Sign line-of-business apps so they can be deployed to Windows devices with Intune
As an Intune administrator, you can deploy line-of-business (LOB) Universal apps to Windows 8.1 Desktop or Windows 10/11 Desktop & Mobile devices, including the Company Portal app. To deploy .appx apps to Windows 8.1 Desktop or Windows 10/11 Desktop & Mobile devices you can use code-signing certificate from a public certification authority already trusted by your Windows devices, or you can use your own certificate authority. This process is called sideloading. Sideloading is installing, and then running or testing an app that isn't certified by the Microsoft Store. For example, an app that is internal to your company only.
Note
Microsoft Intune will be ending support on October 21, 2022 for devices running Windows 8.1. Intune will no longer support Windows 8.1 sideloading.
Windows 8.1 Desktop requires either an enterprise policy to enable sideloading or the use of Sideloading Keys (automatically enabled for domain-joined devices). For more information, see Windows 8 sideloading.
Windows 10/11 sideloading
In Windows 10/11, sideloading is different than in earlier versions of Windows:
You can unlock a device for sideloading using an enterprise policy. Intune provides a device config policy called "Trusted app installation". Setting this to allow is all that is needed for devices that already trust the certificate used to sign the appx app.
Symantec Phone certificates and Sideloading License keys aren't required. However if an on-premises certificate authority isn't available then you may need to obtain a code signing certificate from a public certification authority. For more information, see Introduction to Code Signing.
Code sign your app
The first step is to code sign your appx package. For details, see Sign app package using SignTool.
Upload your app
Next, you must upload the signed appx file. For details, see Add a Windows line-of-business app to Microsoft Intune.
If you deploy the app as required to users or devices then you don't need the Intune Company Portal app. However if you deploy the app as available to users, then they can either use the Company Portal app from the Public Microsoft Store, use the Company Portal app from the Private Microsoft Store for Business, or you'll need to sign and manually deploy the Intune Company Portal app.
Upload the code-signing certificate
If your Windows 10/11 device doesn't already trust the certificate authority, then after you've signed your appx package and uploaded it to the Intune service, you need to upload the code signing certificate to Intune using the following steps:
- Sign in to the Microsoft Intune admin center.
- Click Tenant administration > Connectors and tokens > Windows enterprise certificates.
- Select a file under Code-signing certificate file.
- Select your .cer file and click Open.
- Click Upload to add your certificate file to Intune.
Now any Windows 10/11 Desktop & Mobile device with an appx deployment by the Intune service will automatically download the corresponding enterprise certificate and the application will be allowed to launch after installation.
Intune only deploys the latest .cer file that was uploaded. If you have multiple appx files created by different developers that aren't associated with your organization, then you'll need to either have them provide unsigned appx files for signing with your certificate, or provide them with the code signing certificate used by your organization.
How to renew the Symantec enterprise code-signing certificate
The certificate used to deploy Windows Phone 8.1 mobile apps was discontinued on February 28 2019 and is no longer available for renewal from Symantec. Also, Intune has ended support for Windows 10 mobile as of August 10, 2020.
How to install the updated certificate for line-of-business (LOB) apps
Windows Phone 8.1
The Intune service can no longer deploy LOB apps for this platform once the existing Symantec Mobile Enterprise code-signing certificate expires.
Windows 8.1 Desktop/Windows 10 Desktop & Mobile
If the cert period has expired, then the appx files may stop launching. You should obtain a new .cer file and follow the instructions to code-sign each deployed appx file and reupload all appx files and the updated .cer file to the Windows Enterprise Certificates section of the Intune in the Microsoft Intune admin center.
Manually deploy Windows 10 Company Portal app
If you don't want to provide access to the Microsoft Store, you can manually deploy the Windows 10 Company Portal app directly from Intune even if you haven't integrated Intune with the Microsoft Store for Business (MSFB). Alternatively, if you've integrated, then you could deploy the Company Portal app using deploy apps using MSFB.
Note
This option will require deploying manual updates each time an app update is released.
Sign in to your account in the Microsoft Store for Business and acquire the offline license version of the Company Portal app.
Once the app has been acquired, select the app in the Inventory page.
Select Windows 10 all devices as the Platform, then the appropriate Architecture and download. An app license file isn't needed for this app.
Download all the packages under "Required Frameworks". This must be done for x86, x64, ARM, and ARM64 architectures – resulting in a total of 9 packages as shown below.
Before uploading the Company Portal app to Intune, create a folder (for example, C:\Company Portal) with the packages structured in the following way:
- Place the Company Portal package into C:\Company Portal. Create a Dependencies subfolder in this location as well.
- Place the nine dependencies packages in the Dependencies folder.
If the dependencies aren't placed in this format, Intune won't be able to recognize and upload them during the package upload, causing the upload to fail with the following error.
- Place the Company Portal package into C:\Company Portal. Create a Dependencies subfolder in this location as well.
Return to Intune, then upload the Company Portal app as a new app. Deploy it as a required app to the desired set of target users.
See Deploying an appxbundle with dependencies via Microsoft Intune MDM for more information about how Intune handles dependencies for Universal apps.
How do I update the Company Portal on my users' devices if they've already installed the older apps from the store?
If your users have already installed the Windows 8.1 Company Portal apps from the Store, then they should be automatically updated to the new version with no action required from you or your user. If the update doesn't happen, ask your users to check that they have enabled autoupdates for Store apps on their devices.
How do I upgrade my sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
Our recommended migration path is to delete the deployment for the Windows 8.1 Company Portal app by setting the deployment action to "Uninstall". Once this is done, the Windows 10 Company Portal app can be deployed using any of the above options.
If you need to sideload the app and deployed the Windows 8.1 Company Portal without signing it with the Symantec Certificate, follow the steps in the Deploy directly via Intune section above to complete the upgrade.
If you need to sideload the app and you signed and deployed the Windows 8.1 Company Portal with the Symantec code-signing certificate, follow the steps in the section below.
How do I upgrade my signed and sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
Our recommended migration path is to delete the existing deployment for the Windows 8.1 Company Portal app by setting the deployment action to "Uninstall". Once this is done, the Windows 10 Company Portal app can be deployed normally.
Otherwise, the Windows 10 Company Portal app needs to be appropriately updated and signed to ensure that the upgrade path is respected.
If the Windows 10 Company Portal app is signed and deployed in this way, you'll need to repeat this process for each new app update when it's available in the store. The app won't automatically update when the store is updated.
Here's how you sign and deploy the app in this way:
- Download the Microsoft Intune Signing Script for Windows 10 Company Portal. This script requires the Windows SDK for Windows 10 to be installed on the host computer. To download the Windows SDK, see Windows SDK for Windows 11.
- Download the Windows 10 Company Portal app from the Microsoft Store for Business, as detailed above.
- Run the script with the input parameters detailed in the script header to sign the Windows 10 Company Portal app (extracted below). Dependencies don't need to be passed into the script. These are only required when the app is being uploaded to the Microsoft Intune admin center.
| Parameter | Description |
|---|---|
| InputWin10AppxBundle | The path to where the source appxbundle file is located. |
| OutputWin10AppxBundle | The output path for the signed appxbundle file. |
| Win81Appx | The path to where the Windows 8.1 Company Portal (.APPX) file is located. |
| PfxFilePath | The path to Symantec Enterprise Mobile Code Signing Certificate (.PFX) file. |
| PfxPassword | The password of the Symantec Enterprise Mobile Code Signing Certificate. |
| PublisherId | The Publisher ID of the enterprise. If absent, the 'Subject' field of the Symantec Enterprise Mobile Code Signing Certificate is used. |
| SdkPath | The path to the root folder of the Windows SDK for Windows 10. This argument is optional and defaults to ${env:ProgramFiles(x86)}\Windows Kits\10 |
The script will output the signed version of the Windows 10 Company Portal app when it has finished running. You can then deploy the signed version of the app as an LOB app via Intune, which will upgrade the currently deployed versions to this new app.
Feedback
Submit and view feedback for