Skill 4.1: Deploy and update applications
Within an organization, you can use on-premises tools, such as Microsoft Endpoint Configuration Manager (ECM) and the Microsoft Deployment Toolkit (MDT), to manage Windows 10 desktop images. Using these tools, you can integrate your organization’s applications into standard desktop builds. You can also deploy additional applications and manage application updates using these tools.
For devices that are not part of your on-premises Active Directory Domain Services (AD DS) environment, you might consider using Microsoft Intune to deploy and manage apps. You can deploy apps to devices running Windows 10, iOS, Android, and macOS as long as these devices are enrolled in Intune. Microsoft Store for Business provides another method for the distribution of apps for your organizational users.
Using Windows Configuration Designer, part of the Windows Assessment and Deployment Toolkit (Windows ADK), you can create provisioning packages for your Windows 10 devices. You can use these packages to add, remove, and configure applications on your users’ Windows 10 devices.
This skill covers how to:
- Deploy apps by using Intune and assign apps to groups
- Deploy apps by using Microsoft Store for Business
- Enable sideloading of apps into images
- Use Windows Configuration Designer to deploy apps
- Configure and implement assigned access or public devices
- Deploy Microsoft 365 Apps
- Gather Microsoft 365 Apps readiness data
Deploy apps by using Intune and assign apps to groups
You deploy, configure, and manage apps in Intune by using the Apps node in the Microsoft Endpoint Manager admin center, displayed in Figure 4-1.
Figure 4-1 Managing apps in Microsoft Intune
From the Apps node, the following options are available:
- All Apps: Use this node to add and assign apps to your enrolled devices, regardless of operating system (platform).
- Monitor: Select this node to review the following:
  - App Licenses: Enables you to identify volume-purchased apps from the app stores.
  - Discovered Apps: Displays information about apps assigned by Intune or installed on devices.
  - App Installation Status: Reports on the status of assigned apps.
  - App Protection Status: Displays information about app protection policy status.
- Windows, iOS/iPadOS, macOS, and Android: Beneath the By Platform heading, select one of the listed operating systems to review and manage apps for a specific operating system.
- App Protection Policies: Use this node to configure policies that help to protect against data leakage from deployed apps. You can create policies for iOS/iPadOS, Android, and Windows.
- App Configuration Policies: You can create app configuration policies to configure apps on both iOS and Android devices, enabling you to customize the targeted app. You can create a policy that targets either the platform or a specific app.
- iOS App Provisioning Profiles: When you deploy apps to iOS devices by using Intune, you must use an enterprise signing certificate. This certificate helps ensure the integrity of apps that you deploy and typically has a lifetime of three years. However, the provisioning profile used to deploy the app lasts for a year. You can only assign and use a new app provisioning profile while the certificate is still valid.
- S Mode Supplemental Policies: Windows S Mode helps protect Windows computers by limiting configured devices to only install and run apps that are distributed from the Microsoft Store. By using these policies, you can authorize additional apps so that S Mode–protected devices can run those additional apps. You must sign these policies using the Device Guard Signing Portal.
- Policies for Office apps: Create policies that enable you to manage Office app features and capabilities on mobile devices. There are currently over 2,000 settings that you can assign.
- Policy Sets: Policy sets enable you to group application management, device management, and device enrollment policies into a single set for assignment to specified groups of users or devices. This approach can help streamline the application process.
- App Selective Wipe: Enables you to create a wipe request that will remove company app data from a selected user and device.
- App Categories: Enables you to define app category names to help your users locate suitable apps.
- E-books: Enables you to access your organization’s e-books and related settings.
In an earlier version of Intune, the following settings were also accessible through the Apps node. However, they now reside in the Tenant Administration node. Select Tenant Administration, and then select Connectors And Tokens. In this node, the following app-related options are available:
- Microsoft Store for Business: Select to integrate Intune with the Microsoft Store for Business. Once configured, it enables you to track license usage for apps distributed through the store.
- Windows Enterprise Certificate: Enables you to view and apply your code-signing certificate. This certificate is used to distribute your line-of-business (LOB) apps to managed Windows devices.
- Windows Symantec Certificate: Enables you to view and apply a Symantec code-signing certificate. This certificate is used to distribute XAP and WP8.x appx files to enrolled Windows 10 Mobile devices. XAP and WP8.x appx files are used to distribute apps to phone devices running Windows 10 Mobile.
- Windows Side Loading Keys: Enables you to distribute a side-loading key to devices. Allows users to install apps without needing to visit the Microsoft Store.
- Apple VPP Tokens: Enables you to view and apply your iOS Volume Purchase Program (VPP) licenses.
- Managed Google Play: Enables you to approve Google Android apps for your organization.
Other options are accessible in Connectors And Tokens, but they do not relate to app management.
Need More Review? What is Microsoft Intune app Management?
To review further details about using Intune for app management, refer to the Microsoft website at https://docs.microsoft.com/en-us/mem/intune/apps/app-management.