides access to customized tools—for example:

    • LinkShare. IT developed LinkShare to automate the distribution of a friendly URL each time a newly certified app is published in Application Catalog. Workers who subscribe to these notifications can click the link to view the information and installation page for the new app, regardless of the device that the worker is using at the time. LinkShare also enables promotion and awareness of new and updated apps by making it easy for workers to share their LinkShare URLs in targeted Microsoft IT internal communications.

    • NuGet. To simplify multiple compliance factors for developers who want to certify internal apps, IT created packages using NuGet , a tool that bundles compliance-related code into functional packages. As developers begin creating an app, they can check IT Dev Center for any relevant NuGet packages, and combine those packages with the custom code packages that they are developing. NuGet packages make it easy for developers to embed helpful capabilities in internal apps, including a feedback mechanism so that users can provide comments and rate the app; standardized privacy statements and disclaimers; and preformatted app pages where developers can write a brief app description that will appear on the app’s information page in Application Catalog.

  • Developer documentation and training. The IT Dev Center portal offers end-to-end, step-by-step guidance for developers, from early coding guidelines and requirements, all the way to final self-publication of the certified app. The guidance is supplemented by code samples and other tools to save developers time and help them comply with certification standards.

    Microsoft IT also offers two-day training sessions to help developers understand the certification process. The second day of each session focuses on tools and shortcuts to help developers efficiently achieve app compliance. To generate awareness for the trainings, IT circulates regular email and social media communications within the company’s internal developer community.

Promoting and supporting a rigorous process

Microsoft IT determined that it must follow three key best practices to maintain app quality in all of the certification factors. First, IT must establish a rigorous process that all development teams are required to follow. Second, the more IT can automate this process by using its toolset and procedures, the more successful it will be at managing the growing scale of internal app development. Third, IT must promote this process within its internal developer community, so that the process will run smoothly with minimal delays. By training developers to use the process, IT can achieve quality for all internal apps while respecting the needs of developers and of the users who want to access new apps.

At the end of the process, after all certification criteria are met, IT must sign off on the app code and approve it for publication in Application Catalog. After an app is certified, IT requires up to one day for its device management solution to publish the app in Application Catalog.

Mapping to the application life cycle

Much of the toolset design and the certification process that developers must use when publishing internal apps at Microsoft is based on the principle of application life cycle management (ALCM). ALCM has many definitions in the software development community, but its core tenet is the holistic understanding of an app’s relevance to various individuals and teams during key, sequential phases of its existence. These phases form the app life cycle, which consists of the following steps:

  1. Ideate. Form the goals of the app, and gather requirements for its use.

  2. Build. Design and write code to meet the stated goals and requirements.

  3. Test. Ensure the quality of the app by imagining and simulating all the ways it will be used.

  4. Deploy. Make the app available to users.

  5. Operate. Use the app to perform work-related tasks.

  6. Support. Promote awareness of the app, and provide resolution of user issues.

  7. Monitor. Learn who uses the app, how useful they find it, and what improvements they suggest.

  8. Update. Make changes to the app based on user feedback and other intermediate input.

Understanding ALCM was critical to the rise of rapid development practices, which broke down traditional software development practices into iterative stages to get the most important and/or achievable functionality to more users, sooner. In turn, rapid development has been critical for IT organizations to embrace, to meet the pace of user demands in an increasingly complex app deployment landscape.

Through the design of IT Dev Center and its related tools, Microsoft IT combined app development and app usage into a single ALCM model that benefits not only developers and users, but also the company. Developers strengthen their skills as individuals and as a community by adopting and adhering to standards. Users at every level of the corporate organization benefit from timely access to job-related tools through a rational, up-to-date app catalog interface. And users feel secure, knowing that productivity and operations are protected by an internal software compliance process.

Certifying internal apps

IT Dev Center is the official location where developers initiate and manage certification for their apps. In addition to providing detailed steps for certification, IT Dev Center includes planning checklists, answers to frequently asked questions, developer community support links, and links to other relevant software publishing portals within the corporate network. The tool also provides a library of developer resources, such as application extensions and other code samples that are relevant to the internal app certification process.

Step 1: Reviewing the checklist

The IT Dev Center checklist allows developers to track apps through the certification and publication process. Each action in the checklist includes two pieces of information: the expected result of the action and a link to the IT Dev Center procedure that describes how the action should be performed.

The checklist includes the following actions, which are grouped into five stages:

  1. Preliminary actions that developers must complete when they start, such as reserving the app name and initiating the security and privacy compliance sign-off arrangements with authorized Microsoft IT teams.

  2. Build Your App actions help developers while they write app code, including installing tools, and using LinkShare and NuGet packages, together with specific subpackages that are required for the app type. It includes guidelines for creating an icon for the app that will appear in Application Catalog and guidance for creating a new NuGet package.

  3. Test Your App actions support app quality for all certification factors, including security, privacy, branding, and governance, and functional quality and consistency of user experience across multiple devices and platforms.

  4. Create Distribution or Security Groups actions indicate what business or other groups within Microsoft will receive notification of the app’s availability in Application Catalog post-certification.

  5. Submit Your App actions that guide developers through the final steps of compressing the app packages, submitting them by using IT Dev Center, completing submission forms, and tracking the certification progress.

Step 2: Security and privacy compliance

All certification factors are important, but security and privacy are the most important, and require the most scrutiny from specialized Microsoft IT teams before an internal app is approved for publication. Because IT applies these requirements so rigorously, security and privacy compliance are the most common failure points for apps that are submitted to IT Dev Center. For this reason, IT sends notifications directly to developers to inform them when an app fails security or privacy compliance, and points them to resources that can help them fix the issues as quickly as possible.

To understand security and privacy compliance, it is important to understand the specific threats to security and privacy that may be posed by publishing a new application on a corporate (or public) network. To be secure, apps must contain code that has been protected from illicit tampering via hacking or other malicious activity. IT maintains the safety of code in its internal apps by observing these three principles:

  • If the application stores data internally on the device where it is running, the data must be encrypted according to corporate data security standards.

  • Apps must include a code signature that indicates IT approval that the app has passed all security and privacy checks.

  • Apps are not distributed by any method other than Application Catalog, which requires user authentication for app downloads, and which each user device must be enrolled with separately.

To conform to privacy requirements, apps must answer basic questions and concerns from users about how Microsoft protects their personal information. Therefore, IT requires developers to include:

  • Code that fully and correctly declares which native capabilities the app will have access to in all user operations, including any locally stored personal user data, such as email or pictures.

  • User interface components that provide links to up-to-date information about privacy policies.

  • User interface contact links for users to send questions or concerns about their privacy.

Like the security requirements, the privacy requirements are met because the app downloads are available exclusively from Application Catalog. By visiting the corporate app portal and understanding that it is the only location where they can download apps, users are assured that they are the only ones who will have access to the data that the app produces and displays on their devices.

To help developers comply with security and privacy requirements, IT Dev Center guides developers through the following sequential process:

  1. Review the latest guidelines. In the early design stages for their apps, developers can review all current Microsoft IT internal security-related and privacy-related guidance and checklists, which are maintained by corporate legal, data security, and operations authorities and programs.

  2. Generate application code. Developers can build their apps using the following resources:

    • Step-by-step guidance in the IT Dev Center portal interface.

    • Additional training as needed from regular Microsoft IT educational sessions.

    • Code samples and application programming interfaces (APIs) that Microsoft IT provides, including APIs to facilitate authentication with various enterprise services, such as SharePoint Online, Microsoft Yammer, Microsoft Azure, and SAP Enterprise Resource Planning.

    • NuGet packages, which are organized in IT Dev Center so that developers can easily find them and determine which are relevant for their app projects.

    • Corporate branding support guidelines, including user interface design visual standards, logos and other visual identity markers, and trademarks.

    These resources, together with the business requirements and data sources that the app connects to, provide the framework for quickly building apps that are highly usable and fully compliant with Microsoft IT security and privacy standards.

    IT Dev Center is organized to provide easy access to information that developers need as they develop apps. For example, sections for the Windows Store describe detailed procedures for code that complies with corporate standards for desktop computers and modern devices. The portal also includes a section called "Mobility Dev Kit" (see Figure 2), which provides guidance for enabling mobile capabilities on various platforms and devices.

    Mt224990.image002(en-us,TechNet.10).jpg
    Figure 2. Example IT Dev Center Mobility Dev Kit page

    IT Dev Center includes resources that are optimized for Visual Studio Online, the Microsoft Azure–based coding environment and toolset that many internal developers prefer to use to create cross-platform apps.

  3. Perform ongoing security testing. IT Dev Center provides the full details of all security checks that an app must pass to be certified. Every company will have its own security requirements that internal apps must follow. At Microsoft, different security checks can apply, depending on the app’s intended function, user base, and integration with data sources.

    Throughout development of a new app, developers at Microsoft are encouraged to consider targeting the app testing cycles in specific ways, depending on the app’s state of stability, intended user base, use of corporate data, or possible expansion beyond internal-only use. For example, an app that will be used internally at first but is intended for eventual public distribution in the Windows Store can be targeted first for testing by a small pilot group of internal users. Later, the app can be distributed to the whole company, where it can be tested further for stability and user experience quality before it is publicly released.

  4. Add privacy compliance content. For mobile development, a key privacy provision involves understanding the app’s use of native capabilities on the device where it is installed, because these native features might contain locally stored private user information. As part of its privacy checks, Microsoft IT requires all apps to declare the native capabilities that they will interact with.

    To help users understand their privacy when they use an app, developers must include a standard, approved Microsoft privacy statement or data protection notice link in the app, even if the app does not collect, track, or use any personally identifiable information. They must also provide a contact email address for users’ privacy-related questions.

    As a global company, Microsoft recognizes that privacy regulations vary from one country and region to the next. Microsoft IT is careful to maintain and enforce relevant local privacy compliance standards wherever users download an app.

  5. Schedule and conduct security and privacy review activities. IT Dev Center guides developers through the process of creating service requests with the Microsoft IT security and privacy compliance testing teams who will provide the final reviews of their code. An internal Microsoft team, called the Information Security & Risk Management (ISRM) team, is responsible for these reviews and assigns each app project a unique ISRM number that can be used to communicate the app’s compliance status to Microsoft IT at the time of certification. To review the app, this team installs the app on each of the targeted devices, and manually ensures that it meets security requirements and that all privacy information is properly included.

    Currently, of the apps that are submitted via IT Dev Center, most that do not pass certification fail because of security- and privacy-related errors. Common errors are the inclusion of out-of-date privacy information, such as a link to an outmoded privacy policy description page, and failure to use NuGet packages to provide authentication capabilities in the app that meet corporate requirements.

Step 3: Adding app components

To expedite certification and support faster development cycles for internal apps, Microsoft IT offers ready-to-use app components that help developers create compliant apps. These include:

  • NuGet for packaging apps in code wrappers that contain standardized compliance information.

  • User authentication components for enabling connectivity between apps and data sources.

  • Compliance certification components for indicating that the app is compliant after it is published.

  • Push notification components for enabling various cloud-based updates to published apps.

Depending on the Microsoft team that will use it, an app may also be subject to additional business-specific app component requirements.

Step 4: Submitting for publication

In the last step of the certification process, the developer officially submits the app to Microsoft IT for final code review and sign-off. Developers provide the following information:

  • Basic app information, including the app name, the team members who developed the app, the app owner, and the appropriate privacy contact.

  • The unique ISRM number provided by the ISRM team during security validation checks.

  • A description of the app and its intended user base, including the targeted list of users that the app should be distributed to.

To be approved for certification and publication, internal apps at Microsoft must meet the following criteria:

  • Apps must run and pass all certification tests that are required by Microsoft IT.

  • App manifest declarations must meet Microsoft guidelines for all languages, including C#, Microsoft Visual Basic, C++, and Extensible Application Markup Language (XAML).

  • Apps that access corporate data must implement authentication controls.

  • Apps must use the approved LOB app components.

  • All app builds, bug fixes, and updates must have sign-off from Microsoft IT security and privacy authorities.

  • App images and graphics must be internally consistent, socially acceptable, and brand compliant.

  • Privacy statements must be included with all apps.

After an app meets these criteria, the developer can submit the app for publication. IT Dev Center provides an interface where developers can complete an app submission form, submit all packages for an app, submit a partial manifest of packages for an app, access a previously submitted partial manifest of packages to complete app submission, check the submission status, or cancel an app submission. Developers can also save their work in IT Dev Center at any point during the submission process.

After Microsoft IT approval and code signing, the development team is notified of certification success, and the app is automatically published to the appropriate distribution channels, according to the submission information that the developer provided.

Step 5: Managing apps (post-certification/publication)

In addition to helping developers coordinate the app certification process and find helpful resources and tools, IT Dev Center also provides an app management dashboard (see Figure 3), where developers can view apps that are in development or that they have previously published. Developers use the app management dashboard to:

  • Review the list of apps that they have published.

  • Update a published app without requiring recertification from Microsoft IT.

  • Track the progress toward certification of apps that they have recently submitted.

  • Unpublish one or more apps.

Mt224990.image003(en-us,TechNet.10).png
Figure 3. IT Dev Center dashboard

The dashboard also provides information about exception errors that have occurred in each published app. IT Dev Center user authentication ensures that the dashboard shows each developer only information about his or her own apps, not information about apps that are owned by other developers.

Standardized certification: A continuing journey

Microsoft IT research and experience have yielded internal app certification best practices, but not all of these practices are fully implemented. This is partly because of various ongoing changes to the network security landscape, including internal business and IT changes, and also new external threats. In addition, evolution takes time; bringing an enterprise-level organization into consensus about and conformity with app development standards is a time-consuming process.

Several key areas of interest that are on the horizon for app certification in Microsoft IT include:

  • Additional support for non–Microsoft Windows operating systems, including Google Android and Apple iOS.

  • Stricter branding standards to enforce the look and feel of apps across devices and platforms.

  • New efforts to simplify and streamline the app certification experience for developers.

  • Extension of the existing processes to test and certify external apps before public release.

In addition to these areas, IT is also examining the requirements of upcoming Microsoft technologies, and the opportunities that these technologies will offer. For example, a developer who creates apps by using Microsoft Windows 10 will build a single application package that automatically detects the user’s device at the time of download and installs the correct components. This capability will simplify the certification process for developers and IT by requiring only one certificate this is distributed to each supported device type.

IT is also expanding its application of the BI metadata that is inserted as part of the certification process. In the near future, IT will use Microsoft Power BI to communicate with app owners and other ALCM stakeholders about app details, such as:

  • App unique identifier

  • App certification status

  • Last modification date/time in IT Dev Center

  • App exception errors

  • App session count

  • App session duration

Examining this data will help identify trends that are related to app usage and the popularity of specific app platforms and types.

Benefits

Implementing a standard process for internal app certification has brought benefits to Microsoft IT in the areas of security, privacy, quality control, and efficient governance of the app portfolio. The process has also benefited the internal developer community, and Microsoft as a whole, by mapping the needs of users, developers, and IT throughout the application life cycle for internal apps.

Benefits include the following:

  • Built-in support for current security and privacy standards. By following the certification process and allowing IT to enforce it, Microsoft helps its developers provide the best possible safeguards against unencrypted data transmission, cross-site scripting, loss of sensitive data, and other network-related software vulnerabilities.

  • Developer community support. The developer tools and guidance that are included with the solution make it easy and fast to follow the Microsoft IT certification process. In addition, the process provides a consistent set of guidelines that can be shared among developers and used to train new developers who join the company.

  • Improved user experience. Users of internal apps at Microsoft feel secure that the apps have been fully tested and certified for their specific devices, and that they conform with strict corporate privacy standards.

  • Rapid development support. By mapping to the ALCM, the certification process ensures that users’ and developers’ needs are met, including the rapid delivery of consistent, high-quality experiences across multiple user devices and platforms.

  • Simplified cross-platform development and distribution. IT Dev Center includes separate processes for developing apps for Windows and non-Windows operating systems and devices, including tools and resources to help developers and advance their apps through a unified certification and distribution mechanism, regardless of the project’s device and platform characteristics.

  • Optimized app quality and experience. No matter how rapidly internal apps are developed, they meet the corporate threshold for stability and user experience—for example, by exhibiting consistent behavior across apps, devices, and platforms.

  • Diagnostic support for app errors. Metadata that is encoded in each app as part of the certification requirements gives IT and app owners visibility into issue details and trends when errors occur.

  • Robust application catalog support. The centralized download portal provides a categorized user interface, where users can easily find and download the apps that they need, no matter what device they need the apps for.

  • Unified distribution channel for internal and public apps. The internal app development practices that are described in this case study also provide benefits to Microsoft developers who intend their apps for eventual distribution in public venues such as the ITunes Store and the Windows Store. By validating internal compliance with strict Microsoft security and privacy regulations, developers can confidently use the same channel to certify their internally approved apps for external release.

  • Platform for ongoing improvement. The establishment of a clear, structured process for certifying apps gives IT a basis for making future process updates to conform to evolving security and privacy concerns and strategies, and also other improvements.

Best practices

  • Certify apps to ensure software quality and network safety. Maintain rigorous security and privacy standards for all internal apps, and enforce those standards by using a single certification process that all internal apps must follow before they can be used on the corporate network.

  • Use certification to unify and support the internal developer community. A well-designed certification process should make it easy for developers to take the first steps toward creating internal apps. Through uniform messaging, regular training opportunities, and a variety of guidance and tools, including code samples and API documentation, Microsoft IT supports its developers by providing centralized access to certification support and enabling peer-to-peer support via shared best practices. IT Dev Center features carousels of rotating banners (see Figure 4) that keep the community of internal app developers throughout the company engaged and informed.

Figure 4. Examples of informational banners for the internal developer community in the IT Dev Center user interface
Figure 4. Examples of informational banners for the internal developer community in the IT Dev Center user interface

  • Align app certification with ALCM principles. When certification is an intentional process that considers stakeholders throughout the app life cycle, those stakeholders will benefit. Microsoft IT uses IT Dev Center to support multiple kinds of targeted testing for various publishing venues, such as pilot testing within small user segments to ensure quality before wider release. IT also uses the required prepackaged code modules that are provided to developers during the certification process to enable feedback from the user community and give the feedback to developers. This feedback can inform developers of the need for additional test and release cycles, and helps improve overall app quality.

  • Differentiate the certification process by app type and target users. Streamlining the certification process for apps that go to specific user groups helps expedite development. For example, the certification guidelines for apps that simply render public web data on a device are much less strict than the guidelines for apps that use locally stored data.

  • Centralize access to the inventory of certified internal apps. Microsoft workers don’t need to search in multiple locations to find the apps that they need. Application Catalog provides a portal where users can search for, learn about, and install apps. The portal is organized to clearly show what apps are available on which platforms and devices, and what business roles and functions each app is most relevant to.

  • Get new apps to the right users. Microsoft IT more efficiently delivers apps to users who want them by providing an enrollment system that pushes notifications to users when a new or updated app is available.

  • Insert metadata for app governance and BI. Microsoft IT uses BI metadata that is embedded in all apps to track the health, relevance, and availability of all the apps in the corporate portfolio. In addition, this metadata enables app owners to receive feedback from users about each app’s weaknesses and strengths. IT also builds tools to examine app-embedded usage metadata, and uses the results to identify apps that are candidates for updates or retirement.

  • Develop a shared process for certifying internal and public apps. Organizations that develop apps for public marketplaces such as the iTunes Store or the Windows Store can follow a single process to certify apps internally before public distribution. For example, developers at Microsoft use IT Dev Center to conduct pilots of certain apps. In this way, the developers can share their apps with a limited test base before they publish the apps for wide distribution to all users. This unified distribution channel conforms with ALCM principles by using a single system and process to centralize multiple aspects of the app development cycle regardless of the distribution scope, such as supporting rapid development, providing user support, gathering user feedback, and prioritizing app improvements.

  • Gather and analyze certification metrics. To enable ongoing improvements to its certification process and internal developer community communications, Microsoft IT uses IT Dev Center to report on statistics and trends that are related to portal usage, including the following:

    • How many apps have passed certification, and at what rate have they been created?

    • What types of apps are being created, and for what platforms and devices?

    • What types of issues are causing apps to fail certification, and how quickly are they resolved?

    • How many users have downloaded each app, and what is the average user session duration?

  • Maintain timely error notifications between IT and developers. To maintain the rapid pace of development, app owners must know as quickly as possible when an app that they have submitted by using IT Dev Center fails to pass certification. IT uses personalized user interface elements in the IT Dev Center dashboard to display known errors with a developer’s apps, based on the developer’s logon credentials. The portal also sends notifications to team members about app errors and other certification statuses, based on information that is provided at the time of submission.

Resources

Introduction to Universal Windows Platform (UWP) apps for designers
https://msdn.microsoft.com/library/windows/apps/dn958439

Make great Windows Store apps
https://msdn.microsoft.com/library/windows/apps/hh464920.aspx

Design UWP apps
https://dev.windows.com/en-us/design

Microsoft IT prepares LOB apps for Windows
https://www.microsoft.com/itshowcase/Article/Content/520

Five IT Strategies for App Creation and Delivery
https://www.microsoft.com/itshowcase/Article/Content/2

Aligning the IT Organization to Deliver Modern Applications
https://www.microsoft.com/itshowcase/Article/Content/7

Responsive Web Design for Enterprises
https://www.microsoft.com/itshowcase/Article/Content/482

Transforming a Legacy LOB Application into a Microsoft IT Modern App
https://www.microsoft.com/itshowcase/Article/Content/374

For more information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

www.microsoft.com

www.microsoft.com/ITShowcase

© 2015 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.