An organization with many apps can become overwhelming for users. To help users find an app in the company portal, you can assign apps to one or more categories, such as Accounting apps or Marketing apps. When adding apps, you can assign a category in Intune using the following procedure:
Sign in to the Microsoft Intune admin center as a Global Administrator.
Select Apps, then select App categories.
The App categories pane displays a list of current categories.
To add a category, select Add in the Create category pane, and then provide a name for the category.
To edit a category, select the ellipsis (…) next to the category, and then select Pin to dashboard or Delete.
Select Create.
Add Android store apps to Microsoft Intune
Use the following procedure to add an Android store app to Intune:
Sign in to the Microsoft Intune admin center as a Global Administrator.
Select Apps > All apps > Add.
In the Select app type pane, under Store app, select Android store app.
Click Select.
To configure the app information for the Android app, you must provide the Google Play store’s app details. (The Google Play store is located at https://play.google.com.)
In the App information page, add the app details, as shown in Figure 4-18:
• Name
• Description
• Publisher
• Appstore URL
• Minimum operating system
• Category (Optional)
• Show this as a featured app in the Company Portal
• Information URL (Optional)
• Privacy URL (Optional)
• Developer (Optional)
• Owner (Optional)
• Notes (Optional)
• Logo (Optional)
FIGURE 4-18 Adding a Windows 10 Line-of-business app
Select Next.
On the Assignments page, select the group assignments for the app and select Next.
On the Review + create page, review the values and settings you entered for the app and select Create to add the app to Intune.
Use this procedure in Intune to create Cloud Policy for Office applications that access Microsoft 365 services:
Sign in to the Microsoft Intune admin center as a Global Administrator.
Select Apps > Policies for Office apps > Create.
If this is your first time creating a cloud policy configuration, you will see the Create button in the center of the pane. Otherwise, the Create button is on the menu bar.
On the Start with the basics page, provide a name and description for the policy configuration, then select Next.
On the Choose the scope page, choose the scope for the policy. This can apply to a specific group of users or users who access documents anonymously using Office on the web. If you choose the first option, you need to select the group and then select Next.
On the Configure Settings page, select the policy or policies you want to include in the policy configuration, as shown in Figure 4-17, and select Apply.
FIGURE 4-17 Configure Cloud Policy using Intune
You can configure additional policies by selecting additional policies on the Configure Settings page. Once complete, select Next.
On the Review configuration and create page, review your selections and then select Create to create the policy configuration.
Note Use Policy Filters
When this book was written, the Cloud Policy service offered 2,206 policies relating to Office apps and multiple platforms. You can use the filter to show only the apps and platforms you want to view.
On the Policy configuration created page, you will see a success message indicating the policy configuration has been created; select Done.
On the Policy configurations page, you will see the policy configuration listed.
When a user launches a Microsoft 365 app, the Click-to-Run service used by Microsoft 365 Apps for enterprise will sync with the Cloud Policy to see if a policy configuration should be applied to the user.
Note Cloud Policy Complements Group Policy-Based Management
Cloud Policy service does not replace Group Policy management. Cloud Policy manages user-based policies for Office apps used on any device (iOS, Android, Windows) where the user signs in using Azure Active Directory. Conversely, Group Policy can manage both user-based and machine-based policies on Windows PC devices joined to an Active Directory domain.
Verify that the Administrative Templates installation is successful by viewing the new templates within Group Policy Management using the following steps.
On your domain controller, select Start > Windows Administrative Tools > Group Policy Management.
Right-click the Default Domain Policy and click Edit.
Expand the Computer Configuration\Policies\Administrative Templates Policy definitions folder.
You should see Office policies appear in the Group Policy Management console, as shown in Figure 4-14.
You can verify that Office policies also appear in the User Configuration\Policies\Administrative Templates folder.
The policies can now be configured using Group Policy. Once you have installed the Administrative Template files for Microsoft Office, you can manage Microsoft Office settings with Group Policy. Group Policy allows you to control thousands of settings by configuring Group Policy Objects (GPO) in the Group Policy Management Console and then applying the GPOs to users and devices in your domain.
In the following example, we will create a new policy to enable week numbers in the Outlook calendar using the following procedure.
On your domain controller, select Start, Windows Administrative Tools, Group Policy Management.
Expand the Group Policy Management tree, right-click Group Policy Objects, and click New.
Name the new GPO User_Outlook and select OK.
Expand Group Policy Objects. Right-click User_Outlook GPO and select GPO Status. Ensure that Computer Configuration Settings is set to Disabled.
Right-click User_Outlook and click Edit.
In the Group Policy Management Editor, navigate to User Configuration\Policies\Administrative Templates to view the Microsoft Office ADMX templates you imported earlier.
Navigate to User Configuration\Administrative Templates\Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options and double-click Calendar week numbers.
Select Enabled and select OK, as shown in Figure 4-15.
FIGURE 4-15 Enable the Outlook week numbers Group Policy setting
Close the Group Policy Management Editor.
In Group Policy Management, right-click the Organizational Unit (OU) containing the users to which you want the GPO to apply and select Link an Existing GPO.
On the Select GPO dialog box, select the User_Outlook GPO and select OK.
The group policy is now configured and will be applied to users within the OU when they next log in to their Windows computers. By default, Group Policy refreshes in the background every 90 minutes. You can force an individual computer to update the policies by using the gpupdate /force command from an elevated command prompt. You can then start Outlook and verify that the calendar week numbers are visible, as shown in Figure 4-16.
FIGURE 4-16 Display week numbers in Outlook
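The User_Outlook procedure above can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original text: it looks up the Calendar week numbers policy in the installed ADMX/ADML files so the registry key and value name come from the templates themselves. The OU distinguished name is a placeholder, and the en-US language folder is an assumption.

```powershell
#Requires -Modules GroupPolicy
# Added example: scripted form of the User_Outlook procedure on this page.
# Assumptions: $TargetOu is a placeholder OU; the Office templates sit in
# C:\Windows\PolicyDefinitions with en-US strings, as in the copy steps on this page.
$GpoName     = 'User_Outlook'
$PolicyTitle = 'Calendar week numbers'
$TargetOu    = 'OU=Staff,DC=example,DC=com'   # placeholder, replace with your OU
$Store       = 'C:\Windows\PolicyDefinitions'

# Resolve a policy by its display name, so the registry key and value name are read
# from the installed ADMX/ADML files rather than typed in by hand.
function Find-AdmxPolicy {
    param([string]$Store, [string]$Language, [string]$Title)
    foreach ($adml in Get-ChildItem -LiteralPath (Join-Path $Store $Language) -Filter *.adml -File) {
        $res = New-Object System.Xml.XmlDocument
        $res.Load($adml.FullName)
        # String ids whose text equals the policy title shown in the editor.
        $ids = @($res.SelectNodes("//*[local-name()='string']") |
                 Where-Object { $_.InnerText -eq $Title } |
                 ForEach-Object { $_.GetAttribute('id') })
        if ($ids.Count -eq 0) { continue }
        $admxPath = Join-Path $Store ($adml.BaseName + '.admx')
        if (-not (Test-Path -LiteralPath $admxPath)) { continue }
        $admx = New-Object System.Xml.XmlDocument
        $admx.Load($admxPath)
        foreach ($p in $admx.SelectNodes("//*[local-name()='policy']")) {
            # displayName has the form $(string.<id>)
            $id = $p.GetAttribute('displayName') -replace '^\$\(string\.(.+)\)$', '$1'
            if (($ids -contains $id) -and ($p.GetAttribute('class') -in @('User', 'Both'))) { return $p }
        }
    }
}

$policy = Find-AdmxPolicy -Store $Store -Language 'en-US' -Title $PolicyTitle
if (-not $policy) { throw "No user policy titled '$PolicyTitle' found in $Store. Are the Office templates installed?" }

$valueName = $policy.GetAttribute('valueName')
if (-not $valueName) { throw 'This policy has no single valueName; configure it in the editor instead.' }
$key = 'HKCU\' + $policy.GetAttribute('key')

# ADMX semantics: Enabled writes <enabledValue> when present, otherwise DWORD 1.
$enabledValue = $policy.SelectSingleNode("*[local-name()='enabledValue']")
$decimal      = $policy.SelectSingleNode("*[local-name()='enabledValue']/*[local-name()='decimal']")
if ($enabledValue -and -not $decimal) { throw 'Only DWORD policies are handled by this example.' }
$enabled = if ($decimal) { [int]$decimal.GetAttribute('value') } else { 1 }

# Create the GPO only if it is missing, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$gpo.GpoStatus = 'ComputerSettingsDisabled'   # the GPO carries user settings only

Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName -Type DWord -Value $enabled | Out-Null

# Link the GPO to the OU unless a link already exists.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what was written so it can be compared with the setting in the editor.
Get-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName
```

Run it from an elevated session on a machine with the Group Policy management tools, then use gpupdate /force on a client as described above.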
Note Microsoft 365 Apps ADMX/ADML Templates
The Group Policy settings you configure for Microsoft 365 Apps are included in the Administrative Template files (ADMX/ADML) for Microsoft 365 Apps. You configure the Microsoft 365 Apps settings using the Microsoft Office 2016 settings in Group Policy.
To add a Microsoft 365 suite app to Windows devices, use the following procedure:
In the Microsoft Intune Manager admin center, select Apps, and then select All Apps.
Select Add, and then on the Select app type blade, in the App type list, under the Other heading, select Line-of-business app, and click Select.
On the Add App blade, select the Select app package file link.
On the Add package file blade displayed in Figure 4-12, browse for and select a line of business app. This can include Android (.apk), iOS (.ipa), macOS (.intunemac), and Windows (.msi, .appx, .appxbundle, .msix, and .msixbundle) app files.
FIGURE 4-12 Adding a Windows 10 Line-of-business app
Select OK.
On the App tab, enter the following information:
• Name (required)
• Description (required)
• Publisher (required)
• App install context (User or Device)
• Ignore app version
• Command-line arguments (for installation purposes)
• Category (Business, Productivity, Photos & Media, and so on)
• Show this as a featured app in the Company Portal (set the toggle to Yes or No)
• Information URL, Privacy URL, Developer, Owner, Notes, and a Logo image
Select Next, and assign the app using the previously described procedure on the Assignments tab.
Select Next, and then select Create.
Need More Review? Add Apps to Microsoft Intune
To review further details about using Intune to assign apps, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/apps/apps-add.
Gather Microsoft 365 Apps readiness data
Before deploying Microsoft 365 Apps to your users’ devices, you must ensure the devices are ready for those apps. Before deploying Office apps, you should verify that your users’ devices support the current version. Also, there might be compatibility issues with older versions of Office documents and newer versions of the apps.
Many organizations use Office add-ins such as Microsoft Visual Basic for Applications (VBA) macros to help automate Office-based tasks. These add-ins might not be compatible with Microsoft 365 Apps. To help you identify potential add-in compatibility issues within your organization, you can use the Readiness Toolkit to assess your organization’s readiness for Microsoft 365 Apps.
Most recently used Office documents and installed add-ins on this computer
Scans Office documents in the user’s list of most recently used files. Also looks for any Add-Ins for Office that are installed. Report type: VBA and Add-In.
Office documents in a local folder or network share
Scans the Office documents in the folder or network share that you specify. Report type: VBA only. Does not scan for Add-Ins.
Previous readiness results saved in a local folder or network share
Enables you to create a consolidated report comprised of individual readiness results from multiple computers. Useful for departmental analysis. Report type: Configurable depending on what you previously scanned for.
Add-in data from the Office Telemetry dashboard
Scans data from the Office Telemetry dashboard. Report type: Add-In only.
Need More Review? Telemetry Dashboard Topology, Sizing, and Bandwidth Planning
You can then choose either a basic or an advanced report. Advanced reports are recommended because they provide more complete information on which to base your decisions. The Readiness Report Creator tool generates an Excel spreadsheet comprised of several worksheets. Each worksheet contains information about different aspects of your existing devices’ compatibility.
Depending on the report type, the following worksheets are available:
VBA Overview
VBA Summary
VBA Results
VBA Remediation
VBA References
Add-In Summary
Add-In Details
By Computer Name
Need More Review? Use The Readiness Toolkit to Assess Application Compatibility for Microsoft 365 Apps
You can also use Intune to deploy Microsoft 365 Apps to your enrolled devices. To add a Microsoft 365 suite app to Windows 10 devices, use the following procedure:
In the Microsoft Intune admin center, select Apps, and then under By Platform, select Windows.
On the Windows apps blade, select Add.
On the Select app type blade, in the App type list, under the Microsoft 365 Apps heading, select Windows 10 and later, as shown in Figure 4-9, and choose Select.
FIGURE 4-9 Adding Microsoft 365 apps to Windows 10 devices
On the App suite information tab, most properties are preconfigured. However, you can feature the app in the Company Portal and add notes. Select Next.
On the Configure app suite tab, in the Select Office apps list, select the components of Office you want to deploy: Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Teams, and Word. All are selected except Skype for Business.
In the Select other Office apps (license required) list, select any additional Office products you want to deploy. For example, Project Online Desktop Client.
Next, choose the architecture (32-bit or 64-bit), the Default file format Office will use, and the Update channel, as shown in Figure 4-10. You can also remove other software versions on targeted devices and select a specific version of Microsoft 365 apps. The default is the latest version available.
FIGURE 4-10 Configuring Microsoft 365 app suite properties
There are several additional properties that you can configure, including supported languages. When you’re ready, select Next.
On the Assignments tab displayed in Figure 4-11, you can assign the suite to a group, all users, or all devices. You can require the app suite or make it available for enrolled devices. If you make an app available, you can only assign it to user groups. The available app is displayed in the Company Portal app for assigned users to install.
FIGURE 4-11 Configuring Microsoft 365 app suite assignments
Select Next, and review your choices on the Review + create tab. When you’re ready, select Create.
After creating the app, you can use the monitoring options to view the installation status for both devices and users. The process for assigning Microsoft 365 apps to macOS differs in that you cannot control which components of Office you deploy, nor can you define app suite settings, such as Update and Architecture settings.
Once you have deployed Microsoft 365 apps to your users, you might need to fine-tune the configuration or deploy policies. You can apply specific Microsoft Office app policies using Intune or Group Policy.
You will see how both solutions are implemented with specific management examples.
Configure policies for Office apps by using Group Policy
With Group Policy, you choose from hundreds of available policies that can be set locally on a Windows device or applied on Windows devices across your whole enterprise using Group Policy with the Microsoft Office administrative templates.
To manage Microsoft Office with Group Policy, you need to install the Administrative Template files for Microsoft Office, which contain the specific GPOs that allow you to configure settings for all supported versions of Microsoft Office, including Microsoft 365 apps.
The Administrative Templates (ADMX/ADML) for Microsoft Office and Microsoft 365 are not installed by default, so you first need to download the latest Administrative Template files from https://www.microsoft.com/en-us/download/details.aspx?id=49030. The Administrative Templates files define the available Group Policy settings.
The Group Policy Administrative Template is supported by Windows 8.1 and later and works with the following Office programs:
Microsoft 365 Apps for enterprise.
Desktop versions of Project and Visio (subscription plans only).
Volume licensed versions of Office LTSC 2021, Project 2021, and Visio LTSC 2021 (such as Office LTSC Professional Plus 2021, Project Standard 2021, and Visio LTSC Professional 2021).
Volume licensed versions of Office 2019, Project 2019, and Visio 2019 (such as Office Standard 2019 and Visio Professional 2019).
Volume-licensed versions of Office 2016, Project 2016, and Visio 2016 (such as Office Professional Plus 2016 and Project Standard 2016).
Once you have downloaded the Administrative Templates, you need to extract the files by executing the file as an administrator. The files must be copied to your Central Store for Group Policy Administrative Templates on your domain controller. The Administrative Templates must be placed in the local domain controller store if you only have one domain controller.
It is recommended to copy all the ADMX files so that you have access to all the policies. Add the downloaded ADMX files to your domain controller using the following procedure.
Copy all the downloaded ADMX files, as shown in Figure 4-13.
FIGURE 4-13 Adding ADMX files
Copy and paste the ADMX files to your domain controller at C:\Windows\PolicyDefinitions.
Allow File Manager to overwrite the files. If prompted, select Yes to All. Overwriting the ADMX files makes the latest Microsoft Office and Microsoft 365 Policy settings available.
Repeat this task for the ADML language files. You can copy all the files or just the language folders you want. For example, you could select only the en-US language (English – United States) folder, select all the files in the folder, and choose Copy.
Paste the ADML files to your domain controller at C:\Windows\PolicyDefinitions.
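The copy steps above can be done in one pass that also reports which templates were added, overwritten or left unchanged, and confirms each copy by hash. This is an added example, not part of the original text; the source path is a placeholder, and the layout it expects (the .admx files at the top level, one subfolder per language holding the .adml files) is an assumption about the extracted download.

```powershell
# Added example: copy Office ADMX/ADML files into the policy definitions store.
# Assumptions: C:\Temp\OfficeAdmx\admx is a placeholder for the extraction folder,
# with *.admx at the top level and one subfolder per language containing *.adml.
function Copy-OfficeTemplates {
    param(
        [string]$Source      = 'C:\Temp\OfficeAdmx\admx',
        [string]$Destination = 'C:\Windows\PolicyDefinitions',
        [string[]]$Language  = @('en-US'),
        [switch]$ReportOnly   # list what would change without copying anything
    )

    # Build the list of source/target pairs: ADMX files first, then each language folder.
    $pairs = @(Get-ChildItem -LiteralPath $Source -Filter *.admx -File | ForEach-Object {
        [pscustomobject]@{ From = $_.FullName; To = Join-Path $Destination $_.Name }
    })
    foreach ($lang in $Language) {
        $langTarget = Join-Path $Destination $lang
        $pairs += @(Get-ChildItem -LiteralPath (Join-Path $Source $lang) -Filter *.adml -File | ForEach-Object {
            [pscustomobject]@{ From = $_.FullName; To = Join-Path $langTarget $_.Name }
        })
    }

    foreach ($p in $pairs) {
        $srcHash = (Get-FileHash -LiteralPath $p.From -Algorithm SHA256).Hash

        # Classify the target before touching it.
        if (-not (Test-Path -LiteralPath $p.To)) {
            $state = 'New'
        } elseif ((Get-FileHash -LiteralPath $p.To -Algorithm SHA256).Hash -eq $srcHash) {
            $state = 'Unchanged'
        } else {
            $state = 'Overwritten'
        }

        if (-not $ReportOnly -and $state -ne 'Unchanged') {
            New-Item -ItemType Directory -Path (Split-Path -Parent $p.To) -Force | Out-Null
            Copy-Item -LiteralPath $p.From -Destination $p.To -Force
            # Confirm the file in the store is byte-identical to the downloaded one.
            if ((Get-FileHash -LiteralPath $p.To -Algorithm SHA256).Hash -ne $srcHash) {
                throw "Hash mismatch after copy: $($p.To)"
            }
        }
        [pscustomobject]@{ File = $p.To; State = $state }
    }
}

# Preview first, then copy:
#   Copy-OfficeTemplates -ReportOnly | Group-Object State
#   Copy-OfficeTemplates | Where-Object State -ne 'Unchanged'
```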
Intune is the mobile application management solution to configure and manage policies related to the software deployed within your organization. These policies are assigned to your users and devices and control how applications behave.
Just as you saw with Group Policy, Intune also provides policies specifically for controlling how Microsoft Office apps behave. Mobile app management policies within Intune allow cloud-based management of your Office apps that can be applied to groups of end users. In addition to configuring app features available to users, you can control how apps access Microsoft 365 services, control data sharing, and enforce security requirements.
Some examples of Office app policies are shown in Table 4-2.
Turn off Protected View for attachments opened from Outlook
Microsoft Visio
Block macros from running in Office files from the Internet
Microsoft Word
Turn off Protected View for attachments opened from Outlook
Microsoft Publisher
Publisher Automation Security Level
Microsoft Project
Allow Trusted Locations on the network
Organizations can use the Microsoft 365 Apps admin center to configure the Cloud Policy service for Microsoft 365 (known as Cloud Policy). If you have an Intune subscription, you can use Cloud Policy directly in the Microsoft Intune admin center under Apps\Policy\Policies for Office apps. Both services include many of the same user-based policy settings available in Group Policy. Once defined, Cloud Policies are automatically enforced as users sign in and use Office.
Before you can use the Cloud Policy with Microsoft 365 Apps for enterprise, you need to meet the following requirements:
A supported version of Microsoft 365 Apps for enterprise.
User accounts created in or synchronized to Azure Active Directory (Azure AD). Users must be signed into Microsoft 365 Apps for enterprise with an Azure AD-based account.
Cloud Policy supports Microsoft 365 Groups and Azure AD Security Groups created in or synchronized to Azure AD. The group membership type can be either Dynamic or Assigned.
Only users who are members of one of the following roles in Azure AD can create a policy configuration:
Global Administrator
Security Administrator
Office Apps Admin
Note Click-To-Run Volume Licensed Versions of Office
You cannot apply policy configuration to volume-licensed versions of Office that use Click-to-Run, such as Office LTSC Professional Plus 2021 or Office Standard 2019.
When you deploy apps to your devices, Intune supports several app stores. Before you can deploy the apps, you must add them to Intune.
In a modern workplace, users have multiple devices and platforms your company needs to support. Therefore, you might have several app requirements to consider. In this skill, you will first learn about the various app types supported by Intune and then review how to deploy apps using Intune to various platform-specific app stores. You learned how to deploy a Microsoft Store app earlier in this skill, so you will now focus on other app stores.
To offer cloud-based app deployment, you can upload your apps to Intune or provide a link to the platform-specific app store. A full Intune storage subscription offers unlimited storage space for apps. If you use a trial Intune subscription, you have 2 GB of cloud storage.
Note Max App File Size
The maximum file size for any Windows-related app file (Windows Line-of-business (LOB) apps, including Win32, Windows Universal AppX, Windows Universal AppX bundle, Windows Universal MSIX, and Windows Universal MSIX bundle) uploaded to Intune storage is 8 GB. All other apps, including iOS/iPadOS LOB apps, have a maximum size limit of 2 GB per app.
Intune supports the following general app types.
Apps from the store (store apps)
Apps written in-house or as a custom app (line-of-business)
Apps that are built-in (built-in apps)
Apps on the web (web link)
Apps from other Microsoft services
You can add an app in Intune by selecting Apps > All apps > Add. The Select app type pane is displayed and allows you to select the app type. Intune supports specific app types, as shown in Table 4-3.
The Office Customization Tool offers a web-based interface that creates configuration files that you can use to deploy Office at scale. Like the ODT, you can define which applications and languages are installed and how the Office applications will be updated.
FIGURE 4-5 Configuring Office using the Office Customization Tool
Within the Office Customization Tool, you will choose the products, languages, and application preferences to configure. For example, you can configure the following settings.
64-bit German version of Microsoft 365 Apps
All Microsoft 365 Apps except Access
Automatically accept the EULA
Microsoft recommends that you uninstall any previous versions of Office before installing volume-licensed versions of Office 2019 or 2021 products. When using the Office Deployment Tool, you can use the RemoveMSI element in your configuration.xml file to uninstall versions of Office that use the Windows Installer installation technology. Follow these steps to create a configuration file using the Office Customization Tool that can be used to install a customized version of Office.
Launch the Office Customization Tool at https://config.office.com/deploymentsettings and sign in as a Global Administrator.
In the Product and releases section, choose the architecture you want to deploy—either the 32-bit or 64-bit version of Office. You can deploy one architecture per configuration file.
Choose the products and apps you want to deploy. You can choose Office Suites, Visio, Project, and other products such as Skype for Business Basic 2019 and Language Packs.
Choose the update channel, which will be determined by the products you select in Step 3.
Choose which version you want to deploy. Typically, this is the latest available version. Use the toggles under the Turn apps on or off to include or exclude them from being deployed section to select the desired apps and select Next.
In the Language section, choose which primary language you require. You can include additional languages. You can use the option to Match Operating System, which will automatically install the same languages used on the client device. Select Next.
In the Installation section, choose whether to install the Office files directly or from the cloud:
• Office Content Delivery Network (CDN) from a location on your network
• Local source
• Microsoft Endpoint Configuration Manager
Choose whether the installation is displayed to the users and whether the process can shut down any running applications. Select Next.
In the Update and upgrade section, choose whether to install the Office files directly or from the cloud:
• Office Content Delivery Network (CDN) from a location on your network
• Local source
• Microsoft Endpoint Configuration Manager
Choose whether the installation process will automatically check for updates.
In the Upgrade section, choose whether to uninstall all MSI-versions of Office, including Visio and Project, and whether to automatically install the same language versions as the removed MSI-version of Office. Select Next.
In the Licensing and activation section, choose between User based, Shared Computer, and Device based licensing. Select Next.
In the General section, you can provide your organization name and a description that will populate the Company property on Office documents. Select Next.
In the Application preferences section, choose which preferences to apply when deploying Office. There are more than 30 options to fine-tune the behavior of Office. Most settings can be configured or set to True, False, or Not configured.
Select Finish. You can review the configured settings in the right-hand pane throughout the configuration process.
Once complete, you can select Export. Before creating the file, you must specify the default file format that Office uses or choose Keep Current Settings to keep the current settings. File formats can be either Office Open XML formats or OpenDocument formats. Select OK.
Accept the terms in the license agreement, then provide a name for the configuration file, and then select Export. After creating the configuration files, you can now use the file in your deployment workflow with the Office Deployment Tool or another software distribution solution.
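A configuration file for the example settings listed earlier (64-bit, German, all apps except Access, EULA accepted automatically, MSI versions removed) looks like the XML embedded below. This is an added example, not part of the original text; the product ID, update channel, silent display level and output folder are choices made for the illustration, and the summary function is a hypothetical helper for reviewing a file before it enters the deployment workflow.

```powershell
# Added example: a configuration file of the kind the Office Customization Tool exports,
# built from the example settings named on this page. Product ID, channel, Display Level
# and the output folder are illustration choices, not values from the original text.
$config = [xml]@'
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
    <Product ID="O365ProPlusRetail">
      <Language ID="de-de" />
      <ExcludeApp ID="Access" />
    </Product>
  </Add>
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@

# Hypothetical review helper: summarise what a configuration file will do and flag
# settings that contradict the intended deployment.
function Get-OdtConfigSummary {
    param([Parameter(Mandatory)][xml]$Config)

    $problems = @()
    $add      = $Config.SelectSingleNode('/Configuration/Add')
    $display  = $Config.SelectSingleNode('/Configuration/Display')
    if (-not $add) { throw 'No <Add> element: the file installs nothing.' }

    $arch = $add.GetAttribute('OfficeClientEdition')
    if ($arch -notin @('32', '64')) { $problems += "Unexpected architecture '$arch'" }

    $removeMsi = [bool]$Config.SelectSingleNode('/Configuration/RemoveMSI')
    if (-not $removeMsi) { $problems += 'RemoveMSI missing: Windows Installer versions of Office stay installed' }

    $eula = if ($display) { $display.GetAttribute('AcceptEULA') } else { '' }
    if ($eula -ne 'TRUE') { $problems += 'EULA is not accepted automatically' }

    [pscustomobject]@{
        Architecture = $arch
        Channel      = $add.GetAttribute('Channel')
        Products     = @($Config.SelectNodes('/Configuration/Add/Product')    | ForEach-Object { $_.GetAttribute('ID') })
        Languages    = @($Config.SelectNodes('/Configuration/Add/Product/Language')   | ForEach-Object { $_.GetAttribute('ID') })
        ExcludedApps = @($Config.SelectNodes('/Configuration/Add/Product/ExcludeApp') | ForEach-Object { $_.GetAttribute('ID') })
        RemoveMsi    = $removeMsi
        Problems     = $problems
    }
}

$summary = Get-OdtConfigSummary -Config $config
$summary | Format-List

# Write the file only when the review found nothing to fix.
if ($summary.Problems.Count -eq 0) {
    $path = Join-Path $env:TEMP 'configuration.xml'
    $config.Save($path)
    "Saved $path"
    # With the Office Deployment Tool in the same folder:
    #   setup.exe /download configuration.xml
    #   setup.exe /configure configuration.xml
}
```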
In an earlier version of Intune, the following settings were also accessible through the Apps node. However, they now reside in the Tenant Administration node. Select Tenant Administration, and then select Connectors And Tokens. In this node, the following app-related options are available:
Windows enterprise certificate: Enables you to view and apply your code-signing certificate. This certificate is used to distribute your line-of-business (LOB) apps to managed Windows devices.
Windows 365 Citrix connector: Enables you to integrate Citrix Cloud with Windows 365 to access Citrix HDX technologies for enhanced Cloud PC security and manageability.
Apple VPP Tokens: Enables you to view and apply your iOS Volume Purchase Program (VPP) licenses.
Managed Google Play: Enables you to approve Google Android apps for your organization.
Other options are accessible in Connectors and Tokens, but they do not relate to app management.
Need More Review? What is Microsoft Intune APP Management?
When you deploy apps to your devices, there are several different app types that you can select, as shown in Figure 4-2.
FIGURE 4-2 Adding a new client app
These app types are as follows:
Store App: Use this option to deploy apps to your users’ devices to avoid requiring users to directly deploy the apps from the specified store. The available options are as follows:
• Android store app: Enter the app’s Google Play Appstore URL and then define its minimum operating system level.
• iOS store app: Enter a search string, and search the Apple Store directly for the appropriate app. Then configure the requirements for the app, including the operating system version.
• Microsoft Store app (new): Enter the app’s URL.
• Microsoft Store app (legacy): Enter the app’s URL.
• Managed Google Play app: Approve apps in Managed Google Play and then assign the apps.
Microsoft 365 Apps: Use this option to assign Microsoft 365 apps to your users’ devices. Available options are:
• Windows 10 and later: Specify which apps within Microsoft 365 you want to deploy. Then define a suite name, description, and options, such as whether the app suite will be displayed in the Company Portal. You also must choose the architecture (32-bit or 64-bit), Update channel [Current Channel (Preview), Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel (Preview), and Semi-Annual Enterprise Channel], and other options (Software License Terms Acceptance and Languages).
• macOS: You cannot control which apps are deployed from the suite. However, you must define a name, description, and whether the app displays in the Company Portal.
Microsoft Edge, version 77 and later
• Windows 10 and later: Add Microsoft Edge for Windows to install the Microsoft Edge browser on managed devices running Windows 10 or later.
• macOS: Add Microsoft Edge for macOS to install the Microsoft Edge browser on managed macOS devices.
Microsoft Defender for Endpoint
• macOS: Add Microsoft Defender for Endpoint to managed macOS devices.
Web Application
• iOS/iPadOS web clip: Add a website URL into App information to place a shortcut to the web clip to the Home screen.
• Windows web link: Add a website URL into App information. A shortcut to the website is added to the Start menu.
Other: Use for any other type of app. The options are as follows:
• Web link: Use to assign a web app for which you have a valid URL. These are client-server apps, and the URL identifies the server that contains the web app.
• Built-In app: Use to assign curated apps to iOS or Android devices. After you assign the app(s), it appears as either a built-in iOS app or a built-in Android app.
• Line-of-business app: Use to assign a Line-Of-Business (LOB) app. You can use this approach to sideload apps for which you have the application package file. Windows devices use .appx packages. Browse and select the package file, then configure supplemental options such as category and description.
• Windows app (Win32): Use to assign apps to Windows devices. Like an LOB app, you browse and select the package file (in this case, a file with an .intunewin file extension), then complete the configuration as above. Note that to create a file with the appropriate extension, you must convert your Win32 app to the Intune format using the Microsoft Win32 Content Prep Tool. This tool packages the app correctly for upload to Intune and is available at https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool.
• macOS app (DMG): To add a macOS application, upload the app’s installation file. Intune supports .dmg files containing .app files.
• Android Enterprise system app: Use to assign an Android Enterprise system app to your users’ devices.