After a user enrolls a phone for company app distribution, the AET is installed to a secure data store on the phone. Once a day, the phone sends the Publisher ID from the AET to a Microsoft service that confirms that the company account is still valid.
The phone automatically attempts to validate the AET in the following scenarios:
During the initial enrollment process.
Before an attempt to install an app published and signed by the company.
Before an attempt to start a company app that is installed on the phone.
When the phone contacts the Microsoft service to determine whether the company account is still valid.
The validation of the AET includes a signature validation, a certificate chain validation to a specific root certificate, and a date check on the validity period of the certificate. If the AET fails to validate during any of these scenarios, the task associated with the scenario fails.
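The three checks described above, reproduced with stock openssl on ordinary X.509 files. This is an added example, not Microsoft's implementation and not the AETX format; the token body, file names and certificate subjects are all constructed for the demonstration. Each check fails closed with its own return code, the way a failed validation fails the associated task.

```sh
# Constructed demo: plain X.509 files stand in for the AET; all names are made up.
set -u
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

make_root() {   # make_root NAME: create a self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
issue() {       # issue ROOT NAME: create a leaf certificate signed by ROOT
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -CAcreateserial -days 7 -out "$W/$2.pem" 2>/dev/null
}
sign() {        # sign KEYNAME FILE OUT: detached SHA-256 signature over FILE
  openssl dgst -sha256 -sign "$W/$1.key" -out "$3" "$2"
}

# validate TOKEN SIG LEAF ROOT: 0 only if every check passes, else the
# number of the first check that failed.
validate() {
  openssl x509 -in "$3" -pubkey -noout > "$W/pub.pem" 2>/dev/null || return 1
  # 1. Signature over the token verifies with the leaf certificate's key.
  openssl dgst -sha256 -verify "$W/pub.pem" -signature "$2" "$1" \
    >/dev/null 2>&1 || return 1
  # 2. Leaf chains to the one pinned root; default trust stores are excluded.
  openssl verify -no-CAfile -no-CApath -CAfile "$4" "$3" \
    >/dev/null 2>&1 || return 2
  # 3. Leaf has not expired (openssl verify above also checks the dates).
  openssl x509 -in "$3" -noout -checkend 0 >/dev/null 2>&1 || return 3
  return 0
}

# Constructed sample material: a pinned root, an unrelated root, two leaves.
make_root pinned-root; make_root other-root
issue pinned-root publisher; issue other-root impostor
printf 'PublisherID=constructed-example\n' > "$W/token"
sign publisher "$W/token" "$W/token.sig"
sign impostor  "$W/token" "$W/imp.sig"
cp "$W/token" "$W/tampered"; printf 'x' >> "$W/tampered"

R="$W/pinned-root.pem"
validate "$W/token"    "$W/token.sig" "$W/publisher.pem" "$R"; echo "valid token:   $?"
validate "$W/token"    "$W/imp.sig"   "$W/impostor.pem"  "$R"; echo "other root:    $?"
validate "$W/tampered" "$W/token.sig" "$W/publisher.pem" "$R"; echo "tampered body: $?"
```

The second case is the one pinning exists for: the signature is internally consistent, but the certificate does not chain to the expected root, so validation stops at check 2.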
After a user manually enrolls a phone for company app distribution by tapping an AET.aetx file on their phone, the phone is automatically enrolled for as long as the certificate is valid (one year). After enrolling for company app distribution by this process, users cannot unenroll their phone by using the phone UI.