An IT Pro Guide to Deploying and Managing SharePoint 2013 Apps


Published on

As a SharePoint administrator managing your on-premises environment, building and managing environments to support 2013 apps is far from trivial. In this IT-Pro centric topic, we’ll bypass all of the developer ballyhoo and hone in on what matters most to you. Topics will include provisioning service applications and an app catalog; understanding and configuring OAuth and Server-to-Server (S2S) scenarios; understanding the app model’s security strengths and weaknesses; and developing governance policies to ensure you can properly manage and control these next-generation solutions.

Published in: Travel, Technology, Design
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

An IT Pro Guide to Deploying and Managing SharePoint 2013 Apps

  1. 1. An IT Pro Guide for Deploying and Managing SharePoint 2013 Apps Randy Williams @tweetraw
  2. 2. Randy Williams Director of ACSAuthor
  3. 3. Our Agenda Understanding 2013 Apps Provisioning Support for 2013 Apps Managing 2013 Apps Deploying Provider- hosted Apps
  5. 5. #espc14@tweetraw So - what exactly is an app? • Can contain some declarative SharePoint artifacts • External app can provide UI through SharePoint IFrame or full screen • External app uses CSOM or REST (OData) to call back • No custom server-side code running on SharePoint servers An application whose interface is launched from or surfaced through SharePoint but code is executed elsewhere
  6. 6. How an app runs
  7. 7. #espc14@tweetraw Host web & app web • The host web is where app is added, removed, upgraded • If app contains SharePoint artifacts, a sub-web is created underneath the host web • This sub-web is called the app web • App web is only accessible using isolated domain name – https://{AppPrefix}-{ID}.{AppDomain}/path/{AppName}
  8. 8. #espc14@tweetraw Understanding the app web url • The app prefix is defined when you configure support for SharePoint apps • The app id is an app-unique hex string automatically generated • The app domain is the DNS name you configure • The host web relative url is the portion of the url that is relative to the web application • The app name is set by the developer https://<app prefix>–<app id>.<app domain>/<host web relative url>/<app name>
  9. 9. #espc14@tweetraw App principal • A 2013 app uses a new security principal called, app principal • The developer sets the permissions the app will need • Permissions are delegated to app principal when app is provisioned If user does not have the permissions the app needs, it cannot be provisioned
  10. 10. #espc14@tweetraw App policies The developer sets the app permission policy in the app manifest <AppPermissionRequests AllowAppOnlyPolicy="true|false"> Policy type Attribute value What it means User & app policy false (default) Both the user and the app must have permissions to perform an action. App only policy true Only the app needs permissions to perform an action. You must be a site collection admin to provision apps of this type. (Think of this as an elevation of privileges)
  11. 11. #espc14@tweetraw App permission scope • Permissions are not inherited like user principals • Permissions are granted to one of four scopes – Tenancy (meaning all web apps if not using multi-tenancy) – Site collection – Web (meaning host web) – List (by default, all lists in host web) • App receives the requested permission to all objects contained in this scope
  12. 12. DEMO Reviewing app web url
  14. 14. #espc14@tweetraw Four steps to host apps on premises 1. Create an app tenancy 2. Configure app url settings 3. Configure redirection web app 4. Configure DNS
  15. 15. #espc14@tweetraw Creating an app tenancy • Create App Management Service app – Tracks app instances, licenses, app principals • Create Subscription Settings Service app – Provides app isolation • Do not use the farm account for the app pools • The account does not need to be a local admin • Start these services on the designated server(s) 1
  16. 16. Scripting the app tenancy $dbserver="sql1" $wfe="wfe1" $acct = "contosoSP.AppPool“ $subPool = New-SPServiceApplicationPool -name "SubscriptionSettingsAppPool" –account $acct $appPool = New-SPServiceApplicationPool -name "AppManagementAppPool" -account $acct $name = "App Management Service" $svc = New-SPAppManagementServiceApplication -ApplicationPool $appPool -Name $name - ` DatabaseName "AppManagement" -DatabaseServer $dbserver New-SPAppManagementServiceApplicationProxy -ServiceApplication $svc -Name "$name Proxy" $name = "Subscription Settings Service" $svc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subPool -Name $name ` -DatabaseName "SubscriptionSettings" -DatabaseServer $dbserver New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $svc Get-SPServiceInstance | where {$_.typename -in ("App Management Service", ` "Microsoft SharePoint Foundation Subscription Settings Service") -and $_.Parent -like ` "*$wfe"} | Start-SPServiceInstance
  17. 17. #espc14@tweetraw Configure app url settings • There are two settings you need to specify – App Prefix and App Domain • Security wise, it is best to have app domain be a top-level domain (e.g. • Set in Central Administration or PowerShell Set-SPAppDomain "" Set-SPAppSiteSubscriptionName ` -Name "apps" -Confirm:$false 2
  18. 18. #espc14@tweetraw Configure redirection web app • Create a dedicated SP web application – Make sure host header is blank – No content database needed – It is only used for “app redirection” • Bind IIS web site to a dedicated IP address • SSL strongly recommended – Use a wildcard certificate (e.g. * – Bind certificate to this IIS web site 3
  19. 19. #espc14@tweetraw Sample IIS bindings Type Host name Port IP Address SSL certificate Description https 443 Regular SP web application https 443 Regular SP web application https <blank> 443 * SharePoint web application used for app redirection
  20. 20. #espc14@tweetraw Configure DNS • Create an authoritative zone for the app domain • Dynamic hostname resolution is needed, so you’ll need a wildcard “A” record – For example: * • Host (“A” record) points to the IP address for the “redirection” web app – from previous slide 4
  21. 21. DEMO Provisioning support for SharePoint 2013 apps
  22. 22. Book giveaway question
  23. 23. MANAGING 2013 APPS
  24. 24. #espc14@tweetraw Creating an app catalog • Two primary purposes – Manages internally-developed apps – Manage app requests • Web app can only have one app catalog – App catalog is associated with just one web app New-SPSite -Url -OwnerAlias ` "contosoadmin" -Name "Contoso App Catalog" -Template "APPCATALOG#0" Update-SPAppCatalogConfiguration -site `
  25. 25. #espc14@tweetraw Managing app requests • If users cannot directly install apps, they must request • Requests are stored in the app catalog • Add an alert to the App Requests list to be notified of new requests • Grant site collection admin on app catalog to delegate to others
  26. 26. #espc14@tweetraw Managing licenses • By default, only farm admin can manage licenses • Management can be delegated out on a license-by- license basis
  27. 27. #espc14@tweetraw Common questions • Who can provision apps? – Site owners (Create Sites + Manage permissions) – Provisioning user must have permissions requested by app • Can I disable the SharePoint Store? – Not completely. You can restrict whether users must request apps or not – Editing AddAnApp.aspx page is a workaround to remove the link
  28. 28. DEMO Managing SharePoint 2013 apps
  30. 30. #espc14@tweetraw Provider-hosted apps • Server-side code runs remotely, outside SharePoint • Each app has an app principal • For on-premises farm, you can use a S2S trust or Azure ACS (O365 tenancy) • SSL is strongly recommended for remote web • Integrated Windows auth on remote web is required if using Visual Studio helper class
  31. 31. #espc14@tweetraw Configuring OAuth in SharePoint • Scenario: SPOL and on-premises app • Use AppRegNew.aspx to register app principal – Generate App Id and App Secret – For app domain, use host header of remote web – Redirect URI is optional • Configure remote web using values from AppRegNew <add key="ClientId" value="…" /> Use App Id value <add key="ClientSecret" value="…" /> use App Secret value • Add the .app package into the app catalog
  32. 32. #espc14@tweetraw Configuring S2S in SharePoint • Scenario: On-premises farm and app • Create a X.509 cert – Export to .cer (without private key) – Export to .pfx (with private key) and store on remote server • Run New-SPTrustedSecurityTokenIssuer • Run Register-SPAppPrincipal • Add the .app package into the app catalog
  33. 33. S2S – configuring SharePoint $certPath = "c:tempapp.cer" $spUrl = "" $appName = "My app name" $stsName = $appName + " STS" $issuerId = [System.Guid]::NewGuid().ToString().ToLower() $spweb = Get-SPWeb $spUrl $realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site $cert = Get-PfxCertificate $certPath New-SPTrustedRootAuthority -Name "STS cert" -Certificate $cert ` $fullAppIdentifier = $issuerId + '@' + $realm New-SPTrustedSecurityTokenIssuer -name $stsName -Certificate $cert ` -RegisteredIssuerName $fullAppIdentifier -IsTrustBroker $appPrincipal = Register-SPAppPrincipal -NameIdentifier $fullAppIdentifier ` -Site $spweb -DisplayName $appName
  34. 34. #espc14@tweetraw S2S - configuring remote web • Store .pfx export of cert in a local folder • Reference cert in configuration (e.g. web.config) • For ClientId, use $issuerId value from previous script (from SharePoint) • ClientId and IssuerId can be the same <add key="ClientId" value="a63e90ea-289d-469b-8b35-c5748779c1b4" /> <add key="ClientSigningCertificatePath" value="{path}app.pfx" /> <add key="ClientSigningCertificatePassword" value="pass@word1" /> <add key="IssuerId" value=" a63e90ea-289d-469b-8b35-c5748779c1b4" />
  35. 35. Quick recap Understanding 2013 Apps Provisioning Support for 2013 Apps Managing 2013 Apps Deploying Provider- hosted Apps
  36. 36. For more information, see chapter 15 Q&A
  37. 37. #espc14@tweetraw Additional reading Topic Url App permissions Deploying apps with PowerShell OAuth authorization flow App principal registration Package and publish high trust apps
  38. 38. Thank You Thank You @tweetraw