As many enterprises near the end of their migrations to Windows 10, IT pros are turning their attention to optimizing the Windows 10 platform. One of the Windows 10 features that organizations can leverage is the Windows 10 user experience, including the Microsoft Store: applications downloaded from the store install quickly and update automatically from the cloud. This article walks through deploying a common title, the “Slack” collaboration software from Slack Technologies, Inc., using the Microsoft Store, Microsoft Store for Business (MSfB), and the MSfB connector to Microsoft System Center Configuration Manager (SCCM).
BYOD and the Microsoft Stores for Business and for Education
The Microsoft Store can help organizations that incorporate the Bring Your Own Device (BYOD) practice. For example, employees or students supply their own laptop or other computer, and each user installs the same applications to get their work or studies accomplished. Legacy methods of getting this done include distributing a list of web links (URLs) for software downloads to users along with installation instructions. This is an expensive and error-prone way to help a user BYOD.
Figure 1 contrasts the old way and the new way: the download page from slack.com on the left, with the Windows 10 button linking to the Microsoft Store on the right.
Figure 1 – Apps for Windows 10 can install directly from the Microsoft Windows Store (on right), bypassing the need to visit multiple vendor web sites.
Rather than direct users to vendor software download sites, Windows 10 organizations can direct users to the Microsoft Store where all needed applications are easy to find and in one place. The default public Microsoft Store is an end-user facing experience, that is, it serves individual consumers. Your users can access software titles like Slack directly from the public-facing Microsoft Store by searching for them in the marketplace.
Azure Active Directory (Azure AD) for your organization is a prerequisite
For a business or education organization, Microsoft makes available tailored versions of the Microsoft Store called Microsoft Store for Business or Microsoft Store for Education. These features are a free service to Microsoft business and education customers that use Azure Active Directory (AD). You can use Microsoft Store for Business to find, acquire, distribute, and manage apps for your organization.
Before you sign up for Microsoft Store for Business or Microsoft Store for Education, you’ll need an Azure Active Directory (AD) or Office 365 account for your organization, and you’ll need to be the global administrator for your organization.
Online vs. Offline App Licenses
When you click Shop for my group while logged into the store, then browse for and locate an app you want your users to install, you will find a button Get the app as seen in Figure 2 below. Pressing the button will have different behavior based on the type of license(s) the app is available for.
Figure 2 – Adding an app in the Microsoft Store to your organization’s inventory.
- If the app is only available with an Online License, the app is immediately added to your applications inventory. An online app is one installed directly from the Microsoft Store UI, without using any organizational infrastructure to install and update. (These online apps can be added to the private store, but cannot be downloaded separately or to System Center Configuration Manager (SCCM).)
- If the app is also available with an Offline License, you can toggle the selection from Online to Offline. Pressing the Get the app button again then adds the app to your applications inventory in the offline license mode. (These offline apps cannot be added to the private store, but can be downloaded separately or to SCCM.)
Figure 3 below shows your app inventory (Manage -> Products & services -> Apps & software), which can consist of online and offline licenses:
Figure 3 – Managing the app inventory for the “CloudLab” organization in the Microsoft Store for Business.
Notice that if a vendor makes both online and offline licenses available, both can co-exist in your inventory. The online apps will be for your BYOD computers that access the store over the Internet. The offline apps will be those your organization downloads for manual install or for automatic installation by SCCM, which does not require that your domain computers have direct Internet access to the store.
BYOD Model: Activate and leverage your organization’s private store
Consider making it easier for your users to locate just the right apps by creating and using the private store feature of the Microsoft Store. If your users are going to be able to connect their computers or BYOD devices to the Microsoft Store over the Internet, this is the right option.
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. Your private store is available as a tab in Microsoft Store portal (“CloudLab” in Figure 3), and is usually named for your company or organization. Only apps in your inventory with online licenses can be added to the private store.
You can further restrict users from seeing apps in the Microsoft Store other than the apps in your private store by using MDM policy or an AD domain Group Policy Object (GPO). Figure 4 shows how clear this makes things for your users when they go to the store. Just the apps (and only the apps) they need for your business or school are listed, and the user just needs to click on them one at a time for quick installation.
Figure 4 – User view of the store portal can be restricted only to the private store via MDM policy or AD domain GPO.
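To confirm that the private-store restriction actually reached a device, the policy value can be read back from the registry. The script below is an added example, not part of the original article; it assumes the restriction is delivered by GPO, which writes the RequirePrivateStoreOnly value under the WindowsStore policy key, and the function name Get-PrivateStorePolicy is hypothetical. MDM-delivered policy is not covered by this check.

```powershell
# Added example: audit whether the "private store only" restriction is in effect.
# Assumption: the setting was delivered by GPO, which stores RequirePrivateStoreOnly
# (DWORD, 1 = enabled) under the WindowsStore policy key in machine or user scope.
function Get-PrivateStorePolicy {
    [CmdletBinding()]
    param(
        # Policy keys to inspect: computer scope first, then current-user scope.
        [string[]]$PolicyKey = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore',
            'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore'
        )
    )

    foreach ($key in $PolicyKey) {
        $value = $null
        if (Test-Path -Path $key) {
            # A missing value is treated the same as "not configured".
            $item  = Get-ItemProperty -Path $key -Name 'RequirePrivateStoreOnly' -ErrorAction SilentlyContinue
            $value = $item.RequirePrivateStoreOnly
        }

        [pscustomobject]@{
            Computer                = $env:COMPUTERNAME
            PolicyKey               = $key
            RequirePrivateStoreOnly = $value
            Enforced                = ($value -eq 1)
        }
    }
}

$results = @(Get-PrivateStorePolicy)
$results | Format-Table -AutoSize

# Flag devices where neither scope enforces the restriction, so users on them
# can still browse the full public catalog.
if (-not ($results.Enforced -contains $true)) {
    Write-Warning "$env:COMPUTERNAME: private-store-only policy is not enforced by GPO."
}
```

Run it on a sample of domain-joined Windows 10 clients after a Group Policy refresh; a device that reports no enforced scope has not received the GPO.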
Use security groups with Private store apps
On the details page for apps in your private store, you can set Private store availability. This allows you to choose which Azure AD user security groups can see an app in the private store.
Locked-down Enterprise Model: Connect System Center Configuration Manager (SCCM) to the Microsoft Store for offline app deployment
Being able to point a user to the Microsoft Store, have them log in with their Office 365 identity (integrated with Azure AD) and quickly get the right apps for their device to do work or study is a sweet deal for the BYOD and smaller enterprise. But lots of high-security and larger enterprises don’t allow direct connections from their domain Windows 10 computers to the Microsoft Store, and sometimes there is no connection to the Internet at all.
For these customers Microsoft makes available a Microsoft Store for Business to SCCM Connector that serves as an intermediary between your domain computers and the Internet-based Microsoft Store. Broadly there are three steps in getting this running:
This involves creating an App registration in your Azure AD to be used by SCCM in lieu of a regular Azure AD user account to log into the Microsoft Store and download apps on your behalf. You give this Azure AD App registration permission to manage your Microsoft store. Figure 5 shows the Azure AD app used by SCCM.
Figure 5 – Azure AD App registration used by SCCM.
Figure 6 shows Azure Services configured in the SCCM console. You make SCCM aware of the Client Secret you created in the Azure AD app as a means of authentication. The Client ID of the Azure AD app and the Tenant ID of your Azure AD directory are the other key identifiers.
Figure 6 – Configure Azure Services in SCCM to use the Azure AD App registration when synchronizing with the Microsoft Store.
STEP 2 – Setup synchronization of the list of Microsoft Store for Business apps acquired by your organization
Configure the suite of offline apps you want to deploy in the Microsoft Store portal. Then perform a Sync from Microsoft Store for Business with the Azure service. After a successful sync, in the Software Library area of the SCCM console, the License Information for Store Apps branch will populate with data from the Microsoft Store. Figure 7 shows an offline license for Slack has been acquired and synchronized.
Figure 7 – After synchronizing with the Microsoft Store, your organization’s app inventory is ready to work with.
Notice in Figure 7 (above) that by right-clicking on an app with an offline license type, you reveal a Create Application button. Clicking that starts a Create Application Wizard that creates an SCCM application from the licensed store app you selected. Figure 8 below exposes details on where and how the app’s Windows 10 setup files are downloaded.
Figure 8 – Importing an application from the Microsoft Store into the SCCM server’s file system.
At this point, you will be ready to deploy your downloaded app to SCCM client computers like any conventional software application. Figure 9 shows Slack ready to distribute to Distribution Points (DPs) then deploy to SCCM client computer collections. The client Windows 10 computers do not need Internet connection or permission to connect to the Microsoft Store.
Figure 9 – Windows 10 app downloaded from Microsoft Store for Business ready to deploy to internal computers.
Tip: The Microsoft Store for Business integration with SCCM can also be used to remove built-in apps from Windows 10. Microsoft MVP Martin Bengtsson shows you how.
In sum, the Microsoft Store is a great resource for the Windows 10 platform. From small to medium to large enterprise, no matter how many Windows 10 computers you manage, the Microsoft Store for Business or Education should be your friend.