Dave, first part is correct. Company signs the XAP themselves. Other scenario is publish to the MS store (no signing needed, MS does that) but you need to provide a way to only allow them access to the app via a login or something. You don't enroll in the MS store. That's Always available for users.
A 3rd option could be you sign the XAP and provide the XAP and the AET to the customer but they need to manually distribute the AETx file and the XAP to the users.