In Part One of our series, we discussed the core functionality available in Windows on Intune against Workspace ONE. We are shifting our focus to a vital area: application management and deployment. Intune and Workspace ONE have drastically different viewpoints on application deployment, which we will discuss and evaluate. We will discuss the types of applications, how Intune deploys applications, how Workspace ONE deploys applications, and some overall discussions about the challenges involved.
Types of Windows Applications
Between both platforms in Workspace ONE and Intune, we have several application types that are supported. Let’s use a basic table to explain them briefly. I don’t want to spend too much time on it, but it’s good to have a general idea.
|Application Type||What Platform Supports It||Comments|
|MSI||WS1 UEM, Intune||MSI is the standard for applications. They’re good because they are easily uninstalled, logging is standardized, and you can standardize on the commands, such as silent installation, logging, and help pages.|
|MSIX||Intune||MSIX is a very compelling idea that most people are unaware of unless you’re a VDI person. Some of the benefits are predictable, safe, and reliable deployment/removal, Windows 7 support, optimizes disk and network usage, and provides integrity e.g. tamper protection and policy controls.|
|Win32 Apps||Intune||Win32 apps are are containerized in Windows 10. These classic apps are still very much a part of Windows. You can read more here.|
|UWP Apps||WS1 UEM, Intune||UWP (Universal) apps are also known as Store apps which have a few benefits like control of updates, installs, deployments, and uninstallations. They can control runtime, manage resources, and leverage the Windows Store for business for simplified deployments.|
|EXE Apps||WS1 UEM||Workspace ONE UEM let’s you deploy EXE files or even zip files containing binaries to deploy applications. This is in inevitability as some applications will require that you use an EXE and do some detective work.|
It’s vital to get a good idea around the types of applications that you could run into, which is something we will have to consider or think about regardless of the platform. There is no right or wrong way, but some are easier to work with than others. We can now take a look at how Intune does things and get started.
Intune Application Deployment
You can deploy applications via Intune in a few specific ways. Specifically, you can use these mechanisms:
- Microsoft Store App Deployments
- Automatic Deployments for Microsoft 365 Apps or Edge
- Win32 Apps
- Web Clips
- Line-of-business Apps (.MSI, .appx, .appxbundle, .msix, or .msixbundle)
The two areas we will discuss a bit are Win32 Apps and Line-of-business apps. The other areas are pretty basic and don’t really need a significant explanation.
Win32 App Deployments
To deploy Win32 Apps, you use the Microsoft Win32 Content Prep Tool. Simply this tool will wrap the Win32 app and make it Intune-uploadable. The process flow looks like this:
Essentially, after you download/install the prep tool, you run a simple command like this in CMD to create the .intunewin file that you use for upload:
IntuneWinAppUtil -c c:\testapp\v1.0 -s c:\testapp\v1.0\setup.exe -o c:\testappoutput\v1.0 -q
From a technology perspective, it’s a very easy lift. You just want to be aware that it requires Azure AD Join, Windows 10 1607+, and is capped at 8 GB per application.
Our main focus around LOB apps is going to be on building MSIX packages. A simple MSI build is really easy in Intune. A few of the things that I love about their MSI deployment are:
- You can ignore the app version (which can be really useful)
- Ability to specify command-line arguments
They do have a similar issue in both Intune and WS1 where they do not automatically pull logos, which should happen, but it’s not a huge deal.
I don’t focus too much on APPX or bundles because it’s not that important to me, but MSIX packaging is the crucial part of this.
In my experience, the breakdown is usually somewhere around 60/40 MSI vs. non-MSI apps like .exe. Intune has standardized typically on MSIX for non-MSI, which takes some time to learn, but once you get there it’s very appealing. We will be breaking down the demo on how to build MSIX packages into two parts: install and post-reboot. Let’s take a look at how this MSIX packaging works overall:
In Part two, we see the finalization and actual deployment of applications via Intune:
Yeah, I know it can be somewhat daunting. It definitely takes time to learn MSIX, but once you get there it can go very quickly and smoothly. My main issue with app deployment in Intune is the timing. When you deploy a new app, it essentially takes a hour or so before it replicates and comes down.
One of the other problematic issues that I have found is a lack of version control. When you deploy new versions of applications, it doesn’t iterate it or anything. You basically have to retire the old application. Overall, I have to say that I am fairly happy with the experience because MSIX is very reliable and works great overall.
Cloud Policy Management for Microsoft 365 Apps
I couldn’t talk about apps without hitting on a great new offering that Microsoft gives you the ability to deploy policy to your Office apps via the cloud similar to Microsoft App Protection Policies. You can essentially create a policy and deploy it out to users to tweak aspects of their office apps.
Final Thoughts on Intune Application Management
Overall, I wasn’t sure how I would feel about how Intune is handling applications. It’s also not fun sometimes to learn something new e.g. MSIX packaging, but I have to say I really enjoyed it. MSIX packaging will take some time to learn and adjust to, but the overall experience was the best I have had with application deployments. It’s an issue that they don’t have version control, but it’s not the end of the world. I enjoy how less noisy it is than others. Cloud policies offered for Office Apps are the wave of the future that I would bet is normalized by 2022-2023 as the modernization of CSPs and GPOs. It’s more realistic to assume policies are tied to our Azure identities and not the device.
Intune Application Management Score: 9
Workspace ONE Application Deployment
Deploying apps via Workspace ONE are more simplistic overall, but it can be a challenge. Similar to Intune, MSIs are basically plug and play, but Workspace ONE gives you some additional customization on MSIs e.g. ability to tweak uninstall/install commands, adding in transforms, etc.
When you build non MSI apps, it can be a bit challenging. Your detective skills definitely need to be on point for you to be successful. The demo below will show you how we figure out the install commands, uninstall commands, and verification criteria.
Challenges with Workspace ONE Application Deployments
We can’t really discuss the challenges of WS1 application deployments without referencing the holy bible of WS1 Windows Troubleshooting. We have a few things at play with WS1 App Deployments.
I’m a fan of this little script that I wrote:
Start-ScheduledTask -TaskPath "\VMware\AirWatch" -TaskName "Check Required Apps" Start-ScheduledTask -TaskPath "\VMware\AirWatch" -TaskName "Install Validation Task" Start-ScheduledTask -TaskPath "\VMware\AirWatch" -TaskName "Software Distribution Queue Task"
A big part of how WS1 Windows deployments work is relying on Windows scheduled tasks for check for new apps, check on validation, and checking the software distribution queue. You can run the script above to make those fire, which can be helpful at times. The queue for applications is maintained in the registry. You can read more about it in my article here on how those queues work.
Application validation is a real issue overall. I have seen situations where I have to leave PCs overnight just to get their full suite of applications. I’ve found that it hangs and you may have to reboot or just come back later. I don’t think it’s a major issue, but it is still a problem. It’s part of the reason why Microsoft went toward MSIX. VMware really needs to make that happen since it’s so similar to AppVolumes and the synergy is so nice. The marketing on that is a great play, which I hope VMware gets to soon. Let’s talk about the Enterprise App Repository.
Enterprise App Repository
One area that VMware has a major leg-up on things is their Enterprise App Repository (EAR), which is similar to Microsoft’s auto-deployment for Edge and Office 365 Apps. With the Enterprise App Repository, you have a nice list of apps that you can auto-deploy without any work or effort on your part. Currently, there is a collection of 100 apps readily as you can see below. Please do your part by sending your app addition requests to EARrequests@vmware.com if you find apps are missing that you want. One major criticism with EAR is how slow they have been to add applications and how they’re missing all of the VMware/Dell apps. They really need to start eating their own dog food as my old CISO used to say:
Functionally-speaking, this shows you how the EAR service functions, which is a great addition by VMware:
Final Thoughts on App Deployments with Workspace ONE
Workspace ONE application deployments can be the epitome of a love/hate relationship. Sometimes they work great, but other times things just hang and are very frustrating. I’ve spent many times trying to fight through deleting registry keys, reboots, blah blah, but c’est la vie. Sometimes those of us with ADD/ADHD do not enjoy this situation. Most times, you are better off leaving stuff overnight and it will sort itself out.
Overall, two things really save you now (1) hide installation notifications and (2) modifying app verification criteria:
VMware Workspace ONE application deployment is a work-in-progress, but you can do some great things as you evolve and learn how to build a special experience. I would love to see them evolve EAR, MSIX capabilities, and how their application queueing works to evolve the platform because it’s definitely their biggest gap today.
Workspace ONE Application Management Score: 7.5
My last time out with Intune was a bit of a disappointment on their follow-through. Application deployment, which is arguably as important as core MDM in Windows was a huge comeback for them. Their strategy around MSIX, Win32 Apps, and the overall management capabilities of applications is a revelation to me. It made me re-think and question how VMware manages applications and what they could do better. In the arms race of UEM, we must be dynamic and evolve quickly to win the competitive advantage. VMware absolutely MUST adopt MSIX to solidify their footing and strengthen their positioning in Windows 10 Management.