This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.
Microsoft Intune - install and manage applications

Petr Bouška - Samuraj

In the fourth part about Microsoft Intune, we look at the second basic functionality, which is application management. This part focuses on installing applications; other areas, such as application configuration and security, may be covered next time. Application installation is a very broad area, because we have a wide range of platforms, application types (installation options) and target devices. We first describe the general concepts and then focus (still briefly) on Windows and macOS. The Android and iOS mobile platforms, where a number of specific areas exist (BYOD, for example), are not covered much in this article.

Application Management

We can use Microsoft Intune to manage the client applications our employees use. Mobile Application Management (MAM) refers to a set of features that enable publishing, installing, configuring, securing, monitoring and updating applications. MAM also allows managing and protecting organizational data within the application.

Intune MAM supports two configurations:

  • MDM + MAM - MAM application management on devices enrolled in Intune
  • Unenrolled devices with MAM-managed applications - on devices not enrolled in Intune, we can still manage organizational data and accounts inside the managed applications

Intune offers various platform-specific capabilities, more details in App management capabilities by platform.

Application Lifecycle in Intune

  • Adding an app to Intune - we can add many different types of applications to Intune to manage them further
  • Deployment - we assign the app to users and devices we manage, which can result in installation, and we can monitor deployment success; for some app stores, we can bulk purchase licenses and track their usage
  • Configuration and updates - typically, new versions of applications are regularly released, so we need to update the deployed apps to these new versions; for some apps, we can configure additional features - this applies to iOS/iPadOS and Android App configuration policies
  • Protection - we have various options to protect data in applications, we can use Conditional Access and App protection policies
  • Retirement and uninstallation - an app may become obsolete or we want to stop using it, then it needs to be removed (uninstalled)

Supported Application Types

Microsoft divides applications supported in Intune into a number of types. When creating (adding) an app, we must select the correct type. A brief description of the categories and application types is provided below.

  • Store apps
    • Store app, these are apps uploaded to the Microsoft Store, iOS/iPadOS Store or Android Store, the user must have an account in the store to install the app
    • For Windows apps, it's best to choose the new deployment method (Microsoft Store app (new)), where we select the app from the Microsoft Store
    • For iOS apps, we select from the Apple App Store
    • For Android Enterprise apps, we select from Managed Google Play
    • If we choose the older Windows app deployment method (Microsoft Store app (legacy)), we enter the link to the Microsoft Store
    • For Android apps, we enter the link to Google Play
    • Also included are Microsoft 365 Apps for Windows and macOS (formerly Microsoft Office 365 ProPlus)
    • Microsoft Edge, version 77 and later for Windows and macOS
    • Microsoft Defender for Endpoint for macOS
  • Line-of-business apps (LOB apps)
    • I would describe these as standard applications that we install from an installation file
    • Supported platforms are Windows, macOS, iOS/iPadOS, Android
    • Under Line-of-business app are supported the following OS (with the supported file format/extension in parentheses): Android (.apk), iOS (.ipa), macOS (.pkg), Windows (.msi, .appx, .appxbundle, .msix, .msixbundle)
    • Also included here are Windows app (Win32) (.intunewin) and macOS app (DMG) (.dmg containing .app). Win32 app is classified under LOB apps, but its behavior is significantly different and the documentation describes it separately (it is often recommended to use Win32 app instead of Line-of-business app)
    • We must upload the installation file, for Windows it can be up to 8 GB, for others max. 2 GB
    • Updates are performed manually by adding and deploying the update through Intune
  • Built-in apps
    • Microsoft-managed applications for Android and iOS
    • We select from the list (it includes a number of applications such as Acrobat Reader, Excel, Outlook, Jabber, Zoom, Slack)
  • Web apps
    • The entire web application (user interface, content and functionality) is located on the server and accessed through a web browser, Intune creates a link to the application
    • Web application iOS/iPadOS web clip creates a link on the Home screen, Windows web link creates a link in the Windows Start Menu
    • Web Link creates a shortcut (link) on the device screen for the specified URL
  • Apps from other Microsoft services
    • Displays or hides shortcuts to applications in the Company Portal; these are applications from Microsoft Entra ID (Azure AD) Enterprise applications (registered and assigned through Intune), Office Online (based on the assigned license) and Configuration Manager; configured in Tenant admin - Customization

Only for LOB apps do we need to add the installation file of the application. If a new version is available, we need to manually perform the update of the installation. Other applications are updated automatically (the app provider maintains updates in the respective store).

The first three types of applications will install the application on the device. The last two will only create a link (shortcut) to the web application address.

Note: Another option for installing applications on Windows or macOS is to use PowerShell or Shell scripts, which we mentioned in the previous article.

Intune - supported application types

Policies

Under applications in Intune, we have the ability to create policies for security and configuration of applications. Here we will only list the overview.

  • App protection policies - application settings for data security, for example, we can restrict copying data between applications, for Android, iOS/iPadOS, Windows Information Protection
  • App configuration policies - application settings for its operation, for Android, iOS/iPadOS
  • iOS app provisioning profiles - iOS applications contain a Provisioning profile (.mobileprovision) signed by a certificate, when the certificate expires, the application cannot be launched, we can assign a new profile
  • S mode supplemental policies - for authorizing additional applications to run on Windows 10/11 in S (Security and Performance) mode
  • Policies for Office apps - policies for Microsoft 365 Apps for Enterprise applications that access M365 services
Intune - Apps - Policy

Configuration (Features) Related to Applications

An overview of additional options, including the configuration location, related to applications.

  • Microsoft Store for Business - the integration allows syncing apps to Intune, it will be retired very soon, Tenant admin - Connectors and tokens - Microsoft Store for Business
  • Windows Enterprise Certificate - if we have Line-of-business apps signed with our own Code-signing Certificate, Tenant admin - Connectors and tokens - Windows enterprise certificate
  • Microsoft Configuration Manager - integration (connector) with Configuration Manager, Tenant admin - Connectors and tokens - Microsoft Endpoint Configuration Manager
  • Apple Business Manager location tokens - use of volume licenses for iOS/iPadOS, Location Tokens are known as Volume Purchase Program (VPP) Tokens, Tenant admin - Connectors and tokens - Apple VPP Tokens
  • Managed Google Play - Google Enterprise App Store is the only source of apps for Android Enterprise, Tenant admin - Connectors and tokens - Managed Google Play

Installing Applications

Application management can be found in a dedicated section.

  • Microsoft Endpoint Manager admin center - Apps
Intune - Apps - Overview

Managing Application Categories

For better overview, we can categorize applications into one or more categories. The default categories cannot be changed, but we can add our own. The category name can only be entered in one language.

  • Microsoft Endpoint Manager admin center - Apps - App categories

Adding an Application - Add app

We can add (and manage) an application in

  • Microsoft Endpoint Manager admin center - Apps - All apps

When adding a new application (Add), we first choose the application type (App type), which we confirm with the Select button. The details of the settings vary depending on the application type. There are always two main steps here.

Intune - Apps - Add app - Select type

In the App information step, we select the app from the store, upload the installation file or enter the URL, and set a variety of information about the app. In some cases, the basic information is pre-filled, but often we have to fill it in manually.

Items to be filled in include the name (must be unique), description, publisher and category, plus links to an information page and to the privacy statement (Privacy). We can (sometimes must) upload a logo (icon) for the application. Much of this information could be retrieved from the installation file or store, but in practice it seems to work only for the Microsoft Store (without the icon) and the iOS/iPadOS App Store.

Intune - Apps - Add app - App information

In the Assignments step, we configure the assignment of the application to a group of users or devices. We can set this when adding the application or later. We'll discuss this in the next chapter.

The final step is always Review + create, where we can review the settings and click Create to create the application.

Assigning an Application (Installation) - Assignments

After adding an application to Intune, the next step towards installing it is its assignment to a group of users or devices. Microsoft repeatedly states that we can deploy applications to devices that are not enrolled in Intune. However, this is very limited: it is only available for certain application types (not for Windows) and it only means that the application is offered for installation in the Company Portal.

Assignment can be of several types (deployment intents):

  • Required - a required (mandatory) assignment automatically installs the application on the enrolled device; on some platforms the user may have to confirm the installation
  • Available for enrolled devices - the application is offered in the Company Portal and users can optionally install it; for this assignment we can normally use only user groups (only Win32 apps can also be assigned to a device group; in my tests it also worked for Microsoft Store apps)
  • Available with or without enrollment - the application is offered in the Company Portal and users can optionally install it, without requiring the device to be enrolled in Intune
  • Uninstall - the application is uninstalled from the managed device, provided Intune previously installed it (through a Required or Available for enrolled devices assignment of the same app)
Intune - Apps - Add app - Assignments

Note: For some types of applications, we can only use certain types of assignments. For example, Microsoft Store app (legacy) only supports Available for enrolled devices, macOS line-of-business app supports Required and Available for enrolled devices, macOS apps (DMG) supports Required and Uninstall.

Application assignment configuration process

  • Microsoft Endpoint Manager admin center - Apps - All apps
  • Select the application - Properties
  • In the Assignments section, choose Edit
  • Add a group (Add group) of users or devices under the required assignment type; we can use the pre-prepared groups All users and All devices; by default the group is Included, but we can switch it to Excluded
  • Save the changes with Review + save

Depending on the type of application, we can set additional parameters when assigning. Such as Filter, End user notifications, Availability, Installation deadline, Restart grace period. Additionally, there may be VPN, Uninstall on device removal, Install as removable.

End user notifications offers the following options

  • Show all toast notifications
  • Show toast notifications for computer restarts
  • Hide all toast notifications

Application Availability

The options for setting the availability (installation time) of the application are interesting. For certain application types we can set App availability, the time from which the application content starts downloading and caching on the client or appears in the Company Portal, and App installation deadline, the time by which the installation must happen. We can also set a Restart grace period, which warns the user about a pending restart for the specified time and lets the user postpone it.

Uninstalling an Application

An application that we previously installed on a user's device through Intune can be uninstalled by changing the assignment to the Uninstall type. For some application types uninstallation is not supported (for example a macOS line-of-business app that was not installed as managed).

  • Microsoft Endpoint Manager admin center - Apps - All apps
  • Select the application - Properties
  • In the Assignments section, choose Edit
  • If the user/computer is a member of the group assigned for installation (Required), we must first remove it
  • Add the group for uninstallation (Uninstall)
  • Save the changes with Review + save

Updating Applications

Store Apps

Store apps that we have installed on devices using the Required assignment, or that users have installed themselves with the Available for enrolled devices assignment, automatically update (unless it is prohibited by a policy/setting, such as Turn off Automatic Download and Install of updates).

Line-of-Business Apps

Line-of-business apps are manually updated by uploading the new version of the installation file. The updates are automatically installed on user devices where the application is installed. No user intervention is required (or possible).

  • Microsoft Endpoint Manager admin center - Apps - All apps
  • Select the application - Properties
  • In the App information section, choose Edit
  • Click on the installation file next to Select file to update and upload the new version
  • Save the changes with Review + save
  • Verify that the application version has changed

Some MSI applications update themselves. To avoid Intune repeatedly reinstalling the version it uploaded over a newer self-updated one, we can tell it to ignore the version check: in the app information, set Ignore app version to Yes.

For Intune to deploy a new version of a (Windows) APPX file, the Version value in the AppxManifest.xml must be increased. Similarly, for a (macOS) PKG file, the CFBundleShortVersionString value must be increased.

Windows App (Win32)

For Win32 apps, we can use Supersedence (replacement). This involves setting one or more (max 10) Supersedence relationships, which describe the update or replacement of an existing Win32 app with a new version (or a different app). We can only replace an app that has no dependencies.

Monitoring Applications

For applications added to Intune, we can monitor their properties and assignment status. The data is visible when expanding the application (Overview). Unfortunately, it is displayed with a significant delay.

  • Microsoft Endpoint Manager admin center - Apps - All apps - selected application

More details can be viewed in the Device install status or User install status sections. In case of deployment failure, at least a brief error message is displayed here.

Intune - Apps - Device install status

We can also take an overall look at Apps - Monitor - App install status.

Discovered Apps

On corporate devices, Intune collects information about installed applications - Discovered apps. It collects information about all applications, whether they are managed by Intune or not. The report is refreshed every seven days, counted from the device's enrollment; for Win32 apps, the Intune Management Extension collects the inventory every 24 hours. We can see the discovered applications (software inventory) in the summary view or in the device detail.

  • Microsoft Endpoint Manager admin center - Apps - Monitor - Discovered apps
Intune - Apps - Device install status

Deploying Selected Application Types

Windows 10/11 Applications

We can install modern applications, which are Universal Windows Platform (UWP) apps, as well as classic (desktop) Win32 applications. UWP applications use the Windows app package format .appx, or more recently .msix. Classic Win32 applications typically come as .msi (Windows Installer) or .exe installers, and a desktop application can also be packaged as .msix.

We can install the application (depending on its type) in one of two contexts (App install context / Install behavior):

  • User Context - the application will be installed for the logged-in user, deployment in the user context
  • Device Context (System) - the application will be installed directly on the device for all users, deployment in the device context, only Required assignment is supported

For Win32 applications created as Dual Mode, we must select the context for all assignments to the given application instance. The User Mode and Machine Mode applications will be set automatically. After creation, it is not possible to change the context. Only for modern applications can we later change the context.

Microsoft Store Apps

Microsoft Store app (legacy) is an old method of deploying applications from the Microsoft Store, it is recommended to use the latest method Microsoft Store app (new).

The Microsoft Store (new) supports UWP applications, desktop applications packaged in .msix, and also recently Win32 applications packaged in .exe or .msi installers. After deploying an application from the Microsoft Store, Intune automatically keeps it updated to the latest version. The device must have access to the Microsoft Store.

We can use the Required, Available for enrolled devices, and Uninstall assignments. The Intune Management Extension is used for application deployment.

For the deployment of applications from the Microsoft Store to work correctly, the Store must not be blocked by Group Policy (see Store group policies restrictions).

Intune - Apps - Add app - Microsoft Store app (new)

Note: The Intune Management Extension is also required for running scripts. If the conditions are met, the Intune Management Extension agent is installed automatically on the device at the moment a PowerShell script or a Win32 application is assigned to a user or device.

Windows Line of Business (LOB) App vs. Win32 App

For deploying custom applications on Windows, we have two options, we can choose the Line-of-business app or Windows app (Win32) type.

For the LOB app, we can use a single file in the format .msi, .appx, .appxbundle, .msix, .msixbundle. We cannot use MSI together with an MST transformation file. It has limited capabilities and we cannot use a number of advanced features. In the settings, we can specify certain command line arguments, but if more options are needed, it is recommended to use the Win32 App.

We can use the Required, Available for enrolled devices, and Uninstall assignments. The built-in MDM client (agent) in Windows 10/11 is used for application deployment.

Intune - Apps - Add app - Assignments

The Win32 App offers more options for controlling the application deployment. It supports both 32-bit and 64-bit architectures. The Microsoft Win32 Content Prep Tool is used to pre-process the classic (Win32) application. This tool converts the application installation files (there can be multiple) into the .intunewin format. It also supports EXE files. It allows setting advanced parameters such as Requirements, Detection methods, Dependencies, and Supersedence.

We can use the Required, Available for enrolled devices, and Uninstall assignments. The Intune Management Extension is used for application deployment.

Signing Windows LOB Applications

Applications in the .msix or .appx packaging format must be digitally signed, and the device must trust the signing certificate, for them to be installable on Windows. If we create our own installer, we can sign it with a code-signing certificate from a public certification authority. We can also use our own CA, in which case we must upload its certificate to Intune as a Windows enterprise certificate. Signing itself is done with the SignTool command-line tool (Sign an app package using SignTool).

Modern applications (Windows Store apps) can normally only be installed from the Microsoft Store. Allowing the installation of an application that is not certified in the Microsoft Store is called Sideloading. To allow the installation of trusted applications on Windows 10/11, we must enable the Group Policy Allow all trusted apps to install.

Win32 App

Win32 applications use the Intune Management Extension. Microsoft recommends that if we are using a Win32 app, we should not combine it with Line-of-business apps (especially for Autopilot enrollment).

We can only add Win32 applications to Intune in the .intunewin format. So we must first prepare the application using the Content Prep Tool (IntuneWinAppUtil.exe). The tool zips all files and subfolders in the application's installation directory (so we should not store the Content Prep Tool in the installation folder). It also detects certain attributes that Intune needs to determine the application's installation status.

We can run the Content Prep Tool without parameters, then it prompts for the required parameters step-by-step. Or we can run it with parameters, where we can specify the installation folder, installation file (setup.exe, etc.), and output folder.

IntuneWinAppUtil.exe -c d:\Source\ -s setup.exe -o d:\Intune-apps

The application installer can be in various formats, most often EXE or MSI, and it should support silent (unattended) installation. When adding the application, we must specify the installation and uninstallation commands. We can either enter the complete command in Intune or create install.cmd and uninstall.cmd files in the application directory and reference those.

For example, we can install Adobe Acrobat Reader directly from the EXE or unpack it. Inside, there is AcroRead.msi and other files (one of them is an update to the current version AcroRdrDCUpd2300120064.msp). We can also use the Acrobat Customization Wizard to create a customized installation (MST file). The installation can then be performed using

msiexec /i "AcroRead.msi" ALLUSERS=1 /qn TRANSFORMS="AcroRead.mst" /norestart

The uninstallation can be performed using

msiexec /x "AcroRead.msi" /q

It is useful to find the MSI Product Code, which we can use for uninstallation but also for application detection. We can search the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ (64-bit applications) and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ (32-bit applications on 64-bit Windows); the subkey name of an MSI-installed application is its product code. For the current Acrobat Reader, we find {AC76BA86-7AD7-1033-7B44-AC0F074E4100}. Or on the web, e.g. Adobe Reader Silent Uninstall Strings (Master List). The uninstallation can then be

msiexec /x {AC76BA86-7AD7-1033-7B44-AC0F074E4100} /qn
Intune - Apps - Add app - Win32 - App Information

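The packaging steps above (install.cmd / uninstall.cmd next to the installer, then the Content Prep Tool) as one PowerShell script. This is an added example, not code from the original article or from Microsoft; the folder paths, the MST file name AcroRead.mst and the download location of IntuneWinAppUtil.exe are placeholders for your own environment. The -q switch is the tool's quiet mode.

```powershell
# Added example (not from the original article): build an .intunewin package for Acrobat Reader
# from the unpacked installer, generating install.cmd and uninstall.cmd first.
# Assumptions (placeholders): IntuneWinAppUtil.exe is at $ToolPath; the unpacked installer
# (AcroRead.msi, the AcroRead.mst transform, the .msp update) sits in $Source.
param(
    [string]$Source      = 'D:\Source\AcrobatReader',
    [string]$Output      = 'D:\Intune-apps',
    [string]$ToolPath    = 'D:\Tools\IntuneWinAppUtil.exe',
    [string]$ProductCode = '{AC76BA86-7AD7-1033-7B44-AC0F074E4100}'   # product code quoted in the article
)

$ErrorActionPreference = 'Stop'

# The tool zips everything under $Source, so refuse to run if the tool itself lives inside it.
$toolFull   = (Resolve-Path $ToolPath).Path
$sourceFull = (Resolve-Path $Source).Path
if ($toolFull.StartsWith($sourceFull, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw 'Move IntuneWinAppUtil.exe out of the source folder; it would be packaged too.'
}
if (-not (Test-Path (Join-Path $Source 'AcroRead.msi'))) { throw "AcroRead.msi not found in $Source" }

# install.cmd: the msiexec line from the article. %~dp0 resolves to the folder IME extracts
# the package into, so no absolute paths are baked in. The exit code (0, 3010 = reboot
# required, 1603 = fatal error) is passed back to Intune unchanged.
@'
@echo off
msiexec /i "%~dp0AcroRead.msi" ALLUSERS=1 /qn TRANSFORMS="%~dp0AcroRead.mst" /norestart
exit /b %ERRORLEVEL%
'@ | Set-Content -Path (Join-Path $Source 'install.cmd') -Encoding ASCII

# uninstall.cmd: uninstall by product code, so it works even if the original MSI is gone.
@"
@echo off
msiexec /x $ProductCode /qn /norestart
exit /b %ERRORLEVEL%
"@ | Set-Content -Path (Join-Path $Source 'uninstall.cmd') -Encoding ASCII

New-Item -ItemType Directory -Path $Output -Force | Out-Null

# -c source folder, -s setup file (the name of the .intunewin follows it), -o output folder, -q quiet.
& $ToolPath -c $Source -s 'install.cmd' -o $Output -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

Get-ChildItem -Path $Output -Filter '*.intunewin' |
    Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
```

In Intune the Install command is then `install.cmd` and the Uninstall command `uninstall.cmd`, both with Install behavior set to System. Because the .cmd wrappers return msiexec's own exit code, the default return code table in the Program step (0 success, 3010 soft reboot, 1641 hard reboot) applies without changes.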
When adding a Win32 application, we define several additional steps (compared to most others). These are the steps

  • Program - we set the commands for installing and removing the application - Install command, Uninstall command, Install behavior (System / User), Device restart behavior, Specify return codes to indicate post-installation behavior
Intune - Apps - Add app - Win32 - Program
  • Requirements - we specify the requirements that the device must meet before installing the application - such as OS, HW parameters (disk, memory, CPU), additional rules checking the existence of a file, registry, script, the application is only installed if the specified conditions are met
  • Detection rules - how to determine that the application is already present on the device, we can either specify a script or define rules (MSI product code and optionally version, file, registry), Intune - Understanding Win32 App Detection Rules
Intune - Apps - Add app - Win32 - Detection rules
  • Dependencies - which dependent (Win32) applications must be installed before installing this application, the installation can be done automatically
  • Supersedence - replacing the application with a new version or a different application

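The product code lookup described earlier and the Detection rules step above both rely on the same registry data, so here is one custom detection script that serves both. It is an added example, not from the original article or from Microsoft. Intune treats a detection script as "installed" only when it exits with code 0 and writes something to STDOUT; exit 1 with no output means "not installed" and triggers the install command. The display-name pattern and minimum version are placeholders.

```powershell
# Added example (not from the original article): Intune Win32 custom detection script.
# Rule enforced by Intune: exit 0 + non-empty STDOUT => detected; anything else => not detected.
# The same registry lookup yields the MSI product code usable in the Uninstall command.
# Placeholders: $DisplayName pattern and $MinimumVersion must match the app you packaged.
param(
    [string]$DisplayName     = 'Adobe Acrobat*',   # placeholder: Acrobat Reader's uninstall entry
    [version]$MinimumVersion = '23.1.20064'        # placeholder: the version you packaged
)

function Get-InstalledApp {
    # Searches both uninstall hives: 64-bit apps, and 32-bit apps on 64-bit Windows (WOW6432Node).
    param([Parameter(Mandatory)][string]$NamePattern)

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                # For MSI-installed apps the subkey name is the product code GUID, e.g. {AC76BA86-...}
                ProductCode     = if ($_.PSChildName -match '^\{[0-9A-F-]{36}\}$') { $_.PSChildName } else { $null }
                UninstallString = $_.UninstallString
                Wow6432         = $_.PSPath -like '*WOW6432Node*'
            }
        }
}

function Test-AppInstalled {
    # Returns the newest matching entry at or above $MinVersion, or $null.
    param([string]$NamePattern, [version]$MinVersion)
    $app = Get-InstalledApp -NamePattern $NamePattern |
        Where-Object { $_.DisplayVersion -as [version] } |
        Sort-Object { [version]$_.DisplayVersion } -Descending |
        Select-Object -First 1
    if (-not $app) { return $null }
    if ([version]$app.DisplayVersion -lt $MinVersion) { return $null }
    return $app
}

$found = Test-AppInstalled -NamePattern $DisplayName -MinVersion $MinimumVersion
if ($found) {
    # STDOUT + exit 0 => detected. Keep it to one line; IME writes it to its log.
    Write-Output "Detected $($found.DisplayName) $($found.DisplayVersion) ($($found.ProductCode))"
    exit 0
}
# Nothing on STDOUT and non-zero exit => not detected, so Intune runs the install command.
exit 1
```

For a plain MSI the built-in "MSI product code" detection rule is simpler; a script like this is for EXE-based installers or when the rule must also enforce a minimum version. Because the script searches both hives, it does not matter whether Intune runs it as a 32-bit or 64-bit process.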
For troubleshooting on the client, we can look at the Intune Management Extension logs, stored in the %programdata%\Microsoft\IntuneManagementExtension\Logs folder. For viewing, we can use the Configuration Manager Trace Log tool (CMTrace).
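Besides CMTrace, the same logs can be read from PowerShell. The following added example (not from the original article) parses the CMTrace line format that the Intune Management Extension writes, where each entry is `<![LOG[message]LOG]!><time=... date=... component=... type=...>` and type 1/2/3 means info/warning/error. The three sample lines are constructed to match that format; their message texts and the app GUID are invented for the demo, not real IME output.

```powershell
# Added example (not from the original article): parse CMTrace-style Intune Management
# Extension log lines and filter them by severity or by app id.
# Real logs: %programdata%\Microsoft\IntuneManagementExtension\Logs\*.log
# The sample below is constructed; messages and the GUID are placeholders.
$SampleLog = @'
<![LOG[[Win32App] Processing app (id=8f1c2c2e-0000-4a1a-9a9a-000000000001, name=Acrobat Reader) with mode=Install]LOG]!><time="10:12:33.1234567" date="12-6-2025" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Detection script returned exit code 1 with no STDOUT, app not detected]LOG]!><time="10:12:34.0000000" date="12-6-2025" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
<![LOG[[Win32App] Installer exited with code 1603 for app 8f1c2c2e-0000-4a1a-9a9a-000000000001]LOG]!><time="10:14:01.5550000" date="12-6-2025" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
'@

function ConvertFrom-CMTraceLog {
    # Turns each <![LOG[...]LOG]!><...> line into an object. type: 1=Info, 2=Warning, 3=Error.
    # Multi-line entries (message containing newlines) are not joined here; read them in CMTrace.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Time      = "$($Matches.date) $($Matches.time)"
                Component = $Matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-ImeEvents {
    param(
        [string[]]$Lines,
        [string]$AppId,          # restrict to one app id (GUID) when given
        [switch]$ErrorsOnly
    )
    $Lines | ConvertFrom-CMTraceLog |
        Where-Object { -not $AppId -or $_.Message -like "*$AppId*" } |
        Where-Object { -not $ErrorsOnly -or $_.Severity -eq 'Error' }
}

# Offline demo on the constructed lines.
$lines = $SampleLog -split "`r?`n" | Where-Object { $_ }
Get-ImeEvents -Lines $lines -ErrorsOnly | Format-Table Time, Severity, Message -AutoSize
Get-ImeEvents -Lines $lines -AppId '8f1c2c2e-0000-4a1a-9a9a-000000000001' | Format-Table Time, Severity, Message -Wrap

# On a client, the same against the live log (last 2000 lines):
# Get-Content "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Tail 2000 |
#     ConvertFrom-CMTraceLog | Where-Object Severity -eq 'Error'
```

The app id to filter on is the GUID shown in the URL of the app in the admin center; the installer exit code in the Error entry (1603 is Windows Installer's generic "fatal error during installation") is usually the fastest clue to why a Required deployment shows Failed.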

macOS line-of-business app (PKG)

The macOS LOB application can be at most 2 GB in size and must have a logo set. The supported format is .pkg, which must meet certain requirements: it is either a component package or a package containing multiple packages; it must not contain a bundle, a disk image or a bare .app file; and it must be signed with a Developer ID Installer certificate. We can convert DMG to PKG using the information in How to deploy DMG or APP-format apps to Intune-managed Macs.

When adding the application, we upload the PKG file. Some data may be pre-filled, but we need to fill in or correct additional information. We can use the Install as managed option only when there is a single application in the package (without nested packages). Managed applications allow uninstallation (controlled or upon removal of the MDM profile).

We can use the Required, Available for enrolled devices, and Uninstall (only for managed applications) assignments.

Intune - Apps - Add app - macOS line-of-business app

In the Included apps section, the applications that are part of the uploaded file should be displayed. The information contains the App bundle ID (CFBundleIdentifier) and the App version (CFBundleShortVersionString). These values are used to detect that the application is installed. If not all are found on the client after installation, the status is reported as Failed, even if the application is correctly installed. The first application in the list is the primary one. Microsoft states that we must remove from the list everything that is not an application or is not installed in the Applications folder on macOS.

In practice, we often encounter the problem that the installation is reported as Failed, for example even when installing the Company Portal for macOS package as a macOS LOB app (the Install Company Portal for macOS guide). Microsoft has a guide for the solution as well, Error 0x87D13BA2 when you deploy a macOS LOB app: install the application, then list the installed applications and compare them with the ones in Included apps (remove everything that is not on the computer). The comparison is quite tedious.

When we add CompanyPortal-Installer.pkg, 17 applications appear in Included apps. However, there should be only two: com.microsoft.CompanyPortalMac and com.microsoft.autoupdate2. We can open the PKG file, for example with 7-Zip, and see that it contains CompanyPortal-Component.pkg and Office16_all_autoupdate.pkg. For each component package we can view its PackageInfo file, which lists our application together with the helper components (bundles) that Intune identified as applications. This makes it easier to identify what to leave in Included apps.

macOS app (DMG)

A DMG application is a disk image (Apple Disk Image) file that contains one or more applications. The .dmg file must contain one or more .app files. The size must be less than 2 GB. We can use the Required and Uninstall assignments.

For installing DMG applications, the Microsoft Intune management agent for macOS is required. The Intune management agent is automatically installed on the client when a Shell script is assigned to the user or device.

When adding the application, we upload the DMG file. Some information in the App information step may be pre-filled, but we need to fill in or correct additional information. In the Requirements step, we must select the minimum OS version.

Intune - Apps - Add app - macOS app (DMG)

The mandatory Detection rules step, where we determine how to detect that the application is installed (the application is only installed if it is not yet on the device), is more complex. Ignore app version determines whether to look for only the App bundle ID (choose this if the application updates itself) or also check the App version (if it's different, the installation is performed). This setting is also used for uninstallation.

In the Included apps section, we must enter at least one application that is part of the uploaded file. We enter the App bundle ID (CFBundleIdentifier) and the App version (CFBundleShortVersionString), which are used to detect the installation status of the application. Only applications that are installed (uploaded file) into the Applications folder should be included.

Intune - Apps - Add app - macOS app (DMG) - Detection rules

We can find the information by installing the application on a macOS computer. And then view the information from the uploaded application. Example for the FortiClient application.

defaults read /Applications/FortiClient.app/Contents/Info CFBundleIdentifier 
com.fortinet.FortiClient

defaults read /Applications/FortiClient.app/Contents/Info CFBundleShortVersionString
7.0.6.0208

We can also open the DMG file, for example using 7-Zip, and view the information in the <app_name>.app/Contents/Info.plist file.
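The Included apps comparison for the PKG case and the two `defaults read` commands for the DMG case both come down to reading CFBundleIdentifier and CFBundleShortVersionString from each installed bundle. The following added example (not from the original article, not from Microsoft) does that for every .app under /Applications with PowerShell (pwsh) running on the Mac itself, using the built-in plutil to convert binary Info.plist files to XML, and then reports which bundle IDs from an Included apps list are absent. The $Expected list is assumed from the Company Portal example above.

```powershell
# Added example (not from the original article): inventory /Applications on a Mac and emit the
# CFBundleIdentifier / CFBundleShortVersionString pairs that Intune's Included apps list expects,
# then flag Included apps entries that are not actually installed (those cause the Failed status).
# Assumptions: run with pwsh on macOS; plutil is the macOS-built-in plist tool; $Expected holds
# the bundle IDs you listed in Included apps (here the two from the Company Portal example).
param(
    [string]$AppsFolder = '/Applications',
    [string[]]$Expected = @('com.microsoft.CompanyPortalMac', 'com.microsoft.autoupdate2')
)

function Get-BundleInfo {
    # Returns BundleId / Version / Path for one .app bundle, or $null if it has no Info.plist.
    param([Parameter(Mandatory)][string]$AppPath)
    $plist = Join-Path $AppPath 'Contents/Info.plist'
    if (-not (Test-Path $plist)) { return $null }
    # "plutil -convert xml1 -o - file" writes the XML form to stdout without touching the file,
    # so binary plists are handled as well.
    [xml]$xml = & plutil -convert xml1 -o - $plist
    $dict = $xml.plist.dict
    # A plist <dict> is a flat sequence of <key> elements each followed by its value element;
    # pair them up by position.
    $keys   = @($dict.key)
    $values = @($dict.ChildNodes | Where-Object { $_.Name -ne 'key' })
    $map = @{}
    for ($i = 0; $i -lt $keys.Count -and $i -lt $values.Count; $i++) { $map[$keys[$i]] = $values[$i].InnerText }
    [pscustomobject]@{
        BundleId = $map['CFBundleIdentifier']
        Version  = $map['CFBundleShortVersionString']
        Path     = $AppPath
    }
}

function Get-InstalledBundles {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Filter '*.app' -Directory |
        ForEach-Object { Get-BundleInfo -AppPath $_.FullName } |
        Where-Object { $_ }
}

$installed = Get-InstalledBundles -Folder $AppsFolder
$installed | Sort-Object BundleId | Format-Table BundleId, Version, Path -AutoSize

# Anything Intune lists under Included apps but the Mac does not have in /Applications must be
# removed from the list, otherwise the deployment is reported as Failed even though it installed.
$missing = $Expected | Where-Object { $_ -notin $installed.BundleId }
if ($missing) { "Listed in Included apps but not installed: $($missing -join ', ')" }
else { 'All expected bundle IDs are present in /Applications.' }
```

Run it after installing the package manually on a test Mac; the BundleId / Version columns are exactly the two values to enter (or keep) in Included apps and in the DMG Detection rules step. Apps installed per-user under ~/Applications are not scanned, which matches Intune's requirement that included apps live in the system Applications folder.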

When the Intune management agent is not yet installed on the macOS device, the installation will probably fail with the error:

This DMG file is not supported. Check the prerequisites for deploying a DMG file. (0x87D30143)

Scripts for Installing Applications

We can also install applications using a script. Microsoft recommends this in some cases, for example, Install Company Portal for macOS by using a macOS Shell Script. Various examples are available in the Intune macOS Shell Script Samples, such as Company Portal or Rosetta 2.
