An organization with many apps can become overwhelming for users. To help users find an app in the company portal, you can assign apps to one or more categories, such as Accounting apps or Marketing apps. When adding apps, you can assign a category in Intune using the following procedure:
1. Sign in to the Microsoft Intune admin center as a Global Administrator.
2. Select Apps, then select App categories.
The App categories pane displays a list of current categories.
3. To add a category, select Add in the Create category pane, and then provide a name for the category.
4. To edit a category, select the ellipsis (…) next to the category, and then select Pin to dashboard or Delete.
5. Select Create.
Add Android store apps to Microsoft Intune
Use the following procedure to add an Android store app to Intune:
1. Sign in to the Microsoft Intune admin center as a Global Administrator.
2. Select Apps > All apps > Add.
3. In the Select app type pane, under Store app, select Android store app.
4. Click Select.
5. To configure the app information for the Android app, you must provide the app’s details from the Google Play store. (The Google Play store is located at https://play.google.com.)
6. On the App information page, add the app details, as shown in Figure 4-18:
• Name
• Description
• Publisher
• Appstore URL
• Minimum operating system
• Category (Optional)
• Show this as a featured app in the Company Portal
• Information URL (Optional)
• Privacy URL (Optional)
• Developer (Optional)
• Owner (Optional)
• Notes (Optional)
• Logo (Optional)
FIGURE 4-18 Adding a Windows 10 Line-of-business app
7. Select Next.
8. On the Assignments page, select the group assignments for the app and select Next.
9. On the Review + create page, review the values and settings you entered for the app and select Create to add the app to Intune.
Use this procedure in Intune to create Cloud Policy for Office applications that access Microsoft 365 services:
1. Sign in to the Microsoft Intune admin center as a Global Administrator.
2. Select Apps > Policies for Office apps > Create.
If this is your first time creating a cloud policy configuration, you will see the Create button in the center of the pane. Otherwise, the Create button is on the menu bar.
3. On the Start with the basics page, provide a name and description for the policy configuration, then select Next.
4. On the Choose the scope page, choose the scope for the policy. The policy can apply to a specific group of users or to users who access documents anonymously using Office on the web. If you choose the first option, you need to select the group and then select Next.
5. On the Configure Settings page, select the policy or policies you want to include in the policy configuration, as shown in Figure 4-17, and select Apply.
FIGURE 4-17 Configure Cloud Policy using Intune
6. You can configure additional policies by selecting them on the Configure Settings page. Once complete, select Next.
7. On the Review configuration and create page, review your selections and then select Create to create the policy configuration.
Note: Use Policy Filters
When this book was written, the Cloud Policy service offered 2,206 policies relating to Office apps and multiple platforms. You can use the filter to show only the apps and platforms you want to view.
8. On the Policy configuration created page, you will see a message indicating that the policy configuration has been created; select Done.
9. On the Policy configurations page, the new policy configuration is listed.
When a user launches a Microsoft 365 app, the Click-to-Run service used by Microsoft 365 Apps for enterprise syncs with the Cloud Policy service to determine whether a policy configuration should be applied to the user.
Note: Cloud Policy Complements Group Policy-Based Management
The Cloud Policy service does not replace Group Policy management. Cloud Policy manages user-based policies for Office apps used on any device (iOS, Android, Windows) where the user signs in using Azure Active Directory. Conversely, Group Policy can manage both user-based and machine-based policies on Windows PCs joined to an Active Directory domain.
To add a Microsoft 365 suite app to Windows devices, use the following procedure:
1. In the Microsoft Intune admin center, select Apps, and then select All Apps.
2. Select Add, and then on the Select app type blade, in the App type list, under the Other heading, select Line-of-business app, and click Select.
3. On the Add App blade, select the Select app package file link.
4. On the Add package file blade displayed in Figure 4-12, browse for and select a line-of-business app. This can include Android (.apk), iOS (.ipa), macOS (.intunemac), and Windows (.msi, .appx, .appxbundle, .msix, and .msixbundle) app files.
FIGURE 4-12 Adding a Windows 10 Line-of-business app
5. Select OK.
6. On the App tab, enter the following information:
• Name (required)
• Description (required)
• Publisher (required)
• App install context (User or Device)
• Ignore app version
• Command-line arguments (for installation purposes)
• Category (Business, Productivity, Photos & Media, and so on)
• Show this as a featured app in the Company Portal (set the toggle to Yes or No)
• Information URL, Privacy URL, Developer, Owner, Notes, and a Logo image
7. Select Next, and assign the app using the previously described procedure on the Assignments tab.
8. Select Next, and then select Create.
Need More Review? Add Apps to Microsoft Intune
To review further details about using Intune to add and assign apps, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/apps/apps-add.
Gather Microsoft 365 Apps readiness data
Before deploying Microsoft 365 Apps to your users’ devices, you must ensure the devices are ready for those apps: verify that the devices support the current version, and be aware that there might be compatibility issues between older Office documents and newer versions of the apps.
Many organizations use Office add-ins such as Microsoft Visual Basic for Applications (VBA) macros to help automate Office-based tasks. These add-ins might not be compatible with Microsoft 365 Apps. To help you identify potential add-in compatibility issues within your organization, you can use the Readiness Toolkit to assess your organization’s readiness for Microsoft 365 Apps.
The Readiness Report Creator can gather data from the following sources:
• Most recently used Office documents and installed add-ins on this computer: Scans Office documents in the user’s list of most recently used files. Also looks for any add-ins for Office that are installed. Report type: VBA and Add-In.
• Office documents in a local folder or network share: Scans the Office documents in the folder or network share that you specify. Report type: VBA only. Does not scan for add-ins.
• Previous readiness results saved in a local folder or network share: Enables you to create a consolidated report comprising individual readiness results from multiple computers. Useful for departmental analysis. Report type: Configurable, depending on what you previously scanned for.
• Add-in data from the Office Telemetry dashboard: Scans data from the Office Telemetry dashboard. Report type: Add-In only.
Need More Review? Telemetry Dashboard Topology, Sizing, and Bandwidth Planning
You can then choose either a basic or an advanced report. Advanced reports are recommended because they provide more complete information on which to base your decisions. The Readiness Report Creator tool generates an Excel spreadsheet comprised of several worksheets. Each worksheet contains information about different aspects of your existing devices’ compatibility.
Depending on the report type, the following worksheets are available:
VBA Overview
VBA Summary
VBA Results
VBA Remediation
VBA References
Add-In Summary
Add-In Details
By Computer Name
Need More Review? Use The Readiness Toolkit to Assess Application Compatibility for Microsoft 365 Apps
In an earlier version of Intune, the following settings were also accessible through the Apps node. However, they now reside in the Tenant Administration node. Select Tenant Administration, and then select Connectors And Tokens. In this node, the following app-related options are available:
Windows enterprise certificate: Enables you to view and apply your code-signing certificate. This certificate is used to distribute your line-of-business (LOB) apps to managed Windows devices.
Windows 365 Citrix connector: Enables you to integrate Citrix Cloud with Windows 365 to access Citrix HDX technologies for enhanced Cloud PC security and manageability.
Apple VPP Tokens: Enables you to view and apply your iOS Volume Purchase Program (VPP) licenses.
Managed Google Play: Enables you to approve Google Android apps for your organization.
Other options are accessible in Connectors and Tokens, but they do not relate to app management.
Need More Review? What is Microsoft Intune APP Management?
When you deploy apps to your devices, there are several different app types that you can select, as shown in Figure 4-2.
FIGURE 4-2 Adding a new client app
These app types are as follows:
Store app: Use this option to deploy apps to your users’ devices so that users do not have to install the apps from the specified store themselves. The available options are as follows:
• Android store app: Enter the app’s Google Play store URL and then define its minimum operating system level.
• iOS store app: Enter a search string, and search the Apple App Store directly for the appropriate app. Then configure the requirements for the app, including the operating system version.
• Microsoft Store app (new): Enter the app’s URL.
• Microsoft Store app (legacy): Enter the app’s URL.
• Managed Google Play app: Approve apps in Managed Google Play and then assign the apps.
Microsoft 365 Apps: Use this option to assign Microsoft 365 apps to your users’ devices. Available options are:
• Windows 10 and later: Specify which apps within Microsoft 365 you want to deploy. Then define a suite name, description, and options, such as whether the app suite will be displayed in the Company Portal. You also must choose the architecture (32-bit or 64-bit), the Update channel [Current Channel (Preview), Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel (Preview), and Semi-Annual Enterprise Channel], and other options (Software License Terms Acceptance and Languages).
• macOS: You cannot control which apps are deployed from the suite. However, you must define a name, description, and whether the app displays in the Company Portal.
Microsoft Edge, version 77 and later:
• Windows 10 and later: Add Microsoft Edge for Windows to install the Microsoft Edge browser on managed devices running Windows 10 or later.
• macOS: Add Microsoft Edge for macOS to install the Microsoft Edge browser on managed macOS devices.
Microsoft Defender for Endpoint:
• macOS: Add Microsoft Defender for Endpoint to managed macOS devices.
Web application:
• iOS/iPadOS web clip: Add a website URL in App information to place a shortcut to the web clip on the Home screen.
• Windows web link: Add a website URL in App information. A shortcut to the website is added to the Start menu.
Other: Use for any other type of app. The options are as follows:
• Web link: Use to assign a web app for which you have a valid URL. These are client-server apps, and the URL identifies the server that hosts the web app.
• Built-in app: Use to assign curated apps to iOS or Android devices. After you assign the app(s), each appears as either a built-in iOS app or a built-in Android app.
• Line-of-business app: Use to assign a line-of-business (LOB) app. You can use this approach to sideload apps for which you have the application package file. Windows devices use .appx packages. Browse and select the package file, then configure supplemental options such as category and description.
• Windows app (Win32): Use to assign apps to Windows devices. As with an LOB app, you browse and select the package file (in this case, a file with an .intunewin file extension), then complete the configuration as above. Note that to create a file with the appropriate extension, you must convert your Win32 app to the Intune format using the Microsoft Win32 Content Prep Tool. This tool packages the app correctly for upload to Intune and is available at https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool.
• macOS app (DMG): To add a macOS application, upload the app’s installation file. Intune supports .dmg files containing .app files.
• Android Enterprise system app: Use to assign an Android Enterprise system app to your users’ devices.
This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.
Scenario 1
1. Microsoft Intune with Mobile Device Management enabled.
2. Enable and configure Windows Autoenrollment.
3. You require an Apple MDM Push Certificate for your organization.
Scenario 2
1. You can monitor Threat Agent Status to determine the current status of Microsoft Defender on your users’ enrolled Windows devices.
2. You can use the Microsoft Intune admin center to create an Endpoint Protection profile that contains the necessary Microsoft Defender Application Guard settings and assign the profile to the appropriate group(s) of devices.
3. In the Microsoft Intune admin center, create a Device Enrollment Restriction and define a Platform Restriction that prevents the enrollment of Android devices.
Scenario 3
1. You should configure Delivery Optimization so that updates are downloaded from Devices on my local network on all devices except one, which needs to receive the updates from the Microsoft Update service.
2. You can implement Delivery Optimization for the head office devices so that updates are received from other devices on the network. You can also configure bandwidth optimization measures that restrict the bandwidth consumed by updates during defined business hours.
3. You should install Windows 11 Enterprise, version 22H2 (General Availability Channel), and then implement policy using Windows Update to defer Windows Feature Updates for the maximum allowed duration of 365 days.
4. Enroll in the Windows Insider Program and install Windows 11 preview builds. Test these builds for compatibility issues. This should allow you to be ready to test the next General Availability Channel release and obtain compliance sign-off.
Scenario 4
1. You could implement Microsoft Tunnel for Intune. Microsoft Tunnel provides a VPN gateway for Android and iOS devices in your organization for access to on-premises resources.
2. You must perform the following high-level steps:
• Create a server configuration in Intune.
• Create a site in Intune.
• Install a Microsoft Tunnel Gateway on a Linux server in your on-premises environment (by using an Intune script).
• Deploy the Microsoft Tunnel client app to your iOS and Android devices.
• Create and deploy VPN profiles to your iOS and Android devices.
If you create a profile on an earlier baseline and Microsoft releases a newer version of that baseline, you might decide to update the profiles. However, existing profiles do not update automatically.
In fact, profiles using an older version of a baseline become read-only. They can still be used to secure your devices, and you can edit their name, description, and assignments. But you should consider updating them to the new baseline.
If Microsoft releases a baseline update, you can choose to update the baseline version used for a profile. You do this by using the following procedure:
1. In the Microsoft Intune admin center, navigate to Endpoint security.
2. Select Security baselines.
3. Select the appropriate baseline.
4. Select the check box next to the target profile.
5. Click Change Version on the toolbar (see Figure 3-63).
FIGURE 3-63 Changing the version for a security profile based on a baseline
6. If a new baseline is available (none are in the screenshot), choose either:
• Accept baseline changes but keep my existing setting customizations
• Accept baseline changes and discard existing setting customizations
7. Click Submit.
Need More Review? Use Security Baselines to Configure Windows Devices in Intune
To review further details about managing security baselines, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/protect/security-baselines.
Onboard devices to Defender for Endpoint
Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection) is a security platform built into Windows 11 and integrated with Microsoft cloud-based security services. Microsoft Defender for Endpoint integrates many of the security features we have already discussed to help you secure your devices.
Requirements
To use Microsoft Defender for Endpoint, you require one of the following Microsoft Volume licensing options:
Windows 10/11 Enterprise E5
Windows 10/11 Education A5
Microsoft 365 E5 (M365 E5), which includes Windows 11 Enterprise E5
Microsoft 365 A5 (M365 A5)
Microsoft 365 E5 Security
Microsoft 365 A5 Security
Microsoft Defender for Endpoint
The Portal
You use the Microsoft 365 Defender portal to manage Microsoft Defender for Endpoint settings and to view reports and alerts. You can access the portal at https://securitycenter.windows.com.
Need More Review? Microsoft Defender for Endpoint Portal Overview
In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers in the section that follows.
Scenario 1
Your organization has 500 employees and has implemented a bring-your-own-device (BYOD) strategy that enables users to use their personal mobile phones and tablets for corporate purposes as long as they comply with company policy regarding security and management features. After consulting an employee survey, you find that the users in your organization have iOS, Android, or Windows 11 devices.
1. What technology should you use to manage the devices?
2. You want to simplify enrollment for your Windows device users. What should you do?
3. To support your iOS devices, what additional step is required to enable MDM?
Scenario 2
As at many large organizations, security is a big concern at Contoso. You decide to implement MDM with Intune to help manage and secure your users’ devices.
1. What feature of Intune could you use to verify the current status of Microsoft Defender on your users’ Windows 11 devices?
2. You want to be able to configure Microsoft Defender Application Guard settings for enrolled Windows 11 devices. How can you achieve this in Intune?
3. You don’t want users with Android devices to be able to enroll them. How could you enforce this restriction?
Scenario 3
Adatum Corporation uses Microsoft 365 and has implemented Windows 11 Enterprise for all devices. You configure Windows Update and deploy update rings using Microsoft Intune.
Answer the following questions for your manager:
1. Two remote offices are in an area with poor Internet bandwidth, and the IT team is concerned that operational requirements might be difficult to maintain. What measure could you implement for the devices located at the remote locations to reduce bandwidth consumption from Windows updates?
2. Windows updates received by the head office devices are consuming too much of the available bandwidth. Users are reporting that access to the Internet is slow. What settings can you configure within Microsoft Intune to help relieve congestion at the head office?
3. Your Compliance Manager has received confirmation that your regulatory body has approved Windows 11 Enterprise, version 22H2 as being compliant. You need to ensure that all devices use only this version of Windows until the Compliance Manager confirms that a new version is compliant. How will you proceed?
4. You need to work with the Compliance Manager to ensure that future versions of Windows 11 Enterprise obtain regulatory compliance before the deployed version of Windows 11 becomes unsupported. What will you do to ensure that you can proactively evaluate the compatibility of new versions of Windows 11?
Scenario 4
Your users use both Android and iOS devices. Lately, it’s been necessary for these users to access a database application that runs on an on-premises server. Intune manages your users’ devices.
Answer the following questions:
1. How could you facilitate access for your users?
2. What high-level steps are necessary to facilitate your solution?
Within an organization, you can use on-premises tools, such as Microsoft Endpoint Configuration Manager (CM) and the Microsoft Deployment Toolkit (MDT), to manage Windows desktop images. Using these tools, you can integrate your organization’s applications into standard desktop builds and deploy and manage additional applications and updates.
You might consider using Microsoft Intune to deploy and manage apps for devices that are not part of your on-premises Active Directory Domain Services (AD DS) environment, or that are cloud-managed. For devices enrolled in Intune, you can deploy apps to Windows, iOS, Android, and macOS. The Microsoft Store for Business provides another method for distributing apps to your organization’s users.
Windows Configuration Designer, part of the Windows Assessment and Deployment Toolkit (Windows ADK) mentioned in chapter 1, enables you to create provisioning packages for your Windows devices. You can use these packages to add, remove, and configure applications on your users’ Windows devices.
Using Intune, you can deploy and maintain apps from the cloud onto your users’ devices. A copy of the software can be made available across multiple devices such as their iPhone, Windows laptop, or tablet. You deploy, configure, and manage apps in Intune using the Apps node in the Microsoft Intune admin center, displayed in Figure 4-1.
FIGURE 4-1 Managing apps in Microsoft Intune
From the Apps node, the following options are available:
All apps: Use this node to add, configure, and assign apps to your enrolled devices, irrespective of operating system (platform).
Monitor: Select this node to review:
• App licenses: Enables you to identify volume-purchased apps from the app stores.
• Discovered apps: Displays information about apps assigned by Intune or installed on devices.
• App installation status: Reports on the status of assigned apps.
• App protection status: Displays information about app protection policy status.
Windows, iOS/iPadOS, macOS, and Android: Under By Platform, select one of the listed operating systems to review and manage apps for a specific operating system.
App protection policies: Use this node to configure policies that help to protect against data leakage from deployed apps. You can create policies for iOS/iPadOS, Android, and Windows.
App configuration policies: You can create app configuration policies to configure apps on both iOS and Android devices, enabling you to customize the targeted app. You can create a policy that targets either the platform or a specific app.
iOS app provisioning profiles: When you deploy apps to iOS devices by using Intune, you must use an enterprise signing certificate. This certificate helps ensure the integrity of apps you deploy and typically has a lifetime of three years. However, the provisioning profile used to deploy the app lasts for a year. You can only assign and use a new app provisioning profile while the certificate is still valid.
S Mode supplemental policies: Windows S Mode helps protect Windows computers by limiting configured devices to only installing and running apps distributed from the Microsoft Store. By using these policies, you can authorize additional apps so that S Mode–protected devices can run them. You must sign these policies using the Device Guard Signing Portal.
Policies for Office apps: Create policies that enable you to manage Office app features and capabilities on mobile devices. There are currently more than 2,000 settings that you can assign.
Policy sets: Using Policy sets enables you to group application management, device management, and device enrollment policies into a single grouping for assignment to specified groups of users or devices. This can help streamline the process of applying policies.
App selective wipe: Enables you to create a wipe request that will remove company app data from a selected user and device.
App categories: Enables you to define app category names to help your users locate suitable apps.
E-books: Enables you to access your organization’s e-books and related settings.
Filters: Enables you to filter apps by platform and other criteria to assign a policy based on rules you create.
To add a Microsoft Store app, use the following procedure:
1. Open the Microsoft Intune admin center and select Apps in the navigation pane.
2. Select All apps, and then select Add.
3. On the Select app type blade displayed in Figure 4-2, in the App type list, under the Store app heading, select Microsoft Store app (new) and click Select.
4. On the Add App blade, select Search the Microsoft Store app (new).
5. On the Search the Microsoft Store app (new) blade, search for an app and then choose Select, as displayed in Figure 4-3.
FIGURE 4-3 Adding a Microsoft Store app
6. To obtain the URL, visit the app store using a web browser, locate the app you want, and then copy the URL for the app’s page.
7. Select Next, and on the Assignments tab select the appropriate groups for assignment, or select Add all users as displayed in Figure 4-4. Then select Next.
FIGURE 4-4 Assigning a Microsoft Store app
8. On the Review + create tab, select Create.
After you create the app, you can use the Device install status and User install status options in the Monitor section to monitor the installation of the selected app.
Note: Installing iOS and Android Store Apps
Installing store apps for iOS and Android is fairly similar to this process.
Note: ARM64 Apps
Microsoft Store apps do not support any app with an ARM64 installer.
Configure Microsoft 365 Apps deployment by using the Microsoft Office Deployment Tool or Office Customization Tool (OCT)
You can configure Microsoft 365 Apps by using specialist tools that allow you to customize and configure the Office installation for your company’s needs. Two tools are available:
Office Deployment Tool (ODT)
Office Customization Tool
Using the Microsoft Office Deployment Tool
The ODT is a command-line utility that deploys Microsoft 365 Apps to client devices and gives you granular control over the Office installation. For example, you can configure the following:
Which products are installed
Language options
Office updates
Whether the install experience is displayed to users
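The ODT reads all of these settings from a configuration.xml file (the Office Customization Tool produces a file in the same format). As an added example that is not from the book, the following PowerShell writes a configuration covering each of the four areas listed above and runs the ODT; the paths under C:\ODT and the chosen languages are assumptions, while the product ID, channel names and element names are the ODT’s documented ones.

```powershell
# Added example (not from the book). Assumes the ODT's setup.exe has been downloaded to
# C:\ODT and that C:\ODT\Office will hold the locally staged installation files.
$OdtRoot    = 'C:\ODT'
$SetupExe   = Join-Path $OdtRoot 'setup.exe'
$SourcePath = Join-Path $OdtRoot 'Office'
$ConfigFile = Join-Path $OdtRoot 'configuration.xml'

# O365ProPlusRetail is the product ID for Microsoft 365 Apps for enterprise.
# Channel values the ODT accepts include Current, CurrentPreview, MonthlyEnterprise,
# SemiAnnual and SemiAnnualPreview, matching the update channels Intune also offers.
$config = @"
<Configuration>
  <!-- Which products are installed, for which architecture, from which local source -->
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise" SourcePath="$SourcePath">
    <Product ID="O365ProPlusRetail">
      <!-- Language options: install two UI languages (assumed choice) -->
      <Language ID="en-us" />
      <Language ID="de-de" />
      <!-- Leave Skype for Business and the legacy OneDrive for Business client out -->
      <ExcludeApp ID="Lync" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <!-- Office updates: enabled, served from the Monthly Enterprise Channel -->
  <Updates Enabled="TRUE" Channel="MonthlyEnterprise" />
  <!-- Install experience: no UI shown to the user, license terms accepted for them -->
  <Display Level="None" AcceptEULA="TRUE" />
  <!-- Remove any older MSI-based Office installation first -->
  <RemoveMSI />
</Configuration>
"@

$config | Set-Content -Path $ConfigFile -Encoding UTF8

# Make sure the file parses as XML before handing it to setup.exe; a malformed file
# otherwise fails silently with Display Level="None".
[xml]$parsed = Get-Content -Path $ConfigFile -Raw
if (-not $parsed.Configuration.Add.Product) { throw 'configuration.xml has no Product element' }

# /download stages the installation files locally; /configure installs from that source.
foreach ($mode in '/download', '/configure') {
    $proc = Start-Process -FilePath $SetupExe -ArgumentList "$mode `"$ConfigFile`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "ODT $mode failed with exit code $($proc.ExitCode)" }
}
```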
If your users’ computers experience a situation where BitLocker will not unlock their operating system drive, they must enter a recovery key, as mentioned earlier. You can store and access the keys using Intune.
To access the BitLocker key for a user, use the following procedure:
1. In the Microsoft Intune admin center, navigate to Devices and select Windows devices.
2. Locate the device in the list of Windows devices and then select it.
3. In the navigation pane, select Recovery keys.
4. In the details pane, select Show Recovery Key.
5. Provide the key to the user to unlock their drive.
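Intune can only show a recovery key that the device has escrowed to Azure AD. As an added example that is not from the book, this PowerShell run on an Azure AD joined or hybrid joined device confirms that each protected volume has a recovery password protector and backs it up; the function name is assumed, the cmdlets are those of the Windows BitLocker module.

```powershell
# Added example (not from the book): escrow every BitLocker recovery password to Azure AD,
# which is where Intune reads the key shown under Recovery keys. Run elevated.
function Backup-RecoveryKeysToAAD {
    foreach ($volume in Get-BitLockerVolume) {
        if ($volume.ProtectionStatus -ne 'On') {
            [pscustomobject]@{ MountPoint = $volume.MountPoint; KeyProtectorId = $null; Status = 'NotProtected' }
            continue
        }

        # Recovery password protectors are the 48-digit keys a user types at the recovery screen.
        $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $recovery) {
            # Nothing to escrow yet: add a recovery password protector, then re-read the volume.
            $null = Add-BitLockerKeyProtector -MountPoint $volume.MountPoint -RecoveryPasswordProtector
            $recovery = (Get-BitLockerVolume -MountPoint $volume.MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }

        foreach ($protector in $recovery) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                    -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'EscrowedToAAD'
            } catch {
                # Typical causes: device not Azure AD joined, or no network path to Azure AD.
                $status = "EscrowFailed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                MountPoint     = $volume.MountPoint
                KeyProtectorId = $protector.KeyProtectorId
                Status         = $status
            }
        }
    }
}

Backup-RecoveryKeysToAAD | Format-Table -AutoSize
```

Any volume reported as EscrowFailed will have no key to show in Intune, so the helpdesk procedure above would fail for that device.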
Implement and manage Microsoft Defender Credential Guard
When users sign in, they provide their user credentials via the Local Security Authority subsystem (LSA) to an authentication service. These user credentials are stored temporarily in memory in the LSA as hashes. Certain malicious software can access the LSA and exploit the stored hashes.
To help protect against this, Windows 11 Enterprise and Windows 11 Education include Microsoft Defender Credential Guard, which uses virtualization-based security to isolate the credentials stored by the Local Security Authority so that other software cannot access them.
Requirements
In addition to requiring the appropriate edition of Windows 11, the following are the requirements for implementing Microsoft Defender Credential Guard:
Support for Virtualization-based security.
UEFI 2.3.1 or greater.
Secure Boot.
TPM 1.2 or 2.0, either discrete or firmware.
UEFI (firmware) lock preferred.
Virtualization features: Intel VT-x or AMD-V; SLAT must be enabled.
Windows hypervisor, although Hyper-V doesn’t need to be installed.
Implement Microsoft Defender Credential Guard
After verifying that your computer meets the requirements, you can enable Microsoft Defender Credential Guard by using Group Policy or Microsoft Intune. To use Intune, perform the following steps:
1. Open the Microsoft Intune admin center.
2. Navigate to Endpoint security and select Account protection.
3. In the details pane, select Create Policy.
4. On the Create a profile page, displayed in Figure 3-55, in Platform, select Windows 10 and later, and in the Profile list, choose Account protection.
FIGURE 3-55 Enabling Microsoft Defender Credential Guard
5. Click Create.
6. In the Create profile wizard, on the Basics tab, enter a Name and Description and click Next.
7. On the Configuration settings page, select Enable with UEFI lock in the Turn on Credential Guard list and click Next.
8. Complete the wizard by defining scope tags and assignments and click Create on the Review + create page.
You can also use a configuration profile of type Endpoint protection:
1. Select Devices, select Windows, and then select Configuration profiles.
2. Select Create profile, and in the Platform list, select Windows 10 and later.
3. In the Profile type list, select Templates.
4. In the list of templates, select Endpoint protection, and click Create.
5. On the Configuration settings page, expand Microsoft Defender Credential Guard and configure the desired settings.
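Either policy only takes effect on devices that meet the requirements listed earlier, so it is worth verifying on the device rather than trusting the assignment status. As an added example that is not from the book, the following PowerShell checks a device against those requirements and reports whether Credential Guard is configured and running; the function name is assumed, while the WMI class, registry value and codes are the documented ones for Win32_DeviceGuard and LsaCfgFlags.

```powershell
# Added example (not from the book). Run in an elevated PowerShell session on the target device.
function Get-CredentialGuardState {
    # Win32_DeviceGuard is the built-in WMI class that reports VBS and Credential Guard state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # AvailableSecurityProperties codes: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection.
    $available = @($dg.AvailableSecurityProperties)

    # SecurityServicesConfigured / SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI.
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }

    # LsaCfgFlags mirrors the policy choice: 1 = Enable with UEFI lock, 2 = Enable without lock.
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $policy = switch ($lsaCfg) {
        1 { 'EnabledWithUefiLock' } 2 { 'EnabledWithoutLock' } default { 'NotConfigured' }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, which is itself a failed requirement.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        HypervisorSupported = $available -contains 1
        SecureBootOn        = [bool]$secureBoot
        DmaProtection       = $available -contains 3
        TpmPresentAndReady  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        VbsStatus           = $vbs
        CredGuardConfigured = $configured
        CredGuardRunning    = $running
        PolicySetting       = $policy
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# A policy that is set but has not produced a running service is the gap a compliance
# policy or remediation script should flag, rather than the assignment status in Intune.
if ($state.PolicySetting -ne 'NotConfigured' -and -not $state.CredGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; review the requirements above.'
}
```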
Need More Review? Manage Microsoft Defender Credential Guard