MSIX requires packages to be signed in order to be deployed. This helps us to offer integrity on the package being deployed and to ensure the contents being deployed are what was packaged from the developer or IT Pro. While this is great, some customers found it problematic acquiring certificates within their enterprise. We heard that from our customers loud and clear! In an upcoming Windows release will improve the tooling to enable signing of MSIX packages from your Azure Active Directory tenant.
How does it work?
Starting with the Windows Insider SDK 18945 we will have changes and additions to signtool.exe. These changes will allow signtool to interact with Device Guard Signing to remotely sign packages specific to your Azure AD tenant. A user can be enabled with signing permissions and can then auth with their Azure AD identity and sign their packages.
How do I enable this?
To sign packages there are a few steps required to setup your Azure AD users and environment, its a onetime setup. You will also need an updated SDK (version 18945 or later) for signtool and some additional files to interact with the signing service.
To deploy packages you will need to deploy an intermediate certificate to your devices so the will trust the apps being signed. You download this certificate from the Microsoft Store for Business portal. You can easily deploy this certificate with System Center Configuration Manager, Microsoft Intune, via scripting or most management products to your devices root store. The certificate is specific to your Azure AD tenant so it won't enable other enterprises apps to be deployed. If your users are working across multiple Azure AD environments then just add the certificate for each tenant to enable the apps to install.