For the people who start playing with the certificates part. Unfortunately due to a last minute change, currently it's not possible to deploy an app on a device when you specify the Shared User Certificates capability. We are working on fixing this in the near future.
Ben, you need to get a new certificate, create a new AET and distribute the new AET to all your users. You don't need to resign your xap's. The runtime extracts the publisher id from the signed apps and checks if the phone has a valid AET, if yes, the app launches.
Dave, first part is correct. Company signs the XAP themselves. Other scenario is publish to the MS store (no signing needed, MS does that) but you need to provide a way to only allow them access to the app via a login or something. You don't enroll in the MS store. That's Always available for users.
A 3rd option could be you sign the XAP and provide the XAP and the AET to the customer but they need to manually distribute the AETx file and the XAP to the users.
David you need to provide the XAP to the 3rd party or publish it to the store and create some way to give them access by an account or token etc. There is no volume license kind of thing at the moment.