Internal apps that are developed at Microsoft undergo a certification process that is based on corporate security, privacy, quality, and governance standards. To better support mobile app development, Microsoft IT looked at ways to integrate the tools that our app developers use and how the Enterprise Mobility Management ecosystem is evolving. We designed and built a new Enterprise Mobile App Publishing (EMAP) solution using Microsoft Azure services and Azure Logic Apps to transform our application certification and publishing processes. EMAP enables our digital transformation by helping us:
- Manage our resources better. EMAP supports cross-platform app releases, and automation is saving time and reducing manual process costs.
- Meet faster release requirements. EMAP has helped reduce our 10-business-day app publishing SLA (service level agreement) to 90 minutes. We can keep pace with the Agile app development processes that are used across Microsoft.
- Be future ready. The work we have done with EMAP is part of a larger roadmap that includes the release of Visual Studio Mobile Center with better integration of platform-specific app stores, mobile device management capabilities, and improved analytics. All of this opens the possibility of using EMAP for certifying and publishing consumer apps.
Now we have automated workflows that we created with Azure Logic Apps, and we are better able to integrate our app certification and publishing process with the tools that developers at Microsoft use to build and test their apps. These tools include Visual Studio Team Services and HockeyApp, a platform that provides beta app distribution, crash reporting, user metrics, feedback, and powerful workflow integrations.
Before EMAP, our publishing SLA was longer than many of the development cycles. We needed to meet a faster app release cadence and support cross-platform app releases better. Our original process accommodated all types of application development, and we had many manual processes. Now, app development teams across the company have adopted Agile methodologies, and development cycles are shorter.
Before EMAP, we used an application publishing process that centered around a developer portal called IT Dev Center. The IT Dev Center was created using Microsoft Azure Cloud Services and SharePoint Online to manage the app certification and publishing process for SharePoint and mobile apps. It used a series of steps and checklists to guide developers through certifying and publishing internal apps. The IT Dev Center portal contained development guidance, links to development resources, and a long checklist of manual steps to help developers meet security, privacy, compliance, and standardization guidelines. This solution was hitting its scalability limits.
Moving to Azure and optimizing our process
Before we built EMAP, we looked at what we were offering in the IT Dev Center. The IT Dev Center was built to be an all-in-one developer portal. It was content heavy because it offered comprehensive guidance for app design and development. The checklists and workflows were long and cumbersome.
We decided that it would be better to direct developers to other resources, such as an internal mobile development site and the developer center, and use EMAP only for certification and publishing. The EMAP portal focuses on certification and publishing tasks and the process is simpler. Replacing manual processes with automated workflows and integrating app development tools has helped our certification and publishing processes become as agile as the teams that depend on them.
We designed EMAP to align with current development tools. Figure 1 shows a high-level view of EMAP architecture.
EMAP feature overview
For pre-release publishing, EMAP integrates with Visual Studio Team Services and HockeyApp, which app developers at Microsoft use for Agile development, continuous deployment, and their beta test tools. EMAP offers the ability to promote or publish apps directly from HockeyApp into the pre-publication certification workflow. We also included a better mechanism for security and privacy compliance checking.
We replaced the manual certification process of iOS, Android, and Windows apps with automated workflows for security, privacy, malware scanning, and code signing. EMAP offers end-to-end mobile application life cycle management, and we can now publish production-ready apps from HockeyApp to the Company Portal within 90 minutes—a significant improvement over the 10-business-day app publishing SLA we had before EMAP.
Integration with HockeyApp
We made some minor changes to HockeyApp before we began using it to publish to our Company Portal. The Company Portal is an enterprise store catalog for System Center Configuration Manager and Microsoft Intune, which makes internal apps available for employees to download. We added a custom “Publish to Company Portal” button to the HockeyApp UI that routes to the app certification checklist. EMAP uses the checklist to confirm app certification before publishing. The completed checklist includes the application name, version number, description, target distribution groups, and search keywords. The checklist also collects the unique ID number that application owners receive after the security review of their app, and the contact information for the employee that performed the privacy review. To reduce duplication and manual data input errors, all the app data from HockeyApp flows right into EMAP.
When a developer completes and submits the app certification checklist, app certification begins. The app certification process is built on Azure Logic Apps, which provides out-of-the-box connectors and a visual interface that helped us easily create automated workflows.
Code signing and malware scanning
During the certification and publishing process, EMAP code signs and runs a malware scan on Windows and Android apps as part of the Azure Logic Apps workflow. The malware scan and code signing services are hosted by the Product Release and Security Services team at Microsoft.
Security and privacy review
For privacy and security certification, the Azure Logic Apps automated workflow checks the validity of the unique security ID that is issued after an app passes its Microsoft internal security review. The process requires the email alias of the person that performed the privacy review.
Other checks are performed to ensure that the app package meets distribution criteria before it is submitted to Microsoft Intune. The certification process includes other Azure Logic Apps-automated workflows to verify that the version number is greater than the last published version and that there is an application description.
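The checks described in the two paragraphs above can be sketched as a single pre-publish gate. This is an added example, not EMAP's own code or a Logic Apps definition. The `Checklist` fields, the `SEC-0001` ID, the alias pattern, and the rule that a security ID is tied to one app are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the internal security-review system: IDs issued
# to apps that passed review. The real ID format is not given on the page.
ISSUED_SECURITY_IDS = {"SEC-0001": "contoso.expenses"}


@dataclass
class Checklist:
    app_id: str
    version: str
    description: str
    security_review_id: str
    privacy_reviewer_alias: str


def parse_version(text):
    """Turn '1.10.0' into a comparable tuple; reject non-numeric versions."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"malformed version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat '1.0' and '1.0.0' as equal
        parts.pop()
    return tuple(parts)


def certify(checklist, last_published_version):
    """Return a list of failure reasons; an empty list means the gate passes."""
    failures = []
    # Assumption: an ID is only valid for the app it was issued to, so an ID
    # from one app's review cannot be reused to publish a different app.
    if ISSUED_SECURITY_IDS.get(checklist.security_review_id) != checklist.app_id:
        failures.append("security review ID not valid for this app")
    if not re.fullmatch(r"[a-z0-9._-]+", checklist.privacy_reviewer_alias):
        failures.append("privacy reviewer alias missing or malformed")
    if not checklist.description.strip():
        failures.append("application description is empty")
    try:
        new = parse_version(checklist.version)
        # Compare numerically: as plain strings, '1.10.0' sorts before '1.9.0'.
        if last_published_version is not None:
            if new <= parse_version(last_published_version):
                failures.append("version is not greater than last published")
    except ValueError as exc:
        failures.append(str(exc))
    return failures
```

Collecting every failure instead of stopping at the first one lets the submitter fix the whole checklist in a single pass.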
Publishing to the Company Portal
After the app is certified, EMAP sends the app package through another internal tool to the Company Portal for publishing. While we can publish directly to the Company Portal, we use a different tool because we need to accommodate other internal requirements and it helps us control capacity.
Using dashboards for reporting and managing the service
We designed the EMAP system with several personas in mind. We created separate dashboards for the portfolio owner and EMAP engineer. These dashboards are built on Azure, HockeyApp, Power BI, Microsoft Operations Management Suite (OMS), and Azure Application Insights.
Application-specific analytics are available in HockeyApp using the HockeyApp software development kit (SDK) to collect telemetry data. Platform-specific HockeyApp SDKs for iOS, Android, Windows Phone, or Mac collect analytics data for application owners, including information about application crashes and usage. App owners can integrate the HockeyApp SDK into their app to send analytics back to HockeyApp. Using the HockeyApp portal, owners can view application performance information, user information, user count, app crashes, downloads, and session data in their app dashboard. We do not require app owners to use the HockeyApp SDK to collect telemetry data, but we recommend it as it offers useful analytics to measure the health, adoption, and use of their application.
EMAP integrates with Power BI to provide service-level views and business metrics for portfolio owners. For example, the dashboard provides data about the number of applications that were published, the number of new applications versus updated applications, application certification pass and fail rate, and the time it took to publish. It also provides EMAP service-level views, including usage metrics for the different EMAP pages in the portal and whether EMAP is meeting SLAs.
Managing the service
To manage EMAP, we use an OMS dashboard that we customized to report on system-level service health. For example, the dashboard provides virtual machine performance counters, server logs, requests, custom events, and other system availability information.
Application publication is now an end-to-end automated process that uses Azure services as a scalable platform and Azure Logic Apps for automation. We have drastically reduced the number of manual steps that an app owner must take to certify and publish an app to the Company Portal, reducing effort and cost. Our current year budget for application certification and publishing has been reduced by more than 50 percent over previous years, and we expect to see even more reductions moving forward as support costs level out. We have been meeting our 90-minute publishing SLA with an almost 90 percent success rate since the release of EMAP. And Power BI makes it easy for us to monitor and report on our process efficiency.
Our move to EMAP for mobile application publishing is part of a larger roadmap. We look forward to using what we’ve learned and our new capabilities in the upcoming release of Visual Studio Mobile Center. We have a better understanding of the challenges of testing, signing, and publishing applications, and we are working with product teams to help improve future products and ease pain points that small, medium, and large organizations face in the real world.
We hope that next-generation products in the Visual Studio Mobile Center with SDK will integrate out-of-the-box, without requiring any custom code, for these platforms:
- Google Play Store
- Apple Store
- Windows Store
- Company Portal (via Microsoft Intune API)
© 2019 Microsoft Corporation. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.