By Nina Desnica – Program Manager 2 | Microsoft Endpoint Manager – Intune
and
Lothar Zeitler – Senior Program Manager | Microsoft Endpoint Manager – Intune
Application lifecycle management (ALM) is a fascinating and potentially complex process; however, the general elements of ALM are similar across all models. The app lifecycle starts with configuring the app itself and usually ends with app retirement.
In this post, we’ll review the different elements of the app lifecycle in Microsoft Intune from the perspective of mobile device management (MDM). We’ll start with provisioning, that is, adding an app to Microsoft Intune, and then review how we deliver various app types to devices and users. We’ll also explain app configuration and assigning apps to your users or devices. Application protection is a feature that Endpoint Manager offers for apps on managed and unmanaged devices, and we’ll explain the different options for protecting your apps. Lastly, we’ll review the steps for retiring an app to uninstall it from devices and remove access to business-critical data.
Each platform that Intune supports offers options for different app types, deployment sources, and update management. Additionally, the configuration of an individual app, its protection, and its retirement vary across app types and platforms too. The following chart gives a high-level overview of supported apps by OS (the chart itself is not reproduced here; its footnotes read as follows):
- Only with Managed Google Play
- Update management with Intune
- Update Office with Microsoft Update
- With packaging tools
- With scripts
- Only with Microsoft Store for Business
The following sections in this blog will provide a closer look into each of the elements of the app lifecycle in Intune.
Add
The app lifecycle starts with adding the applications to Intune. This process is similar for several app types, and there are different options depending on the platform (iOS, Android, Windows 10, macOS) or usage scenario (managed device, BYOD).
The following table gives an overview of options for adding different app types to each supported OS and includes links to documentation with detailed instructions (cells whose content was only a documentation link are left blank in this copy).

| App type | Windows | iOS | Android | macOS |
|---|---|---|---|---|
| Store app | | | | |
| Microsoft 365 apps | | | | |
| Microsoft Edge | Microsoft Edge | Microsoft Edge, version 77 and later | | |
| Web apps | Web links | Web links | Web links | Web links |
| LOB | | | | |
| MDE | Microsoft Defender for Endpoint | Microsoft Defender for Endpoint | | |
*Recently, we announced exciting plans that bring together the management capabilities of Microsoft Endpoint Manager, the new Microsoft Store, and the flexibility of Windows Package Manager. These plans enhance the new Microsoft Store experience that is coming soon to both Windows 11 and Windows 10: Evolving the Microsoft Store for Business and Education.
The process of adding apps in the Microsoft Endpoint Manager admin center is described in add apps to Microsoft Intune.
Deploy
After apps are added, you need to prepare to deploy those apps to devices. There are three different methods, depending on the types of apps you deliver.
Store apps, such as iOS/iPadOS and Windows apps from private stores as well as from business/volume stores can be distributed with Endpoint Manager. Keep in mind that apps from private stores usually need to be free of charge. License management and company purchasing is supported by business and volume stores. Consider this when you are selecting apps for delivery. If you are enrolling Android devices and using Android Enterprise, only apps from the Managed Google Play store can be distributed. If you want to deploy line of business (LOB) apps or web apps to your Android devices, you need to upload these packages first to Managed Google Play.
The second method is to use Endpoint Manager to deploy your own applications. When you upload your applications to Intune, they are stored in Azure in the same location where your Azure AD tenant was created (e.g., West Europe). As shown in the table in the previous section, Intune supports single installers/package files, such as MSI, IPA for iOS/iPadOS, and APK for Android (device administrator scenarios only). Web links or web clips are supported for these platforms too; a file containing the link is sent to the applicable devices.
Lastly, we offer the delivery of complex application installations. For macOS we offer a packaging tool to help you prepare a package for delivery. Once the package is uploaded to Microsoft Endpoint Manager, we can deploy the application to macOS devices. Complex installers are well known in Windows. We simply call them Win32 apps: freestanding installation programs, such as setup.exe. For this app type, Endpoint Manager offers additional functions for complex installations before delivery, such as dependencies and supersedence.
It’s worth mentioning winget, which is a client interface to the Windows Package Manager service. To learn how to use this command line tool, see: Use the winget tool to install and manage applications.
Configure
You can use Intune app configuration policies to set up custom configuration settings for iOS/iPadOS apps, Android apps, and the Microsoft Edge browser. App suppliers can define settings that you can customize using key-value pairs. There are two ways to deploy app configuration policies: to managed devices or to managed apps.
What about updates? The available options differ for each app type. Intune installs some updates automatically on the device. For LOB app updates, you need to supply the new installation file and update the app in Endpoint Manager; Intune then installs the update on the device. App updates are automatic for Store apps, built-in apps, web apps, and apps from other services. However, you must manually update in-house or custom LOB apps. See the Intune documentation for specific steps, for example Update an Android line-of-business app.
Protect
Application protection is an important element of the app lifecycle for apps that consume corporate data. With Intune, protection is enforced with app protection policies (APP), which you can apply at the app level, independent of an MDM solution. In addition to targeting apps on iOS and Android devices, you also have to protect corporate data on desktop operating systems such as Windows and macOS, which can be more complicated to implement.
Let’s start with the mobile operating systems. Android and iOS offer functions to encrypt data at rest, set encryption levels and conditions, and distinguish whether an app is managed or not. While the managed “state” is set by the OS, using encryption or additional security features requires app modification. Intune offers the Microsoft Intune App SDK, which can be integrated into apps to enable additional security features. For a list of Microsoft and partner apps that support Intune APP, see Microsoft Intune protected apps.
Intune has a defined APP data protection framework, which includes three distinct configuration scenarios: Level 1 enterprise basic data protection, Level 2 enterprise enhanced data protection, and Level 3 enterprise high data protection. You can read more about this in our previous post App Protection Policy data protection framework. For detailed guidance on this methodology, see the docs article Data protection framework for using app protection policies.
Application protection policies use the Intune service, and on the device, apps need to have the Intune SDK components integrated. However, the devices themselves do not necessarily need to be managed by Intune. Intune APP works at the app level on unmanaged devices, as well as on devices that are enrolled in third-party MDM solutions.
This chart (not reproduced here) illustrates the application protection flow (source: Data protection with APP on devices managed by an MDM solution).
Windows Information Protection (WIP) is built into Windows, and you can use WIP policies to protect data at the application layer. However, there are more security factors to consider. Microsoft 365 Endpoint data loss prevention works at the device and document level. You can configure settings to add restrictions, such as blocking documents from being copied onto a USB drive, or to audit which documents are copied to a network share. For more information, see Learn about Microsoft 365 Endpoint data loss prevention.
Retire
At the end of the app lifecycle, when you are ready to uninstall the app, you first need to remove all the earlier assignments for install (both "Available for enrolled devices" and "Required") for the targeted members or groups. If a group is assigned to both install an app and uninstall an app, the app will remain and not be removed. After you have removed all the assignments for install, you can proceed with the uninstall.
Select the members or groups for which you want to uninstall the app. Apps with this assignment are uninstalled from managed devices in the selected groups if Intune has previously installed the application onto the device via an "Available for enrolled devices" or "Required" assignment on the same deployment.
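As an added example (not code from this post or from Intune itself), the Python below checks an app's assignment list, in the shape returned by Microsoft Graph for a mobileAppAssignment, for the situation just described before the uninstall assignment is added: any target that still carries an install intent, or that carries both an install and an uninstall intent, means the app will stay. The intent and target type names are assumed to match Graph; the sample assignment list and group ids are constructed.

```python
from collections import defaultdict

# Intent values of a Graph mobileAppAssignment (assumed names, not from the post).
INSTALL_INTENTS = {"required", "available", "availableWithoutEnrollment"}
UNINSTALL_INTENT = "uninstall"
# @odata.type of an assignment target -> short label (assumed names).
TARGET_TYPES = {
    "#microsoft.graph.groupAssignmentTarget": "group",
    "#microsoft.graph.exclusionGroupAssignmentTarget": "excluded-group",
    "#microsoft.graph.allDevicesAssignmentTarget": "all-devices",
    "#microsoft.graph.allLicensedUsersAssignmentTarget": "all-users",
}

def target_key(target):
    """Turn an assignment target object into a comparable label."""
    label = TARGET_TYPES.get(target.get("@odata.type"), "unknown")
    group_id = target.get("groupId")
    return f"{label}:{group_id}" if group_id else label

def retire_readiness(assignments):
    """Return (conflicts, installs, uninstalls) as sorted target labels.
    conflicts: targets with both an install and an uninstall intent, where
    the install wins and the app stays; installs: targets still carrying any
    install intent; uninstalls: targets carrying the uninstall intent."""
    intents = defaultdict(set)
    for assignment in assignments:
        intents[target_key(assignment["target"])].add(assignment["intent"])
    conflicts = sorted(k for k, v in intents.items()
                       if UNINSTALL_INTENT in v and v & INSTALL_INTENTS)
    installs = sorted(k for k, v in intents.items() if v & INSTALL_INTENTS)
    uninstalls = sorted(k for k, v in intents.items() if UNINSTALL_INTENT in v)
    return conflicts, installs, uninstalls

def ready_to_retire(assignments):
    """True only once no install intent remains, so uninstall can proceed."""
    conflicts, installs, _ = retire_readiness(assignments)
    return not conflicts and not installs

# Constructed sample shaped like GET .../mobileApps/{id}/assignments.
GROUP = "#microsoft.graph.groupAssignmentTarget"
SAMPLE_ASSIGNMENTS = [
    {"intent": "required", "target": {"@odata.type": GROUP, "groupId": "grp-finance"}},
    {"intent": "uninstall", "target": {"@odata.type": GROUP, "groupId": "grp-finance"}},
    {"intent": "available", "target": {"@odata.type": GROUP, "groupId": "grp-sales"}},
    {"intent": "uninstall", "target": {"@odata.type": GROUP, "groupId": "grp-legacy"}},
]
```

Run against a real tenant, the same functions can take the `value` array of the assignments response; `grp-finance` above shows the install-plus-uninstall conflict and `grp-sales` an install assignment that still has to be removed.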
Conclusion
In this article, we discussed each element of app lifecycle management in Intune and touched upon the ability to manage diverse types of apps using different deployment methods across several platforms. We plan to follow this post with a series of articles that will dive into the specifics of app platforms, deployment, configuration, protection, and retirement.
If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.