I am excited about the opportunities that managing Windows 10 devices with Azure AD Join and MDM (i.e. modern management) provides for both users and admins. In this article, I'll cover deploying and managing modern applications (Universal apps) on a modern platform with a modern device management solution: Microsoft Intune standalone.
Consider that with Windows 10, an organisation can provision and manage Windows 10 PCs without a custom SOE (standard operating environment image) and with a fully cloud-based authentication and management solution, requiring no infrastructure (other than networking) on-premises. This approach comes with some caveats today, of course, but PC and application lifecycle management can be achieved without exhaustive architectural consideration or deployment of complex management solutions.
Using Intune to manage Windows 10 PCs (and Windows 10 mobile devices) along with the Windows Store for Business will enable you to manage Universal apps on these devices. With Intune, you can deploy and remove apps by targeting users or devices.
Requirements for Microsoft Intune
Deploying and configuring Microsoft Intune requires two things: an Azure AD tenant and Intune licences. In this article, I'm concentrating on Intune standalone only, i.e. Intune as a standalone cloud solution, not integrated with Configuration Manager.
Azure Active Directory
Like the Windows Store for Business (WSfB), Intune relies on Azure Active Directory for user identities. As with my previous article, I recommend setting up an Azure AD tenant as your first step before integrating any additional solutions. That process may, or may not, include synchronising identities from on-premises AD with Azure AD Connect. This approach to application deployment and device management can be achieved with cloud-only identities.
Licensing Microsoft Intune
While Intune can be licensed on its own, the ideal way of licensing Intune is as a component of the Microsoft Enterprise Mobility + Security suite (EMS). The primary reason is to enable advanced features you get with an Azure AD Premium subscription. If you’re not familiar with EMS, you can read up on the components and licensing details here: Enterprise Mobility + Security Pricing.
For this solution, we’re interested in:
- Azure Active Directory Premium – this enables automatic MDM enrolment when a device is provisioned and joined to Azure AD. Additionally, Azure AD Premium provides branding customisation, which improves the sign-in experience; multi-factor authentication for sign-in to devices as well as cloud applications; and conditional access to protect resources such as Exchange Online and SharePoint Online.
- Microsoft Intune – the MDM component of EMS and the reason we are here; it performs the device management and app deployment described in this article.
Additional components that make sense in a cloud-based management approach include Azure Information Protection and Microsoft Advanced Threat Analytics. These are entire topics on their own, so I won’t be covering those in the context of this article.
Setting up Intune
I'm not going to cover the setup of Intune in detail as there are plenty of existing resources available, including the official Microsoft documentation. I highly recommend reading the getting started guide and using the Microsoft IT Pro Cloud Essentials site to set up a trial environment if you're new to Intune.
Once you have Azure AD and Intune provisioned, we can connect Intune to the Windows Store for Business and start managing Universal apps.
Connect Intune to the Windows Store for Business
To start managing Universal apps with Intune, we first need to associate our Intune tenant with the Windows Store for Business that we set up previously. This is a 3-step process:
- Sign in to the Business Store with the same tenant account you use to sign in to Intune
- In the Business Store, choose Settings > Management tools
- On the Management tools page, choose Add a management tool, and choose Microsoft Intune.
You should see a screen similar to the below, with Intune listed as the store's management tool. This association is what allows Intune to read the store inventory and assign licences. Note that I've already associated my Intune tenant.
Now we can synchronise the Universal app inventory with Intune.
Managing Universal Apps
Synchronising the Business Store inventory with Intune will show the full list of subscribed apps in the Intune console from which we can then target user or device groups.
Sign into the Intune console and configure sync:
- Navigate to Admin / Mobile Device Management / Windows / Store for Business
- Click Configure Sync
- Select Enable Windows Store for Business Sync and click OK
This should look like the screenshot below. Once configured, click the Sync now button and wait for the first synchronisation to complete.
Now navigate to Apps / Apps / Volume-Purchased Apps. The list of Universal apps from the Business Store inventory should be displayed.
Apps added to the Business Store inventory appear in Intune immediately after a sync, so unlike the private store in the Windows Store app on devices, we don't need to wait 12-24 hours for new apps to show up.
Now that we have a list of apps, deployment to users can be managed. Deployment actions are set per app, so the same inventory can hold apps we want installed and apps (such as inbox apps) we want removed from devices.
To deploy apps:
- Select the app or a selection of apps
- Select the user groups (and by extension their devices) to target. Create custom groups to target specific users. Click Next.
- Set the deployment action to Uninstall or Required Install as desired.
- Click Finish and the application action will take effect when the devices next sync with Intune.
Now when a Windows 10 PC is provisioned, joined to Azure AD and enrolled in Intune MDM, the Universal apps will be installed and removed as required. If you have targeted the inbox applications, this includes removing the apps themselves and, with them, those pesky tiles on the default Start menu.
Updates to Universal apps are automatic. Windows handles updates to installed Store apps going forward, and this should be largely seamless to the user.
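Once a device has gone through this flow, the check I want is a quick confirmation that it really is Azure AD joined and MDM enrolled, and that the Required Install and Uninstall actions have landed. The PowerShell below is an added example for this article, not something from Intune or the Business Store, and it assumes: that dsregcmd /status reports the AzureAdJoined and MdmUrl fields in "Key : Value" form (the parsing is mine), that the script is run elevated (Get-AppxPackage -AllUsers and Get-AppxProvisionedPackage need it), and that the two app name lists are placeholders you replace with the package names you actually targeted in Intune.

```powershell
# Added example (not from the original article): audit a Windows 10 PC after
# Azure AD join and Intune MDM enrolment. Checks the join/MDM state reported by
# dsregcmd, then reports whether the apps targeted in Intune are present or gone.
# Run from an elevated PowerShell session.

# Apps targeted as Required Install in Intune (placeholder names, substitute your own)
$RequiredApps = @(
    'Microsoft.CompanyPortal'
)
# Inbox apps targeted for Uninstall in Intune (placeholder names, substitute your own)
$RemovedApps = @(
    'Microsoft.ZuneMusic',
    'Microsoft.XboxApp'
)

function Get-JoinState {
    # dsregcmd /status prints "Key : Value" lines; keep the ones we care about.
    # Field names assumed here: AzureAdJoined and MdmUrl.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = ($status['AzureAdJoined'] -eq 'YES')
        MdmUrl        = $status['MdmUrl']
    }
}

function Test-AppState {
    param(
        [string[]]$Names,          # package names to check
        [string[]]$Installed,      # names currently installed on the device
        [bool]$ShouldBePresent     # $true for Required Install, $false for Uninstall
    )
    foreach ($n in $Names) {
        $present = $Installed -contains $n
        [pscustomobject]@{
            App      = $n
            Present  = $present
            Expected = $ShouldBePresent
            OK       = ($present -eq $ShouldBePresent)
        }
    }
}

$join = Get-JoinState
if (-not $join.AzureAdJoined) { Write-Warning 'Device is not Azure AD joined' }
if (-not $join.MdmUrl) {
    Write-Warning 'No MDM URL reported; Intune enrolment may not have completed'
} else {
    Write-Host "MDM enrolled against $($join.MdmUrl)"
}

# -AllUsers so apps installed for any profile on the PC are counted
$installed = Get-AppxPackage -AllUsers | Select-Object -ExpandProperty Name

$results = @(Test-AppState -Names $RequiredApps -Installed $installed -ShouldBePresent $true) +
           @(Test-AppState -Names $RemovedApps  -Installed $installed -ShouldBePresent $false)
$results | Format-Table -AutoSize

# Provisioned (inbox) packages are installed into every new user profile from the
# image, so list any on the removal list that are still provisioned.
Get-AppxProvisionedPackage -Online |
    Where-Object { $RemovedApps -contains $_.DisplayName } |
    Select-Object DisplayName, PackageName
```

A row with OK set to False means the device has not yet received or applied that action; give it another Intune sync before troubleshooting. The last query matters because the Uninstall action removes the app for enrolled users, while a package still provisioned in the image will reappear for the next new profile created on that PC.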
Intune Company Portal
One app worth highlighting is the Intune Company Portal for Windows 10. The Company Portal, especially since last week's update that added Windows 10 support, provides users with a nice interface to their enrolled devices, available legacy apps and Universal apps configured as links to the Windows Store. While this is a separate interface to the Windows Store app
With an Azure AD joined Windows 10 PC, enrolled for Intune MDM, the Company Portal app can be targeted to all users and installed when their device is provisioned. Applications packaged as an MSI can be targeted to MDM-enrolled PCs and made available for users to install via the Portal.
Online vs. Offline Distribution
In this scenario, where Universal apps are synchronised from the Business Store and deployed via Volume-Purchased Apps, app distribution uses online licensing: the licence is assigned to the user's Azure AD identity and the device downloads the app from the Store, so the device must be able to reach the Store. Where devices are connected to the Internet and managed via a cloud-based device management solution, this type of distribution mechanism makes sense.
Intune does support offline distribution of Universal apps, where the app package and licence file are downloaded from the Business Store and delivered to the device without a Store connection. This doesn't necessarily make sense for connected devices, and whether an app can be downloaded for offline distribution at all is controlled by the app's publisher. If they don't make the app available for offline licensing, you must deliver the app online.
In this article, I’ve detailed the steps required for managing Universal apps on Windows 10 PCs enrolled for MDM management with Microsoft Intune. While this approach may not yet be right for every organisation, I do see this gaining traction for smaller organisations in the future.