The Microsoft Store for Business enables you to acquire, manage, and distribute applications in bulk. If you use Workspace ONE UEM to manage your Windows 10+ devices, integrate the two systems. After integration, acquire applications from the Microsoft Store for Business, distribute them, and manage their updated versions with Workspace ONE UEM.For information on Microsoft Store for Business processes, refer to https://technet.microsoft.com/itpro/windows/manage/windows-store-for-business.

Requirements common for both Offline and Online Licensing Model

  • Windows 10+ Devices - Use Windows Desktop (Windows 10 devices) when assigning applications. The OG you select must be of a customer type.
  • Azure Active Directory Services - Configure Azure Active Directory services in Workspace ONE UEM to enable the communication between the systems. This configuration enables Workspace ONE UEM to manage Windows devices and applications on these devices.

    You do not need an Azure AD Premium account to integrate with the Microsoft Store for Business. This integration is a separate process from the automatic MDM enrollment.

    Important: Integration only works when the targeted organization group (OG) is a customer type OG where you configured Azure Active Directory Services.
  • Microsoft Store for Business Admin Account with Global Permissions - Acquire applications with a Microsoft Store for Business admin account. Global permissions enable administrator to access all systems to acquire, manage, and distribute applications.
  • File Storage is enabled for on-premises Workspace ONE UEM stores Microsoft Store for Business applications on a secure file storage system. On-premise environments must enable this feature in the Workspace ONE UEM console by adding the tenant identifier and tenant name on the Directory Services page. This requirement is part of the process to configure Azure AD Services.

Requirements for Online License Model

Azure Active DirectoryDevice users must use Azure Active Directory to authenticate to content.

Requirements for Offline License Model

Workspace ONE UEM imports all the application packages and deactivates assignment actions while the process is in progress. When you re-import packages for purposes such as updates, Workspace ONE UEM downloads only those packages that changed. If you do not restrict the use of the app store on devices, then application updates push to devices from the Microsoft Store for Business. If you restrict the use of the app store on devices, then import updated applications in Workspace ONE UEM. Then, notify device users to install the updated version from the AirWatch Catalog.

Comparison of the Online and Offline Licensing Models of the Microsoft Store for Business

Online and offline models of the Microsoft Store for Business offer different capabilities. Select the model depending on how you want to manage your deployment. Capabilities include what system manages licenses, where app packages are stored, and what system authenticates to resources.

Table 1. Online and Offline Model Comparison - Different Capabilities
Feature Online License Model Offline License Model
License control Licenses managed by the Microsoft Store for Business.

Users can receive applications and claim licenses outside of your Workspace ONE UEM deployment.

 Licenses managed by the enterprise.

Use the offline licensing model to control application packages and updates.

This model offers flexibility but requires attention to ensure that applications stay updated and licenses get renewed.

App package host App package hosted by the Microsoft Store for Business. App package hosted by the Workspace ONE UEM file storage for on-premises or in the Workspace ONE UEM SaaS environment.
Azure Active Directory Devices must use your Azure Active Directory system to authenticate.

Enable the Azure Active Directory system so Workspace ONE UEM and the Microsoft Store for Business can communicate.

 Devices do not have to use the Azure Active Directory system to authenticate.

However, you must enable the Azure Active Directory system so Workspace ONE UEM and the Microsoft Store for Business can communicate.
Restrict the app store Devices cannot install applications because the restriction prevents the Microsoft Store for Business on the device. Devices can still install applications because the app packages are hosted in the Workspace ONE UEM environment.
Table 2. Online and Offline Model Comparison - Same Capabilities
Feature Online License Model Offline License Model
Level where licenses are claimed Licenses claimed by Workspace ONE UEM for the application at the user level. Licenses claimed by Workspace ONE UEM for the application at the user level.
License reuse Admins can revoke licenses through Workspace ONE UEM and reuse them. Admins can revoke licenses through Workspace ONE UEM and reuse them.

Import Public Applications Acquired from the Microsoft Store for Business

You can import public applications acquired from the Microsoft Store for Business to Workspace ONE UEM console. The process is the same for the online and offline license models. For the offline license model, plan to import these applications when your corporate network is not busy. Due to the number of applications concerned, the import process can use more bandwidth than other Workspace ONE UEM systems.

  1. Go to the organization group where you set your Azure Active Directory services.
  2. Navigate to Resources > Apps > Native > Public and select Add Application.

  3. Select the Platform.
  4. Select Import from BSP and choose Next.
  5. View a list of the applications that Workspace ONE UEM imports from your Microsoft Store for Business account.You cannot edit this list in the Workspace ONE UEM console.
  6. Select Finish.
    • Offline license model - The system downloads applications to the remote file storage system.
    • Online license model - The system stores the applications in the Microsoft Store for Business and awaits an install command.

Deploy Public Applications acquired from the Microsoft Store for Business

You can assign public applications acquired from the Microsoft Store for Business to apply them to devices with the flexible deployment feature. You can assign online and offline licenses depending on your license management strategy.

  1. Navigate to Resources > Apps > Native > Public.
  2. Select the application and choose Assign.
  3. Complete the Add Assignment options to add a rule.
    Setting Description
    Assignment - Online Licenses Assign groups to the application with online licenses.

    If devices are part of your Azure Active Directory system and your deployment has online licenses available, devices receive the application.

    If you assign both online and offline licenses to the group, the system gives preference to online licenses.
    Assignment - Offline Licenses Assign groups to the application with offline licenses.

    If your deployment has offline licenses available, devices receive the application.

    If you assign both online and offline licenses to the group, the system gives preference to online licenses.
    Deployment - App Delivery Method View the delivery method. On demand deploys content to a deployment agent and lets the device user decide if and when to install the content.
    Deployment - DLP Configure a device profile with a Restrictions profile to set data loss prevention policies for the application.

    Select Configure. The system navigates to the Profiles area. Select Add > Add Profile > Windows > Windows Desktop > Device Profile > Restrictions. Enable options that apply to the data you want to protect
  4. Select Add and prioritize assignments if you have more than one assignment rule.
  5. Deploy the application with Save & Publish.

Reclaiming and Reassigning your Applicaton License

When you assign Microsoft Store for Business applications to devices, the assignment process claims the corresponding licenses before the system initiates the installation of the application. The details view provides you with the list of user devices and the associated, claimed license.You can also delete the application assignment to reclaim and reassign the licenses. Synchronizing the offline and online licenses in the application details view provides you with the corresponding users of the licenses.

You can navigate to Resources > Applications > List View > Public and select the Microsoft Store for the Business application. This action displays the details view. In this view, use the Sync License action to import the list of users that correspond to claimed licenses. To see the claimed licenses, select the Licenses tab.

Note: Workspace ONE UEM also imports the license associations when you select the Import from BSP option upon the initial import of your Microsoft Store for Business applications. This sync is performed asynchronous to the application package sync.

You can reclaim and reuse the licenses displayed on the Licenses tab by deleting the assignment of the application to the user's device. Workspace ONE UEM includes several methods to delete assignments. Deletion results in the removal of the application from the device.

Table 3. Methods to Reclaim Licenses
Method Description
Details View Select the Delete Application function in the details view of the application.

This action removes the application off devices in groups assigned to the application.
Device Delete the applicable device from the console.
Organization Group Delete the organization group.This action impacts all assets and devices in the organization group.
Assignment Group Delete the smart or user group assigned to the application.This action impacts every device in the group.
User Delete the applicable user account from the console.

Configure Azure AD Integration

To configure your Azure AD, use an Azure admin account to sign up with the store and to activate the Workspace ONE UEM management tool.
  1. Create an Azure admin account for Workspace ONE UEM.Configure an admin account with global admin roles in your Default Directory in Microsoft Azure. Use this account to acquire applications in the Microsoft Store for Business. You do not need an Azure premium account to create an admin account for the Microsoft Store for Business.
    1. In Azure, navigate to your Azure Active Directory.
    2. Select Users and groups and + New user.
    3. Configure the Directory role as Global administrator.
    4. Create a temporary password so you can log in to the Microsoft Store for Business.
  2. Activate Workspace ONE UEM in the Microsoft Store for Business and acquire apps.Activate the Workspace ONE UEM management tool in the Microsoft Store for Business with your Azure admin account credentials. If you use offline licensing, enable the acquirement of offline license applications.
    1. Navigate to the Microsoft Store for Business and log in with your Azure admin account.
    2. Navigate to Manage > Settings > Distribute > Management tools and activate the Workspace ONE UEM by VMware tool.
    3. For offline licenses, go to Manage > Settings > Shop > Shopping experience and enable Show offline licensed apps to people shopping in the store.
    4. In the Store for Business, add applications to your inventory. You can add applications with either offline or online licenses depending on your license management strategy.