Assign and deploy apps using Microsoft Intune
Once you've set up and deployed Intune, added apps to Intune, configured app policies, and secured and protected your apps, you can begin assigning and deploying apps to end users' devices using Intune.
Managed apps use configuration and protection policies. You assign these managed apps to users and devices via a unified endpoint management provider, such as Intune. In addition, you create app configuration policies and app protection policies in Intune and assign them to users and devices at your organization. These policies and apps work together to configure and protect your organization's data.
The Microsoft Intune service supports two Mobile Application Management (MAM) configurations. The first MAM configuration is MAM without device management, where the device is often the user's personal device. When MAM is used with personal devices, only organization-related access and data are managed. This configuration allows your organization's apps to be managed by Intune, but doesn't enroll the devices to be managed by Intune. The second MAM configuration is MAM with device management. This configuration allows both your organization's apps and devices to be managed. MDM, in addition to MAM, makes sure that the device is protected. For more information, see Mobile Application Management configurations.
Important
MAM in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices and personal devices.
The content provided in this solution helps you understand the different aspects of assigning and deploying apps for each of the supported platforms (Android/Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11). You'll understand app management for both managed and unmanaged devices, app assignments and capabilities based on platform, and the steps you should consider when assigning apps.
Note
If you are new to Microsoft Intune and need to understand how to move your organization to Intune, see Migration guide: Set up or move to Microsoft Intune.
Intune offers several advantages when assigning and deploying apps to your organization. The following list provides the benefits:
By assigning and deploying apps from Intune, you can protect your organization's data at the app level. Intune applies this protection using app protection policies. By implementing app-level policies, you can restrict access to company resources and keep data within the purview or scope of your IT department. You can use Intune app protection policies independently of any mobile device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. In addition, organizations can protect their data using Intune app management with and without MDM at the same time. For example, consider an end user (employee or organization member) who uses both a phone issued by the company and their own personal tablet. The organization-issued phone is enrolled in MDM and protected by app protection policies, while the personal device is protected by app protection policies only.
You can also protect data at the app level using selective wipe. When a device is lost or stolen, or if the employee leaves your organization, you want to make sure company app data is removed from the device. However, you might not want to remove personal data on the device, especially if the device is an employee-owned device. To selectively remove company app data, you can create a wipe request for a selected user.
Note
Managed apps are apps that have been integrated with the Intune App SDK or wrapped using the Intune App Wrapping Tool. This integration allows managed apps to support Microsoft Intune's app protection policies and app configuration policies. For a list of apps that support both app configuration and app protection policies, see Microsoft Intune protected apps.
There are four platforms where you can assign and deploy apps that you've added to Intune. In addition, you can monitor app assignments to ensure end users at your organization successfully have the apps they need to accomplish their work.
You can assign and deploy apps based on the following available platforms:
- Android/Android Enterprise
- iOS/iPadOS
- macOS
- Windows 10/11
Each platform offers different app management capabilities. For more information about supported platforms, see App management capabilities by platform.
Many app types that are used in Intune support automatic updates. These apps ensure that members of your organization are using the latest and most secure versions of their apps. By using Intune, you can select apps from the related app platform store, such as the Apple App Store, the Google Play store, and the Microsoft Store. Intune supports automated app updates for built-in apps that include curated apps, such as Microsoft 365 apps and third-party apps for iOS/iPadOS and Android devices. Intune also supports automated app updates for web apps.
Important
An app written in-house or as a custom app must be updated manually.
Intune supports a variety of app types and app functionality. For example, Intune supports store apps by platform. Intune integrates with the Apple App Store, the Google Play store, and the Microsoft Store so that you can find apps in the store and add them to Intune before assigning them to members of your organization. Intune also supports Windows apps (Win32) along with Win32 app supersedence, Enterprise App Catalog apps (Win32), cross-platform web apps, and many store apps that integrate with Microsoft technologies. For a list of app types, see Specific app type details. In addition, Intune supports creating and assigning configuration policies that help to ensure an app is installed on end users' devices based on your organization's requirements. The same is true when applying app protection policies to your organization's users and devices. To better understand app types, purchases, and licenses, see Purchase and add apps for Microsoft Intune.
Important
You can use Intune to help enforce a Zero Trust security strategy for your organization. Zero Trust is an approach to use when designing and implementing a set of security principles. For more information, see Zero Trust with Microsoft Intune and Zero Trust identity and device access configurations.
Before you can assign apps using Microsoft Intune, you must complete a few prerequisites to set up Intune and understand key app management concepts.
Note
If you're new to Intune, start with the Microsoft Intune free trial. Trying out Intune is free for 30 days. When you complete the sign-up process, you'll have a new tenant that you can use to evaluate Intune. A tenant is a dedicated instance of Microsoft Entra ID where your subscription to Intune is hosted. You can then configure the tenant, which involves many capabilities that you can use to protect your organization. One of those involves adding and configuring apps for Intune.
Follow these steps if you haven't already set up Intune and added the apps you need to manage and protect:
- Set up and deploy Intune
- Purchase and add apps for Microsoft Intune
- Configure apps using Microsoft Intune
- Secure and protect apps using Microsoft Intune
Important
To use Microsoft Intune beyond the free trial, you'll need to acquire a license from Microsoft. For more information about licenses that include Microsoft Intune, see Microsoft Intune licensing.
Although many apps that you can deploy to the members of your organization are free, some apps may require a license, subscription, or account for each user to use the app. For more information about app licenses, see Understand app licenses used in Intune.
This solution helps you understand the concepts related to assigning apps using Microsoft Intune. In addition, this solution provides recommended steps to follow when assigning apps to devices and members of your organization. Once you've completed the above prerequisites, you're ready to assign apps to your organization using Intune. In addition, using configuration and protection policies as part of your app management efforts allows members of your organization to safely use apps. By managing apps at your organization, you help to protect and secure your organization's data.
To learn about app deployment using Intune, see the following articles:
To follow the recommended steps when assigning managed apps to your organization using Intune, see the following articles:
- Step 1. Confirm users and devices
- Step 2. Assign apps to groups
- Step 3. Verify app assignments
- Step 4. Troubleshoot app deployment issues
After you've completed the above steps, you're ready to manage and monitor the managed apps your organization uses.