App Management Using Microsoft Store for Business
In today’s Ask the Admin, I’ll look at the prerequisites for setting up Microsoft Store for Business and show you how to set up your own private store.
Curated app stores have been all the rage in the consumer space for years, popularized first by Apple and becoming commonplace thanks to the prevalence of Android. But app stores aren’t only for consumers. Windows 10 has a built-in consumer store, but Microsoft also offers a business store that can be set up to restrict the distribution of apps to your company’s users.
Microsoft Store for Business allows organizations to purchase apps and manage licenses for users. Not only can IT purchase apps published in the public Windows Store, but Microsoft Store for Business allows administrators to invite developers to publish line-of-business Universal Windows Platform (UWP) apps. They can tag them for private use so that only the company’s users can install them.
In addition to providing an easy way to license and assign apps, Microsoft Store for Business manages app updates. When an app update is submitted by a developer, Windows automatically downloads and installs the new version of the app, potentially doing away with the need for an on-premises solution, such as System Center Configuration Manager (SCCM), to distribute and manage software updates.
App Distribution Options
Microsoft Store for Business offers several ways to distribute apps. Creating a private store is one of them. Users can download all apps in the private store. Alternatively, you can assign apps directly to users without placing them in the private store. Once an app is assigned to a user, they’ll receive an email telling them that the app is available and ready to install. Apps assigned to users also appear under Work Apps in the My Library section of the Windows Store app in Windows 10.
The third option is to distribute offline apps. Offline apps are intended for users who don’t have Azure AD accounts or an Internet connection, or for organizations that use Windows image-based deployment. Apps that are licensed for offline distribution can be installed using the Deployment Image Servicing and Management (DISM) command-line tool in Windows, which is used for mounting images before they are deployed. Offline apps can also be integrated into provisioning packages created with the Windows Imaging and Configuration Designer (ICD) or distributed using a Mobile Device Management (MDM) solution like Microsoft System Center Configuration Manager (SCCM) or Microsoft Intune.
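The DISM route described above, sketched with the DISM PowerShell cmdlets as an added example that is not part of the original article. It checks the Authenticode signature of the offline package and its dependencies before provisioning them into a mounted image; every path, file name and the image index are placeholders to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example. All paths and file names below are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

$ImagePath = 'D:\images\install.wim'           # image to service
$MountDir  = 'C:\mount\offline'                # empty folder to mount into
$Package   = 'C:\lob\ContosoApp.appxbundle'    # offline-licensed app package
$License   = 'C:\lob\ContosoApp_License.xml'   # license file downloaded with the app
$Deps      = @(Get-ChildItem 'C:\lob\dependencies' -Filter *.appx |
               Select-Object -ExpandProperty FullName)

# Refuse to provision any package whose signature does not validate on this machine.
foreach ($file in @($Package) + $Deps) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${file}: $($sig.Status)"
    }
    Write-Host "OK  $file  signed by $($sig.SignerCertificate.Subject)"
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $MountDir | Out-Null

$provisioned = $false
try {
    $params = @{ Path = $MountDir; PackagePath = $Package; LicensePath = $License }
    if ($Deps.Count -gt 0) { $params.DependencyPackagePath = $Deps }
    Add-AppxProvisionedPackage @params | Out-Null

    # List what the image will now install for each new user profile.
    Get-AppxProvisionedPackage -Path $MountDir |
        Select-Object DisplayName, Version, PackageName
    $provisioned = $true
}
finally {
    # Commit only if provisioning succeeded; otherwise discard the changes.
    if ($provisioned) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
    else              { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

Recording the signer subject printed for each package gives you a baseline to compare against when the same app is re-downloaded for a later image build.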
Set Up and Prerequisites
Setting up Microsoft Store for Business is remarkably easy. The only prerequisite is that you must have an Azure Active Directory tenant and the account you use to sign into the Microsoft Store for Business should be an Azure AD Global Administrator. If you are a tenant administrator of Office 365, then you already meet these requirements. If you don’t use Office 365 or just want to experiment with Microsoft Store for Business using a separate account, you can sign up for Azure AD for free here. Office 365 admins can activate Azure AD using the instructions here.
The first step is to sign into Microsoft Store for Business using your Azure AD Global Administrator account. Microsoft Store for Business is administered via the store website, although users can install apps assigned to them using the Windows Store app. Once you have access to Microsoft Store for Business, you can purchase apps for your organization and manage licensing. Purchased apps can optionally be added to a private store, which allows your organization’s users to browse and install those apps.
To purchase an app, navigate to your chosen app in the store and click Get the app, just like in the regular Windows Store. A menu to the side of Install then gives you the Add to private store option. You may need to wait up to 24 hours before apps become available in the private store. To access your private store, click the name of your organization at the top of Microsoft Store for Business.
Select Manage at the top of the Microsoft Store for Business page in the browser and you get access to a set of tools that allow you to manage apps in the private store, licensing, billing, order history, permissions, and other settings.
Adding Line-of-Business Apps to Microsoft Store for Business
Apps in the public Windows Store can be added to your private store in Microsoft Store for Business. But what if you would like to add UWP apps developed in-house or by a third party? Microsoft refers to these apps as line-of-business (LOB) apps and they can be made available in Microsoft Store for Business. Just like the public Windows Store, developers of LOB apps must submit apps to Microsoft Store for Business before they can be distributed to users. Apps submitted to Microsoft Store for Business by developers that you invite are only available to your company.
Developers submit apps to Microsoft Store for Business using the Windows Dev Center on MSDN. Developers can sign up for the Windows Dev Center here. There is a small one-off fee for the Dev Center: $19 for individuals and $99 for companies. Microsoft Store for Business admins can invite Windows Dev Center developers to become LOB publishers for their organization. Developers then submit apps to Microsoft Store for Business and tag their apps for use by only your company.
To invite a developer to act as a line-of-business publisher for your organization, click Manage, Permissions, and then Line-of-business publishers. On this page, click Invite and type the email address of the developer you would like to invite. The address used must match what was registered by the developer in Windows Dev Center.
Developers can create new app submissions for your company once they’ve accepted your invitation. During the submission process, under Distribution and visibility, developers must check Line-of-business (LOB) distribution and select which companies can access the app. The only other requirement is that under Organizational licensing, Store-managed (online) volume licensing must be selected.
After the app is submitted by the developer, all that’s left to do is for a Microsoft Store for Business administrator to accept the app, which can be done by clicking Manage, Apps and Software, and then New LOB apps. Find the new app in the list, click the ellipsis under Action and click Add to inventory. At this point, you can choose how to distribute the app, for example, adding it to your private store.
Manage Legacy Win32 Apps
It might seem that the selection and quality of Windows Store apps are too limited to warrant using Microsoft Store for Business. But it is worth remembering that more legacy desktop apps are being made available in the store, like Slack and Evernote. Microsoft Office 2016 will also be making its way to the store soon. It’s currently available in the store to a limited group of testers. If your organization has legacy Win32 business apps that it would like to manage using Microsoft Store for Business, those apps can be packaged for distribution with Microsoft’s Desktop App Converter (Desktop Bridge).
Using Microsoft Store for Business to distribute apps is advantageous from a security and management standpoint. Users don’t need administrative privileges to install store apps and updates are handled automatically. For more technical details about Microsoft Store for Business, see Microsoft’s website here.