
Intune enterprise app management

Earlier this year, Microsoft launched Intune Enterprise App Management - aiming to simplify how organisations package, deploy, and update third-party apps for Windows.

 

The challenge: Keeping apps updated and secure

Maintaining up-to-date and secure applications is a significant challenge for many organisations. A Microsoft Digital Defense Report revealed that a staggering 78% of devices remain unpatched nine months after a critical vulnerability fix was released.

This delay in applying patches and updating applications leaves organisations vulnerable to cyberattacks, which are responsible for 60% of data breaches.

 

The solution: Streamlining app management

Enterprise App Management is here to simplify the lifecycle of managing both first-party and third-party applications. Let’s explore its key features:

App catalog: With easy access to a catalog of Microsoft and third-party applications, IT administrators can tailor their selection based on specific preferences and needs. The catalog includes available language packs and architectures, making it a breeze to find the right apps.

Editable metadata: Once you’ve selected the desired application, editable metadata is prefilled with essential details such as install and uninstall commands. Say goodbye to manual data entry and hello to efficiency.

Application updates: Enterprise App Management streamlines the application update process. Admins get a comprehensive view of all apps that need an update from a single, easy-to-use screen. You’ll see both current and new versions, reducing the traditional workload required to monitor updates and gather application-related data.

Streamlined deployment: With Enterprise App Management, IT administrators can select any application they want to deploy to their devices and, via a simple wizard, have it pushed out within minutes. Microsoft hosts the binaries for these apps, allowing for seamless creation of Intune applications. Say goodbye to manual packaging and hello to efficiency!

Reduced admin effort: IT teams worldwide spend countless hours duplicating work—packaging and deploying the same third-party apps. Enterprise App Management aims to alleviate this burden by providing a centralised solution.

 

Why is this important?

Efficiency. IT teams save time by relying on a pre-packaged catalog and a streamlined deployment process.

Whether you're managing Windows applications or exploring other aspects of app management, Microsoft Intune Enterprise App Management will be your ally in simplifying the complex world of Intune apps.

 

Does this work with SureDeploy?

SureDeploy fully supports Enterprise App Management. You can manage these applications from your SureDeploy dashboard.

SureDeploy addresses the shortcomings of Enterprise App Management, such as app update automation and testing, by managing all the application updates and group assignments. This provides a fully customisable update schedule across your organisation, removing all the manual steps required if you only have Enterprise App Management.

Enterprise App Management can be used to reduce costs associated with application packaging for common apps. SureDeploy provides support for Enterprise App Management for FREE :)

 

Any limitations?

 

Self-Updating Apps:

The Enterprise App Catalog includes apps that self-update. Intune ensures that the app is at least at a target minimum version but not necessarily the latest.

This can cause a few issues:

1.) Old applications being installed on new devices, leaving open vulnerabilities

2.) Application updates being mass installed with no testing

3.) Users forgoing updates, leaving vulnerabilities across your devices

4.) No reporting or visibility on the "Installed" version of any apps within your environment
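The gap between "meets the minimum version" and "is on the latest version" can be checked on a device directly. The script below is an added example, not code from the original page or from Microsoft: it reads the machine-wide uninstall registry keys and classifies each matching app. The app name and both version numbers are constructed sample values, and per-user installs (HKCU) are assumed to be out of scope.

```powershell
# Added example: report the installed version of an app on this device and
# compare it with a minimum (detection) version and the latest vendor release.
# $AppName, $MinimumVersion and $LatestVersion are constructed sample values.
param(
    [string]  $AppName        = 'Example App',   # placeholder display name
    [version] $MinimumVersion = '1.0.0',         # constructed minimum version
    [version] $LatestVersion  = '1.2.0'          # constructed latest release
)

function Get-InstalledAppVersion {
    param([Parameter(Mandatory)][string] $Name)

    # Machine-wide uninstall entries for 64-bit and 32-bit installers.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Name*" -and $_.DisplayVersion } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion is free text; skip values that do not parse as a version.
            if ([version]::TryParse($_.DisplayVersion, [ref]$parsed)) {
                [pscustomobject]@{ Name = $_.DisplayName; Version = $parsed }
            }
        }
}

function Get-PatchState {
    param([version] $Installed, [version] $Minimum, [version] $Latest)
    if ($Installed -lt $Minimum)    { 'BelowMinimum' }
    elseif ($Installed -lt $Latest) { 'MeetsMinimumButOutdated' }
    else                            { 'Current' }
}

$found = @(Get-InstalledAppVersion -Name $AppName)
if (-not $found) {
    Write-Output "NotInstalled: $AppName"
} else {
    foreach ($app in $found) {
        $state = Get-PatchState $app.Version $MinimumVersion $LatestVersion
        Write-Output ("{0}: {1} {2}" -f $state, $app.Name, $app.Version)
    }
}
```

A device reporting `MeetsMinimumButOutdated` is the case described above: it satisfies a minimum-version check while still running a release older than the latest one.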

 

Network rules may also need configuration to allow updates from the app vendor. While this might be fine for small deployments, updating Adobe Creative Suite for 1,000 devices via your internet connection may not be a great experience.

 

Limited Catalog:

Whilst I'm sure this will change quickly, currently being limited to only 95 applications is a bit lacklustre. The march towards web apps is not slowing down; however, businesses are still heavily reliant on installed "phat" apps on user devices.

I expect - and am looking forward to - the catalog expanding quickly, but there will always be applications and customisations that just don’t have enough scope for Microsoft to bother including in their catalog.

This will be especially true for custom line-of-business applications developed internally and also large application suites with multiple license and deployment options; I'm looking at you, Adobe Creative Suite and AutoCAD. Also, if you are still running Google Chrome, there are currently no options to configure any of the advanced security features; this still needs an Intune configuration policy separate to the application.

 

Out Of Date:

While Microsoft is working with application vendors to package new releases, this still leaves something to be desired. They can be quite far behind. Below, Mozilla is more than a month out of date.

 

Still Manual:

When a new update is released, you still need to manually change all the group assignments, manage the rollout and hope.

If you have any experience with Win32 application updates via Intune and all the group assignments, you know what I'm talking about. It's still a very manual and cumbersome process.

While Enterprise App Management simplifies app management, understanding its limitations helps organisations make informed decisions and plan effectively.

What about self-updating apps? I have two issues with this:

1.) Users are never going to keep their applications updated.
2.) You have no way to test updates before users update their apps.

Chasing up users to update Chrome to fix the latest CVE released to keep the security team happy isn't a job I'd wish on anyone. 

 

So, what?

While there are still a few shortcomings with Enterprise App Management, it can probably reduce a good amount of work for your packaging team. I think for small businesses and managed service providers, it’s a no-brainer! We hope to see some more enterprise features like app update automation and a much larger catalog soon.

While you still need to manage all of the application updates and rollout, having the Intune package created for you saves a massive amount of time, even if it’s a little bit behind the vendor release.

If you need CVEs patched within a quick time frame for NIST, Essential 8, SOC 2 or ISO 27001, this might not be the solution you are looking for.


Contact us if you have any questions or want more info.

 

The Enterprise App catalogue: what's inside?

The size of the catalog matters, as it directly impacts the time saved by IT admins. As per the initial release, the Enterprise App Management catalog boasts 94 unique Windows applications.

 

Here’s a glimpse of some of the apps included:

  • 7-Zip [Igor Pavlov]
  • Amazon AWS Tools for Windows [Amazon Web Services Developer Relations]
  • Android Studio 2022 [Android]
  • Audacity [Audacity]
  • Beyond Compare [Scooter Software, Inc.]
  • Blender [Blender Foundation] (15 Configurations)
  • Cisco Jabber 14 [Cisco Systems, Inc.]
  • Citrix Workspace app [Citrix]


We are looking forward to Microsoft's plans to significantly expand this catalog in the near future, even adding macOS apps to the mix!

 
