Our first two parts of this series are complete with the shift to applications this week. The previous installments can be found below:
- Workspace ONE Admin Guide Part 1: Core
- Workspace ONE Admin Guide Part 2: Profiles, Baselines, Scripts, and Product Provisioning
As we covered last year, applications can get very interesting. This situation has become more interesting with the introduction of the Microsoft Intune Suite’s Enterprise App Management. Today, we will cover the following areas:
- The Flavors of Apps in Workspace ONE
- Translating those Apps to Microsoft Intune
- A Deeper Look at Enterprise App Management
- Final Thoughts
Delivering Windows Apps in Workspace ONE
In Workspace ONE, we have a few ways that we deploy applications. Primarily, we are packaging apps like most platforms do. In Workspace ONE, you can package:
- APPX
- EXE
- MSI
- ZIP
Primarily, admins will be uploading MSIs which are super easy. You can find this video below showing how your standard Windows App Deployment works:
At a high level, MSIs are basically set it and forget it. When we deal with EXEs or ZIP files, we need to do additional detective work and provide:
- Install Commands
- Uninstall Commands
- Install Context/Admin Privilege
- Retry Counts/Intervals and Install Timeouts
- Success/Reboot Codes
- Call Completion Criteria
A secondary option, called Product Provisioning we covered last week here, which is basically the ability to drop files directly onto a PC and execute scripts, copy files, etc. Sometimes people will use this option for things like firmware or drivers that are not working well with App Deployments.
But wait there’s more!! Another option is the “Enterprise App Repository” which we can discuss next.
Workspace ONE Enterprise App Repository
This section will be very helpful for Intune administrators as it’s the same tech powering Enterprise App Management. Behind the covers, the fine people of Liquit and their product Liquit Release & Patch Management is the lifeblood of this product.
You can see below it’s pretty simple:
- WS1 calls the API to get the current catalog. (VMware only bought a few hundred apps as a FYI so there are limitations). You can access the list here. The app manifest data is stored like app name, version, download URL, icon image URL, language, vendor, and deployment options are stored.
- Admin selects an app and assigns it to a user
- Devices use the download URL to download and install the automatic apps or show on-demand apps in the Intelligent Hub
Check out the demo below:
Deploying Apps with the New Microsoft Store in Workspace ONE UEM
One other way some people might be installing apps is with the Microsoft Store. As mentioned in this VMware KB, the new WinGET method of deploying apps is now done via scripts in Workspace ONE UEM:
##Uninstall the Windows 365 App##
winget uninstall --name 'Windows 365'
##Don't forget to reboot first##
##Install Windows App##
winget install --name 'Windows App'My understanding is that addressing this is on their roadmap to bring it back to the GUI, but unsure where that is at today.
Deploying Apps in Microsoft Intune
We have a few different recommended paths with App installation. Let’s discuss our options:
- Microsoft Edge and Office 365 Deployments
- Microsoft Store Apps
- MSI/MSIX App Deployments
- Win32 App Deployments
Let’s focus on a few of these options, which I am really fond of, which cover our options in Workspace ONE.
Deploying Microsoft Edge and Office 365 in Intune
We can very easily add these apps in the Intune Admin Console. You can see our fun options that I was referring to:
The creation is incredibly easy. You just answer a few questions as you see in this demo below and deploy it to your users. We will discuss some of the customization in part 4 when we cover security:
Microsoft Store Deployments in Intune
With the new changes to the Microsoft Store, it’s going to be more revolutionary. They’re expanding the store with support for Win32 apps along with Microsoft’s Windows Package Manager providing richer app experience in the Intune console with app deployment and app update controls. Remember, one of the great things about Microsoft Store apps is they are kept up-to-date automatically. Win32 apps are currently available in public preview so you can’t deploy EVERYTHING, but you can deploy some of them.
You can now see that you can find Win32 apps inside of Intune when going to deploy a Microsoft Store application:
Luckily, with moving to Intune you have the advantage of getting great capabilities like these near day one.
MSI and MSIX Deployments in Microsoft Intune
I don’t reference MSI app deployments because firstly they’re simple and secondly, I don’t believe in using them. I don’t find them to be particularly reliable.
In terms of MSIX, check out this video below which uses the MSIX Packaging Tool to create a MSIX package, which you then upload to Intune. I don’t find this to be a common use case in my deployments, but they’re still prevalent especially with VDI:
Microsoft Win32 Content Prep Tool: The Robitussin for Intune
The longer I spend in Intune, the more I love the Intune Win App Utility (that’s what I call it). More specifically, it’s official name is the “Microsoft Win32 Content Prep Tool“
This tool preprocesses Win32 apps by converting app installation files into the .intunewin format. It also does detection for attributes that require Intune to determine app install state.
It’s essentially a command-line utility where we use a command like:
IntuneWinAppUtil -c c:\testapp\v1.0 -s c:\testapp\v1.0\setup.exe -o c:\testappoutput\v1.0 -qThe reason I love this format is you can build out the application installation validation criteria, and the rest of the metadata like you do today with Workspace ONE. My experience showed numerous issues with standard MSI deployments and install failures.
One other bright spot with .intunewin is you can deliver zip files with installers to do things like deliver the great Intune Migration utility by Steve Weiner without actually installing anything. This diagram shows the logical flow of the tool, which delivers the .intunewin format, which can then be uploaded to Intune.:
Let’s check out the video demo:
But wait… there’s actually one more way to install applications NOW. More on that next.
Microsoft Intune Enterprise Application Management
One of the features of the new Microsoft Intune Suite is Enterprise App Management. It’s very similar to the Liquit implementation with Workspace ONE.
The current apps supported are:
| 7-Zip | Citrix Workspace app LTSR | Lenovo Quick Clean | Lenovo Quick Clean | Python 3.11 | Zoom Client for Meetings |
| Amazon AWS Tools for Windows | CMake | LogMeIn GoToMeeting IT Installer | LogMeIn GoToMeeting IT Installer | QNAP Qsync | |
| Amazon Corretto 16 | Dell Command Update (Windows Universal Application) | Microsoft .NET Runtime 6.0 | Microsoft .NET Runtime 6.0 | R for Windows | |
| Amazon Kindle | Docker Desktop | Microsoft Azure CLI | Microsoft Azure CLI | Rarlab WinRAR | |
| Android Studio 2022 | draw.io Desktop | Microsoft Azure Storage Explorer | Microsoft Azure Storage Explorer | Remote Help | |
| Android Studio 3 | Duo Desktop | Microsoft Power BI Desktop | Microsoft Power BI Desktop | Royal TS 5 | |
| Android Studio 4 | Eclipse Temurin JDK with Hotspot 11 (LTS) | Microsoft PowerShell Core | Microsoft PowerShell Core | Royal TS 6 | |
| Araxis Merge | Eclipse Temurin JDK with Hotspot 19 | Microsoft PowerToys | Microsoft PowerToys | Royal TS 7 | |
| Artweaver Free | Eclipse Temurin JRE with Hotspot 11 (LTS) | Microsoft Skype for Desktop | Microsoft Skype for Desktop | ScreenToGif | |
| Atomi Systems ActivePresenter | Eclipse Temurin JRE with Hotspot 19 | Microsoft Surface Diagnostic Toolkit for Business | Microsoft Surface Diagnostic Toolkit for Business | Simon Tatham Putty | |
| Audacity | Egnyte Connect Desktop App | Microsoft Visual C++ 2008 Redistributable | Microsoft Visual C++ 2008 Redistributable | SyncBackFree | |
| Beyond Compare | Egnyte WebEdit | Microsoft Visual C++ 2015-2022 Redistributable | Microsoft Visual C++ 2015-2022 Redistributable | TeamSpeak client | |
| Blender | Evernote | Microsoft Visual Studio Code | Microsoft Visual Studio Code | TechSmith Snagit 2019 | |
| BlueJeans 2 | Foxit PDF Editor 11 | Mozilla Firefox | Mozilla Firefox | TechSmith Snagit 2020 | |
| Brady Workstation | Foxit PDF Editor 12 | Mozilla Thunderbird | Mozilla Thunderbird | TechSmith Snagit 2021 | |
| Burp Suite Community Edition | Foxit PDF Reader | Nessus Agent 10 | Nessus Agent 10 | TechSmith Snagit 2023 | |
| Burp Suite Professional Edition | Frame App | Notepad++ | Notepad++ | TechSmith Snagit 2024 | |
| Calibre | Free Countdown Timer | NVIDIA GeForce Experience | NVIDIA GeForce Experience | TightVNC | |
| Cisco Jabber 14 | Google Chrome for Business | OpenShot Video Editor | OpenShot Video Editor | TortoiseSVN | |
| Cisco Webex Meetings | Google Drive | OpenVPN | OpenVPN | TortoiseSVN ipv6 | |
| Cisco WebEx Recorder and Player | Inkscape | Oracle Java Runtime Environment Version 8 | Parallels Client 18 | UltraViewer | |
| Cisco WebEx Recording Editor | JAM Software TreeSize Free | Parallels Client 18 | Piriform CCleaner | voidtools Everything | |
| Cisco Webex Teams | KeePass Password Safe (Classic Edition) | Piriform CCleaner | Poll Everywhere | voidtools Everything Lite | |
| Citrix Receiver | KeePassXC | Poll Everywhere | Poly Lens Desktop App | WinSCP | |
| Citrix Workspace app | Lansweeper | Poly Lens Desktop App | Python 3.10 | WireGuard |
What’s interesting is that Microsoft isn’t hosting the apps in your tenant automatically. Once you deploy an application, it will download it into Microsoft storage. A few minutes later you are able to deploy it out to your users.
All of the apps that come down are either EXE or MSI depending on the application. A few other notes:
- Graph API support is coming soon
- They support licensed apps
- Only supported by Intune (no SCCM support)
- Leverages the Intune Management Extension (Not WinGET)
- Delivers automatic app upgrades
- No current SLA
As mentioned earlier, it uses the same tech as VMware does (Liquit). The hope is with this being a paid service that Microsoft is motivated to increase the landscape from the 100 apps today to something in the 1k-5k range.
Closing Thoughts
Apps is probably one of the easier transitions for current Workspace ONE administrators as there are many fundamental similarities. It’s definitely reassuring that you can use WinGET in the GUI and leverage their new Enterprise App Catalog to create easier lifts for administrators. With plenty of video demos, the transition to Microsoft Intune should be pretty simple for current WS1 admins. Join us next week when we cover the final section: SECURITY!