In this blog I will give you my opinion on how I prefer apps to be deployed.
When deploying a zero-trust modern workplace you need to make sure your users are not members of the local Administrators group. Take a look at my other blogs if you want to make sure a user is never a local admin. Once your users are no longer local admins, you can implement an AppLocker policy so that only the executables, installers and scripts you approve can run on the device.
But here comes trouble… Many of your users are used to just installing the app(s) they need, and now they don’t have this option anymore.
Each company has its own business apps which are used by almost everyone. You will need to make sure these apps are deployed to all devices. But there are also third-party apps that not everyone is using. Just to mention a few: Java, Chrome, Firefox, FileZilla, 7-Zip, Citrix Workspace, Silverlight, VLC, Zoom, etc.
Of course, you can push all these apps to your endpoints when they are being enrolled, but why would you? In my opinion, the users have to choose for themselves which additional apps they need and when they need them.
I am going to divide this blog into three parts:
- Configuring the Microsoft Store for Business and the Company Portal
- Configuring applications as available
- Creating a Win32 app and making it interactive in the user's session
1. Configuring the Microsoft Store for Business and the Company Portal
How are you going to facilitate this approach? Start by enabling the Microsoft Store for Business and connecting it to Intune.
When the Microsoft Store for Business is connected, you need to make sure the Company Portal is installed on all devices. Just add the Company Portal app and assign it as required.
Don't forget to apply some governance. The Company Portal lets a user remove (retire) or reset their own device by default, and I guess you don't want users to remove their enrolled device from Intune. In the Intune tenant customization settings you can hide the Remove and Reset buttons for corporate devices; do that before you roll the Company Portal out.
2. Configuring applications as available
When the Company Portal app is installed you get some benefits.
One of them is the possibility to let end-users install apps even though they don't have the permissions to do so themselves. The only thing you need to do is configure the app assignments. Take a look down here: I changed the app to be available for enrolled devices instead of required.
When an app is available for enrolled devices it shows up in the Company Portal on those devices. The user only has to click on it to begin the installation. The Intune Management Extension (the sidecar agent) takes care of the installation and runs it in the machine/SYSTEM context, so the user's lack of admin rights is never an obstacle.
As you can see in the picture above, I configured the apps to be installed with Chocolatey. Chocolatey is a great tool for installing and patching third-party apps. Keep in mind that by default it pulls packages from the public community repository; for a production tenant, point it at an internal or pinned source you control, because whatever that feed serves gets installed as SYSTEM on every device. It's best practice to make Chocolatey itself a required app that is tracked by the Enrollment Status Page (ESP), so it is already present when users log in for the first time and they can install apps from the Company Portal right away.
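To turn a Chocolatey package into an Intune Win32 app you need three things: an install command, an uninstall command and a detection rule. Below is an added example (not code from the original post) of a custom detection script for such an app, using 7-Zip as the package. Intune treats the app as installed when the script exits 0 and writes something to stdout; exit 1 with no output means "not installed" and the app stays installable in the Company Portal. The fallback path and the use of the package's .nuspec as the detection marker are my choices, not something the post prescribes.

```powershell
# Added example: Intune Win32 app detection script for a Chocolatey-installed package.
# Install command   : "%ProgramData%\chocolatey\bin\choco.exe" install 7zip -y --no-progress
# Uninstall command : "%ProgramData%\chocolatey\bin\choco.exe" uninstall 7zip -y
# Detection rule    : this script (runs as SYSTEM via the Intune Management Extension)

$Package = '7zip'   # Chocolatey package id; change this per app

# The IME service often starts before Chocolatey is installed, so the machine-wide
# $env:ChocolateyInstall variable may not be visible to it yet. Fall back to the default root.
$chocoRoot = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { Join-Path $env:ProgramData 'chocolatey' }

# Every installed Chocolatey package leaves lib\<id>\<id>.nuspec behind. Testing for that file
# is version-independent; parsing 'choco list' is not, because its flags changed between 1.x and 2.x.
$nuspec = Join-Path $chocoRoot "lib\$Package\$Package.nuspec"

if (Test-Path -LiteralPath $nuspec) {
    # Report the installed version; the text ends up in the IME log, which helps troubleshooting.
    [xml]$spec = Get-Content -LiteralPath $nuspec -Raw
    Write-Output "Detected $Package $($spec.package.metadata.version)"
    exit 0
}

# No stdout and a non-zero exit code: Intune reports the app as not installed.
exit 1
```

Use the full path to choco.exe in the install and uninstall commands rather than relying on PATH, for the same reason the script does not trust the environment variable: the SYSTEM process that runs the command may have started before Chocolatey's installer updated the machine environment.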
Of course, it is a lot of work to create all these apps manually each time you onboard a new customer. But why not automate it, as I did? You can create your own baseline with all the third-party apps and deploy it through PowerShell within minutes, and each time a customer asks for an application that isn't available yet, you add it to the baseline. The script does three things:
- Push all the apps to Intune
- Assign the apps as available for all users
- Add the logo (it really looks a lot nicer with a logo)
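Here is an added example of such a baseline script; it is not the original post's script. It uses the community IntuneWin32App PowerShell module (by MSEndpointMgr) to package, create, brand and assign each Chocolatey app. The cmdlet and parameter names are written as I remember them from that module and should be checked against the module's own documentation for the version you install; the tenant name, working folder, icon files and app list are placeholders.

```powershell
# Added example: publish a baseline of Chocolatey apps as "available" Win32 apps in Intune.
# Assumes the IntuneWin32App module (Install-Module IntuneWin32App) and the Win32 Content Prep
# Tool it downloads. Cmdlet/parameter names are from memory; verify against the module docs.
Import-Module IntuneWin32App
Connect-MSIntuneGraph -TenantID 'contoso.onmicrosoft.com'   # placeholder tenant

$choco = '"%ProgramData%\chocolatey\bin\choco.exe"'           # full path: don't rely on PATH under SYSTEM
$work  = 'C:\IntuneBaseline'                                   # placeholder working folder

# The baseline: Chocolatey id, Company Portal display name, publisher and a PNG logo in $work\icons
$baseline = @(
    @{ Id = '7zip';         Name = '7-Zip';         Publisher = 'Igor Pavlov'; Icon = '7zip.png'   }
    @{ Id = 'vlc';          Name = 'VLC';           Publisher = 'VideoLAN';    Icon = 'vlc.png'    }
    @{ Id = 'googlechrome'; Name = 'Google Chrome'; Publisher = 'Google';      Icon = 'chrome.png' }
)

foreach ($app in $baseline) {
    $src = Join-Path $work "src\$($app.Id)"
    $out = Join-Path $work 'out'
    New-Item -Path $src, $out -ItemType Directory -Force | Out-Null

    # The .intunewin must contain a setup file; a one-line wrapper keeps the package tiny
    # and leaves the real work to Chocolatey.
    Set-Content -Path (Join-Path $src 'Install.cmd') -Value "$choco install $($app.Id) -y --no-progress"

    # Detection: the package's .nuspec exists under the Chocolatey lib folder (exit 0 + output = installed)
    $detect = Join-Path $src "Detect-$($app.Id).ps1"
    Set-Content -Path $detect -Value @"
if (Test-Path -LiteralPath "`$env:ProgramData\chocolatey\lib\$($app.Id)\$($app.Id).nuspec") { Write-Output 'Detected'; exit 0 }
exit 1
"@

    # 1. Package and push the app
    $pkg  = New-IntuneWin32AppPackage -SourceFolder $src -SetupFile 'Install.cmd' -OutputFolder $out -Force
    $rule = New-IntuneWin32AppDetectionRuleScript -ScriptFile $detect -EnforceSignatureCheck $false -RunAs32Bit $false
    $req  = New-IntuneWin32AppRequirementRule -Architecture x64 -MinimumSupportedWindowsRelease W10_1607  # name varies by module version
    $icon = New-IntuneWin32AppIcon -FilePath (Join-Path $work "icons\$($app.Icon)")   # 3. the logo

    $win32 = Add-IntuneWin32App -FilePath $pkg.Path -DisplayName $app.Name `
        -Description "$($app.Name), installed and patched through Chocolatey" -Publisher $app.Publisher `
        -InstallExperience system -RestartBehavior suppress `
        -DetectionRule $rule -RequirementRule $req -Icon $icon `
        -InstallCommandLine 'Install.cmd' `
        -UninstallCommandLine "$choco uninstall $($app.Id) -y"

    # 2. Available, not required: the app appears in the Company Portal for users to install on demand
    Add-IntuneWin32AppAssignmentAllUsers -ID $win32.id -Intent available -Notification showAll
}
```

Because the install runs as SYSTEM on every device that a user clicks on, the baseline list is effectively an allow-list of what your users can install; review it as such, and keep the Chocolatey source it resolves against under your control.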
3. Creating a Win32 app and making it interactive in the user's session
Do you remember I told you the app is installed in the SYSTEM context? Normally that means the user never sees the installer. With ServiceUI.exe and the PowerShell App Deployment Toolkit (PSADT) you can launch the installation from the SYSTEM context into the logged-on user's interactive session, so the installer's windows become visible and the user can click through them. That's maybe the best part of publishing apps to the Company Portal. It's perfect for software that needs user interaction, like Brother printer/scanner software that asks the user to connect the USB scanner at a certain step. One caveat: the process still runs as SYSTEM, it is merely shown on the user's desktop. Any file browser, help link or shell that the installer's UI can open is opened as SYSTEM as well, so only use this for installers you trust and keep the interactive part as small as possible.
A short summary of what I did to get this working:
- Downloaded ServiceUI.exe (it ships with the Microsoft Deployment Toolkit, under Tools\x64 or Tools\x86; use the one matching the OS architecture) and copied it to c:\packages\brother
- Downloaded the PowerShell App Deployment Toolkit and unzipped it to c:\packages\brother
- Downloaded the Brother software and extracted the files to c:\packages\brother\files
- Edited Deploy-Application.ps1: the application variables ($appVendor, $appName, $appVersion) and the installation task (Execute-Process -Path "$dirFiles\InstUI.exe")
- Created the .intunewin package with the Win32 Content Prep Tool (setup file: Deploy-Application.exe, source folder: c:\packages\brother)
- Created the Intune Win32 app (install command: .\ServiceUI.exe -Process:explorer.exe Deploy-Application.exe), with an uninstall command and a detection rule as for any other Win32 app
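The install command above only works when someone is logged on: ServiceUI needs an explorer.exe process to attach to, and without it ServiceUI fails and the Intune Management Extension marks the install as failed. As an added example (not the original post's code), here is a small wrapper script you can package next to ServiceUI.exe and the PSADT files; it uses ServiceUI when a user session exists and falls back to PSADT's silent mode otherwise, so the same package can also be assigned as required. The file name Install.ps1 and the install command that calls it are my assumptions.

```powershell
# Added example: Install.ps1 wrapper packaged with ServiceUI.exe and the PSADT files.
# Intune install command (assumed): powershell.exe -ExecutionPolicy Bypass -NoProfile -File Install.ps1
# The Intune Management Extension runs this as SYSTEM from the extracted .intunewin folder.
$ErrorActionPreference = 'Stop'
$here = $PSScriptRoot   # folder holding ServiceUI.exe, Deploy-Application.exe and the PSADT toolkit

# ServiceUI launches the target in the session that owns the named process; explorer.exe only
# exists while a user is logged on (not during ESP or on a locked-but-logged-off device).
$interactive = [bool](Get-Process -Name explorer -ErrorAction SilentlyContinue)

if ($interactive) {
    # Visible to the user, but still running as SYSTEM: every dialog the installer opens is
    # SYSTEM-privileged, so this path is only acceptable for installers you trust.
    $proc = Start-Process -FilePath (Join-Path $here 'ServiceUI.exe') `
        -ArgumentList '-Process:explorer.exe', 'Deploy-Application.exe' `
        -WorkingDirectory $here -Wait -PassThru -NoNewWindow
} else {
    # Nobody to interact with: let PSADT run silently instead of failing in ServiceUI.
    $proc = Start-Process -FilePath (Join-Path $here 'Deploy-Application.exe') `
        -ArgumentList '-DeployMode "Silent"' `
        -WorkingDirectory $here -Wait -PassThru -NoNewWindow
}

# Hand PSADT's exit code back to the Intune Management Extension (0 = success, 3010 = soft reboot)
exit $proc.ExitCode
```

For the Brother scanner software the silent path only makes sense if the installer supports an unattended mode; otherwise keep the app available-only, so the wrapper always ends up on the interactive branch with the user present to plug in the scanner.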
Giving some “freedom” to your end-users on a zero-trust secured device to install apps on their own behalf is the best thing you can do. Also, with the help of serviceui.exe, you can create a great user experience.
Also, take a look at my blog about how to let end-users install printers on their own. Combining the possibilities to let end-users install apps and printers on their own could not be better.