App Management
App Deployment
Adding apps to Intune
Intune admin center → Apps → All apps → Add
| App type | Use case |
|---|---|
| Microsoft 365 Apps (Windows/macOS) | Office suite deployment |
| Microsoft Store app (new) | Windows Store apps |
| Line-of-business app | Custom .msi, .intunewin, .ipa, .apk |
| Web app | Shortcut pinned to device |
| Managed Google Play | Android Work Profile apps |
| iOS/iPadOS App Store | iOS/iPadOS apps |
Package Win32 apps for Intune
Convert .msi or complex installers to .intunewin using the Microsoft Win32 Content Prep Tool:
```powershell
# Download the prep tool from GitHub (Microsoft/Microsoft-Win32-Content-Prep-Tool)
.\IntuneWinAppUtil.exe -c "C:\Sources\AppFolder" -s "setup.exe" -o "C:\Output"
```
Upload the .intunewin file in Intune and configure:
| Setting | Example |
|---|---|
| Install command | setup.exe /silent /norestart |
| Uninstall command | setup.exe /uninstall /silent |
| Install behaviour | System |
| Detection rule | File exists: C:\Program Files\App\app.exe or Registry key |
| Return codes | 0=success, 1707=success, 3010=reboot |
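A file-exists rule keeps reporting the app as installed even when an outdated build is still on disk. As an added example (not part of the original page), the custom detection script below goes beyond the file-exists rule in the table by also checking the file version; the minimum version is a hypothetical value and the path is the one from the table.

```powershell
# Custom detection script for an Intune Win32 app (added example).
# Intune treats the app as detected only when the script exits 0 AND writes to STDOUT.
$ExePath    = 'C:\Program Files\App\app.exe'   # path from the detection rule table
$MinVersion = [version]'2.4.0.0'               # hypothetical minimum acceptable build

function Test-AppInstalled {
    param(
        [Parameter(Mandatory)] [string]  $Path,
        [Parameter(Mandatory)] [version] $Minimum
    )
    # No file at all: not installed.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # Build a comparable [version] from the numeric parts of the file version resource.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                            $vi.FileBuildPart, $vi.FilePrivatePart)

    # An older build counts as "not detected" so Intune reinstalls the current package.
    return ($found -ge $Minimum)
}

if (Test-AppInstalled -Path $ExePath -Minimum $MinVersion) {
    Write-Output "Detected $ExePath at or above $MinVersion"
    exit 0
}

# Non-zero exit and nothing on STDOUT: Intune reports the app as not installed.
exit 1
```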
Microsoft 365 Apps Deployment (Windows)
Intune admin center → Apps → All apps → Add → Microsoft 365 Apps → Windows 10 and later
Recommended settings
| Setting | Value |
|---|---|
| Suite name | Microsoft 365 Apps |
| Apps included | Word, Excel, PowerPoint, Outlook, Teams, OneNote, OneDrive |
| Update channel | Current Channel (most up to date) or Monthly Enterprise Channel (more predictable) |
| Version to install | Latest |
| Architecture | 64-bit |
| Activation | Shared computer activation (for shared/terminal server) or per-user |
| Languages | English (or add others as required) |
| Remove other versions | Yes |
| Accept Microsoft Software Licence Terms | Yes |
Assign as Required to All Devices (or an All Windows Devices group).
App Protection Policies (MAM)
App Protection Policies (APP) control how corporate data is handled within apps, even on unmanaged (BYOD) devices.
Intune admin center → Apps → App protection policies
iOS App Protection Policy
Create a policy for iOS/iPadOS:
Data protection
| Setting | Value |
|---|---|
| Backup org data to iTunes and iCloud backups | Block |
| Send org data to other apps | Policy managed apps only |
| Receive data from other apps | Policy managed apps only |
| Save copies of org data | Block |
| Allow users to save copies to selected services | OneDrive for Business, SharePoint Online only |
| Transfer telecommunication data to | Any dialler app |
| Restrict cut, copy and paste | Policy managed apps with paste in |
| Encrypt org data | Require |
| Sync policy-managed app data with native apps | Block |
| Printing org data | Block |
| Restrict web content transfer | Microsoft Edge |
| Org data notifications | Block org data |
Access requirements
| Setting | Value |
|---|---|
| PIN for access | Require |
| PIN type | Numeric |
| Simple PIN | Block |
| Select minimum PIN length | 6 |
| Touch ID instead of PIN | Allow |
| Override PIN with biometrics after timeout | 30 minutes |
| Timeout (minutes of inactivity) | 30 |
| Work or school account credentials for access | Not required |
| Recheck the access requirements after (minutes of inactivity) | 30 |
Conditional launch
| Setting | Value | Action |
|---|---|---|
| Max PIN attempts | 5 | Reset PIN |
| Offline grace period | 720 minutes | Block access |
| Offline grace period | 90 days | Wipe data |
| Jailbroken/rooted devices | N/A | Block access |
| Minimum OS version | 16.0 | Block access |
| Minimum app version | Varies | Warn |
Target apps: Microsoft Outlook, Teams, OneDrive, Word, Excel, PowerPoint, Edge
Assign to: All Users (or a group that includes BYOD users)
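To confirm that a deployed policy still matches the tables above, the added example below (not part of the original page) compares a policy object against that baseline and lists every setting that has drifted. It assumes the policy was exported as JSON from Microsoft Graph (`GET /deviceAppManagement/iosManagedAppProtections`) and that the `iosManagedAppProtection` property names shown correspond to the portal settings; the sample policy is constructed, and `Test-AppProtectionBaseline` is a hypothetical helper name.

```powershell
# Baseline from the iOS tables on this page, keyed by the Graph property assumed
# to back each portal setting (added example, not the page's own code).
$Baseline = [ordered]@{
    dataBackupBlocked                       = $true
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    saveAsBlocked                           = $true
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    printBlocked                            = $true
    pinRequired                             = $true
    pinCharacterSet                         = 'numeric'
    simplePinBlocked                        = $true
    minimumPinLength                        = 6
    maximumPinRetries                       = 5
    periodOfflineBeforeAccessCheck          = 'PT12H'   # 720 minutes
    periodOfflineBeforeWipeIsEnforced       = 'P90D'    # 90 days
}

function Test-AppProtectionBaseline {
    param([Parameter(Mandatory)] [psobject] $Policy,
          [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline)
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        $prop = $Policy.PSObject.Properties[$name]
        if ($null -eq $prop) {
            $have = '<missing>'; $ok = $false
        } else {
            $have = $prop.Value
            # ISO 8601 durations are compared as TimeSpan so PT720M equals PT12H.
            $ok = if ($name -like 'period*') {
                try { [Xml.XmlConvert]::ToTimeSpan($have) -eq [Xml.XmlConvert]::ToTimeSpan($want) } catch { $false }
            } else { $have -eq $want }
        }
        if (-not $ok) { [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $have } }
    }
}

# Constructed sample policy: saveAsBlocked and minimumPinLength are weakened, printBlocked is absent.
$policy = @'
{ "dataBackupBlocked": true, "saveAsBlocked": false, "pinRequired": true,
  "allowedOutboundDataTransferDestinations": "managedApps",
  "allowedInboundDataTransferSources": "managedApps",
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "pinCharacterSet": "numeric", "simplePinBlocked": true, "minimumPinLength": 4,
  "maximumPinRetries": 5, "periodOfflineBeforeAccessCheck": "PT720M",
  "periodOfflineBeforeWipeIsEnforced": "P90D" }
'@ | ConvertFrom-Json

Test-AppProtectionBaseline -Policy $policy -Baseline $Baseline | Format-Table -AutoSize
```

The comparison is strict equality, so a policy that is stricter than the baseline (for example a longer minimum PIN) is also listed and needs a manual decision.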
Android App Protection Policy
Equivalent settings for Android. Notable differences:
| Setting | Value |
|---|---|
| Screen capture and Google Assistant | Block |
| Approved keyboards | Microsoft SwiftKey |
| Encrypt org data | Require |
| Encrypt org data on enrolled devices | Require |
Required vs Available Apps
| Assignment type | Behaviour |
|---|---|
| Required | Installs automatically (no user action) |
| Available for enrolled devices | Appears in Company Portal for user to install |
| Available with/without enrolment | MAM only — available via Company Portal on unmanaged devices |
| Uninstall | Forces removal of the app |
Assignment strategy
| App | Assignment | Target |
|---|---|---|
| Microsoft 365 Apps | Required | All Windows Devices group |
| Microsoft Teams | Required | All Users group |
| Microsoft Edge | Required | All Devices |
| Company Portal (iOS) | Required | All iOS Devices |
| Line-of-business apps | Required | Relevant department group |
| Optional tools | Available | All Devices |
Managed Google Play
For Android Enterprise Work Profile devices, all apps must be added via Managed Google Play:
- Intune admin center → Apps → Android → Add → Managed Google Play app
- Search for and approve the app in the Google Play console
- Sync Managed Google Play apps back to Intune
- Assign the approved app to device groups