An organization with many apps can become overwhelming for users. To help users find an app in the company portal, you can assign apps to one or more categories, such as Accounting apps or Marketing apps. When adding apps, you can assign a category in Intune using the following procedure:
Sign in to the Microsoft Intune admin center as a Global Administrator (for app management tasks, the less privileged Intune Administrator role is sufficient).
Select Apps, then select App categories.
The App categories pane displays a list of current categories.
To add a category, select Add, and then in the Create category pane, provide a name for the category.
To manage an existing category, select the ellipsis (…) next to the category, and then select Pin to dashboard or Delete.
Select Create.
Add Android store apps to Microsoft Intune
Use the following procedure to add an Android store app to Intune:
Sign in to the Microsoft Intune admin center as a Global Administrator.
Select Apps > All apps > Add.
In the Select app type pane, under Store app, select Android store app.
Click Select.
To configure the app information for the Android app, you must provide the Google Play store’s app details. (The Google Play store is located at https://play.google.com.)
In the App information page, add the app details, as shown in Figure 4-18:
• Name
• Description
• Publisher
• Appstore URL
• Minimum operating system
• Category (Optional)
• Show this as a featured app in the Company Portal
• Information URL (Optional)
• Privacy URL (Optional)
• Developer (Optional)
• Owner (Optional)
• Notes (Optional)
• Logo (Optional)
FIGURE 4-18 Adding an Android store app
Select Next.
On the Assignments page, select the group assignments for the app and select Next.
On the Review + create page, review the values and settings you entered for the app and select Create to add the app to Intune.
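The same Android store app can be created and assigned with Microsoft Graph instead of clicking through the admin center, which is how you would script it for many apps or put it under change control. The following is an added example and not code from the book; it requires the Microsoft.Graph PowerShell SDK, and the Play Store URL, app details and group ID are assumed placeholders. The Graph scope it requests is narrower than a Global Administrator sign-in.

```powershell
# Added example, not from the book: create an Android store app in Intune
# through Microsoft Graph rather than the admin center, then make it required
# for one group. Requires the Microsoft.Graph PowerShell SDK (Install-Module
# Microsoft.Graph). The Play Store URL, app details and group ID are assumed
# placeholders; replace them with your own.

# DeviceManagementApps.ReadWrite.All is enough to add and assign apps; a
# Global Administrator sign-in is not required for this task.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$appStoreUrl = 'https://play.google.com/store/apps/details?id=com.contoso.expenses'  # assumed
$groupId     = '00000000-0000-0000-0000-000000000000'                                # assumed

# Only accept a genuine Google Play link (https, exact host), so a mistyped
# or look-alike store URL cannot be pushed to every device in the group.
$uri = [System.Uri]$appStoreUrl
if ($uri.Scheme -ne 'https' -or $uri.Host -ne 'play.google.com') {
    throw "Refusing to add '$appStoreUrl': not a Google Play URL."
}

# Property names follow the microsoft.graph.androidStoreApp resource type;
# the minimum OS is a version flag on androidMinimumOperatingSystem.
$app = @{
    '@odata.type'                   = '#microsoft.graph.androidStoreApp'
    displayName                     = 'Contoso Expenses'         # assumed
    description                     = 'Expense reporting client' # assumed
    publisher                       = 'Contoso Ltd.'             # assumed
    appStoreUrl                     = $appStoreUrl
    isFeatured                      = $true                      # "Show this as a featured app"
    minimumSupportedOperatingSystem = @{
        '@odata.type' = '#microsoft.graph.androidMinimumOperatingSystem'
        v10_0         = $true
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps' `
    -Body ($app | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Created app $($created.displayName) with id $($created.id)"

# Assignment: intent 'required' installs the app; 'available' only lists it
# in the Company Portal. This mirrors the Assignments page of the wizard.
$assignments = @{
    mobileAppAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'required'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$($created.id)/assign" `
    -Body ($assignments | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

The URL check is the part worth keeping even if you never script the rest: an assigned store app reaches every device in the target group, so the store link should be validated against an allowlist before it is accepted, not after a helpdesk ticket.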
To add a line-of-business (LOB) app, use the following procedure:
In the Microsoft Intune admin center, select Apps, and then select All apps.
Select Add, and then on the Select app type blade, in the App type list, under the Other heading, select Line-of-business app, and click Select.
On the Add App blade, select the Select app package file link.
On the Add package file blade displayed in Figure 4-12, browse for and select a line-of-business app. This can include Android (.apk), iOS (.ipa), macOS (.intunemac), and Windows (.msi, .appx, .appxbundle, .msix, and .msixbundle) app files.
FIGURE 4-12 Adding a Windows 10 Line-of-business app
Select OK.
On the App tab, enter the following information:
• Name (required)
• Description (required)
• Publisher (required)
• App install context (User or Device)
• Ignore app version
• Command-line arguments (for installation purposes)
• Category (Business, Productivity, Photos & Media, and so on)
• Show this as a featured app in the Company Portal (set the toggle to Yes or No)
• Information URL, Privacy URL, Developer, Owner, Notes, and a Logo image
Select Next, and assign the app using the previously described procedure on the Assignments tab.
Select Next, and then select Create.
Need More Review? Add Apps to Microsoft Intune
To review further details about using Intune to add and assign apps, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/apps/apps-add.
Gather Microsoft 365 Apps readiness data
Before deploying Microsoft 365 Apps to your users' devices, verify that the devices support the current version of the apps. Also consider that documents created with older versions of Office might have compatibility issues with newer versions of the apps.
Many organizations use Office add-ins and Microsoft Visual Basic for Applications (VBA) macros to automate Office-based tasks. These add-ins and macros might not be compatible with Microsoft 365 Apps. To identify potential compatibility issues within your organization, you can use the Readiness Toolkit for Office add-ins and VBA to assess your organization's readiness for Microsoft 365 Apps.
When you run the Readiness Report Creator, you choose what to scan:
Most recently used Office documents and installed add-ins on this computer
Scans Office documents in the user's list of most recently used files. Also looks for any add-ins for Office that are installed. Report type: VBA and add-in.
Office documents in a local folder or network share
Scans the Office documents in the folder or network share that you specify. Report type: VBA only. Does not scan for add-ins.
Previous readiness results saved in a local folder or network share
Enables you to create a consolidated report comprising individual readiness results from multiple computers. Useful for departmental analysis. Report type: configurable, depending on what you previously scanned for.
Add-in data from the Office Telemetry dashboard
Scans data from the Office Telemetry dashboard. Report type: add-in only.
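Before pointing the toolkit's folder scan at a share, it helps to know how many files there actually contain VBA. The following is an added example, not part of the book or of the Readiness Toolkit: it walks a folder and reports which Open XML documents carry an embedded VBA project. The share and output paths are assumptions.

```powershell
# Added example, not from the book and not part of the Readiness Toolkit:
# inventory which Office documents under a folder or share carry a VBA
# project, before pointing the toolkit's "VBA only" folder scan at it.
# Open XML documents are ZIP archives; embedded VBA lives in a part named
# vbaProject.bin (under word/, xl/ or ppt/). Legacy binary formats (.doc,
# .xls, .ppt) are only flagged by extension here, not inspected.
# The share and output paths are assumptions.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-VbaInventory {
    param([Parameter(Mandatory)][string]$Path)

    $ooxml  = '.docx', '.docm', '.dotx', '.dotm', '.xlsx', '.xlsm', '.xltm', '.xlam',
              '.pptx', '.pptm', '.potm', '.ppam'
    $legacy = '.doc', '.dot', '.xls', '.xlt', '.xla', '.ppt', '.pot', '.ppa'

    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $file = $_
        $ext  = $file.Extension.ToLowerInvariant()
        if ($ooxml -notcontains $ext -and $legacy -notcontains $ext) { return }

        if ($legacy -contains $ext) {
            $hasVba = 'unknown (legacy format; Readiness Toolkit inspects these)'
        } else {
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                try {
                    # Any part named vbaProject.bin means the document embeds VBA.
                    $hasVba = [bool]($zip.Entries | Where-Object { $_.Name -eq 'vbaProject.bin' })
                } finally {
                    $zip.Dispose()
                }
            } catch {
                $hasVba = 'unreadable'   # not a valid ZIP: corrupt, encrypted, or mislabelled
            }
        }

        [pscustomobject]@{
            File          = $file.FullName
            Extension     = $ext
            LastWriteTime = $file.LastWriteTime
            HasVba        = $hasVba
        }
    }
}

# Usage: list everything that is, or might be, macro-enabled on the finance share.
Get-VbaInventory -Path '\\fileserver\finance\models' |
    Where-Object { $_.HasVba -ne $false } |
    Export-Csv -Path 'C:\Readiness\vba-inventory.csv' -NoTypeInformation
```

A vbaProject.bin inside a file with a non-macro extension such as .docx or .xlsx deserves a second look: Office will not run it, but it shows the file was renamed or hand-built, which is not something the readiness scan will tell you.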
Need More Review? Telemetry Dashboard Topology, Sizing, and Bandwidth Planning
You can then choose either a basic or an advanced report. Advanced reports are recommended because they provide more complete information on which to base your decisions. The Readiness Report Creator generates an Excel workbook comprising several worksheets, each covering a different aspect of your existing devices' compatibility.
Depending on the report type, the following worksheets are available:
VBA Overview
VBA Summary
VBA Results
VBA Remediation
VBA References
Add-In Summary
Add-In Details
By Computer Name
Need More Review? Use The Readiness Toolkit to Assess Application Compatibility for Microsoft 365 Apps
You can also use Intune to deploy Microsoft 365 Apps to your enrolled devices. To add a Microsoft 365 suite app to Windows 10 devices, use the following procedure:
In the Microsoft Intune admin center, select Apps, and then under By Platform, select Windows.
On the Windows apps blade, select Add.
On the Select app type blade, in the App type list, under the Microsoft 365 Apps heading, select Windows 10 and later, as shown in Figure 4-9, and choose Select.
FIGURE 4-9 Adding Microsoft 365 apps to Windows 10 devices
On the App suite information tab, most properties are preconfigured. However, you can feature the app in the Company Portal and add notes. Select Next.
On the Configure app suite tab, in the Select Office apps list, select the components of Office you want to deploy: Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Teams, and Word. All are selected except Skype for Business.
In the Select other Office apps (license required) list, select any additional Office products you want to deploy. For example, Project Online Desktop Client.
Next, choose the architecture (32-bit or 64-bit), the Default file format Office will use, and the Update channel, as shown in Figure 4-10. You can also remove other software versions on targeted devices and select a specific version of Microsoft 365 apps. The default is the latest version available.
FIGURE 4-10 Configuring Microsoft 365 app suite properties
There are several additional properties that you can configure, including supported languages. When you’re ready, select Next.
On the Assignments tab displayed in Figure 4-11, you can assign the suite to a group, all users, or all devices. You can require the app suite or make it available for enrolled devices. If you make an app available, you can only assign it to user groups. The available app is displayed in the Company Portal app for assigned users to install.
FIGURE 4-11 Configuring Microsoft 365 app suite assignments
Select Next, and review your choices on the Review + create tab. When you’re ready, select Create.
After creating the app, you can use the monitoring options to view the installation status for both devices and users. The process for assigning Microsoft 365 Apps to macOS differs in that you cannot control which components of Office you deploy, nor can you define app suite settings such as the update channel and architecture.
When you deploy apps to your devices, Intune supports several app stores. Before you can deploy the apps, you must add them to Intune.
In a modern workplace, users have multiple devices and platforms your company needs to support. Therefore, you might have several app requirements to consider. In this skill, you will first learn about the various app types supported by Intune and then review how to deploy apps using Intune from various platform-specific app stores. You learned how to deploy a Microsoft Store app earlier in this skill, so now you will focus on other app stores.
To offer cloud-based app deployment, you can upload your apps to Intune or provide a link to the platform-specific app store. A paid Intune subscription offers unlimited cloud storage space for apps. If you use a trial Intune subscription, you have 2 GB of cloud storage.
Note Max App File Size
The maximum file size for any Windows app file (Windows line-of-business (LOB) apps, including Win32, Windows Universal AppX, Windows Universal AppX bundle, Windows Universal MSIX, and Windows Universal MSIX bundle) uploaded to Intune storage is 8 GB. All other apps, including iOS/iPadOS LOB apps, have a maximum size of 2 GB per app.
Intune supports the following general app types:
Apps from the store (store apps)
Apps written in-house or as a custom app (line-of-business)
Apps that are built-in (built-in apps)
Apps on the web (web link)
Apps from other Microsoft services
You can add an app in Intune by selecting Apps > All apps > Add. The Select app type pane is displayed and allows you to select the app type. Intune supports specific app types, as shown in Table 4-3.
The Office Customization Tool offers a web-based interface that creates configuration files that you can use to deploy Office at scale. As with the Office Deployment Tool (ODT), you can define which applications and languages are installed and how the Office applications will be updated.
FIGURE 4-5 Configuring Office using the Office Customization Tool
Within the Office Customization Tool, you will choose the products, languages, and application preferences to configure. For example, you can configure the following settings.
64-bit German version of Microsoft 365 Apps
All Microsoft 365 Apps except Access
Automatically accept the EULA
Microsoft recommends that you uninstall any previous versions of Office before installing volume-licensed versions of Office 2019 or 2021 products. When using the Office Deployment Tool, you can use the RemoveMSI element in your configuration.xml file to uninstall versions of Office that use the Windows Installer installation technology. Follow these steps to create a configuration file using the Office Customization Tool that can be used to install a customized version of Office.
Launch the Office Customization Tool at https://config.office.com/deploymentsettings and sign in as a Global Administrator.
In the Product and releases section, choose the architecture you want to deploy—either the 32-bit or 64-bit version of Office. You can deploy one architecture per configuration file.
Choose the products and apps you want to deploy. You can choose Office Suites, Visio, Project, and other products such as Skype for Business Basic 2019 and Language Packs.
Choose the update channel. The channels offered depend on the products you selected in the previous step.
Choose which version you want to deploy; typically, this is the latest available version. Under Turn apps on or off, use the toggles to include or exclude individual apps from the deployment, and then select Next.
In the Language section, choose which primary language you require. You can include additional languages. You can use the option to Match Operating System, which will automatically install the same languages used on the client device. Select Next.
In the Installation section, choose where the Office installation files come from:
• Office Content Delivery Network (CDN), streamed from the cloud
• Local source, a location on your network
• Microsoft Endpoint Configuration Manager
Choose whether the installation is displayed to the users and whether the process can shut down any running applications. Select Next.
In the Update and upgrade section, choose where Office retrieves its updates from:
• Office Content Delivery Network (CDN), from the cloud
• Local source, a location on your network
• Microsoft Endpoint Configuration Manager
Choose whether the installation process will automatically check for updates.
In the Upgrade section, choose whether to uninstall all MSI-versions of Office, including Visio and Project, and whether to automatically install the same language versions as the removed MSI-version of Office. Select Next.
In the Licensing and activation section, choose between User based, Shared Computer, and Device based licensing. Select Next.
In the General section, you can provide your organization name and a description that will populate the Company property on Office documents. Select Next.
In the Application preferences section, choose which application preferences to apply when deploying Office. There are more than 30 options that fine-tune the behavior of Office; most can be set to True, False, or Not configured.
Select Finish. You can review the configured settings in the right-hand pane throughout the configuration process.
Once complete, select Export. Before the file is created, you must specify the default file format that Office uses, or choose Keep Current Settings. File formats can be either Office Open XML formats or OpenDocument formats. Select OK.
Accept the terms in the license agreement, then provide a name for the configuration file, and then select Export. After creating the configuration files, you can now use the file in your deployment workflow with the Office Deployment Tool or another software distribution solution.
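What the Office Customization Tool exports is an ODT configuration.xml; the following is an added example, not from the book, that builds the same kind of file directly in PowerShell for the choices listed earlier (64-bit, German, every Microsoft 365 app except Access, EULA accepted) plus the RemoveMSI element, validates it, checks the signature on setup.exe, and runs the download and configure steps. The folder paths and share name are assumptions.

```powershell
# Added example, not from the book: build an Office Deployment Tool (ODT)
# configuration.xml that matches the Office Customization Tool choices
# described above (64-bit, German, all Microsoft 365 Apps except Access,
# EULA accepted, remove Windows Installer versions of Office), then verify
# it and run setup.exe. Paths and the share name are assumptions.

$ConfigPath = 'C:\ODT\configuration.xml'   # assumed working folder
$SetupExe   = 'C:\ODT\setup.exe'           # ODT setup.exe, assumed already downloaded
$SourcePath = '\\fileserver\office\M365'   # assumed local source share

# Element and attribute names are the documented ODT schema
# (Add, Product, Language, ExcludeApp, Updates, RemoveMSI, Display, Property).
$config = @"
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise" SourcePath="$SourcePath">
    <Product ID="O365ProPlusRetail">
      <Language ID="de-de" />
      <ExcludeApp ID="Access" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" Channel="MonthlyEnterprise" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
</Configuration>
"@

# Fail early on malformed XML instead of letting setup.exe interpret it.
[xml]$parsed = $config
if ($parsed.Configuration.Add.OfficeClientEdition -ne '64') { throw 'Unexpected OfficeClientEdition' }
if (-not $parsed.Configuration.RemoveMSI) { throw 'RemoveMSI element missing' }
Set-Content -Path $ConfigPath -Value $config -Encoding UTF8

# Only run an installer whose Authenticode signature verifies and is Microsoft's.
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to run $($SetupExe): signature status $($sig.Status)"
}

# Stage the Office files on the share once, then install from it.
& $SetupExe /download $ConfigPath
& $SetupExe /configure $ConfigPath
```

Keeping the file under version control gives you a reviewable record of exactly which apps, channel and licensing mode went to each device group, which the tool's web interface does not provide on its own.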
In an earlier version of Intune, the following settings were also accessible through the Apps node. However, they now reside in the Tenant Administration node. Select Tenant Administration, and then select Connectors And Tokens. In this node, the following app-related options are available:
Windows enterprise certificate Enables you to view and apply your code-signing certificate. This certificate is used to distribute your line-of-business (LOB) apps to managed Windows devices.
Windows 365 Citrix connector Enables you to integrate Citrix Cloud with Windows 365 so that Cloud PCs can use Citrix HDX technologies for enhanced security and manageability.
Apple VPP Tokens Enables you to view and apply your iOS Volume Purchase Program (VPP) licenses.
Managed Google Play Enables you to approve Google Android apps for your organization.
Other options are accessible in Connectors and Tokens, but they do not relate to app management.
Need More Review? What is Microsoft Intune APP Management?
When you deploy apps to your devices, there are several different app types that you can select, as shown in Figure 4-2.
FIGURE 4-2 Adding a new client app
These app types are as follows:
Store App Use this option to deploy apps from a public app store to your users' devices so that users do not have to find and install the apps from the store themselves. The available options are as follows:
Android store app Enter the app’s Google Play Appstore URL and then define its minimum operating system level.
iOS store app Enter a search string, and search the Apple Store directly for the appropriate app. Then configure the requirements for the app, including the operating system version.
Microsoft Store app (new) Search the Microsoft Store for the app by name and select it; Intune retrieves the app details from the store.
Microsoft Store app (legacy) Enter the app's Microsoft Store URL.
Managed Google Play app Approve apps in Managed Google Play and then assign the apps.
Microsoft 365 Apps Use this option to assign Microsoft 365 apps to your users’ devices. Available options are:
Windows 10 and later Specify which apps within Microsoft 365 you want to deploy. Then define a suite name, description, and options, such as whether the app suite will be displayed in the Company Portal. You also must choose the architecture (32-bit or 64-bit), Update channel [Current Channel (Preview), Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel (Preview), and Semi-Annual Enterprise Channel], and other options (Software License Terms Acceptance and Languages).
macOS You cannot control which apps are deployed from the suite. However, you must define a name, description, and whether the app displays in the Company Portal.
Microsoft Edge, version 77 and later
Windows 10 and later Add Microsoft Edge for Windows to install the Microsoft Edge browser on managed devices running Windows 10 or later.
macOS Add Microsoft Edge for macOS to install the Microsoft Edge browser on managed macOS devices.
Microsoft Defender for Endpoint
macOS Add Microsoft Defender for Endpoint to managed macOS devices.
Web Application
iOS/iPadOS web clip Add a website URL in App information to place a shortcut to the web clip on the Home screen.
Windows web link Add a website URL into App information. A shortcut to the website is added to the Start menu.
Other Use for any other type of app. The options are as follows:
Web link Use to assign a web app for which you have a valid URL. These are client-server apps, and the URL identifies the server that contains the web app.
Built-In app Use to assign curated apps to iOS or Android devices. After you assign the app(s), it appears as either a built-in iOS app or a built-in Android app.
Line-of-business app Use to assign a line-of-business (LOB) app. You can use this approach to sideload apps for which you have the application package file: .apk for Android, .ipa for iOS, .intunemac for macOS, and .msi, .appx, .appxbundle, .msix, or .msixbundle for Windows. Browse and select the package file, then configure supplemental options such as category and description.
Windows app (Win32) Use to assign apps to Windows devices. Like an LOB app, you browse and select the package file (in this case, a file with an .intunewin file extension), then complete the configuration as above. Note that to create a file with the appropriate extension, you must convert your Win32 app to the Intune format using the Microsoft Win32 Content Prep Tool. This tool packages the app correctly for upload to Intune and is available at https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool.
macOS app (DMG) To add a macOS application, upload the app’s installation file. Intune supports .dmg files containing .app files.
Android Enterprise system app Use to assign an Android Enterprise system app to your users’ devices.
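The Win32 app type above depends on the Microsoft Win32 Content Prep Tool producing the .intunewin file. The following is an added example, not from the book or the tool's repository, showing the packaging step as you would script it, together with the checks a practitioner does before the package is uploaded: hash and signature of the installer, exit code of the tool, and the upload size limit. Folder paths and the installer name are assumptions.

```powershell
# Added example, not from the book: wrap a Win32 installer into an .intunewin
# package with the Microsoft Win32 Content Prep Tool, with the checks worth
# doing before the package reaches Intune. Folder paths and the installer
# name are assumptions.

$PrepTool  = 'C:\Tools\IntuneWinAppUtil.exe'    # from the GitHub repo linked above
$SourceDir = 'C:\Packages\ContosoApp\src'       # holds setup.msi plus any supporting files
$SetupFile = 'setup.msi'                        # assumed installer file name
$OutputDir = 'C:\Packages\ContosoApp\out'

$installer = Join-Path $SourceDir $SetupFile

# Record what you are about to package. The hash goes in the change record so
# the .intunewin that reaches Intune can be traced back to a known installer.
foreach ($file in @($PrepTool, $installer)) {
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $file
    Write-Host ("{0}`n  SHA256: {1}`n  Signature: {2}" -f $file, $hash, $sig.Status)
}

# Refuse to package an installer whose Authenticode signature does not verify.
# If a vendor ships an unsigned installer, make that exception here, on
# purpose, rather than discovering it after deployment.
if ((Get-AuthenticodeSignature -FilePath $installer).Status -ne 'Valid') {
    throw "Signature on $installer did not verify; not packaging."
}

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Documented switches: -c source folder, -s setup file, -o output folder, -q quiet.
& $PrepTool -c $SourceDir -s $SetupFile -o $OutputDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil exited with code $LASTEXITCODE" }

# The tool names the output after the setup file (setup.msi -> setup.intunewin).
$package = Get-ChildItem -Path $OutputDir -Filter '*.intunewin' | Select-Object -First 1
if (-not $package) { throw 'No .intunewin file was produced.' }

# Stay under the 8 GB limit for Windows app uploads noted earlier in the chapter.
if ($package.Length -gt 8GB) {
    throw ("Package is {0:N2} GB; exceeds the 8 GB Intune upload limit." -f ($package.Length / 1GB))
}
Write-Host ("Packaged {0} ({1:N1} MB), SHA256 {2}" -f $package.Name, ($package.Length / 1MB),
    (Get-FileHash -Path $package.FullName -Algorithm SHA256).Hash)
```

Everything inside the source folder ends up in the package, so keep that folder limited to the installer and its supporting files; stray scripts or credentials dropped there would be shipped to every targeted device.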
This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.
Scenario 1
Microsoft Intune with Mobile Device Management enabled.
Enable and configure Windows Autoenrollment.
You require an Apple MDM Push Certificate for your organization.
Scenario 2
You can monitor Threat Agent Status to determine the current status of Microsoft Defender on your users’ enrolled Windows devices.
You can use the Microsoft Intune admin center to create an Endpoint Protection Profile that contains the necessary Microsoft Defender Application Guard settings and assign the profile to the appropriate group(s) of devices.
In the Microsoft Intune admin center, create a Device Enrollment Restriction and define a Platform Restriction that prevents the enrollment of Android devices.
Scenario 3
You should configure Delivery Optimization so that updates are downloaded from devices on the local network (the Devices on my local network download mode) on all devices except one, which receives the updates from the Microsoft update service and seeds the others.
You can implement Delivery Optimization for the head office devices so that updates are received from other devices on the network. You can also configure bandwidth optimization measures that restrict the bandwidth consumed by updates during defined business hours.
You should install Windows 11 Enterprise, version 22H2 (General Availability Channel), and then implement policy using Windows Update to defer Windows Feature Updates for the maximum allowed duration of 365 days.
Enroll into the Windows Insider Program and install Windows 11 preview builds. Test these builds for compatibility issues. This should allow you to be ready to test the next General Availability Channel release and obtain compliance sign-off.
Scenario 4
You could implement Microsoft Tunnel for Intune. Microsoft Tunnel provides a VPN gateway for Android and iOS devices in your organization for access to on-premises resources.
You must perform the following high-level steps:
• Create a server configuration in Intune.
• Create a site in Intune.
• Install a Microsoft Tunnel Gateway on a Linux server in your on-premises environment (by using an Intune script).
• Deploy the Microsoft Tunnel client app to your iOS and Android devices.
• Create and deploy VPN profiles to your iOS and Android devices.
Implementing security and related settings is one of the more important tasks you'll need to perform. As discussed, Microsoft has consolidated the security-related settings into a single Endpoint security node in Intune.
Here, you’ll find options to manage the various security settings we’ve been discussing. But you’ll also find a link to review security baselines.
You can use the security baselines to manage and monitor the security status of enrolled devices within your organization. By default, Intune provides the following security baselines, as shown in Figure 3-61:
Security Baseline for Windows 10 and later
Microsoft Defender for Endpoint Baseline
Microsoft Edge Baseline
Windows 365 Security Baseline
FIGURE 3-61 Configuring Security Baselines in Intune
The security baselines provide preconfigured groups of settings that enable you to configure security on your devices more easily. When you create and apply a security baseline profile, you create multiple device configuration profiles.
Periodically, Microsoft releases new baselines. When viewing profile details, the baseline used is identified in the Current Baseline column, displayed in Figure 3-62.
FIGURE 3-62 Reviewing versions for a security baseline
Create a profile
To create a profile based on a security baseline, use the following procedure:
In the Microsoft Intune admin center, select Endpoint security in the navigation pane.
Select Security baselines, and then select the appropriate baseline.
Select the Profiles tab, and then select Create profile.
On the Create profile page, on the Basics tab, enter the Name and Description and select Next.
On the Configuration settings tab, configure the appropriate settings. These will vary based on the baseline you select. When you’ve completed the configuration, select Next.
Optionally, use the Scope tags tab to scope the profile, select Next, and then assign the profile in the usual way.
Select Next, and then on the Review + create tab, select Create.
Your profile displays in the list of profiles. Notice that the Current Baseline column indicates the baseline used to create the profile.
In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers in the section that follows.
Scenario 1
Your organization has 500 employees and has implemented a bring-your-own-device (BYOD) strategy that enables users to use their personal mobile phones and tablets for corporate purposes as long as they comply with company policy regarding security and management features. After consulting an employee survey, you find that the users in your organization have iOS, Android, or Windows 11 devices.
What technology should you use to manage the devices?
You want to simplify enrollment for your Windows device users. What should you do?
To support your iOS devices, what additional step is required to enable MDM?
Scenario 2
Like many large organizations, security is a big concern at Contoso. You decide to implement MDM with Intune to help to manage and secure your users’ devices.
What feature of Intune could you use to verify the current status of Microsoft Defender on your users’ Windows 11 devices?
You want to be able to configure Microsoft Defender Application Guard settings for enrolled Windows 11 devices. How can you achieve this in Intune?
You don’t want users with Android devices to be able to enroll them. How could you enforce this restriction?
Scenario 3
Adatum Corporation uses Microsoft 365 and has implemented Windows 11 Enterprise for all devices. You configure Windows Update and deploy update rings using Microsoft Intune.
Answer the following questions for your manager:
Two remote offices are in an area with poor Internet bandwidth, and the IT team is concerned that operational requirements might be difficult to maintain. What measure could you implement for the devices located at the remote locations to reduce bandwidth consumption from Windows updates?
Windows updates received by the head office devices are consuming too much of the available bandwidth. Users are reporting that access to the Internet is slow. What settings can you configure within Microsoft Intune to help relieve congestion at the head office?
Your Compliance Manager has received confirmation that your regulatory body has approved Windows 11 Enterprise, version 22H2 as being compliant. You need to ensure that all devices use only this version of Windows until the Compliance Manager confirms that a new version is compliant. How will you proceed?
You need to work with the Compliance Manager to ensure that future versions of Windows 11 Enterprise obtain regulatory compliance before the deployed version of Windows 11 becomes unsupported. What will you do to ensure that you can proactively evaluate the compatibility of new versions of Windows 11?
Scenario 4
Your users use both Android and iOS devices. Lately, it’s been necessary for these users to access a database application that runs on an on-premises server. Intune manages your users’ devices.
Answer the following questions:
How could you facilitate access for your users?
What high-level steps are necessary to facilitate your solution?
Within an organization, you can use on-premises tools, such as Microsoft Endpoint Configuration Manager (CM) and the Microsoft Deployment Toolkit (MDT), to manage Windows desktop images. Using these tools, you can integrate your organization’s applications into standard desktop builds and deploy and manage additional applications and updates.
You might consider using Microsoft Intune to deploy and manage apps for devices that are not part of your on-premises Active Directory Domain Services (AD DS) environment, or that are cloud-managed. For devices enrolled in Intune, you can deploy apps to Windows, iOS, Android, and macOS. The Microsoft Store for Business provides another method for distributing apps to your organization's users.
Windows Configuration Designer, part of the Windows Assessment and Deployment Toolkit (Windows ADK) mentioned in chapter 1, enables you to create provisioning packages for your Windows devices. You can use these packages to add, remove, and configure applications on your users’ Windows devices.
Using Intune, you can deploy and maintain apps from the cloud onto your users’ devices. A copy of the software can be made available across multiple devices such as their iPhone, Windows laptop, or tablet. You deploy, configure, and manage apps in Intune using the Apps node in the Microsoft Intune admin center, displayed in Figure 4-1.
FIGURE 4-1 Managing apps in Microsoft Intune
From the Apps node, the following options are available:
All apps Use this node to add, configure, and assign apps to your enrolled devices, irrespective of operating system (platform).
Monitor Select this node to review:
App licenses Enables you to identify volume-purchased apps from the app stores.
Discovered apps Displays information about apps assigned by Intune or installed on devices.
App installation status Reports on the status of assigned apps.
App protection status Displays information about app protection policy status.
Windows, iOS/iPadOS, macOS, and Android Under By Platform, select one of the listed operating systems to review and manage apps for a specific operating system.
App protection policies Use this node to configure policies that help to protect against data leakage from deployed apps. You can create policies for iOS/iPadOS, Android, and Windows.
App configuration policies You can create app configuration policies to configure apps on both iOS and Android devices, enabling you to customize the targeted app. You can create a policy that targets either the platform, or a specific app.
iOS app provisioning profiles When you deploy apps to iOS devices by using Intune, you must use an enterprise signing certificate. This certificate helps ensure the integrity of apps you deploy and typically has a lifetime of three years. However, the provisioning profile used to deploy the app lasts for a year. You can only assign and use a new app provisioning profile while the certificate is still valid.
S Mode supplemental policies Windows S Mode helps protect Windows computers by limiting configured devices to only installing and running apps distributed from the Microsoft Store. By using these policies, you can authorize additional apps so that S Mode–protected devices can run those additional apps. You must sign these policies using the Device Guard Signing Portal.
Policies for Office apps Create policies that enable you to manage Office app features and capabilities on mobile devices. There are currently more than 2,000 settings that you can assign.
Policy sets Using Policy sets enables you to group application management, device management, and device enrollment policies into a single grouping that you assign to specified groups of users or devices. This helps streamline assignment.
App selective wipe Enables you to create a wipe request that will remove company app data from a selected user and device.
App categories Enables you to define app category names to help your users locate suitable apps.
E-books Enables you to access your organization’s e-books and related settings.
Filters Enables you to filter apps by platform and other criteria to assign a policy based on rules you create.