Within an organization, you can use on-premises tools, such as Microsoft Endpoint Configuration Manager (CM) and the Microsoft Deployment Toolkit (MDT), to manage Windows desktop images. Using these tools, you can integrate your organization’s applications into standard desktop builds and deploy and manage additional applications and updates.
You might consider using Microsoft Intune to deploy and manage apps for devices not part of your on-premises Active Directory Domain Services (AD DS) environment or cloud-managed. If enrolled in Intune, you can deploy apps to Windows, iOS, Android, and macOS devices. The Microsoft Store for Business provides another method for distributing apps for your organizational users.
Windows Configuration Designer, part of the Windows Assessment and Deployment Toolkit (Windows ADK) mentioned in chapter 1, enables you to create provisioning packages for your Windows devices. You can use these packages to add, remove, and configure applications on your users’ Windows devices.
This skill covers how to:
- Deploy apps by using Intune
- Configure Microsoft 365 Apps deployment by using the Microsoft Office Deployment Tool or Office Customization Tool (OCT)
- Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center
- Deploy Microsoft 365 Apps by using Intune
- Configure policies for Office apps by using Group Policy or Intune
- Deploy apps to platform-specific app stores by using Intune
Using Intune, you can deploy and maintain apps from the cloud onto your users’ devices. A copy of the software can be made available across multiple devices such as their iPhone, Windows laptop, or tablet. You deploy, configure, and manage apps in Intune using the Apps node in the Microsoft Intune admin center, displayed in Figure 4-1.
FIGURE 4-1 Managing apps in Microsoft Intune
From the Apps node, the following options are available:
- All apps Use this node to add, configure, and assign apps to your enrolled devices, irrespective of operating system (platform).
- Monitor Select this node to review:
- App licenses Enables you to identify volume-purchased apps from the app stores.
- Discovered apps Displays information about apps assigned by Intune or installed on devices.
- App installation status Reports on the status of assigned apps.
- App protection status Displays information about app protection policy status.
- Windows, iOS/iPadOS, macOS, and Android Under By Platform, select one of the listed operating systems to review and manage apps for a specific operating system.
- App protection policies Use this node to configure policies that help to protect against data leakage from deployed apps. You can create policies for iOS/iPadOS, Android, and Windows.
- App configuration policies You can create app configuration policies to configure apps on both iOS and Android devices, enabling you to customize the targeted app. You can create a policy that targets either the platform, or a specific app.
- iOS app provisioning profiles When you deploy apps to iOS devices by using Intune, you must use an enterprise signing certificate. This certificate helps ensure the integrity of apps you deploy and typically has a lifetime of three years. However, the provisioning profile used to deploy the app lasts for a year. You can only assign and use a new app provisioning profile while the certificate is still valid.
- S Mode supplemental policies Windows S Mode helps protect Windows computers by limiting configured devices to only installing and running apps distributed from the Microsoft Store. By using these policies, you can authorize additional apps so that S Mode–protected devices can run those additional apps. You must sign these policies using the Device Guard Signing Portal.
- Policies for Office apps Create policies that enable you to manage Office app features and capabilities on mobile devices. There are currently more than 2,000 settings that you can assign.
- Policy sets Using Policy sets enables you to group application management, device management, and device enrollment policies into a single grouping for assignment to specified groups of users or devices. This can help streamline the application process.
- App selective wipe Enables you to create a wipe request that will remove company app data from a selected user and device.
- App categories Enables you to define app category names to help your users locate suitable apps.
- E-books Enables you to access your organization’s e-books and related settings.
- Filters Enables you to filter apps by platform and other criteria to assign a policy based on rules you create.