Apps for the new Office and SharePoint IT admin guide

Editor’s note: Brian Jones and Cyrielle Simeone rejoin Office Next for a final post on the apps and extensibility in the new Office. You can learn more by visiting the Apps for SharePoint and Office blog.

On Monday, we covered the new set of scenarios and user experiences that apps will offer to users in the new Office and SharePoint. If you haven’t watched it already, I recommend you do so by checking out the Medal Tracker video that showcase apps for Office in action. On Wednesday, we talked about the new and enhanced developer experience we are enabling in this release to move the platform to the cloud, and make it more open and accessible.

Today we want to talk to you about deployment, management and security of apps for Office and SharePoint for enterprises.


A little bit of a background

If you are in IT, or just help out around the office with managing machines and accounts, you know how difficult it is to get a handle on what apps folks are using. The problem scenarios often go like this… there is someone in the finance group who builds a spreadsheet and writes a few macros to help that spreadsheet bind to some backend data. The set of macros continues to grow, and that spreadsheet becomes a full blown app. More folks in the org are using the app including the VP of finance. No-one in IT is aware of this app, and as a result, there isn’t anyone on point to help support it and make sure it keeps running. One day someone is cleaning up the databases and gets rid of a few sprocs they didn’t think anyone was using. Turns out the spreadsheet used one of those sprocs and so it breaks. The VP of finance makes an urgent call to IT saying their app is broken, and IT now needs to get a copy of the spreadsheet, debug it, and eventually discover why it’s no longer working.

As a result of challenges like this, we often see IT set a significant amount of their discretionary spend aside to help them deal with these surprises that pop up. In the new Office, we’ve done a lot of work to help give IT much more visibility into what people are using within Office and SharePoint so that they can be better prepared going forward.


A new deployment model

Apps for Office and SharePoint come with two main components: a web app and a manifest file. The manifest file is what is used to “deploy“ the apps, they’re managed through the Office Store, or for internal apps the app catalog. Users then hit the Office Store and App Catalog when they look for an app, and the manifest file is returned. The manifest points to the actual web app, which can run on the developer’s favorite hosting service (Azure, IIS, LAMP, etc…).


For SharePoint apps we even provide an option for developers who don’t want to host the web app on their own servers. They can package the web app files with the manifest and submit the full package into the Office Store. When the app is installed we will automatically deploy the server code directly into Windows Azure.


The store is optimized for organizations

The Office store has been optimized to make it easier for organizations to purchase, consume and manage apps. There are four key reasons why an organization will love the Office Store:

Discovery: The Office and SharePoint stores represent a great opportunity for business users looking for apps solving daily tasks or frequent business processes shared among organizations. Looking for an efficient way to manage expense reports, assets, or event planning? Check out the store before you start building something or calling IT.

Acquisition: Once acquired by a user, all apps are linked to his Microsoft account. As soon as the user logins to Office with their Microsoft account all their apps are ready and available for use. Think of how much time can be saved setting up a user’s machine after a PC refresh or an upgrade. With the Office Store licensing model, apps don’t just follow the machine, they follow the user and hence are available instantly no matter what device a user decides to use.

Deployment: Apps aren’t installed in the regular sense. Instead of embedding the app code into the document or into SharePoint, the app is deployed as a pointer (a URL) to the web server hosting the app. This could be in the cloud, or a server in your datacenter. This model introduces a new decoupled way of managing app lifecycle and Office/SharePoint upgrade cycles independently of each other.

Control: With SharePoint, administrators can see and manage all the apps for SharePoint purchased by the users in their organization. Administrators can also configure Store access so that users can browse for apps and submit a purchase request to their IT department. The admin can then approve (and purchase) or reject the request based on the business need. Once an app is purchased by an IT admin, the admin can then decide which users within the organization would have access to the app subject to the number of seats covered by the purchase. When an admin assigns an app to a user the user can use the app directly within their SharePoint sites without any additional hurdles. Should and organization decide they want complete control over the apps users can install they can switch off the public store (through group policy for Office) and only provide access to approved apps (both in-house and 3rd party).

Security: In addition to testing all apps that are listed on the Office Store, we also have flexible reactive systems in place that allow us to shut down an app if it is identified to be malicious. Shutting down an app removes the listing from the Office Store and deactivates the app within Office and SharePoint next time it’s run. This ongoing reactive process helps ensure users are protected from rogue apps.


Managing the App Catalog

The app catalog is how you make apps available to the users in your org. In the simplest sense, it’s a SharePoint library that contains all of the apps you have for your org. The Office clients all point to this library, so if you want to give your users access to a new app for Office, just add the manifest file it to the library, and the app will automatically show up for everyone right from Office. The same is true for apps for SharePoint, just add the app package to library and it will start showing up for everyone. Since the app catalog is a SharePoint library you can easily manage who gets access to what app, and quickly make updates when needed. Apps for Outlook require Exchange Server 2013 and use Exchange as a catalog to upload manifest files.



Learn more about how to deploy and manage apps for Office and SharePoint in the following articles:

The diagram below summarize the different channels for developers and ISVs to reach Office users.



Security and isolation

We have baked security and isolation into the heart of the new cloud app model.

Apps for Office no longer run in the same process as your document, this app isolation is an important change because it helps protect your experience with Office from misbehaving apps. No more frustration from slow or locked up documents while an extension runs.



The figure above depicts an Excel workbook with three apps, these are running across the red dotted line in a separate process (there is one of these app runtime processes per document) and they do not have direct access to the data in the host process or even the same integrity level, making them safer to run than previous extensibility models.

From the security perspective there are three major controls:

  1. The Office file format is clean – we never store the app inside the document, instead we store a pointer to the catalog that holds the app definition, or manifest file. So apps cannot sneak in across firewalls and any nuisance apps can be turned off quickly without having to purge them from existing documents.
    Our new app marketplace provides the ability for our customers to feedback on apps. We’ll be looking at all feedback and using it to work with developers to constantly improve the quality.
  2. The Administrator is in control – both of the app capability itself and of any external catalogs. By default the Office Store is enabled, and we take a lot of care to ensure the apps from the Office Store come from verified developers and add value to our customers.
  3. The User has the final say – if the user opens a document that contains an app that they haven’t seen before then we will prompt before we start it – and we always prompt for all apps if we recognize the document as coming from an external source. And remember, an app can’t just insert itself into a document, it always has to be added by someone with edit permissions.

We’ve done a lot of other things under the covers to keep the user as safe as (or safer than) browsing to web sites, an upcoming whitepaper will explain this work in a lot more detail.

Apps for Office are integrated into the new monitoring tools described in the next section, so you can quickly see which apps your users are using in which documents and if these apps are having problems.

Learn more about security with apps for Office and SharePoint by reading the following articles:

Monitoring and managing apps lifecycle

Apps for Office and SharePoint usage can also be monitored by administrators.

Office Telemetry is a new feature that gives IT Pros visibility into what apps, documents, and add-ins are actually used and how well they perform in Office 2013. By giving customers the option of logging how Office is being used, it can answer questions like:

  • What documents are used by the most people?
  • What documents host apps?
  • What are the most popular apps? Are they running properly and not, for example, consuming too much CPU time?
  • Are solutions loading from the local disk? SharePoint? As mail attachments?
  • How long do add-ins slow down the loading of Office apps and how can I manage solutions centrally?




It works by having each PC save logs to a network folder. From there the Telemetry Processor aggregates the logs into a SQL Server or SQL Server Express database where it can then be reported on it in Excel. Look for the Telemetry Dashboard under the Microsoft Office Tools folder in the Start menu after installing the Office 2013 Customer Preview.  An agent is also included to report on document and add-in usage in Office 2003, 2007 or 2010. Developers can also use Office Telemetry to see the order that solutions are loaded and any flagged issues. Just start the Telemetry Log, also under the Microsoft Office Tools folder. Learn more about the Office Telemetry tool in Makoto Yamagishi’s article: Introducing Office Telemetry in the new Office on the Office IT Pro Blog.

Administrators can track the usage of apps for SharePoint by using the app monitoring features built into SharePoint. App monitoring tracks information like:

  • How many times was an app launched and by how many unique users?
  • How many times has an app been installed or uninstalled?
  • Are users hitting install, runtime, or upgrade errors?

App monitoring works for apps in the app catalog or acquired from the Store.


Call to Action!

We’ve told you about the advantages of the new cloud app model and we know that you’ll be excited about the new scenarios that Office.Next opens up, as well as the opportunity to reduce your existing applications total cost of ownership, so where to start?

  • Provision a free Office 365 Developer Site, this will only take a moment and we’ve made the process as painless as we can, you can then download the Office client preview from your new site (or get it from here)
  • Use the Office clients to evaluate the Office Store, does this make sense for your organization? It’s open in preview mode right now and has a host of free applications that span the Office client applications, so take a look and decide if you want to enable these for your enterprise.
  • Work with your developers to evaluate the new cloud app model for Office and SharePoint, if you have home-grown applications built already that might be ported to the new model, or you are starting a new project then investigating the new model will pay dividends.
  • And even if you aren’t in a position to do a full investigation we recommend taking a look at the Office Telemetry tools, these open up what is happening on your user’s desktops like never before and will help you deliver a better service to your enterprise, and remember, these tools work all the way back to Office 2003.



As you can see, it’s now easier to understand and monitor what is used within your organization! In addition of the new monitoring capabilities, this new deployment model will give both developers and IT Pros much more flexibility that before.

By now, we hope you have a pretty good understanding of the new cloud app model and its benefits for end users, developer and IT administrators. We will continue the conversation on our dedicated developer blog, don’t hesitate to let us know what you would like us to cover.

Thanks for reading us!