Windows Phone 8 SDK: Enterprise Application Deployment

This is a step-by-step guide to preparing your organisation so that you can sign and deploy enterprise applications.

Certificate Acquisition

Get your Publisher ID/Symantec Id and Approver Email Address

First up you’re going to need your Publisher ID (also referred to as Symantec Id) and Approver Email Address.

These can both be retrieved from your Dev Center account (it must be a Company account type).


– Type (Blue box): This has to be Company

– Symantec Id (Green box): This is your publisher Id or Symantec Id (as distinct from your Publisher GUID)

– Email (Purple box): This is not necessarily your approver email address

Click Edit (under Contact info) and scroll to bottom of page


– Email address (Blue box): This is the approver email address

Request Certificate

Navigate to

Enter Publisher ID and Approver Email Address


Complete Billing information



Agree to terms


Confirmation of order completion


Approve your Certificate Request

You’ll need to monitor the approver email address for “Enterprise Code Signing Certificate Order Approval”. If this is someone else in the organisation you must warn them – if they receive this and accidentally click the “I Do Not Approve” option it will result in significant delays.

Click appropriate link to website to review and approve/reject order


Click “I Approve” button


Confirmation of approval


Retrieve your Certificate

You should receive a confirmation email that the order has been approved.


Follow the link to retrieve the certificate. This should be done on the same computer and in the same browser in which the initial request was made.


Click Continue to retrieve the certificate

Review the certificates for the browser. For example, in Firefox this is under Options > Advanced > View Certificates


Click Backup and save the certificate (e.g. companyappcert.p12 or companyappcert.pfx) complete with its private key (you need to set a password).

Open the Certificate Manager management console (Start > Run > Certmgr.msc) and confirm that the certificate exists and that the full Certification Path exists. A common error is that only the leaf node is exported. Make sure you have the full path as illustrated in the screenshot below.
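The same check can be scripted against the backup file itself. The PowerShell below is an added example, not part of the original guide or the SDK tools; it assumes the backup is named companyappcert.pfx as above, and it matches issuers to subjects by name only.

```powershell
# Added example (not from the SDK): check that an exported .pfx/.p12 holds the
# private key and every certificate up to a self-signed root.
param([string]$PfxPath = '.\companyappcert.pfx')   # file name as used in this guide

# Prompt for the password so it does not end up in command history.
$secure = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$certs.Import((Resolve-Path $PfxPath).Path, $plain, $flags)

# The signing (leaf) certificate is the one exported with its private key.
$leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw "No private key in $PfxPath; re-export with the key included." }

# Walk issuer -> subject using only certificates inside the file.
# Matching is by distinguished name, which is a heuristic, not a signature check.
$path = @($leaf)
$current = $leaf
while ($current.Subject -ne $current.Issuer -and $path.Count -lt 10) {
    $issuer = $certs | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
    if (-not $issuer) { break }
    $path += $issuer
    $current = $issuer
}

# List the path found in the file, leaf first.
$path | ForEach-Object {
    '{0}  SHA1={1}  expires {2:yyyy-MM-dd}' -f $_.Subject, $_.Thumbprint, $_.NotAfter
}

if ($current.Subject -eq $current.Issuer) {
    "Full certification path present ($($path.Count) certificates)."
} else {
    Write-Warning "Path stops at '$($current.Subject)'; issuer '$($current.Issuer)' is not in the file."
}
if ($leaf.NotAfter -lt (Get-Date)) { Write-Warning 'The signing certificate has expired.' }
```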


Signing and Deploying Applications

Create Application

Create your application as normal. When you want to deploy your application, take a copy of the XAP file, which can be found in the Bin\Release folder of your application.

Sign Application

Open “Developer Command Prompt for VS2012”.

Warning: Make sure you open the correct command prompt as not all of them have the same environment parameters set. This may prevent some of the tools running correctly.

Run the XapSignTool supplying the name of the XAP file as a parameter:

"C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool\XapSignTool.exe" sign /v c:\temp\Provisioning\SimpleCompanyApp.xap


/v indicates verbose output. This will be necessary if you have multiple certificates that could be used for signing (which is more than likely).

The next step can be skipped if signing completed correctly. If multiple certificates are found, you'll need to identify which one you want to use (hence the /v option, so that it lists them).


Locate the Symantec Enterprise Mobile CA for Microsoft and copy the SHA1 Hash value (right-click command window and select Mark, select SHA1 value and press Enter to copy value).

Now run XapSignTool again with the SHA1 hash value specified:

"C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool\XapSignTool.exe" sign /v /sha1 XXXX……hash value……….XXXX c:\temp\Provisioning\SimpleCompanyApp.xap


If the tool runs successfully, the original XAP will be replaced by the signed XAP. This file can be hosted on a server for downloading directly to the device. It should be protected by credentials and available only over SSL. Whilst it is signed, it is not encrypted, so it can be decompiled.

Warning: The permissions on the file may be changed as part of this process. You may need to reset permissions on the file in order for it to be able to be downloaded to the device.

Generate Application Enrolment Token

From the command prompt run AetGenerator (the first parameter is the backed up certificate; the second parameter is the corresponding password).

"C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\AETGenerator\AetGenerator.exe" companyappcert.p12 mypassword


Deployment of Application Enrolment Token

This can be emailed to the device as an attachment.


Click on attachment to download. Once downloaded, click on attachment again to open.


Deployment of Signed Application

Open the URL of the hosted XAP file in Internet Explorer


When prompted, confirm installation by clicking Install. The application will then install silently (unlike the Store, which takes the user to where the application is installed in the applications list).

