
The enterprise sideloading story on Windows 8? It's complicated

Now that businesses can buy Windows 8 and Windows RT devices, how do you run your own apps on them? It should be easy, but licensing issues add complexity.
Written by Matt Baxter-Reynolds, Contributor

One of the central ideas in a post-PC device is "full trust". What this boils down to is making it as difficult as possible to install software without some form of top-down control. By restricting which software can be installed, platform owners gain some control over the spread of malware that has been the bane of users and IT managers for years.

However, if you go out of your way to buy tablets for use within your organization, whether you buy ten or ten thousand, it's reasonable to expect that you can install apps that you build to support whatever it is that you want to do. Hence "sideloading", the process that lets you install your own apps on your own devices without going through the platform owner's store.

(For what it's worth, for me, the more restrictive you can possibly be in terms of which software you can install on a device the better, especially on post-PC devices.)

But on Windows 8 and Windows RT the sideloading story is quite difficult to get your head around, and it has the feeling of having been slapped together at the last minute. Let's look at what you need to do.

Android and iOS

I'll frame the discussion by talking about how this works on Android and on iOS.

Android is not designed in a "security from the top down" way. Apps are not validated as they go onto the Google Play store. Out-of-the-box, Android devices can only download apps from Google Play. You can go into the settings and switch on an option to allow you to install apps from any source that you like -- i.e. "allow sideloading".

The risk is that once you've opened that door, you can chuck anything you want onto an Android device. More to the point, any entity can put anything they want onto any Android device that you manage which is in that state. It opens a gaping security hole in the device.

Apple has perhaps the most famously restrictive app store. When you sign up for a developer account you're allowed to push out builds of apps that you write to up to 100 devices. But you categorically cannot run production apps in this mode; it is for testing only.

Apple offers a program called the iOS Developer Enterprise Program. Membership costs $299 per year. It's through this that you can distribute private apps. There's no upper or lower limit on devices. The actual process of deploying apps is the same whether you're a developer pushing out test builds or using the enterprise program to push out production builds.

A key point about this process is that it skips the App Store validation entirely. You can just put stuff up there and -- whoosh -- users can install it. You will likely want to use a third-party mobile device management (MDM) tool to actually manage the deployment process. Not least because any device used for business should be properly managed within the IT systems process, including good things like encryption and remote wipe.

Unlike the Android sideloading process, where switching on sideloading opens the device right up, on Apple this process relies on users installing a "provisioning profile" on the device that pairs it with the owner's enterprise program membership. Every device also comes with built-in trust for apps signed by the Apple App Store, which you cannot change. Any app that gets installed is checked against a matching profile. No matching profile, no installation.

All in all, although I've been harsh on the mechanics of doing it, Apple's sideloading story is just about perfect. It enables you to keep the devices secure while also enabling custom line-of-business apps to be deployed to users.

Back to Windows…

Strap in -- this is going to be a long ride.

The first thing you have to know is that this process is different on Windows 8 and on Windows RT. I'm going to explain it for Windows 8 first, as it's easier.

By default, when you build a Windows Store app it is signed with a temporary test certificate for local testing. Running it that way requires the developer to obtain a "developer license" from Microsoft, which is free of charge and available to anyone who registers.

Any machine that has a developer license installed is wide open: it acts as a global sideloading flag much like Android's. This is detailed in the MSDN article Get a developer license. They even say in that article: "if you acquire and run Windows Store apps from sources other than the Windows Store, take the same precautions you normally do when acquiring desktop apps from the web".

They also talk in that article about "fraudulent use of a developer license". What they're actually saying is "don't use a developer license to sideload production apps". They want you to use the "proper" sideloading approach.

What Microsoft ideally wants here is a Windows 8 Enterprise client that's domain joined. If you do that, you're home and dry. All you have to do is turn on a group policy item called Allow all trusted apps to install (under Computer Configuration, Administrative Templates, Windows Components, App Package Deployment) and you're away. "Trusted" is the key word in all that: the device must have a certificate installed that matches the one used to sign the app.

This roughly maps to Apple's idea of a provisioning profile. Within the organisation you would either create or obtain a code signing certificate and deploy its public certificate to all of the devices that need to run your app. In an enterprise setting, creating the certificates and managing the trust chain is not unduly difficult and is likely already done for other reasons. (By extension, though, if a device trusts a nefarious certificate that matches a nefarious app, turning on sideloading will also allow that nefarious app to install. The worrying vector here is spear phishing that tricks a user or administrator into trusting the attacker's certificate.) Similar to Apple, every Windows 8 and Windows RT device is able to validate apps that come from the Windows Store out of the box.
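The developer-license audit and the trusted-certificate sideloading path described in the last few paragraphs, as an added example that is not from the article: a PowerShell script to run from an elevated prompt on a domain-joined Windows 8 Enterprise machine. The certificate file, package file, package name and expected thumbprint are placeholders I have assumed; the registry value is the one the Allow all trusted apps to install policy writes, shown here so the script runs without waiting for a GPO refresh. It treats Get-AuthenticodeSignature as working on .appx files the way it does on other Authenticode-signed files; if your build does not, compare the package's publisher against the certificate subject with Get-AppxPackage instead.

```powershell
# Added example, not from the article. Run as administrator.
# Assumed inputs: the public cert of the organisation's signing key, a package
# signed with that key, and the cert thumbprint obtained out-of-band from the
# PKI team (never from the same e-mail that delivered the package).
$CertPath      = '.\ContosoLOB.cer'                                # assumed
$PackagePath   = '.\ContosoLOB.appx'                               # assumed
$ExpectedThumb = '0123456789ABCDEF0123456789ABCDEF01234567'        # placeholder

# 0. A developer license is the "global sideloading flag"; managed machines
#    should not have one. Remove it if present.
$devLic = Get-WindowsDeveloperLicense
if ($devLic -and $devLic.IsValid) {
    Write-Warning "Developer license present (expires $($devLic.ExpirationTime)); removing it"
    Unregister-WindowsDeveloperLicense -Force
}

# 1. 'Allow all trusted apps to install'. Normally pushed by GPO; this is the
#    registry value that policy sets.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name AllowAllTrustedApps -Value 1 -Type DWord

# 2. Trust the signer. Check the thumbprint first, and put only the leaf cert
#    into Trusted People, never into Trusted Root: a root you add would make
#    every cert chaining to it trusted, which is the "nefarious certificate"
#    problem in a single click.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
if ($cert.Thumbprint -ne $ExpectedThumb) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected signing cert; refusing to trust it"
}
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null

# 3. Confirm the package really was signed by that cert before installing.
#    The chain status alone is not enough (a self-signed cert in Trusted People
#    does not make the Authenticode chain 'Valid'), so compare the signer.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if (-not $sig.SignerCertificate -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Package is unsigned or signed by a different certificate; not installing"
}

# 4. Install for the current user and show what landed.
Add-AppxPackage -Path $PackagePath
Get-AppxPackage -Name 'ContosoLOB*' | Select-Object Name, Publisher, Version
```

The thumbprint check in step 2 is the part worth keeping even if you let the GPO and your MDM tool do the rest: the policy trusts whatever is in Trusted People, so the control is really "who can put certificates there", and a script that imports any .cer it is handed gives that control away.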

So what if you don't use Windows 8 Enterprise, or run Windows 8 Pro but don't want to join it to the domain?

Licensing

Whereas Apple's approach is "buy the devices, buy the enterprise program, you're done", Microsoft's approach is more "let's whack the sideloading stuff right in the middle of our licensing stuff!" This adds a tremendous level of logistical complication. No one likes Microsoft's licensing, apart from the legal and accountancy elves over at Microsoft HQ.

Microsoft has a TechNet article on sideloading that covers the details.

The general idea is that if you're running Windows 8 Pro, or Windows 8 Enterprise on a device that's not domain joined, you need to buy an "enterprise sideloading product key". You apply that key to the device, redo Windows activation, and you should be good to go.

(This product key is sold in packs of 100, and you can find it by Googling for its internal code "J7S-00005". Cost to you? $3,000 per 100, so $30 per device. Unless you have 101 devices, in which case it'll cost $59 per device.)
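The "apply the key, redo activation" step above, as an added example that is not from the article, for a Windows 8 Pro, non-domain-joined Enterprise, or Windows RT device. Run it from an elevated PowerShell prompt. The key is a placeholder (the real one comes with the volume-licensing purchase and is never published); the activation ID is the one Microsoft's Windows 8 sideloading documentation gives for the sideloading product, and you should confirm it against the TechNet article before relying on it. Because there is no domain GPO on these devices, the script also sets the local policy value; trusting the signing certificate and installing the package then proceed exactly as on a domain-joined machine.

```powershell
# Added example, not from the article. Run as administrator.
$SideloadingKey       = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'            # placeholder, not a real key
$SideloadActivationId = 'ec67814b-30e6-4a50-bf7b-d55daf729d1e'    # verify against TechNet
$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# 1. Install the sideloading product key alongside the existing Windows key.
cscript //nologo $slmgr /ipk $SideloadingKey

# 2. Activate that specific product. A bare '/ato' activates the default
#    (Windows) licence only, so the activation ID is needed here.
cscript //nologo $slmgr /ato $SideloadActivationId

# 3. Show the detailed licence status for the sideloading product so the
#    result can be checked (look for 'Licensed' in the output).
cscript //nologo $slmgr /dlv $SideloadActivationId

# 4. No domain GPO here, so set 'Allow all trusted apps to install' locally.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name AllowAllTrustedApps -Value 1 -Type DWord
Get-ItemProperty -Path $PolicyKey | Select-Object AllowAllTrustedApps

# From here the steps are the same as on a domain-joined machine: import the
# signing certificate into Cert:\LocalMachine\TrustedPeople after checking its
# thumbprint, then Add-AppxPackage -Path <package>.
```

Keep the key out of scripts that get checked into source control or pushed through an MDM channel in the clear; it is a licensing asset in its own right, and a device with it applied and the policy set accepts any package signed by a certificate in Trusted People.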

You should know that I'm not an expert on Microsoft licensing, and I don't give advice on it to anyone, especially people I don't know. Getting Microsoft licensing right is intensely difficult and you should always seek specialised advice. But I do need to say something…

There are, broadly, two ways to buy Microsoft licenses. You can either buy them at retail (e.g. a boxed product from a shop, or an OEM version installed by a system vendor), or you can buy them on a "volume license" (VL) program from Microsoft. The idea of VL is that it makes it easier to license your whole organisation. You also get some benefits in terms of extra rights and tools if you go down the VL route.

Microsoft describes sideloading as a benefit of something they call Software Assurance (SA). SA is a way of buying Microsoft software on a quasi-subscription basis. The sideloading product keys that I described above only work with copies of Windows 8 that are SA-licensed copies, or that fit into other programs that make them more "SA-like". (Windows RT is a little different, and I'll come onto that.)

What appears to be the case is that if you go and buy 50 laptops from Dell, Lenovo, or whoever, those will come with retail copies of Windows 8 Pro. Because that's a retail license and not a SA license, either the sideloading product key won't work, or it will work and your license will be invalid.

Clear? Well, it still gets more confusing. You can at this point re-license those new laptops under an SA license, either as Pro (where you still need the sideloading product key), or as Enterprise (where you need the sideloading product key if you're not putting them on the domain). Or, you can enable sideloading using the sideloading product key if the device has an active Windows Intune subscription. (If you don't know what Intune is, Mary Jo Foley has a good explanation: Windows Intune is Microsoft's cloud-based PC management and security service. Intune users get rights to current and future versions of Windows, similar to what they'd get if they signed up for Microsoft's Software Assurance volume-licensing program.)

Still want more? OK, if that device is covered under a VDA license, you can apply the sideloading product key. Don't know what VDA is? Well, in the three previous drafts of this article I tried to explain it in less than a thousand words and failed; it's related to virtualization and VDI. Still more? OK, if the device is covered by a Windows Companion Device License (CDL), you can apply the sideloading key. (CDL is related to Microsoft's VDA licensing.) There is a good write-up that adds some color to this, although you'll need to go through a free registration to read it.

Remember Windows RT? Well, with that the basic licensing is much simpler: only one version of the Windows RT license exists, which is an OEM license. Moreover, you can't domain join RT devices, so the group policy route is off the table.

The upshot of this is as follows:

- Sideloading on Windows RT? You'll need a sideloading product key. Buy it, apply it, and off you go.

- Sideloading on Windows 8? Uh… seek specialist advice.

Conclusion

Sideloading is absolutely essential to any organisation looking to deliver custom line-of-business apps to tablets, whether they're BYOD or ones that you own. To me, it's shocking that Microsoft has made what should be a simple thing tremendously difficult and, actually, quite expensive.

Microsoft has managed to create a system that puts an undue amount of load on the IT department. First, there are the certificates. Although many IT departments already manage PKI, I'm sure they're not going to thank Microsoft for increasing the burden.

But the real problem here is the licensing. No one likes dealing with Microsoft's tortuous licensing arrangements and you essentially can't do sideloading without having someone check your calculations before you push the button.

And there's the cost. $30 a unit isn't a great deal of money, but for a Windows RT device (where you can't avoid it), that's 5% on top of a $600 unit price. Buy 10,000 units and, OK, you're likely to get a good discount, but that's an extra $300k on your order just for the privilege of running your own apps. Compare that to Apple, who will charge you $299 per year.

Thanks very much to Wes Miller and to Richard Eaton for their invaluable help with this article.

What do you think? Post a comment, or talk to me on Twitter: @mbrit.
