Microsoft Intune App Management: Ultimate MEM Tour Part 2

In this blog series, I’ll give you a tour through the features that Microsoft Intune offers us. In my first blog we looked at the Device Management features. In this blog I want to cover all the features around Application Management. Good apps are one of the foundations of a successful company. With Intune, you can ensure that end users have access to the apps they need to do their jobs.

More blogs from this series:

• Part 1 – Devices
• Part 2 – Applications – this blog
• Part 3 – Endpoint Security
• Part 4 – Reports
• Part 5 – User and Groups

So here we go enjoy the blog

Intune offers the possibility to distribute apps for Windows, iOS/iPadOS, macOS and Android. In this blog, I’ll cover all the functions and features related to application management. These features are all bundled in the Apps menu.

Overview

Just like Device Management, everything starts with an Overview Dashboard. In this dashboard you will get a brief overview of the installation status and the app protection policy status (more about this later). You will also get some information about your tenant and the MDM authority. As MDM authority you have the following options: – –

• Intune (Cloud-only management)
• Intune co-management (Integration of the Configuration Manager)
• Basic Mobility and Security for Microsoft 365 (Office 365 as MDM authority. If you want to start using Intune, you’ll need to purchase Intune licenses)
• Basic Mobility and Security for Microsoft 365 coexistence (authority is defined based on the license assigned to the user)

All Apps

In this menu you get an overview of all apps that are in your company’s app portfolio across all platforms. You can identify per app which type it is. You can also see the version, the status and if the app is assigned.

Here you will not only get an overview of the apps in the portfolio, you can also add new ones. Intune supports the following app types:

Store app

• Android store app
• iOS store app
• Microsoft store app
• Managed Google Play app

Microsoft 365 Apps

• Windows 10 and later
• macOS

Microsoft Edge, version 77 and later

• Windows 10 and later
• macOS

Microsoft Defender for Endpoint

• macOS

Other

• Web link
• Built-in app
• Line-of-business app
• Windows app (Win32)
• Android Enterprise system app

Monitor

As in the Device menu, there is also a monitor area in which you can find various reports. Which reports are available and what they are for I will explain now.

By Platform

For the By Platform you have the choice between Windows, iOS/iPadOS, macOS and Android. What you find within the categories is the same as for all apps, but filtered by OS type.
For iOS, you can additionally create an app provisioning profile here.

App protection policies

App Protection Policies allow you to manage and protect your data for specific apps on iOS, Android, and Windows, and ensure that data is not lost without the need of a device management. These policies are enforced when a user accesses corporate data. Apps that are assigned policies through MAM (Mobile Application Management) are called managed apps. However, this cannot be applied to every app, because the app must have a support for MAM. A list of supported apps can be found the Microsoft documentation. For apps that have no ootb support, an XML can be uploaded to add it.

There can be several policies defined that must be met before access is granted. For example, you can define that access is only allowed from certain networks.

There are 2 ways you can create these policies:

• With enrollment (devices enrolled with Intune).
• Without enrollment (non-enrolled devices e.g. BYOD)
  • You can also, block access to company data for non-enrolled devices

App configuration policies

App configuration policies allow you to make settings within apps on iOS/iPadOS or Android. These settings are applied as soon as a user runs the app. Intune offers ootb a support of many applications. But it is possible to add more.

An example for app configuration policies are security settings or branding settings within apps. Using app configuration policies can simplify and speed up the rollout of new apps.

iOS app provisioning profiles

In the iOS app provisioning profiles menu, provisioning profiles can be uploaded.

But what are these profiles for?
Unlike Android, you can’t install just any app on iOS devices. The app must be signed by Apple. When running apps on iOS devices, various checks are performed such as installation file integrity and enforcing features from the provisioning profile. However, if your company self develops apps and does not want to make them publicly available in the public app store, you can distribute them via an IPA file. Provisioning profiles help to ensure that these apps are trusted even if they are not signed by Apple.

S mode supplemental policies

Windows S mode is a Windows version where only Windows Store apps are allowed for better performance and security. In order to install Win32 apps in the S version, Microsoft has introduced the S mode policies. These policies require Windows Build 18363 or higher.
With the S mode supplemental policies you can define Windows Defender Application Control policies to run Win32 apps. Such a policy is created via Powershell and must be signed afterwards.

Detailed instructions on how to create such a policy can be found the Microsoft documentation.

Policies for Office apps

With these policies you can configure and protect the Office apps. Some of the Office policies available here can also be created via Configuration Profiles. However, the number of policies and options are larger in this menu.

Policy sets

We have already looked at the option for policy sets in the device configuration. But here again for completeness:

Policy sets are a collection of different management objects and apps that can be grouped and assigned together. The policy set is a reference to different objects you added. This feature was introduced in late 2019.

In the following blog post I explain policy sets in detail.

App selective wipe

With App selective wipe you can delete company data from devices when for example an employee leaves the company. This data is then deleted from the MAM managed apps without the need to wipe the device. This is useful for e.g. a BYOD concept where private data can also be on the device.

App categories

In this menu you can rename or delete existing app categories but also create new categories. You can then assign these to apps when you create them. In the Company Portal, the apps are then clearly listed according to the categories.

E-books

This option allows you to manage and assign e-books to Intune managed iOS/iPadOS devices purchased through a volume license. For this purpose, a VPP token must be deposited in Intune.

Filters

With Assignment Filter you can make the assignments more comfortable. This feature was first available for configuration profiles and later expanded to apps and update rings.

What are assignment filters and how can you use them I explain in the use assignment filter for the update ring assignment.

Help and support

Help and Support is spread all over the Intune admin center. Also here in the Application menu there is this option again. Here you have the possibility to get help, to open tickets or to access already opened tickets.

Conclusion

Also in the application management area Intune offers a lot of functions and features. Here, however, there is a larger mix of functions that are operating system dependent. Not every feature is applicable to every platform. This is mostly due to the dependency on the provider when implementing the features in the OS.

In the next blog, we’ll take a closer look at Intune’s security features.

Thank you very much for reading this blog. If you like this blog I would be very happy about a like or a share.

See you in the next part of this series.
Stay healthy, Cheers
Jannik