Looking at Enterprise App Management

What is Enterprise App Management

Enterprise App Management (EAM), part of the Intune Suite, is designed to manage the never-ending updates to applications across your Windows device estate. EAM's goal is to remove the overhead of packaging, testing and deploying 3rd party software updates by automatically managing the complexity that these actions place on organizations.

The why of Enterprise App Management

Patching is usually pretty complex. Most organizations have large app portfolios, heavily entrenched patching processes, and infrastructure investments. For most organizations evaluating cloud management for Windows 11, Intune has historically had a number of pitfalls in managing 3rd party apps. Over the last few years, capabilities like supersedence in the Win32 app story have aimed to close the feature gaps that app management in Intune has had compared with ConfigMgr. Let's take a look at this new feature included in the Intune Suite and see why you should be looking at it as a way to reduce your patching complexity and move this workload to the Microsoft Cloud.

Intune licensing

EAM is part of the Intune Suite. This capability is not included in the standard Intune license provided with Microsoft 365, EMS or other licensing bundles. In order to use EAM, you will need to purchase the Intune Suite or Enterprise App Management as a standalone add-on. Each user who will be consuming the service will need to be assigned the EAM license.

Demo: Adding Apps to EAM

Our friend Johnny Appleseed has dropped his Mac off at the Apple Store for the day and is using his Entra ID joined, Intune managed Windows 11 device. Johnny is part of the RemoteUsers security group and, as we will find out, needs a Firefox update. Let's navigate to Intune Admin Center > Apps > All apps > Add > Enterprise App Catalog app to add our first app.

Next, we search the Enterprise App Management Catalog for Firefox, then click Next.

Under the Configuration tab, we select the package, in this case Firefox (English) (x64), and select Next.

Next, EAM pulls into Intune the package metadata for the app. We will keep the defaults here and select Next.

EAM then pulls into Intune the install / uninstall commands, along with the installation behavior, and return codes. No additional details are required to get this installed. We will take the defaults and select Next.

Under the Requirements section, we can set additional requirements around the OS and hardware, check for a file or registry key, or add a custom script to handle additional pre-install checks. We will again take the default and select Next.

Next, EAM prepopulates the detection logic for Firefox. This is used to detect Firefox on the target device. Once again we will take the default and select Next.

We click Review + Create and save the app. Finally, we add the RemoteUsers Entra ID Group to the Required option under the Assignment portion on the app. After a bit of time the App is loaded into the Tenant’s storage and ready for deployment.

Demo: Johnny’s PC

Checking on Johnny's Firefox version, we can see it's old. Let's take a look at the IME logs and see what's going on under the hood while EAM patches this old version.

IntuneManagementExtension.Log

We can see IME checking in to Intune and downloading the policy associated with the app we just created, aa4fa177-8aa6-4f0d-a0bd-d4c0f0d00fec. Inside we can see the JSON response from Intune in plaintext, including the detection method, reboot behavior and all the details that we defined in the Intune Admin Center. These attributes will be used throughout the download, detection and install processes.

Next, Johnny gets a toast notification, and we see Win32App begin downloading the Intunewin.bin file. This is the package we uploaded to Intune when we authored the policy, wrapped as an Intunewin file. Additionally, as we see in the next two screenshots, IME supports Delivery Optimization. Keep in mind this is the existing Win32 app support.

Once IME finishes downloading the payload to the staging directory, IME unzips the payload and stages it into the IMECache.

Next, IME runs the detection rules. IME finds the application via the file path (C:\Program Files\Mozilla Firefox\firefox.exe) and notes that the version is 94.0.1.7977. The detectionManager then runs a comparison and checks to ensure the catalog version is greater than or equal to the detected version. In this case, EAM’s version for Firefox is 123.0.0.8809. This was cached in the JSON when IME downloaded the policy.

Next, IME calls the Win32AppInstaller, and the installer is passed the install parameters as described in the Policy JSON.

Finally, a completion toast notification is presented to the user letting them know that IME has completed the install, and IME reports the status of the policy back to Intune.

As we can see, Johnny’s PC has Firefox updated to the latest version in the EAM Catalog.
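To see the same sequence without screenshots, here is an added example (not code from the post or from Microsoft) that parses CMTrace-style entries from IntuneManagementExtension.log, keeps the lines mentioning the app policy id above, and repeats the detectionManager comparison the walkthrough describes: catalog version greater than or equal to detected version. The log lines embedded below are constructed for illustration; only the CMTrace envelope format is real.

```powershell
function ConvertFrom-CmTraceLine {
    param([Parameter(Mandatory)][string]$Line)
    # CMTrace envelope: <![LOG[message]LOG]!><time=".." date=".." component=".." .. type="N" ..>
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)".*?\btype="(?<type>\d)"'
    if ($Line -match $pattern) {
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
        [pscustomobject]@{
            Date      = $Matches.date
            Time      = $Matches.time
            Component = $Matches.comp
            Severity  = if ($severity) { $severity } else { 'Unknown' }
            Message   = $Matches.msg
        }
    }
}

function Test-CatalogVersionCurrent {
    param([Parameter(Mandatory)][string]$DetectedVersion,
          [Parameter(Mandatory)][string]$CatalogVersion)
    # [version] compares segment by segment, so 123.0.0.8809 > 94.0.1.7977; a string compare would get this wrong
    [version]$CatalogVersion -ge [version]$DetectedVersion
}

# Constructed sample entries (message text is illustrative, not real IME wording).
$sampleLog = @'
<![LOG[[Win32App] Downloaded policy for app aa4fa177-8aa6-4f0d-a0bd-d4c0f0d00fec, catalog version 123.0.0.8809]LOG]!><time="10:01:02.123+000" date="3-1-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[[Win32App] Detected file C:\Program Files\Mozilla Firefox\firefox.exe version 94.0.1.7977 for app aa4fa177-8aa6-4f0d-a0bd-d4c0f0d00fec]LOG]!><time="10:01:05.456+000" date="3-1-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">
<![LOG[[Win32App] Unrelated app 00000000-0000-0000-0000-000000000000 is already current]LOG]!><time="10:01:06.000+000" date="3-1-2024" component="IntuneManagementExtension" context="" type="2" thread="7" file="">
'@

$appId = 'aa4fa177-8aa6-4f0d-a0bd-d4c0f0d00fec'   # policy id from the walkthrough
# On a real device, replace $sampleLog with the contents of IntuneManagementExtension.log
# under the Logs subfolder of the IME folder named in the troubleshooting section.
$entries    = $sampleLog -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-CmTraceLine -Line $_ }
$appEntries = $entries | Where-Object { $_.Message -like "*$appId*" }
$appEntries | Format-Table Time, Severity, Message -AutoSize

# Pull the two versions out of the filtered messages and run the detection comparison.
$joined   = $appEntries.Message -join "`n"
$detected = [regex]::Match($joined, 'firefox\.exe version (\d+(?:\.\d+){1,3})').Groups[1].Value
$catalog  = [regex]::Match($joined, 'catalog version (\d+(?:\.\d+){1,3})').Groups[1].Value
if (Test-CatalogVersionCurrent -DetectedVersion $detected -CatalogVersion $catalog) {
    "Catalog $catalog >= detected $detected: install proceeds"
} else {
    "Detected $detected is newer than catalog $catalog: nothing to install"
}
```

Filtering on the policy id is the quickest way to isolate one app's download, detection and install lines from the rest of the IME log when a deployment does not behave as expected.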

Wrapping up…

Cloud native patching in a nutshell. Is this enough to replace WSUS, ConfigMgr, or PatchMyPC? Well, that depends. A few things to keep in mind. EAM builds on the existing Win32 app capability in Intune. This means software will come from cloud storage, so bandwidth consumption at your branch office locations may be a concern. While IME supports Delivery Optimization, a few devices do have to pull content from the CDN before DO begins to seed clients on your network. While the application catalog has a significant number of 3rd party apps, it may not be complete enough for most organizations that have large app portfolios. Additionally, if you are using ConfigMgr or WSUS standalone to manage Windows Server, those workloads are obviously not supported in EAM either. For some organizations these shortcomings may not matter. As the product continues to mature, specifically as the app portfolio grows, this will be a nice capability for managing 3rd party patching on your cloud native endpoints.

Common Troubleshooting:

  • IME logs are located in C:\ProgramData\Microsoft\IntuneManagementExtension
  • IME checks in every 60 minutes. Bouncing the Microsoft Intune Management Extension service, or using Sync in Company Portal, forces a check-in.
  • IME is deployed when an app or PowerShell script is deployed to the device. It is managed and updated by Intune, so you do not need to worry about maintenance.
  • EAM builds on the existing Win32 app story in Intune. Most of the common troubleshooting steps for Win32 apps apply here as well.
  • For IME on Mac, check out the series on Understanding macOS management with IntuneMDMAgent and Configuration Profiles – Part 3 – Company Portal and IME