Creating and renewing Application Enrollment Tokens (AET) for Windows Phone 8 Internal Application management

NOTE: For all of the below stated information please reference the Windows Phone 8.1 Protocol document.

Creating and renewing Application Enrollment Tokens via AirWatch

When a device installs an AET, it is valid until its expiration date, which by default is one year after creation. Once the AET expires, the device won’t be able to run any apps signed and distributed by the company, including hub apps, until a new, valid AET is installed. Note that an expired AET also blocks installation of apps and new enrollments of Windows Phone 8 devices.

If the AET is installed via an unmanaged process—email or Internet Explorer—the new AET will need to be installed manually by the user as the user won’t be able to run any apps from the company, including the hub app, once the AET expires. It is a good practice to create and distribute a new AET before the original expires. This will prevent the user from losing access to company apps.

If you are using AirWatch to manage your devices, an updated AET can be published to the devices directly from the AirWatch Console. You can do this by uploading the new token directly into the console by navigating to Devices & Users / Windows / Windows Phone 8 / Agent Settings then clicking upload under Enterprise App Management. This will help to minimize the impact of the expiration of the original AET on the devices.

NOTE: Changing the token requires device re-enrollment to access internal applications. When renewing your AET, make sure you do not create a new token.

Workflows to Follow

Use Case I: All apps are Installed on all devices - I will never be enrolling new devices

  • Renew the Code Signing Certificate.
  • Generate a new AET using AETGenerator.
  • Upload new AET to AirWatch console.
  • All devices will receive the new AET and apps already installed will continue to function (for added peace of mind you may also want to increment the app version, so the app is re-pushed with the new token).

Note: Devices will be unable to download or install apps; if you need that, refer to Use Case II.

Use Case II: All apps (old & new) will continue to function and download/install - New devices may be enrolled in the future

  • Renew the Code Signing Certificate.
  • Generate a new AET using AETGenerator.
  • Precompile any managed assemblies that are included in the XAP or APPX into native code.
  • Sign the XAP or APPX with the new PFX file that is exported from the enterprise certificate.
  • Upload new AET to AirWatch console.
  • All devices will receive new AET and apps already installed will continue to function.
  • Upload (add version if a previous version of the app already exists) the newly signed application to the AirWatch console.
  • When the application is sent to the device, the AET token is sent with it, thus allowing for the new application to be successfully installed.
  • You can choose to retire the old version of the application or have the end user choose when they want to upgrade to the new version.

Helpful Hints

There are some general steps that organizations must follow to establish a company account, enroll devices, and distribute apps to their enrolled devices. The following sections provide an overview of this process:

  1. The organization registers a company account on Windows Phone Dev Center and acquires an enterprise certificate from Symantec.
  2. The organization creates an application enrollment token (AET).
  3. The organization develops an app.
  4. The organization prepares their apps for distribution.
  5. Employees (or other users) enroll for company app distribution on their phones and install the company apps by using the Company Hub app.

Registering on Windows Phone Dev Center and acquiring the enterprise certificate

To begin, you must establish a company account on Windows Phone Dev Center. As part of establishing the account, your company is validated by Symantec.

After a company account is established, you must acquire an enterprise mobile code signing certificate from Symantec. You need this certificate to generate an Application Enrollment Token (AET) and sign company apps.

To acquire the certificate:

  • Obtain the Publisher ID for the company as provided on the company’s Dev Center account page.
  • Visit the Symantec Enterprise Mobile Code Signing Certificate Website, and complete the required steps to acquire an enterprise mobile code signing certificate. When requested, specify the Publisher ID provided by Dev Center for your company. When this process is complete, Symantec will deliver a certificate that can be imported into the certificate store on a computer. For instructions to import the certificate, see How to install the Windows Phone Private Enterprise Root and Intermediate certificates on the Symantec Web site.
  • In the Certificates snap-in on the computer where the certificate is imported, export the certificate in PFX format. Be sure to export the private key with the certificate. The PFX file will be used to generate an application enrollment token (AET) and sign company apps. For more information about exporting the certificate in PFX format, see Export a Certificate with the Private Key.
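As an added example (not part of the original article and not AirWatch or Microsoft tooling), the following PowerShell checks the exported PFX before you feed it to AETGenerator: that it still carries the private key, that it is a code-signing certificate, and how many days remain before it expires, so the renewal described in the workflows above can be scheduled ahead of the expiry rather than after apps stop launching. The PFX path, password and 60-day lead time are assumptions.

```powershell
# Added example, not from the original article: validate the exported enterprise PFX
# before running AETGenerator or signing XAP/APPX packages with it.
function Test-EnterpriseSigningPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,       # placeholder path supplied by caller
        [Parameter(Mandatory)][string]$PfxPassword,   # placeholder password supplied by caller
        [int]$RenewWithinDays = 60                    # assumed lead time to publish a new AET
    )

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList $PfxPath, $PfxPassword, $flags

    # The PFX must include the private key; an export without it cannot generate an AET or sign apps.
    $hasKey = $cert.HasPrivateKey

    # The certificate must carry the code-signing Enhanced Key Usage (OID 1.3.6.1.5.5.7.3.3).
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $codeSigning = $false
    if ($ekuExt) {
        $codeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    }

    # Days of validity left on the certificate itself; it must be valid when you renew the AET
    # and re-sign packages, so renew it inside the lead-time window.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    $result = [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $hasKey
        CodeSigning   = $codeSigning
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        RenewNow      = ($daysLeft -le $RenewWithinDays)
    }

    if (-not $hasKey)       { Write-Warning "No private key in $PfxPath; re-export with the private key included." }
    if (-not $codeSigning)  { Write-Warning "Certificate lacks the code-signing EKU; check that the right certificate was exported." }
    if ($daysLeft -le 0)    { Write-Warning "Certificate expired on $($cert.NotAfter); renew it before generating an AET." }
    elseif ($result.RenewNow) { Write-Warning "Only $daysLeft days left; renew the certificate and publish a new AET now." }

    return $result
}

# Usage with placeholder values (constructed for this example):
Test-EnterpriseSigningPfx -PfxPath 'C:\certs\enterprise-codesign.pfx' -PfxPassword 'REPLACE_ME' | Format-List
```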

Creating the application enrollment token (AET)

After you acquire an enterprise mobile code signing certificate from Symantec and export a PFX file from the certificate, you can use the AETGenerator tool provided by the Windows Phone development tools to generate an application enrollment token (AET). The AET is used to enroll phones in the company account, which is a prerequisite for installing apps published by the company.

For more information about creating the AET, see How to generate an application enrollment token for Windows Phone.

Preparing company apps for distribution

Before distributing an app or a Company Hub app to users, you must prepare the app for distribution by performing the following tasks:

  • Precompile any managed assemblies that are included in the XAP or APPX into native code.
  • Sign the XAP or APPX with the PFX file that is exported from the enterprise certificate.

The Windows Phone development tools provide command-line tools that you can use to perform each of these tasks separately, and also provide a Windows PowerShell script that can optionally be used to automate both of these tasks. For more information, see Preparing company apps for distribution for Windows Phone.
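The two preparation steps above (and the matching steps in Use Case II) as one added PowerShell script; this is not the SDK's own script and not AirWatch code. The tool directory, the MDILXAPCompile.exe and XapSignTool.exe switches, and the output layout are assumptions based on the Windows Phone 8 SDK command-line tools and should be verified against your SDK version.

```powershell
# Added example, not the SDK's own automation script: precompile managed assemblies in a
# XAP/APPX to native code, then sign the result with the renewed enterprise PFX.
param(
    [Parameter(Mandatory)][string]$PackagePath,   # .xap or .appx to prepare (caller supplies)
    [Parameter(Mandatory)][string]$PfxPath,       # renewed enterprise PFX exported with private key
    [Parameter(Mandatory)][string]$PfxPassword,
    [string]$OutputDir = (Join-Path (Split-Path -Parent $PackagePath) 'Precompiled'),
    # Assumed SDK tool location; adjust to where your SDK installed the tools.
    [string]$ToolDir = 'C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\MDILXAPCompile'
)
$ErrorActionPreference = 'Stop'

$compiler = Join-Path $ToolDir 'MDILXAPCompile.exe'
$signer   = Join-Path $ToolDir 'XapSignTool.exe'
foreach ($tool in @($compiler, $signer, $PackagePath, $PfxPath)) {
    if (-not (Test-Path -LiteralPath $tool)) { throw "Required file not found: $tool" }
}
New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null

# Step 1: precompile any managed assemblies inside the package into native code.
# Switch names (/xapfile, /outputdir) are assumed from the SDK tool documentation.
& $compiler "/xapfile:$PackagePath" "/outputdir:$OutputDir"
if ($LASTEXITCODE -ne 0) { throw "MDILXAPCompile failed with exit code $LASTEXITCODE" }

$precompiled = Join-Path $OutputDir (Split-Path -Leaf $PackagePath)
if (-not (Test-Path -LiteralPath $precompiled)) { throw "Precompiled package not found at $precompiled" }

# Step 2: sign the precompiled package with the PFX exported from the renewed certificate.
# Signing must use the same certificate the new AET was generated from, otherwise devices
# that received the new AET will reject the package.
& $signer sign /v /f $PfxPath /p $PfxPassword $precompiled
if ($LASTEXITCODE -ne 0) { throw "XapSignTool failed with exit code $LASTEXITCODE" }

Write-Output "Prepared and signed package ready for upload: $precompiled"
```

Upload the file written to the output directory (adding a version if a previous one exists) rather than the original package; the original is left untouched so a failed run cannot replace a working build.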

After preparing company apps for distribution, you should store the apps in a secure location, such as a secure web site that users can access from their phones or a server that provides access to the XAP or APPX files through a service.

Enrolling users for company app distribution

After the company apps are ready for distribution, users can enroll their phones for company app distribution and install the apps:

  • You can distribute the AET (AET.aetx file) and the XAP or APPX to users via email or a secure web site that users can access from their phones. If you use email to distribute the XAP or APPX, per Microsoft's best practices you should apply IRM protection to the email. AirWatch additionally recommends that you rename the AET file to make the purpose of the file clearer to users (for example, AppEnrollment.aetx).
  • Users tap the AET (or the link to the AET) from their phone to enroll their phone for company app distribution. Note: Windows Phones are not restricted to a single company account. Users can enroll a phone in multiple company accounts by installing different AETs.
  • Users tap the XAP or APPX to install the application.