Company Portal App: Unchained

Patch My Pc | install & update thousands of apps

In this blog, I will share my opinion on how I prefer apps to be deployed. Let me give you a small hint: using the company Portal!

When deploying a zero-trust modern workplace, you need to ensure that your users are not members of the local admin group. Take a look at my blogs if you want to ensure that a user is never a local admin. When your users are no longer local admins, you can implement an AppLocker policy to ensure your devices are secure.

But here comes trouble… Many of your users are used to just installing the app(s) they need, and now they don’t have this option anymore.

Each company has its own business apps that almost everyone uses. You will need to make sure these apps are deployed to all devices. However, there are also some third-party apps that not everyone uses. Just to mention a few: Java/Chrome/Firefox/Filezilla/7zip/Citrix Workspace/Silverlight/VLC/Zoom, etc.

Of course, you can push all these apps to your endpoints when users enroll, but why would you? In my opinion, users must choose for themselves which additional apps they need and when they need them.

1. Configuring the Company portal

With the New Microsoft Store apps Option, we can ensure the company portal is installed on all devices.  To do so select the Microsoft Store app option

Just add/configure the company portal app and select the proper install behavior (System/ User)

Of course, you could also add the Offline version of the Company Portal app, if you want to read more about the differences, please read this additional Company Portal app blog.

Don’t forget to apply some governance. I guess you don’t want the user to remove their enrolled device from Intune? So please make sure you configure these options in the Intune Admin Center (Tenant admin | Customization):

Hide Remove button on a corporate device

Hide the remove button on corporate IOS/IpadOs devices

Tenant admin – Microsoft Intune admin center

2. Configuring Applications as available

When the Company Portal app is installed, you’ll receive some benefits.

https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/company-portal?view=o365-worldwide

One of them is the possibility of letting end-users install apps even if they don’t have permission to do so.  The only thing you will need to do is configure the app assignments. Take a look down here, I changed the app to be available for enrolled devices instead of setting it to required.

When the app is available for enrolled devices, it will show up in the company portal on the devices. The user only has to click on it to begin the installation. The Intune management extension (sidecar agent) will take care of the installation and will install the app in the machine/system context.

the company portal showing us all the apps configured as available so we can easily install them ourselves without needing to be a local admin

As you can see in the picture above, I configured the apps to be installed with Chocolatey. Chocolatey is a great tool for patching your third-party apps.  It’s best practice to set Chocolatey as a required app within the ESP to ensure users can instantly install apps upon their first login.

Of course, it can be a lot of work to manually create all these apps each time you onboard a new customer. But why not automate it, as I did? You can create your own baseline with all third-party apps and deploy it through PowerShell within minutes. Each time a customer asks for another not-available application, you can add it to your baseline.

  1. Push all the apps to Intune
  2. Assign the apps as available for all users
  3. Add the logo. It really looks a lot nicer with a logo?

3. Creating Categories for the Apps

Now you could be questioning, how could we get a better overview of all the apps we have. That’s easy!You only need to create some Categories first. Let’s open Intune and open the Apps plane and click on App-Categories.

Click on “add” and create all the categories you want!

Now we have created all the categories, let’s add them to the apps. You could do so by simply opening the app and start editing it. Please select the proper category and press save.

Isn’t that nice? Now you can sort by category in the company portal!

4. Creating Win32 app and make it interactive with the user’s context

I moved this part to a dedicated blog so it could receive more attention and with this dedicated blog, I could explain it even more.

Conclusion:

The best thing you can do is give your end-users some “freedom” to install apps on their own behalf on a zero-trust secured device. Also, with the help of serviceui.exe, you can create a great user experience.

Freedom GIFs | Tenor

Also, take a look at my blog about how to let end-users install printers on their own. Combining the possibilities to let end-users install apps and printers on their own could not be better.

Leave a Reply

Your email address will not be published. Required fields are marked *

  −  1  =  6

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.