The shift to the cloud is affecting all IT fields, including device management, where Microsoft Intune is becoming more and more popular at the expense of solutions such as Group Policies or Microsoft Endpoint Configuration Manager (MECM).
Essentially, Microsoft Intune is a one-stop cloud solution that allows you to manage all devices (PCs, laptops, tablets, and mobile phones), regardless of whether they belong to the organization or users (BYOD). It can be done in an automated and centralized way thanks to integration with Azure Active Directory (AAD). The solution also offers great compatibility and can be used to improve security, ensure a unified experience across all the devices, and ultimately make your IT Department’s life easier.
Microsoft Intune is available with licenses listed here. There’s also the possibility to purchase standalone user licenses for it. Last but not least, to configure all the Intune management features, you need to log in to the Microsoft Endpoint Manager admin center as an admin.
What you can do with Microsoft Intune
Microsoft’s solution offers a wide array of features. This time, I just want to focus on app deployment, but let’s just have an aerial view of what else you can do with Intune:
- Configure devices via profiles and configuration policies (enroll devices in organization, limit their settings to end-users, enable security features, wipe data from stolen or lost devices, etc.)
- Manage apps with app configuration policies (install/remove apps for specific groups of users, centrally configure apps’ settings, selectively remove organization data from apps, etc.)
- Protect data using app protection policies and device compliance policies (set rules for accessing data and networks, control data access and sharing, ensure compliance with security requirements, etc.)
Intune vs. GPOs
To get the complete picture of centralized app deployment before I dig deep into the actual process, let’s quickly deal with the differences in this respect between Group Policy Objects and Microsoft Intune.
Firstly, GPOs let you install apps on Windows 10 as well as legacy versions of Microsoft’s OSes (back to Windows 2000). On the other hand, Intune requires at least Windows 8.1, offering full app deployment functionality starting with specific Windows 10 versions. But the big advantage of Microsoft Intune is that it can install apps on machines running non-Microsoft operating systems, including mobile devices.
Also, while GPOs still have greater coverage for Windows-OS-related configurations (e.g. folder options, printers and so on), Intune offers more app deployment options – simply because it also supports non-Windows OSes (just like I wrote before) and modern Windows applications.
Finally, GPOs are based on Azure Active Directory data, which means the devices on which you want to install apps must be joined to a specific AD domain. Such a restriction does not apply to Intune which allows you to centrally install apps on non-domain-joined and hybrid domain-joined devices as well.
Intune app deployment
In this guide, I’m going to show you one of the basic app management features of Microsoft Intune, namely centralized app deployment for all users in an organization. Here’s how the process goes:
- Log in to the Microsoft Endpoint Manager admin center.
- Go to Apps > All apps and click Add.
- Now, it’s time to select the app type you want to deploy. Your choice will affect the next steps, since each app type has a different set of requirements and options. In general, these may involve:
- Providing a link to an app (e.g. Android store app, Microsoft store app, Web link)
- Searching or selecting an app from a list (e.g. iOS store app, Built-in app)
- Selecting an app’s installation file (e.g. Line-of-business app, Windows app)
In our example, I will deploy Microsoft 365 Apps on devices running under Windows 10 or later because it’s a common scenario for many organizations. This path also offers the greatest number of options, which is not surprising since both the solutions are a part of the Microsoft ecosystem.
To make the choice, click the Select app type dropdown and select Windows 10 and later under Microsoft 365 Apps. Finally, click the Select button.
- In the first step of the wizard, you can configure information that will be shared with your users about Microsoft 365 Apps, including the description to help users better understand the apps’ purpose, a URL to help resources and so on.
The default settings should be okay for most cases, but you can of course edit them in the way that suits your needs. Once you’re ready, click Next at the bottom.
- The second step, Configure app suite, is the place where the actual configuration takes place. Most of the settings are pretty self-explanatory, possibly except for the ones I list below, so let’s quickly discuss them:
- Configuration settings format – leave the default setting (Configuration designer) to use a user-friendly GUI in Intune to configure the Microsoft 365 Apps. The other option requires you to prepare a special XML file.
- Use shared computer activation – allows you to deploy Microsoft 365 Apps on computers accessed by many users and override the Microsoft 365 device limit.
- Install background service for Microsoft Search in Bing – allows you to deploy a Chrome extension to facilitate searching e.g. people, files or internal sites in your organization.
Tip: You can get information on each item by simply clicking the icon next to it.
Once you finish setting everything up, click Next.
- Scope tags is an Intune feature that allows you to decide which admins in your organization will have access to a specific configuration or policy. To limit access to this Microsoft 365 Apps configuration and be able to select appropriate scope tags, you have to define and assign them to specific groups of users first.
If you don’t want to use Scope tags, simply click Next.
- Assignments is an important step. Here, you can decide for which users or on which devices the Microsoft 365 Apps will be installed (the Required section), available to install (the Available for enrolled devices section), or removed (the Uninstall section). If you would like to make assignments according to AAD groups (the Add group option), remember to create appropriate public AAD group(s) beforehand.
Since you want to deploy Microsoft 365 Apps to all users, you should use the Add all users option under Required and click Next.
- The last step, Review + create, allows you to review the whole configuration for Microsoft 365 Apps. If you’re fine with all the settings, click Create to start the deployment.
That’s it. From now on, Microsoft 365 Apps will start to install on devices of all users in the organization.
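The Assignments and Scope tags steps decide how far a deployment reaches and which admins can change it, so they are worth reviewing after the fact. The script below is an added example, not part of the original guide or of any Microsoft tooling: it assumes app data exported in the shape of Microsoft Graph mobileApps objects with their assignments expanded, and the function name, app names and IDs in the sample are constructed.

```python
import json

# Constructed sample shaped like a Graph mobileApps export with assignments
# expanded. App names, scope tag ids and the group id are made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Microsoft 365 Apps (Windows 10 and later)",
   "roleScopeTagIds": ["0"],
   "assignments": [{"intent": "required", "target":
     {"@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"}}]},
  {"displayName": "Example LOB app", "roleScopeTagIds": ["0", "3"],
   "assignments": [
     {"intent": "available", "target":
       {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "00000000-0000-0000-0000-000000000001"}},
     {"intent": "uninstall", "target":
       {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}}]},
  {"displayName": "Example web link", "roleScopeTagIds": [], "assignments": []}
]}
""")

BROAD_TARGETS = {
    "#microsoft.graph.allLicensedUsersAssignmentTarget": "all users",
    "#microsoft.graph.allDevicesAssignmentTarget": "all devices",
}
FORCED_INTENTS = {"required", "uninstall"}  # applied without user choice
DEFAULT_SCOPE_TAG = "0"  # assumption: id of Intune's built-in Default tag

def audit_assignments(export):
    """Return (app, finding) tuples for deployments worth a second look."""
    findings = []
    for app in export.get("value", []):
        name = app.get("displayName", "<unnamed>")
        assignments = app.get("assignments", [])
        if not assignments:
            findings.append((name, "no assignments"))
        for a in assignments:
            scope = BROAD_TARGETS.get(a.get("target", {}).get("@odata.type"))
            if scope and a.get("intent") in FORCED_INTENTS:
                findings.append((name, f"{a['intent']} for {scope}"))
        if not set(app.get("roleScopeTagIds", [])) - {DEFAULT_SCOPE_TAG}:
            findings.append((name, "no custom scope tag set"))
    return findings

if __name__ == "__main__":
    for app_name, finding in audit_assignments(SAMPLE_EXPORT):
        print(f"{app_name}: {finding}")
```

A group-targeted "available" assignment is deliberately not flagged; only forced installs or uninstalls that hit every user or device are.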
Tracking deployment in Intune
With Intune, you can also track the progress of any deployment. To do it, go to Apps > All apps and click your deployment configuration. The items from the left-hand menu allow you to access various deployment progress information:
- Overview – here you can get general information on installation status for devices and users in the form of charts.
- Device install status & User install status – allow you to view the install status lists showing specific devices and users.
Finally, by clicking Properties, you can edit your app deployment policy.
This concludes the presentation of the Microsoft 365 Apps deployment via Microsoft Intune. If you would like to further develop your Intune expertise, I encourage you to have a look at this article. It is a quick yet informative guide on how to deploy and uninstall a line-of-business app, using our CodeTwo Signatures Add-in for Outlook add-in (MSI package) as an example.