The ultimate MEM tour part 2 – Applications

In this blog series, I’ll give you a tour through the features that Microsoft Endpoint Manager offers us. In my first blog we looked at the Device Management features. In this blog I want to cover all the features around Application Management. Good apps are one of the foundations of a successful company. With Intune, you can ensure that end users have access to the apps they need to do their jobs.

More blogs from this series:

So here we go enjoy the blog

Intune offers the possibility to distribute apps for Windows, iOS/iPadOS, macOS and Android. In this blog, I’ll cover all the functions and features related to application management. These features are all bundled in the Apps menu.


Just like Device Management, everything starts with an Overview Dashboard. In this dashboard you will get a brief overview of the installation status and the app protection policy status (more about this later). You will also get some information about your tenant and the MDM authority. As MDM authority you have the following options: – –

  • Intune (Cloud-only management)
  • Intune co-management (Integration of the Configuration Manager)
  • Basic Mobility and Security for Microsoft 365 (Office 365 as MDM authority. If you want to start using Intune, you’ll need purchase Intune licenses)
  • Basic Mobility and Security for Microsoft 365 coexistence (authority is defined based on the license assigned to the user)

All Apps

In this menu you get an overview of all apps that are in your company’s app portfolio across all platforms. In this menu you get an overview of all apps that are in your company’s app portfolio across all platforms. You can identify per app which type it is. You can also see the version, the status and if the app is assigned.

Not only do you get an overview of the apps in the portfolio, but you can also add new ones. There are the following

Here you will not only get an overview of the apps in the portfolio, you can also add new ones. MEM supports the following app types:

Store app

  • Android store app
  • iOS store app
  • Microsoft store app
  • Managed Google Play app

Microsoft 365 Apps

  • Windows 10 and later
  • macOS

Microsoft Edge, version 77 and later

  • Windows 10 and later
  • macOS

Microsoft Defender for Endpoint

  • macOS



As in the Device menu, there is also a monitor area in which you can find various reports. Which reports are available and what they are for I will explain now.

App licenses

  • This report provides you with an overview of the licenses used per app. When you create an app you can specify how many licenses you have for this app.

Discovered apps

  • Here you can see a discovery of managed and unmanaged apps installed on a device with the version and the count of devices on which the app is installed.

App installation status

  • Here you can see a percentage per app, how often the installation failed.

App protection status

  • In this report you will get a lot of information about app protection. You can download various reports or use the “Reports” button to view additional reports. We will look at what app protection is below.

By Platform

For the By Platform you have the choice between Windows, iOS/iPadOS, macOS and Android. What you find within the categories is the same as for all apps, but filtered by OS type.
For iOS, you can additionally create an app provisioning profile here.

App protection policies

App Protection Policies allow you to manage and protect your data for specific apps on iOS, Android, and Windows, and ensure that data is not lost without the need of a device management. These policies are enforced when a user accesses corporate data. Apps that are assigned policies through MAM (Mobile Application Management) are called managed apps. However, this cannot be applied to every app, because the app must have a support for MAM. A list of supported apps can be found here. For apps that have no ootb support, an XML can be uploaded to add it.

There can be several policies defined that must be met before access is granted. For example, you can define that access is only allowed from certain networks.

There are 2 ways you can create these policies:

  • With enrollment (devices enrolled with Intune).
  • Without enrollment (non-enrolled devices e.g. BYOD)
    • You can also, block access to company data for non-enrolled devices

App configuration policies

App configuration policies allow you to make settings within apps on iOS/iPadOS or Android. These settings are applied as soon as a user runs the app. Intune offers ootb a support of many applications. But it is possible to add more.

An example for an app configuration policies are security settings or branding settings within apps. Using app configuration policies can simplify and speed up the rollout of new apps.

iOS app provisioning profiles

In the iOS app provisioning profiles menu, provisioning profiles can be uploaded.

But what are these profiles for?
Unlike Android, you can’t install just any app on iOS devices. The app must be signed by Apple. When running apps on iOS devices, various checks are performed such as installation file integrity and enforcing features from the provisioning profile. However, if your company self develops apps and does not want to make them publicly available in the public app store, you can distribute them via an IPA file. Provisioning profiles helps to ensure that these apps are trusted even if they are not signed by apple.

S mode supplemental policies

Windows S mode is a Windows version where only Windows Store apps are allowed for better performance and security. In order to install Win32 apps in the S version, Microsoft has introduced the S mode policies. These policies require Windows Build 18363 or higher.
With the S mode supplemental policies you can define Windows Defender Application Control policies to run Win32 apps. Such a policy is created via Powershell and must be signed afterwards.

Detailed instructions on how to create such a policy can be found here.

Policies for Office apps

With these policies you can configure and protect the Office apps. Some of the Office policies available here can also be created via Configuration Profiles. However, the number of policies and options are larger in this menu.

Policy sets

We have already looked at the option for policy sets in the device configuration. But here again for completeness:

Policy sets are a collection of different management objects and apps that can be grouped and assigned together. The policy set is a reference to different objects you added. This feautre was introduced at the end of 2019.

In the following blog post I explain policy sets in detail.

App selective wipe

With App selective wipe you can delete company data from devices when for example an employee leaves the company. This data is then deleted from the MAM managed apps without the need to wipe the device. This is useful for e.g. a BYOD concept where private data can also be on the device.

App categories

In this menu you can rename or delete existing app categories but also create new categories. You can then assign these to apps when you create them. In the Company Portal, the apps are then clearly listed according to the categories.


This option allows you to manage and assign e-books to Intune managed iOS/iPadOs devices purchased through a volume license. For this purpose, a VPP token must be deposited in Intune.


With Assignment Filter you can make the assignments more comfortable. This feature was first available for configuration profiles and then for apps. With the service release 2107 Intune has enabled the assignment filters also for update rings.

What are assignment filters and how can you use them I explain in the following blog.

Help and support

Help and Support is spread all over the MEM portal. Also here in the Application menu there is this option again. Here you have the possibility to get help, to open tickets or to access already opened tickets.


Also in the application management area intune offers a lot of functions and features. Here, however, there is a larger mix of functions that are operating system dependent. Not every feature is applicable to every platform. This is mostly due to the dependency on the provider when implementing the features in the OS.

In the next blog, we’ll take a closer look at Intune’s security features.

Thank you very much for reading this blog. If you like this blog I would be very happy about a like or a share.

We hear us in the next part of this series.
Stay healthy, Cheers

4 thoughts on “The ultimate MEM tour part 2 – Applications

Comments are closed.