Can a developer legally distribute a Windows Store app (formerly known as a "Metro" app) to everyone on the internet without first getting permission from Microsoft?
The answer to this question is unequivocally no. It does not matter whether you have Windows RT or Windows 8 or Windows 8 Pro, the answer is no on all versions of Windows thus far announced.
In order to ensure the accuracy of this statement, I called Microsoft's public relations contact for developers and requested a fact check. I asked:
Can you distribute applications that use the Metro interface without going through the Windows Store? In other words, if a developer wants to distribute applications directly to the consumer, without the Windows Store, is there a mechanism for them to do this, or is the Windows Store the only way for consumers to install Metro interface-enabled apps?
- Casey Muratori
Their public relations firm was very responsive, pleasant, and quite helpful. They took the time to research the answer, and here is the relevant part of their response:
No, you cannot distribute Windows Store apps without going through the Windows Store. The exception to this is for enterprise apps (see this blog post). Developers can, however, create and offer desktop apps the same way they always have -- through their own site or distribution point.
- Waggener Edstrom Worldwide on behalf of Microsoft Developer Relations
This statement confirms the policies as I stated them in the article proper: the desktop remains open, but the new Windows 8 UI is closed. For those interested in additional documentation supporting this conclusion, I have included a detailed walkthrough of the relevant Microsoft publications below.
A good place to start is a Microsoft publication about Windows 8 called How to Add and Remove Apps. In the introduction, they specifically state the following:
Typically, Windows Store apps are available only through the Windows Store.
Apps that aren't signed by Windows Store can only be installed on sideloading-enabled devices.
That's certainly definitive, but unfortunately it uses the term "sideloading-enabled devices", which has to be fully understood before it's clear what this statement means. "Sideloading", which is not originally a Microsoft term, typically means the transferring of something from one local machine to another, ie., something distinct from uploading or downloading. Unfortunately, certain vendors (including Microsoft) have mutated this meaning, and the term is now often used to describe the manual installation of an application on a device which has some other default method of installation (such as a store).
To understand Microsoft's specific definition, look at their FAQ question "What is sideloading? Does the Windows Store allow it?" on their page Managing Client Access to the Windows Store, where they define the term as:
Sideloading, which is available in both Windows 8 and Windows Server 2012, refers to installing apps directly to a device without going through the Windows Store.
Thus sideloading is what we really care about in the debate about openness for Windows Store apps.
So if the only way to install a Windows Store app on Windows 8 without the Windows Store is to sideload, and in order to sideload you have to enable sideloading on your device, the obvious question is, can everyone enable sideloading on their devices for all Windows Store apps without Microsoft's permission, thus making the platform effectively open?
Back to How to Add and Remove Apps:
You can enable sideloading on Windows 8 Enterprise or Windows Server 2012 by joining the computer to a domain. To enable sideloading on a Windows 8 Enterprise computer that is not domain-joined or on any Windows 8 Pro computer, you must use a sideloading product activation key. To enable sideloading on a Windows RT device, you must use a sideolading [sic] product activiation key.
Here, Microsoft has listed two different sideloading methods: one that requires domain joining, and one that requires a product key.
Insofar as it is discussed in Microsoft's current publications, the domain-joining method is actually much more like traditional open distribution. From Deploying Metro style apps to businesses, Microsoft explains:
On an enterprise sideloading enabled edition, the IT admins need to verify: the PC is domain joined, the group policy is set to 'Allow all trusted apps to install', [and] the app is signed by a CA that is trusted on the target PCs.
Thus if you are running Windows 8 Enterprise or Windows Server 2012, if you are actively joined to a particular domain, you can manually install Windows Store apps without Microsoft's permission if those apps were signed by a certificate trusted by your device. Since you can, in theory, install any certificates you want, this effectively makes app sideloading work with no Microsoft intervention.
But there are two big problems. First, it only works if the user is domain-joined to an enterprise network, as mentioned above. Second, it only works if the user is running Windows 8 Enterprise or Windows Server 2012, because they are the only SKUs which support domain-joined sideloading as clients. For all the users running Windows 8, Windows 8 Pro, and Windows RT, this method is unavailable. From How to Add and Remove Apps:
You can enable sideloading on Windows 8 Enterprise or Windows Server 2012 just by joining the device to a domain. To enable sideloading on a Windows 8 Enterprise device that is not domain-joined, you must use a sideloading product activation key.
NOTE: To enable sideloading on [a] Windows 8 Pro device, you must use a sideloading product activation key.
and from the handy diagram on page 12 of the Windows 8 and Windows RT Volume Licensing Guide:
So unfortunately, this method does not allow distribution of Windows Store apps freely on the internet to all Windows 8 users. But there is still the second method which we have not yet discussed, the one that requires a product key. Deploying Metro style apps to businesses describes the steps for this method as well, step three of which is:
Activate a special product key by using a script on the target machine to enable sideloading. We'll go into more detail about how the IT admin will acquire the product keys in an upcoming blog post. The product key only needs to be install [sic] and activated once on the PC.
So the question becomes, can a developer get these required product keys without Microsoft's permission? Product keys are supplied through something called a "Volume Licensing Multiple Activation Key (MAK)", as is explicitly stated on page 12 of the Windows 8 Volume Licensing Guide for Partners:
Customers will also be able to enable Enterprise Sideloading of trusted Windows 8 apps on Windows RT, Windows 8 Pro, or Windows 8 Enterprise devices that are not domain-joined using a Volume Licensing Multiple Activation Key (MAK)...
which it later explains:
Medium or enterprise sized customers with Software Assurance for Windows or Windows VDA subscriptions in the following Volume Licensing programs will be granted Enterprise Sideloading rights and provided with the MAK keys as an SA benefit at no additional cost. Product keys for Enterprise Sideloading will be made available through the Volume License Service Center (VLSC).
So, this contorted method is definitely not open, because it will still require you to request product keys from Microsoft Volume Licensing, and Microsoft can simply refuse to issue those keys for any reason that they choose. In terms of openness, it is no different than going through the Windows Store, in the sense that you must check with Microsoft before distributing the app. It is also restricted a priori in that not all developers are even allowed to request such keys, since eligibility depends on your organization being in one of the special categories listed on Page 14 of Windows 8 Volume Licensing Guide for Partners.
So is that it for Windows Store apps? Not quite. Microsoft has publicly disclosed one more method for sideloading apps on Windows 8: developer licenses. From Get a Developer License (Windows Store apps):
A developer license for Windows 8 lets you install, develop, test, and evaluate Windows Store apps before the Windows Store tests and certifies them. Developer licenses are free, and you can get as many as you need if you already have a Microsoft account.
And from that same page:
When you run or debug a Windows Store app for the first time on a remote machine or on a device that's directly connected to your development machine, you're prompted to download a separate developer license for that machine or device. Because you can't install a developer license on a machine remotely, you must use the machine or device itself to get the license. After you install a developer license on that remote machine or device, you can install, run, and debug packages that haven't been certified.
That actually sounds pretty open, if a bit onerous: when I want to distribute a Windows Store app without Microsoft's permission, I can send an unsigned app to end users, and they'd all install developer licenses and run it.
Unfortunately, reading the details reveals that this is explicitly disallowed by Microsoft. Although Microsoft allows an end user to obtain a developer license for the purposes of testing an app pre-certification, it explicitly disallows them from using a developer license to circumvent certification through the Windows Store, and claims that it will be monitoring for violations. Again, from Get a Developer License (Windows Store apps):
The license is provided on a per-machine basis and for a fixed amount of time. After the developer license on your local machine expires, you won't be able to run uncertified apps...
Microsoft can detect fraudulent use of a developer license on a registered machine. If Microsoft detects fraudulent use or another violation of the software license terms, we might revoke your developer license. The monitoring process helps ensure the overall health of the app marketplace.
With that, we've come to the end of the road for sideloading. So far, I have not seen any discussion by Microsoft of any legal method by which a developer can distribute a Windows Store app to an end user without Microsoft's explicit permission, and that permission is not only legally required, but is enforced in the software directly via signing and authorization monitoring.
Hopefully, that definitively answers any speculation on this subject. Barring further publications from Microsoft describing new options for legal end-user sideloading, I contend that there is no way someone could reasonably construe that a Windows Store app could be legally distributed by a software developer to the internet at large without first asking Microsoft for explicit, digital permission to do so.