Earlier this year, Microsoft launched Intune Enterprise App Management - aiming to simplify how organisations package, deploy, and update third-party apps for Windows.
The challenge: Keeping apps updated and secure
Maintaining up-to-date and secure applications is a significant challenge for many organisations. A Microsoft Digital Defense Report revealed that a staggering 78% of devices remain unpatched nine months after a critical vulnerability fix was released.
This delay in applying patches and updating applications leaves organisations vulnerable to cyberattacks, which are responsible for 60% of data breaches.
The solution: Streamlining app management
Enterprise App Management is here to simplify the lifecycle of managing both first-party and third-party applications. Let’s explore its key features:
App catalog: With easy access to a catalog of Microsoft and third-party applications, IT administrators can tailor their selection based on specific preferences and needs. The catalog includes available language packs and architectures, making it a breeze to find the right apps.
Editable metadata: Once you’ve selected the desired application, editable metadata is prefilled with essential details such as install and uninstall commands. Say goodbye to manual data entry and hello to efficiency.
Application updates: Enterprise App Management streamlines the application update process. Admins get a comprehensive view of all apps that need an update from a single, easy-to-use screen. You’ll see both current and new versions, reducing the traditional workload required to monitor updates and gather application-related data.
Streamlined deployment: With Enterprise App Management, IT administrators can select any application they want to deploy to their devices and, via a simple wizard, have it pushed out within minutes. Microsoft hosts the binaries for these apps, allowing for seamless creation of Intune applications. Say goodbye to manual packaging and hello to efficiency!
Reduced admin effort: IT teams worldwide spend countless hours duplicating work—packaging and deploying the same third-party apps. Enterprise App Management aims to alleviate this burden by providing a centralised solution.
Why is this important?
Efficiency. IT teams save time by relying on a pre-packaged catalog and a streamlined deployment process.
Whether you're managing Windows applications or exploring other aspects of app management, Microsoft Intune Enterprise App Management will be your ally in simplifying the complex world of Intune apps.
Does this work with SureDeploy?
SureDeploy fully supports Enterprise App Management. You can manage these applications from your SureDeploy dashboard.
SureDeploy addresses the shortcomings of Enterprise App Management, such as app update automation and testing, by managing all the application updates and group assignments. This provides a fully customisable update schedule across your organisation, removing all the manual steps required if you only have Enterprise App Management.
Enterprise App Management can be used to reduce costs associated with application packaging for common apps. SureDeploy provides support for Enterprise App Management for FREE :)
Any limitations?
Self-Updating Apps:
The Enterprise App Catalog includes apps that self-update. Intune ensures that the app is at least at a target minimum version but not necessarily the latest.
This can cause a few issues:
1.) Old applications being installed on new devices, leaving open vulnerabilities
2.) Application updates being mass installed with no testing
3.) Users forgoing updates, leaving vulnerabilities across your devices
4.) No reporting or visibility on the "Installed" version of any apps within your environment
Network rules may also need configuration to allow updates from the app vendor. While this might be fine for small deployments, updating Adobe Creative Suite for 1,000 devices via your internet connection may not be a great experience.
Limited Catalog:
Whilst I'm sure this will change quickly, currently being limited to only 95 applications is a bit lacklustre. The march towards web apps is not slowing down; however, businesses are still heavily reliant on installed "phat" apps on user devices.
I expect, and am looking forward to, the catalog expanding quickly, but there will always be applications and customisations that just don’t have enough scope for Microsoft to bother including in their catalog.
This will be especially true for custom line-of-business applications developed internally and also large application suites with multiple license and deployment options. I'm looking at you, Adobe Creative Suite and AutoCAD. Also, if you are still running Google Chrome, there are currently no options to configure any of the advanced security features; this still needs an Intune configuration policy separate to the application.
Out Of Date:
While Microsoft is working with application vendors to package new releases, this still leaves something to be desired. They can be quite far behind. Below, Mozilla is more than a month out of date.
Still Manual:
When a new update is released, you still need to manually change all the group assignments, manage the rollout and hope.
If you have any experience with Win32 application updates via Intune and all the group assignments, you know what I'm talking about. It's still a very manual and cumbersome process.
While Enterprise App Management simplifies app management, understanding its limitations helps organisations make informed decisions and plan effectively.
What about self-updating apps? I have two issues with this:
1.) Users are never going to keep their application updated.
2.) You have no way to test updates before users update their apps.
Chasing up users to update Chrome to fix the latest CVE released to keep the security team happy isn't a job I'd wish on anyone.
So, what?
While there are still a few shortcomings with Enterprise App Management, it can probably reduce a good amount of work for your packaging team. I think for small businesses and managed service providers, it’s a no-brainer! We hope to see some more enterprise features like app update automation and a much larger catalog soon.
While you still need to manage all of the application updates and rollout, having the Intune package created for you saves a massive amount of time, even if it’s a little bit behind the vendor release.
If you need CVEs patched within a quick time frame for NIST, Essential 8, SOC 2 or ISO 27001, this might not be the solution you are looking for.
Contact us if you have any questions or want more info.
The Enterprise App catalogue: what's inside?
The size of the catalog matters, as it directly impacts the time saved by IT admins. As per the initial release, the Enterprise App Management catalog boasts 94 unique Windows applications.
Here’s a glimpse of some of the apps included:
- 7-Zip [Igor Pavlov]
- Amazon AWS Tools for Windows [Amazon Web Services Developer Relations]
- Android Studio 2022 [Android]
- Audacity [Audacity]
- Beyond Compare [Scooter Software, Inc.]
- Blender [Blender Foundation] (15 Configurations)
- Cisco Jabber 14 [Cisco Systems, Inc.]
- Citrix Workspace app [Citrix]
Full Enterprise App Catalogue
- Amazon Corretto 16 [Amazon]
- Amazon Kindle [Amazon]
- Android Studio 3 [Android]
- Android Studio 4 [Android]
- Araxis Merge [Araxis] (2 Configurations)
- Artweaver Free [Boris Eyrich Software]
- Atomi Systems ActivePresenter [Atomi Systems, Inc.]
- BlueJeans 2 [Blue Jeans] (2 Configurations)
- Brady Workstation [Brady Corporation]
- Burp Suite Community Edition [PortSwigger]
- Burp Suite Professional Edition [PortSwigger]
- Calibre [Kovid Goyal]
- Cisco Webex Meetings [Cisco Webex LLC]
- Cisco WebEx Recorder and Player [Cisco Webex LLC]
- Cisco WebEx Recording Editor [Cisco Webex LLC]
- Cisco Webex Teams [Cisco Systems, Inc.]
- Citrix Receiver [Citrix]
- Citrix Workspace app LTSR [Citrix]
- CMake [2BrightSparks Ptd Ltd] (8 Configurations)
- Dell Command Update (Windows Universal Application) [Dell, Inc.]
- Docker Desktop [Docker Inc.]
- draw.io Desktop [draw.io]
- Duo Desktop [Duo Security Inc.]
- Eclipse Temurin JDK with Hotspot 11 (LTS) [Eclipse Foundation]
- Eclipse Temurin JDK with Hotspot 19 [Eclipse Foundation]
- Eclipse Temurin JRE with Hotspot 11 (LTS) [Eclipse Foundation]
- Eclipse Temurin JRE with Hotspot 19 [Eclipse Foundation]
- Egnyte Connect [Egnyte, Inc.]
- Egnyte WebEdit [Egnyte, Inc.]
- Evernote [Evernote]
- Foxit PDF Editor 11 [Foxit Software]
- Foxit PDF Editor 12 [Foxit Software]
- Foxit PDF Reader [Foxit Software]
- Frame App [Nutanix Inc.]
- Free Countdown Timer [Comfort Software Group]
- Google Chrome for Business [Google]
- Google Drive [Google]
- Inkscape [Inkscape]
- JAM Software TreeSize Free [JAM Software GmbH]
- KeePass Password Safe (Classic Edition) [Dominik Reichl]
- KeePassXC [KeePassXC]
- Lansweeper [Lansweeper]
- Lenovo Quick Clean [Lenovo Software]
- LogMeIn GoToMeeting IT Installer [LogMeIn]
- Microsoft .NET Runtime 6.0 [Microsoft]
- Microsoft Azure CLI [Microsoft]
- Microsoft Azure Storage Explorer [Microsoft]
- Microsoft Power BI Desktop [Microsoft]
- Microsoft PowerShell Core [Microsoft] (6 Configurations)
- Microsoft Skype for Desktop [Microsoft]
- Microsoft Surface Diagnostic Toolkit for Business [Microsoft]
- Microsoft Visual C++ 2008 Redistributable [Microsoft]
- Microsoft Visual C++ 2015-2022 Redistributable [Microsoft]
- Microsoft Visual Studio Code [Microsoft]
- Mozilla Firefox [Mozilla] (37 Configurations)
- Mozilla Thunderbird [Mozilla] (29 Configurations)
- Nessus Agent 10 [Tenable, Inc.]
- Notepad++ [Don Ho]
- NVIDIA GeForce Experience [NVIDIA]
- OpenShot Video Editor [OpenShot Studios]
- OpenVPN [OpenVPN Technologies, Inc.]
- Oracle Java Runtime Environment Version 8 [Oracle]
- Parallels Client 18 [Parallels International GmbH]
- Piriform CCleaner [Piriform Ltd]
- Poll Everywhere [Poll Everywhere]
- Poly Lens Desktop App [Plantronics]
- Python 3.10 [Python Software Foundation]
- Python 3.11 [Python Software Foundation]
- QNAP Qsync [QNAP]
- R for Windows [R Core Team]
- Rarlab WinRAR [Rarlab] (27 Configurations)
- Remote Help [Microsoft]
- Royal TS 5 [code4ward.net e.U.]
- Royal TS 6 [code4ward.net e.U.]
- Royal TS 7 [code4ward.net e.U.]
- ScreenToGif [Nicke Manarin]
- Simon Tatham Putty [Simon Tatham]
- SyncBackFree [2BrightSparks Ptd Ltd]
- TeamSpeak client [TeamSpeak Systems]
- TechSmith Snagit 2019 [TechSmith Corporation]
- TechSmith Snagit 2020 [TechSmith Corporation]
- TechSmith Snagit 2021 [TechSmith Corporation]
- TechSmith Snagit 2023 [TechSmith Corporation]
- TechSmith Snagit 2024 [TechSmith Corporation]
- TightVNC [TightVNC]
- TortoiseSVN [TortoiseSVN]
We are looking forward to Microsoft's plans to significantly expand this catalog in the near future, even adding macOS apps to the mix!
Take the complexity out of Microsoft Intune deployments with SureDeploy. Elevate your device management capabilities and enhance your security score.