Apps are new to Windows 8. Apps can be purchased in the
Windows Store and installed over the Internet. They also can be
developed in-house or by third-party developers and deployed using
Group Policy. Although apps can be managed using techniques similar to
desktop programs, apps have many distinct characteristics.
Working with Apps: The Essentials
On Windows 8, the Start
screen replaces the traditional Start menu. Desktop apps are
automatically added to Start when you install them and will have a
Start tile. A Start tile makes it easy to start and manage the app. You
can press and hold or right-click the tile to display management
options. Management options for tiles depend on the type of tile. Live
tiles can update their contents, and these updates can be turned on or
off. Some tiles can be displayed in several sizes, and you may be able
to make a tile smaller or larger. If you no longer want a tile to be
displayed on Start, you can choose the Unpin From Start option.
You can start and manage apps that you unpin in several ways. One way is via the All
Apps list. All Apps is the Windows 8 equivalent to the All Programs
menu in earlier releases of Windows. From the Start screen, you can
display All Apps by pressing and holding or right-clicking in an empty
area of the Start screen and then selecting All Apps.
When working with apps and tiles, there are a few handy keyboard shortcuts, which work with desktop programs as well:
- Windows key + Left Arrow or Right Arrow Toggles the screen snap position of the app. Snap splits the screen, so if the app is being displayed normally, Windows key + Left Arrow snaps it to the left and Windows key + Right Arrow snaps it to the right.
- Windows key + Up Arrow Displays the app in Full Screen mode.
- Windows key + Down Arrow Exits Full Screen mode and returns the app to its original window state.
Configuring Trusted Apps and Windows Store Access
Generally, apps are installed and updated over a network or the
Internet. By default, computers running Windows 8 can install only
trusted app packages that come from the Windows Store. If you want to
install trusted
apps developed in-house or by third-party developers, you’ll need to
enable the Allow All Trusted Apps To Install policy in the
Administrative Templates policies for Computer Configuration under
Windows Components\App Package Deployment.
You can manage user access to the Windows Store in several ways. You can:
- Control the use of Microsoft accounts on a computer by enabling the Accounts: Block Microsoft Accounts policy. This policy is found in the Security Options policies for Computer Configuration under Windows Settings/Security Settings/Local Policies. When you enable this policy, you have two options. You can use the Users Can’t Add Microsoft Accounts setting to prevent users from creating Microsoft accounts. Or you can use the Users Can’t Add Or Log On With Microsoft Accounts setting to block users from logging on with and creating Microsoft accounts.
- Prevent users from accessing the Windows Store by enabling Turn Off The Store Application in the Administrative Templates policies for Computer Configuration under Windows Components\Store.
- Prevent computers from automatically downloading app updates by enabling Turn Off Automatic Download Of Updates in the Administrative Templates policies for Computer Configuration under Windows Components\Store.
Enhancing Security for Apps and Overriding Default Settings
Apps run in a unique context and have a lower integrity level than desktop
programs. The lower integrity level may allow apps to perform tasks
that could compromise security: tasks for which you’d otherwise need to
provide consent to continue don’t require consent in these instances
with apps. For example, by default, apps can open a file in a
desktop program. With an unhandled file type or protocol, users see an
Open With dialog box and can select a local application to open the
unknown file type or protocol or use the Store service to find an
application to do the same.
You can use several policies to enhance security and prevent these behaviors:
- To prevent an app from opening a desktop program associated with a file type automatically, enable Block Launching Desktop Programs Associated With A File in the Administrative Templates policies for User Configuration or Computer Configuration under Windows Components\App Runtime.
- To prevent an app from opening a desktop program associated with a protocol automatically, enable Block Launching Desktop Programs Associated With A Protocol in the Administrative Templates policies for User Configuration or Computer Configuration under Windows Components\App Runtime.
- To remove the Windows Store option in the Open With dialog box, enable Turn Off Access To The Store in the Administrative Templates policies for Computer Configuration under System\Internet Communication Management\Internet Communication Settings.
It’s also important to point out that some apps can display notifications on the lock
screen and that a notification history is maintained by default. The
notification history allows users to log off and then log back on later
and see the tile just as they did prior to logging off. To block notifications on the lock screen, enable Turn Off App Notifications On The Lock Screen
in the Administrative Templates policies for Computer Configuration
under System\Logon. To clear the notification history when a user logs
off, enable Clear History Of Tile Notifications On Exit in the
Administrative Templates policies for User Configuration under Start
Menu And Taskbar.
Apps receive notifications through the Windows Push Notification Service (WNS). Live apps
use WNS to update the content on their tile, to display notifications,
and to receive notifications. Using Administrative Templates policies
for User Configuration under Start Menu And Taskbar\Notifications you
can control the use of WNS in several ways:
- To block the display of alerts that pop up on the screen (known as toast notifications) in Windows generally, you can enable Turn Off Toast Notifications. This setting doesn’t affect taskbar notification balloons.
- To block the display of alerts that pop up on the lock screen, you can enable Turn Off Toast Notifications On The Lock Screen.
- To block updating of tiles and tile badges on the Start screen, you can enable Turn Off Tile Notifications.
- To block apps from sending notifications for updates and alerts, you can enable Turn Off Notifications Network Usage. Enabling this setting turns off the connection between Windows and WNS.
Note
REAL WORLD Microsoft tracks
app usage in several ways, and you can control the tracking of app
usage using the Administrative Templates policies for User
Configuration under Windows Components\Edge UI.
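To confirm on a given machine that the policies from the two preceding sections actually took effect, you can read the registry values Group Policy writes. The following is an added example, not from the original text: the registry value names come from the policies' ADMX templates, and the Want column is a constructed sample baseline for a machine with no sideloading and no Store access.

```powershell
# Added example. Registry value names come from the policies' ADMX templates;
# the Want column is a constructed sample baseline, not the book's guidance.
$pol = 'SOFTWARE\Policies\Microsoft\Windows'
$wpn = "HKCU:\$pol\CurrentVersion\PushNotifications"
$baseline = @(
    @{ Policy='Accounts: Block Microsoft Accounts'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='NoConnectedUser'; Want=3 }
    @{ Policy='Allow All Trusted Apps To Install'; Path="HKLM:\$pol\Appx"; Name='AllowAllTrustedApps'; Want=0 }
    @{ Policy='Turn Off The Store Application'; Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'; Name='RemoveWindowsStore'; Want=1 }
    @{ Policy='Block Launching Desktop Programs Associated With A File'; Path="HKLM:\$pol\Associations"; Name='BlockFileElevation'; Want=1 }
    @{ Policy='Block Launching Desktop Programs Associated With A Protocol'; Path="HKLM:\$pol\Associations"; Name='BlockProtocolElevation'; Want=1 }
    @{ Policy='Turn Off Access To The Store'; Path="HKLM:\$pol\Explorer"; Name='NoUseStoreOpenWith'; Want=1 }
    @{ Policy='Turn Off App Notifications On The Lock Screen'; Path="HKLM:\$pol\System"; Name='DisableLockScreenAppNotifications'; Want=1 }
    @{ Policy='Clear History Of Tile Notifications On Exit'; Path="HKCU:\$pol\Explorer"; Name='ClearTilesOnExit'; Want=1 }
    @{ Policy='Turn Off Toast Notifications On The Lock Screen'; Path=$wpn; Name='NoToastApplicationNotificationOnLockScreen'; Want=1 }
    @{ Policy='Turn Off Notifications Network Usage'; Path=$wpn; Name='NoCloudApplicationNotification'; Want=1 }
)

function Get-AppPolicyState {
    param([hashtable[]]$Baseline)
    foreach ($item in $Baseline) {
        $key = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        # A missing value means the policy is Not Configured; treated here as 0
        $actual = if ($key) { $key.($item.Name) } else { 0 }
        $status = if ($actual -eq $item.Want) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{
            Policy = $item.Policy
            Actual = $actual
            Want   = $item.Want
            Status = $status
        }
    }
}

# HKCU rows reflect the user running the script (User Configuration policies)
Get-AppPolicyState -Baseline $baseline | Format-Table -AutoSize
```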
Enhancing Networking Security for Apps
Windows 8 supports several new networking features related to applications in general and apps specifically. Windows 8 uses a feature called Windows Network Isolation to automatically discover proxies and private
network hosts when a computer is connected to a domain. By default, any
proxy detected is considered authoritative and any network host can be
discovered via the private subnets available to the computer.
Proxy discovery and private host discovery are separate features.
You control the proxy discovery process using policies in the
Administrative Templates policies for Computer Configuration under
Network\Network Isolation. Enable the Internet Proxy Servers For Apps
policy and then enter a comma-separated list of authorized proxies that
apps running on domain-connected computers can use for accessing the
Internet. By default, this list of proxies is merged with the list of
automatically discovered proxies. If you want only your listed proxies
to be authoritative, enable Proxy Definitions Are Authoritative.
You can use the Intranet Proxy Servers For Apps policy to define authorized private
network proxies. Enable this policy and then enter a comma-separated
list of proxies that provide access to intranet resources. If you want
only your listed proxies to be authoritative, enable Proxy Definitions
Are Authoritative.
Policies in the Administrative Templates policies for Computer
Configuration under Network\Network Isolation are also used to control
private host discovery. Hosts discovered in this way are designated as
private. Normally, private host discovery will not go across subnet
boundaries.
You can enhance the discovery process by enabling the Private Network Ranges For Apps policy and then entering a comma-separated list of your company’s IPv4 and IPv6 subnets. This tells Windows
about the available subnets so that they can be used for private host
discovery. By default, this list of subnets is merged with the list of
automatically discovered subnets. If you enable Subnet Definitions Are
Authoritative, only network hosts within address ranges specified in
Group Policy will be discovered and considered private.
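The merge-versus-authoritative behavior described above is easy to get wrong: a list that is defined but not marked authoritative still lets automatically discovered proxies and subnets in. The following added example (not from the original text) checks a set of Network Isolation values for that condition and for malformed subnet entries. The value names come from the NetworkIsolation ADMX template, the address/prefix entry format is an assumption, and the sample settings are constructed.

```powershell
# Added example. Value names are from the NetworkIsolation ADMX template
# (including its spelling "Authoritive"); the sample settings are constructed.
function Test-NetworkIsolationSettings {
    param([hashtable]$Settings)

    $findings = @()
    # List value -> flag that makes that list authoritative
    $pairs = @{
        DomainSubnets      = 'DSubnetsAuthoritive'
        DomainProxies      = 'DProxiesAuthoritive'
        DomainLocalProxies = 'DProxiesAuthoritive'
    }
    foreach ($list in $pairs.Keys) {
        $flag = $pairs[$list]
        if ($Settings[$list] -and $Settings[$flag] -ne 1) {
            $findings += "$list is set but $flag is not 1: discovered entries are still merged in"
        }
    }
    # Assumption: each subnet entry is written as address/prefix
    $entries = ([string]$Settings['DomainSubnets'] -split ',') | Where-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $addr, $prefix = $entry.Trim() -split '/', 2
        $ip = $null
        $max = 0
        if ([System.Net.IPAddress]::TryParse($addr, [ref]$ip)) {
            $max = if ($ip.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
        }
        if (-not $ip -or $prefix -notmatch '^\d+$' -or [int]$prefix -gt $max) {
            $findings += "Invalid subnet entry: '$($entry.Trim())'"
        }
    }
    $findings
}

# Constructed sample: subnets listed but not authoritative, one bad prefix
$sample = @{
    DomainSubnets       = '10.20.0.0/16, 2001:db8:100::/48, 192.168.50.0/33'
    DSubnetsAuthoritive = 0
    DomainProxies       = 'proxy1.example.test'
    DProxiesAuthoritive = 1
}
Test-NetworkIsolationSettings -Settings $sample
```

To check a live machine, build the hashtable from the values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation with Get-ItemProperty.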