As part of the modernisation of device management, one of the first steps is obviously the selection, implementation, and enrolment of devices into a Mobile Device Management (MDM) solution. I’ve covered – and will continue to cover – this in other posts, so now I’ll talk about the next obvious process: making apps available to your managed devices. Now, just to set expectations, while there are a variety of awesome MDMs from a number of different providers, I will be focussing on Microsoft Endpoint Manager (MEM, also known as Intune), as this is one of the more popular environments for Windows PCs that also happens to cater for macOS, iOS, and Android. Other MDMs should offer similar options, so you can still follow along.
Ultimately, Intune app types fall under six main headings, and these are Store apps, Microsoft 365 Apps, Microsoft Edge, Microsoft Defender for Endpoint, Web Applications, and the strange Others category that actually hosts some of the more useful options. At the time of writing, MEM supports the following app types (for all platforms):
Store apps
- Android store app – This app type allows you to use existing Android app store links to provide self-service and required deployment options to enrolled devices, as well as available options for any device using Company Portal (including unenrolled). To get started, go to the Google Play Store to find the apps that you need for Android devices, create a new app of this type, and paste the Google Play Store URL into App information. As soon as you complete the rest of the App information fields, you can quickly assign this to your users and devices. Find out more here.
- Managed Google Play app – This app type is Google’s enterprise app store and represents the sole source of applications for Android Enterprise in Intune. Admins can leverage this service to deploy and update public apps, private (Line of Business) apps, and private web links. Apps are found using a built-in search tool that helps you complete the required App information fields. Find out more here.
- iOS store app – This app type, like the Android and Windows apps, allows you to quickly identify an app from the App Store, and publish the app to your users and devices (including unenrolled devices). Unlike the Android store app type, however, it has a built-in app search that makes finding and selecting the required app much easier and fills in most of the App information fields for you automatically. Additionally, this app type lets you make the app available, required, and even has an option for a required uninstall. Find out more here.
- Microsoft Store app – These are online links to Microsoft Store apps and can only be made available for users to optionally install on enrolled devices. This option also currently supports the deployment of Microsoft Store for Business/Education apps; however, that Store has had its End of Life (EOL) announced as first quarter 2023, so we won’t really be covering this as an available option at this late stage. Importantly, however, if you want to perform a required installation of a Store app – such as the Company Portal app – signing up and using the Windows Store for Business/Enterprise is currently the only supported method. Find out more here.
Microsoft 365 Apps
- Windows & macOS – This app type is a wizard that helps you configure and deploy Office 365 desktop applications. There are options for both Windows and macOS under this heading, but they ultimately serve the same purpose: deploying the latest version of the modern Office desktop apps, direct from the Content Distribution Network (CDN). The Windows side leverages the Click-to-Run (C2R) configuration (you can find out more here), and the macOS version relies more on the PKG format and provides less customisation (you can find out more here). Importantly, at least for the Windows side of things, the Office Deployment Tool (ODT) setup and configuration files can also be packaged up and deployed using the Windows app (Win32) option below. This tends to be more reliable for Autopilot deployments, so it is going to be my recommendation over this app type.
Microsoft Edge, version 77 and later
- Windows & macOS – This isn’t so much an app type, but rather a way to package and deploy Edge upgrades and configurations. If you are already using a modern version of Windows, you will likely not need this type, and will deploy browser configurations as a Configuration Profile instead… but you can find out more here. For macOS, this might be useful if you want a MUCH better browser installed, and you can find out more here.
Microsoft Defender for Endpoint
- macOS – This app type is a bit of a weird one. For Windows, Intune offers a separate blade in the Admin Portal that lets you create Onboarding and Offboarding packages. For macOS, I guess they don’t have the underlying Windows Defender bits so require a completely different package: I would still think this makes more sense under the Defender for Endpoint section in Intune, but here it is. Find out more here.
Web Applications
- iOS/iPadOS web clip – This app type is going to be familiar to anyone that managed iOS devices back in the day, and it’s still just as common (and useful) today. The process is simply to define a new app, copy and paste a website URL into App information, and deploy that to your enrolled devices and/or to the Company Portal for unenrolled devices: a shortcut to the web clip is added to the Home screen. Find out more here.
- Windows web links – This app type is exactly the same as the web clip described above, but only applies on the Windows platform. In most instances, you would probably be better using the Device Configuration profiles to apply browser Managed Links and reduce the clutter associated with web links. But, you can find out more here.
Others
- Web link – I’m not sure why this app type isn’t part of the Web applications section above, because it does pretty much the same thing: it allows you to define a new app entry, enter a valid URL in the App information, and deploy it to device home screens. Find out more here.
- Built-in app – This app type has a weird name, because it isn’t about managing built-in apps at all. The built-in app type, instead, just makes it easier for admins to deploy a set of managed apps, such as Microsoft 365 apps and third-party apps, to iOS/iPadOS and Android devices. You can assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and others… but I’m not sure how this differs from the Android and iOS store app types. Find out more here.
- Line-of-business app – Line of Business applications, or LOBs, are custom application packages. These are single file apps and are typically supplied as simple packages using: Microsoft Installer package files (MSI), Android packages (APK), iOS applications (IPA), macOS packages (.pkg), or through modern apps (UWP, APPX, APPX Bundles, MSIX). In most cases, if you can, it’s usually better to leverage the store apps for iOS and Android, or the Windows app (Win32) or macOS app (DMG) options instead. Find out more here.
- Windows app (Win32) – Probably the most powerful and flexible option on the list, this app type can execute command lines for scripts, executable files, Microsoft Installers (MSI), and more. The trick is, you need to compress the contents of your application into a single file – with the intunewin extension – using the Microsoft Win32 Content Prep Tool. Find out more here, or watch for Part 2 of this blog where I dive into the Content Prep Tool with examples.
- macOS app (DMG) – This app type allows you to place macOS app files (*.app) and other content into a macOS disk image (DMG) and deploy this to your devices. Find out more here.
- Windows Package Manager – This option has been discussed but has no public preview options available as of the time of writing. More than likely, this will appear as an option within the above “Microsoft Store app” section as a replacement to the Windows Store for Business/Education, and will integrate public – and apparently private – Windows Package Manager repositories with Intune to automate the installation. This is pretty exciting, but we’ll need to wait for more information.
So, what do I use for Windows apps?
If you’ve made it this far, and are thinking that the Windows app (Win32) app type seems like the most flexible option for Windows app deployment, then I would completely agree with you… for now. I’ve had a play with the early versions of the Windows Package Manager, and I’m fairly happy with the progress being made in that area, and especially with the large number of apps that are already available (it’s infinitely better than the old Store). Sure, I wish the WinGet commands and the output they produce were more useful and able to be scripted in PowerShell, but I’m positive that is in the works. I’ve also been reliably informed that organisations (and schools) will be able to define their own repository for the Windows Package Manager, and they can pull their own apps through Intune after a bit of packaging and code signing (that will be documented, eventually). But yes, for right now, the Windows app (Win32) app type is going to be the most likely way readers head, especially as the Store app option doesn’t allow Required deployments unless you use the outgoing Windows Store for Business/Education.
It’s not… entirely that straightforward though. Because this is Microsoft we’re talking about, there are of course a number of caveats, limitations, and licensing requirements to also consider. For Defender for Endpoint, there are macOS and Windows M365 licensing requirements, but that’s an entirely different post. For selecting a deployment type for Windows apps though… it gets a little trickier. The good news is, if you are willing to ignore HoloLens, Surface Hub, Mobile, WCOS, and S-Mode (including SE devices) from the table, and also forget about the outgoing Microsoft Store for Business/Education, it becomes a lot simpler to explain the licensing and prerequisites for Windows app deployment: all the Windows-centric app types above work, except that Home versions of Windows lose the ability to use MSI, IntuneWin, Office C2R and Microsoft Edge packages… so they are pretty much just limited to Line of Business apps, user-driven Store links and web links (i.e. pretty much pointless). Hopefully, if you’ve bought a device with Home installed, and you’re looking to deploy apps via Intune, you’re also covered by an agreement that allows you to change the edition to Pro so that you unlock all of the app types.
Join me in Part 2, where I dive into the Win32 Content Prep Tool and describe how we make the Win32 app type work.