The enterprise sideloading story on Windows 8? It's complicated

Summary: Now that businesses can buy Windows 8 and RT devices, how do you run your own apps on them? It should be easy, but licensing issues add complexity...

One of the central ideas in a post-PC device is "full trust". What this boils down to is making it as difficult as possible to install software without some form of top-down control. By restricting software that can be installed, platform owners can gain some control over the general splurging of malware that's been the bane of users and IT managers for years.

However, if you go out of your way to buy tablets for use within your organization, whether you buy 10 or ten thousand, it's reasonable to expect that you can install apps that you build to support whatever it is that you want to do. Hence "sideloading", the process that lets you install whatever you want on your own devices.

(For what it's worth, for me, the more restrictive you can possibly be in terms of which software you can install on a device the better, especially on post-PC devices.)

But on Windows 8 and Windows RT the sideloading story is quite difficult to get your head around, and it has the feeling of having been slapped together at the last minute. Let's look at what you need to do.

Android and iOS

I'll frame the discussion by talking about how this works on Android and on iOS.

Android is not designed in a "security from the top down" way. Apps are not validated as they go onto the Google Play store. Out-of-the-box, Android devices can only download apps from Google Play. You can go into the settings and switch on an option to allow you to install apps from any source that you like -- i.e. "allow sideloading".

The risk here is that once you've opened that door, you can chuck anything you want onto an Android device. More to the point, any entity can slap anything they want onto any Android device that you manage which is in that state. It opens a gaping security hole in the device.

Apple has perhaps the most famously restrictive app store. When you sign up for a developer account you're allowed to push out builds of apps that you write to up to 100 devices. But you categorically cannot run production apps in this mode -- you can only allow testing.

Apple offers a program called the iOS Developer Enterprise Program. Membership of this costs $299 per year. It's through this that you can distribute private apps. There's no upper or lower limit to devices. The actual process of deploying apps is the same whether you're a developer pushing out test builds, or using the enterprise program to push out production builds.

A key point about this process is that it skips the App Store validation entirely. You can just put stuff up there and -- whoosh -- users can install it. You will likely want to use a third-party mobile device management (MDM) tool to actually manage the deployment process. Not least because any device used for business should be properly managed within the IT systems process, including good things like encryption and remote wipe.

Unlike the Android sideloading process where switching on sideloading opens the device right up, on Apple this process relies on users installing a "provisioning profile" on the device that pairs it with the owner's enterprise program membership. Each device has a special profile for the Apple App Store, which you cannot change. Any app that gets installed is checked against a matching profile. No matching profile, no installation.

All in all, although I've been harsh on the mechanics of doing it, Apple's sideloading story is just about perfect. It enables you to keep the devices secure while also enabling custom line-of-business apps to be deployed to users.

Back to Windows…

Strap in -- this is going to be a long ride.

The first thing you have to know is that this process is different in Windows 8 to Windows RT. I'm going to explain it for Windows 8 first, as it's easier.

By default, when you build Windows Store apps, they are signed using a temporary key for local testing. This requires developers to obtain a "developer license" from Microsoft, something which is free-of-charge and freely available to everyone (providing you register).

Any machine that has a developer license installed is wide open - it's a global sideloading flag much like Android's. This is detailed in the MSDN article Get a developer license. They even say in that article: "if you acquire and run Windows Store apps from sources other than the Windows Store, take the same precautions you normally do when acquiring desktop apps from the web".

They also talk in that article about "fraudulent use of a developer license". What they're actually saying here is "don't use a developer license to sideload". They want you to use the "proper" sideloading approach.

What Microsoft ideally wants here is a Windows 8 Enterprise client that's domain joined. If you do that, you're home and dry. All you have to do is turn on a group policy item called Allow all trusted applications to install and you're away. Although "Trusted" is the key word in all that. What this means is that you have to have a certificate on the device that matches the one used to sign the app.

This roughly maps to Apple's idea of a provisioning profile. Within the organisation you would either create or obtain a code signing key that you deploy to all of the devices that had to run your app. In an enterprise setting creating the certificates and managing the trust chain is not unduly difficult and likely already done for other reasons. (However, by extension, if you have a nefarious certificate that matches a nefarious app, turning on sideloading will also allow that nefarious app to install. The worrying vector here would be spear phishing.) Similar to Apple, every Windows 8 and Windows RT device is able to validate apps that come from the Windows Store out-of-the-box.
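
The three pieces of device state described above (a developer license, the "Allow all trusted applications to install" policy, and the certificates the device will accept as signers) can be checked on a managed device. The PowerShell below is an added example, not code from the article or from Microsoft; the registry location of the policy and the use of the LocalMachine\TrustedPeople store for deployed signing certificates are assumptions that the article does not state.

```powershell
# Added example: report the sideloading-related state of one Windows 8 / RT device.
# Run from an elevated PowerShell 3.0+ session on the device being audited.
function Get-SideloadingPosture {
    $state = [ordered]@{
        Computer            = $env:COMPUTERNAME
        DeveloperLicense    = 'not checked (cmdlet unavailable)'
        AllowAllTrustedApps = $false
        TrustedPeopleCerts  = @()
        Findings            = @()
    }

    # 1. Developer license: the "global sideloading flag" case from the article.
    if (Get-Command Get-WindowsDeveloperLicense -ErrorAction SilentlyContinue) {
        try {
            $lic = Get-WindowsDeveloperLicense -ErrorAction Stop
            $state.DeveloperLicense = "installed, expires $($lic.ExpirationDate)"
            $state.Findings += 'Developer license installed: device accepts apps from outside the Windows Store.'
        } catch {
            $state.DeveloperLicense = 'none installed'
        }
    }

    # 2. Group policy "Allow all trusted applications to install".
    # Assumption: the policy is stored as this registry value (not stated in the article).
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $policy = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    $state.AllowAllTrustedApps = ($policy -and $policy.AllowAllTrustedApps -eq 1)

    # 3. Certificates that can vouch for sideloaded packages.
    # Assumption: signing certificates are deployed to LocalMachine\TrustedPeople.
    $codeSigning = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU OID
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\TrustedPeople) {
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        # A certificate without an EKU extension is valid for every purpose.
        $canSign = -not $eku -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigning })
        if (-not $canSign) { continue }
        $state.TrustedPeopleCerts += [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
    }

    # With the policy on, every certificate listed is one an installable app may be signed with.
    if ($state.AllowAllTrustedApps -and $state.TrustedPeopleCerts.Count -gt 0) {
        $state.Findings += 'Sideloading policy is on: check each listed certificate against the PKI inventory.'
    }
    [pscustomobject]$state
}

Get-SideloadingPosture | Format-List
```

A certificate in the output that the organisation's PKI team cannot account for is the "nefarious certificate" case mentioned above and is worth investigating before the policy is left enabled.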

So what if you don't use Windows 8 Enterprise, or run Windows 8 Pro but don't want to join it to the domain?

Licensing

Whereas Apple's approach is "buy the devices, buy the enterprise program, you're done", Microsoft's approach is more "let's whack the sideloading stuff right in the middle of our licensing stuff!" This adds a tremendous level of logistical complication. No one likes Microsoft's licensing, apart from the legal and accountancy elves over at Microsoft HQ.

You can find a TechNet article on sideloading here.

The general idea is that if you're not running a device with Windows 8 Pro, or a device with Windows 8 Enterprise that's not domain joined, you need to buy an "enterprise sideloading product key". You apply that key to the device, redo Windows activation, and you should be good to go.

(This product key is sold in packs of 100, and you can find it by Googling for its internal code "J7S-00005". Cost to you? $3,000 per 100, so $30 per device. Unless you have 101 devices, in which case it'll cost $59 per device.)

You should know that I'm not an expert on Microsoft licensing, and I don't give advice on it to anyone, especially people I don't know. Getting Microsoft licensing right is intensely difficult and you should always seek specialised advice. But I do need to say something…

There are, broadly, two ways to buy Microsoft licenses. You can either buy them at retail (e.g. a boxed product from a shop, or an OEM version installed by a system vendor), or you can buy them on a "volume license" (VL) program from Microsoft. The idea of VL is that it makes it easier to license your whole organisation. You also get some benefits in terms of extra rights and tools if you go down the VL route.

Microsoft describes sideloading as a benefit of something they call Software Assurance (SA). SA is a way of buying Microsoft software on a quasi-subscription basis. The sideloading product keys that I described above only work with copies of Windows 8 that are SA-licensed copies, or that fit into other programs that make them more "SA-like". (Windows RT is a little different, and I'll come onto that.)

What appears to be the case is that if you go and buy 50 laptops from Dell, Lenovo, or whoever, those will come with retail copies of Windows 8 Pro. Because that's a retail license and not an SA license, either the sideloading product key won't work, or it will work and your license will be invalid.

Clear? Well, it still gets more confusing. You can at this point re-license those new laptops under an SA license, either as Pro (where you still need the sideloading product key), or as Enterprise (where you need the sideloading product key if you're not putting them on the domain). Or, you can still enable sideloading using the sideloading product key if the device has an active Windows Intune subscription. (If you don't know what Intune is, Mary Jo Foley has a good explanation: Windows Intune is Microsoft's cloud-based PC management and security service. Intune users get rights to current and future versions of Windows — similar to what they’d get if they signed up for Microsoft’s Software Assurance volume-licensing program.)

Still want more? OK, if that device is covered under a VDA license, you can apply the sideloading product key. Don't know what VDA is? Well, in the three previous drafts of this article I tried to explain it in less than a thousand words and failed - it's related to virtualization and VDI. Still more? OK -- if the device is covered by a Windows Companion Device License (CDL), you can apply the sideloading key. (CDL is related to Microsoft's VDA licensing.) You can find a good write-up that adds some color to this here, although you'll need to go through a free registration.

Remember Windows RT? Well, with that the basic licensing is much simpler -- only one version of the Windows RT license exists, which is an OEM license. Moreover, you can't domain join them.

The upshot of this is as follows:

- Sideloading on Windows RT? You'll need a sideloading product key. Buy it, apply it, and off you go.

- Sideloading on Windows 8? Uh… seek specialist advice.

Conclusion

Sideloading is absolutely essential to any organisation looking to deliver custom line-of-business apps to tablets, whether they're BYOD or ones that you own. To me, it's shocking that Microsoft have made what should be a simple thing tremendously difficult and, actually, quite expensive.

Microsoft has managed to create a system that puts an undue amount of load on the IT department. First off there's the certificates. Although many IT departments already manage PKI, I'm sure they're not going to thank Microsoft for increasing the burden.

But the real problem here is the licensing. No one likes dealing with Microsoft's tortuous licensing arrangements and you essentially can't do sideloading without having someone check your calculations before you push the button.

And there's the cost. $30 a unit isn't a great deal of money, but for a Windows RT device (where you can't avoid it), that's 5% on top of a $600 unit price. Buy 10,000 units and -- OK you're likely to get a good discount -- that's an extra $300k on your order just for the privilege of running your own apps. Compare that to Apple, who will charge you $300 per year.

Thanks very much to Wes Miller and to Richard Eaton for their invaluable help with this article.

What do you think? Post a comment, or talk to me on Twitter: @mbrit.

Talkback

27 comments
  • "..undue amount of load on the IT department"

    But, but... Microsoft is helping those poor guys have a job.
    Microsoft created these jobs in the first place, turning lots of otherwise fine people into zombies.

    It's good there is life outside of Windows, much simpler and more productive.
    danbi
    • Obviously you're not in IT

      "It's good there is life outside of Windows, much simpler and more productive"

      You'd understand how wrong that sentence is.
      William Farrel
      • I am in IT

        First off, I am the IT manager at my work, so I know a bit about computers. I actually agree with the statement "It's good there is life outside of Windows, much simpler and more productive".

        Honestly, we have several Macs here that run Windows through Parallels for the few programs that there are not Mac equivalents for. And yes, it took a little bit to get the setup down just right, but now that they are set up, if there is a problem with Windows, it's a simple restore to a snapshot and they are back up and running within 5 minutes, no matter how badly messed up Windows becomes. As for the Mac side, well there are so few issues that it's just not an issue for us.


        We are a small enough firm that we simply install software on a machine by machine basis, so this whole idea of side loading is enough to make my head hurt.
        cmwade1977
        • And if you had Linux

          You'd get the same low stress life with more security and less cost. The world outside of Windows is beautiful indeed.

          Get some fresh air people!

          (Typing this from a company owned Ubuntu laptop :-D)
          T1Oracle
  • Corporate IT is always complicated.

    Apple products are mere toys...no news there.

    Enterprise is dealing with MS license stuff for more than two decades...they will easily manage the side loading complexities... people working in enterprise IT are well paid and highly educated, so no big deal here.
    owlllnet
    • Spoken like a true shill

      Nothing like dismissing a serious blog with a few lines of fluff.
      D.T.Long
      • Not true

        All I said was that IT can deal with it, nothing more and nothing less.
        owlllnet
      • No, it was an uninformed blog post

        I'm not sure any part of the post was accurate or complete, and it doesn't show much experience with enterprise development or licensing.
        Schoolboy Bob
      • Spoken like a true frightened person

        you never say anything productive, just post to throw in digs against MS and anyone who says something positive about their products.

        it's obvious you're frightened, but why? Just don't use MS products, and be on your way, easy as that.
        William Farrel
    • That attitude is the downfall of MSFT

      Sure it is just more of the same. IT departments can cope right? Well what if they have had enough? What if the competition is better or cheaper or both?

      IBM used to dominate and thought that they could push around their mainframe customers and gouge their PC buyers but you know where that got them. They are still around but have long since lost the total dominance they once had.

      Now look at what the post PC market looks like. Microsoft is a pipsqueak. Even RIM after it imploded still has much bigger share than msft. Android and apple are now prominent and established and all of them do sideloading better easier and cheaper. MSFT cannot rely on its brand or market share of desktops and unless they completely blow away this scheme and replace it with something sensible they are fast approaching an epic decline.

      Check out the market for web servers and cloud services and such where MSFT is an also ran mostly against those leveraging Linux and other open technology. Price isn't actually the main motivator for their customers. Ultimately it is the freedom from the most retarded EULA and licensing/activation/DRM setup on the planet that drives business away from MSFT. They better appreciate that if we are heading into a post PC market where traditional machines no longer dominate because MSFT will also no longer dominate.
      Mark Hayden
      • Not getting it.

        I would hardly call 90% dominance in the market for PCs pipsqueak. We are not talking phones here. We're talking PC. By the way, sideloading an app in Windows 8 pro is as easy as sideloading an app in Windows 7. All you do is run setup.exe and BOOM! And, the developer tools are free too (Visual Studio Express). The article is basically telling you what it would take to sideload an app to the tiled/metro/modern side of Windows. No one in the corporate world is going to mess with that side of Windows. That is the consumer side that will be reserved for games, social networking, surfing, music, video...etc. The real work is still going to be done on the desktop side just like it always has. There's no change there. You'll understand that real soon. I promise. The AH-HA moment is coming for a lot of people real soon.
        MCTronix
  • The enterprise sideloading story on Windows 8? It's complicated

    You made it complicated. Sounds easy, you buy the side loading key no matter if your Microsoft Windows 8 device is on the domain or not. I simplified your whole article for you.
    Loverock Davidson-
  • If you allow someone to grab you by the b@lls.....

    maybe you have no business complaining when they squeeze. ;-)
    D.T.Long
  • Let me guess

    That there will not be a lot of internal business apps development and it doubly kills Windows RT as not only do you need the side-loading license key to side-load business apps but you'll also need to provide an Enterprise key for Office RT to be legally used in a business.

    Adds quite a lot to the price of a device which is already overpriced to start with!
    lepoete73
  • Microsoft is struggling, nothing new here, but this licensing is a noose

    When Microsoft managers sit around the table and try and design a policy for their products, the results always seem to appear like the US Senate vs House of Representatives. There's all kinds of bickering and bargaining it seems. They seem to all be sure that their BU is the next to get cuts, and so they try and wire in all kinds of stuff to keep themselves afloat.

    MS used to be able to do anything, because the MS zombies just bought whatever was held up in front of their face by the sales team (the all-in-one license has been a big money maker for medium to large campuses it would seem).

    But now that there is a decade or more of experience with other OSes in the enterprise, and people are using non-MS stuff at home for personal use, the door is pushing closed.

    It doesn't seem that Microsoft has figured out that they need to deliver a quality product at a great value, but instead are focused on, "here's how much money we need to pay the bills", and then only arranging their pricing to "pay the bills".

    People are value shopping in this day and age, even more so. If the value is not right, the price will be immaterial in the long run.
    greggwon@...
  • MS Store, Sideloading keys & all that Crap!

    In the beginning there was IBM, Burroughs, Data General, Digital Equipment Corp, etc. They all had proprietary hardware & software incompatible with each other. Then came the IBM 5160 later on called the IBM PC. All its openness brought us to the point we are now. But I guess history repeats itself every so often. Now we are going BACKWARDS. I predict & hope the Windows 8/RT, etc. turns into the new VISTA!
    medbiller@...
  • So how does

    So how does an independent developer that DOES NOT want to give Microsoft a slice of the sale via their store get his / her app installed on customers' machines?

    Seems to me that under the guise of "security" both Apple and Microsoft are determined to either control all developers, or push them out of the picture.
    NoAxToGrind
    • Simple

      You don't. They developed their system, invested a lot into putting it into its place, are maintaining it and are selling it. If you don't want to play that game, it is up to you.
      Andrej.G.