An IT Pro Guide for Deploying and Managing SharePoint 2013 Apps. Randy Williams randy.williams@avepoint.com @tweetraw




Randy Williams Author Director of ACS

Our Agenda
- Understanding 2013 Apps
- Provisioning Support for 2013 Apps
- Managing 2013 Apps
- Deploying Provider-hosted Apps

UNDERSTANDING 2013 APPS

So - what exactly is an app?
- An application whose interface is launched from or surfaced through SharePoint but whose code is executed elsewhere
- Can contain some declarative SharePoint artifacts
- External app can provide UI through SharePoint IFrame or full screen
- External app uses CSOM or REST (OData) to call back
- No custom server-side code running on SharePoint servers

How an app runs

Host web & app web
- The host web is where the app is added, removed, upgraded
- If the app contains SharePoint artifacts, a sub-web is created underneath the host web
- This sub-web is called the app web
- The app web is only accessible using an isolated domain name: https://{appprefix}-{id}.{appdomain}/path/{appname}
- Host web example: https://teams.contoso.com
- App web example: https://app-af48d482118ab1.appscontoso.com/myapp

Understanding the app web url
    https://<app prefix>-<app id>.<app domain>/<host web relative url>/<app name>
    https://app-af48d482118ab1.appscontoso.com/sites/projects/foo/myapp
- The app prefix is defined when you configure support for SharePoint apps
- The app id is an app-unique hex string that is generated automatically
- The app domain is the DNS name you configure
- The host web relative url is the portion of the url that is relative to the web application
- The app name is set by the developer

App principal
- A 2013 app uses a new security principal called the app principal
- The developer sets the permissions the app will need
- Permissions are delegated to the app principal when the app is provisioned
- If the user does not have the permissions the app needs, it cannot be provisioned

App policies
- The developer sets the app permission policy in the app manifest:
    <AppPermissionRequests AllowAppOnlyPolicy="true|false">

Policy type        Attribute value   What it means
User & app policy  false (default)   Both the user and the app must have permissions to perform an action.
App only policy    true              Only the app needs permissions to perform an action. You must be a site collection admin to provision apps of this type. (Think of this as an elevation of privileges)

App permission scope
- Permissions are not inherited like user principals
- Permissions are granted to one of four scopes:
  - Tenancy (meaning all web apps if not using multi-tenancy)
  - Site collection
  - Web (meaning host web)
  - List (by default, all lists in host web)
- The app receives the requested permission to all objects contained in this scope
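A review of what an app asks for before it goes into the catalog, based on the policy and scope slides above. This is an added example, not code from the presentation: the manifest is constructed, `Get-AppPermissionReview` is a hypothetical helper, and the scope URIs and the `FullControl` right are the standard SharePoint 2013 manifest values rather than values shown on the slides.

```powershell
# Constructed sample manifest, not taken from a real app package.
$sampleManifest = [xml]@'
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="SampleApp" Version="1.0.0.0">
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read" />
  </AppPermissionRequests>
</App>
'@

function Get-AppPermissionReview {
    param([Parameter(Mandatory)][xml]$Manifest)

    # Manifest scope URIs mapped to the four scopes named on the slide.
    $scopes = @{
        'http://sharepoint/content/tenant'                  = 'Tenancy'
        'http://sharepoint/content/sitecollection'          = 'Site collection'
        'http://sharepoint/content/sitecollection/web'      = 'Web (host web)'
        'http://sharepoint/content/sitecollection/web/list' = 'List (all lists in host web)'
    }
    # local-name() sidesteps the manifest's default XML namespace.
    $root = $Manifest.SelectSingleNode("//*[local-name()='AppPermissionRequests']")
    if ($null -eq $root) { return }     # the app requests no permissions

    # A missing attribute means the default: user & app policy.
    $appOnly = $root.GetAttribute('AllowAppOnlyPolicy') -eq 'true'
    foreach ($req in $root.SelectNodes("*[local-name()='AppPermissionRequest']")) {
        $scope = $req.GetAttribute('Scope')
        $right = $req.GetAttribute('Right')
        $notes = @()
        if ($appOnly) { $notes += 'app only: the user''s permissions are not checked' }
        if ($scope -eq 'http://sharepoint/content/tenant') { $notes += 'widest scope' }
        if ($right -eq 'FullControl') { $notes += 'highest right' }
        [pscustomobject]@{
            Policy = if ($appOnly) { 'App only' } else { 'User & app' }
            Scope  = if ($scopes.ContainsKey($scope)) { $scopes[$scope] } else { $scope }
            Right  = $right
            Review = $notes -join '; '
        }
    }
}

Get-AppPermissionReview -Manifest $sampleManifest | Format-Table -AutoSize
```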

Reviewing app web url DEMO

PROVISIONING SUPPORT FOR 2013 APPS

Four steps to host apps on premises
1. Create an app tenancy
2. Configure app url settings
3. Configure redirection web app
4. Configure DNS

1. Creating an app tenancy
- Create App Management Service app
  - Tracks app instances, licenses, app principals
- Create Subscription Settings Service app
  - Provides app isolation
- Do not use the farm account for the app pools
  - The account does not need to be a local admin
- Start these services on the designated server(s)

Scripting the app tenancy

    # Run in the SharePoint 2013 Management Shell.
    $dbserver = "sql1"
    $wfe = "wfe1"
    $acct = "contoso\sp.apppool"    # dedicated app pool account, not the farm account

    # One application pool per service application
    $subpool = New-SPServiceApplicationPool -Name "SubscriptionSettingsAppPool" -Account $acct
    $apppool = New-SPServiceApplicationPool -Name "AppManagementAppPool" -Account $acct

    # App Management Service application and proxy
    $name = "App Management Service"
    $svc = New-SPAppManagementServiceApplication -ApplicationPool $apppool -Name $name `
        -DatabaseName "AppManagement" -DatabaseServer $dbserver
    New-SPAppManagementServiceApplicationProxy -ServiceApplication $svc -Name "$name Proxy"

    # Subscription Settings Service application and proxy
    $name = "Subscription Settings Service"
    $svc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $subpool -Name $name `
        -DatabaseName "SubscriptionSettings" -DatabaseServer $dbserver
    New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $svc

    # Start both service instances on the designated server
    Get-SPServiceInstance | where {$_.TypeName -in ("App Management Service", `
        "Microsoft SharePoint Foundation Subscription Settings Service") -and $_.Parent -like `
        "*$wfe"} | Start-SPServiceInstance

2. Configure app url settings
- There are two settings you need to specify: App Prefix and App Domain
- Security-wise, it is best to have the app domain be a top-level domain (e.g. appscontoso.com)
- Set in Central Administration or PowerShell

    Set-SPAppDomain "appscontoso.com"
    Set-SPAppSiteSubscriptionName -Name "apps" -Confirm:$false

3. Configure redirection web app
- Create a dedicated SP web application
  - Make sure host header is blank
  - No content database needed
  - It is only used for app redirection
- Bind IIS web site to a dedicated IP address
- SSL strongly recommended
  - Use a wildcard certificate (e.g. *.appscontoso.com)
  - Bind certificate to this IIS web site

Sample IIS bindings

Type   Host name           Port  IP Address  SSL certificate     Description
https  teams.contoso.com   443   10.0.0.10   teams.contoso.com   Regular SP web application
https  portal.contoso.com  443   10.0.0.11   portal.contoso.com  Regular SP web application
https  <blank>             443   10.0.0.12   *.appscontoso.com   SharePoint web application used for app redirection

4. Configure DNS
- Create an authoritative zone for the app domain
- Dynamic hostname resolution is needed, so you'll need a wildcard A record
  - For example: *.appscontoso.com
- The Host (A record) points to the IP address for the redirection web app
  - 10.0.0.12 from previous slide
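A check that ties the app web url slide to steps 2 to 4: it splits an app web URL into its parts and flags a host that the wildcard certificate would not cover or an app domain that is not isolated from the content domain. This is an added example, not code from the presentation; `Test-AppWebUrl` and its `ContentDomain` parameter are hypothetical, and the second URL is constructed.

```powershell
function Test-AppWebUrl {
    param(
        [Parameter(Mandatory)][uri]$AppWebUrl,
        [Parameter(Mandatory)][string]$AppPrefix,       # app prefix from step 2
        [Parameter(Mandatory)][string]$AppDomain,       # app domain from step 2
        [Parameter(Mandatory)][string]$ContentDomain    # assumption: DNS domain of the regular web apps
    )
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase
    $issues = @()
    $appId  = $null
    if ($AppWebUrl.Scheme -ne 'https') { $issues += 'app web is not served over HTTPS' }

    # The host must be one label, <app prefix>-<hex app id>, directly under the app domain.
    # A wildcard certificate such as *.appscontoso.com (step 3) covers a single label only.
    $suffix = ".$AppDomain"
    if ($AppWebUrl.Host.EndsWith($suffix, $ignoreCase)) {
        $label = $AppWebUrl.Host.Substring(0, $AppWebUrl.Host.Length - $suffix.Length)
        if ($label -match "^$([regex]::Escape($AppPrefix))-(?<id>[0-9a-f]+)$") {
            $appId = $Matches['id']
        } else {
            $issues += "host label '$label' is not <app prefix>-<hex app id>"
        }
    } else {
        $issues += "host is not under the app domain $AppDomain"
    }

    # Isolation: the app domain must not sit inside the content domain or contain it.
    # The leading dot matters: appscontoso.com is not a subdomain of contoso.com.
    if ($AppDomain -eq $ContentDomain -or
        $AppDomain.EndsWith(".$ContentDomain", $ignoreCase) -or
        $ContentDomain.EndsWith(".$AppDomain", $ignoreCase)) {
        $issues += "app domain $AppDomain shares a DNS tree with $ContentDomain"
    }

    # Path = <host web relative url>/<app name>
    $segments = @($AppWebUrl.AbsolutePath.Trim('/').Split('/'))
    $hostWebPath = if ($segments.Count -gt 1) {
        '/' + ($segments[0..($segments.Count - 2)] -join '/')
    } else { '/' }
    [pscustomobject]@{
        AppId = $appId; HostWebRelativeUrl = $hostWebPath; AppName = $segments[-1]
        Issues = $issues
    }
}

# URL from the slides, then a constructed variant with the app domain nested under contoso.com.
Test-AppWebUrl -AppWebUrl 'https://app-af48d482118ab1.appscontoso.com/sites/projects/foo/myapp' -AppPrefix app -AppDomain appscontoso.com -ContentDomain contoso.com
Test-AppWebUrl -AppWebUrl 'https://app-af48d482118ab1.apps.contoso.com/myapp' -AppPrefix app -AppDomain apps.contoso.com -ContentDomain contoso.com
```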

Provisioning support for SharePoint 2013 apps DEMO

MANAGING 2013 APPS

Creating an app catalog
- Two primary purposes
  - Manage internally-developed apps
  - Manage app requests
- A web app can only have one app catalog
- An app catalog is associated with just one web app

    New-SPSite -Url http://teams.contoso.com/sites/appcatalog -OwnerAlias `
        "contoso\admin" -Name "Contoso App Catalog" -Template "APPCATALOG#0"
    Update-SPAppCatalogConfiguration -Site `
        http://teams.contoso.com/sites/appcatalog

Managing app requests
- If users cannot directly install apps, they must request them
- Requests are stored in the app catalog
- Add an alert to the App Requests list to be notified of new requests
- Grant site collection admin on the app catalog to delegate to others

Managing licenses
- By default, only a farm admin can manage licenses
- Management can be delegated out on a license-by-license basis

Common questions
- Who can provision apps?
  - Site owners (Create Sites + Manage permissions)
  - Provisioning user must have permissions requested by app
- Can I disable the SharePoint Store?
  - Not completely. You can restrict whether users must request apps or not
  - Editing AddAnApp.aspx page is a workaround to remove the link

Managing SharePoint 2013 apps DEMO

DEPLOYING CUSTOM PROVIDER-HOSTED APPS

Provider-hosted apps
- Server-side code runs remotely, outside SharePoint
- Each app has an app principal
- For an on-premises farm, you can use an S2S trust or Azure ACS (O365 tenancy)
- SSL is strongly recommended for the remote web
- Integrated Windows auth on the remote web is required if using the Visual Studio helper class

Configuring OAuth in SharePoint
- Scenario: SPOL and on-premises app
- Use AppRegNew.aspx to register the app principal
- Generate App Id and App Secret
- For app domain, use host header of remote web
- Redirect URI is optional
- Configure remote web using values from AppRegNew

    <add key="clientid" value=" " />      <!-- use App Id value -->
    <add key="clientsecret" value=" " />  <!-- use App Secret value -->

- Add the .app package into the app catalog

Configuring S2S in SharePoint
- Scenario: On-premises farm and app
- Create an X.509 cert
  - Export to .cer (without private key)
  - Export to .pfx (with private key) and store on remote server
- Run New-SPTrustedSecurityTokenIssuer
- Run Register-SPAppPrincipal
- Add the .app package into the app catalog

S2S - configuring SharePoint

    # Run in the SharePoint 2013 Management Shell.
    $certpath = "c:\temp\app.cer"           # public-key export of the signing cert
    $spurl = "https://teams.contoso.com"
    $appname = "My app name"
    $stsname = $appname + " STS"
    $issuerid = [System.Guid]::NewGuid().ToString().ToLower()

    $spweb = Get-SPWeb $spurl
    $realm = Get-SPAuthenticationRealm -ServiceContext $spweb.Site
    $cert = Get-PfxCertificate $certpath

    # Trust the certificate, then register it as a token issuer
    New-SPTrustedRootAuthority -Name "STS cert" -Certificate $cert
    $fullappidentifier = $issuerid + '@' + $realm
    New-SPTrustedSecurityTokenIssuer -Name $stsname -Certificate $cert `
        -RegisteredIssuerName $fullappidentifier -IsTrustBroker

    # Register the app principal under the same identifier
    $appprincipal = Register-SPAppPrincipal -NameIdentifier $fullappidentifier `
        -Site $spweb -DisplayName $appname

S2S - configuring remote web
- Store the .pfx export of the cert in a local folder
- Reference the cert in configuration (e.g. web.config)
- For ClientId, use the $issuerid value from the previous script (from SharePoint)
- ClientId and IssuerId can be the same

    <add key="clientid" value="a63e90ea-289d-469b-8b35-c5748779c1b4" />
    <add key="clientsigningcertificatepath" value="{path}\app.pfx" />
    <add key="clientsigningcertificatepassword" value="pass@word1" />
    <add key="issuerid" value="a63e90ea-289d-469b-8b35-c5748779c1b4" />
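The certificate steps from the S2S slides (create, export to .cer, export to .pfx, store on the remote server), with the .pfx locked down to the account that has to read it. This is an added example, not code from the presentation; the DNS name, the account name, the self-signed certificate and the `Protect-PfxFile` helper are assumptions, and it needs an elevated Windows PowerShell session.

```powershell
# Assumptions (not from the slides): certificate DNS name, app pool account,
# and a password typed at a prompt instead of a literal in the script.
$dnsName  = 's2s-app.contoso.com'      # hypothetical name on the certificate
$poolAcct = 'CONTOSO\sp.remoteweb'     # hypothetical identity of the remote web's app pool
$outDir   = 'C:\temp'                  # folder the page's script reads app.cer from
$pfxPwd   = Read-Host -AsSecureString -Prompt 'Password for app.pfx'

# Create an X.509 certificate (self-signed here) in the local machine store.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My

# Export to .cer (no private key): the file the SharePoint-side script loads.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'app.cer') -Type CERT | Out-Null

# Export to .pfx (with private key): copy this file to the remote web server only.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'app.pfx') -Password $pfxPwd | Out-Null

# Run on the remote web server after copying app.pfx there: a plain copy picks up
# whatever permissions the destination folder grants.
function Protect-PfxFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ReaderAccount
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting, discard inherited entries
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)          # discard explicit entries as well
    }
    $grants = [ordered]@{
        'BUILTIN\Administrators' = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
        $ReaderAccount           = 'Read'
    }
    foreach ($account in $grants.Keys) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $account, $grants[$account], 'Allow'
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting entries so the outcome can be reviewed.
    (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights
}

# Protect-PfxFile -Path 'D:\certs\app.pfx' -ReaderAccount $poolAcct   # path is hypothetical
```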

Quick recap
- Understanding 2013 Apps
- Provisioning Support for 2013 Apps
- Managing 2013 Apps
- Deploying Provider-hosted Apps

Q&A For more information, see chapter 15

Additional reading

Topic                                Url
App permissions                      bit.ly/1g3w5wb
Deploying apps with PowerShell       bit.ly/1ijtgsw
OAuth authorization flow             bit.ly/1g3wjea
App principal registration           bit.ly/1j49dz9
Package and publish high trust apps  bit.ly/rmaneh

Thank You
randy.williams@avepoint.com