Hi there, welcome to the Microsoft Intune for Education deployment workshop. My name is Paolo Matarazzo. I'm a program manager in the Intune for Education product group. This is module 5, Managing Applications. This module consists of two sessions.
In the first session, we will look at how to manage applications in Intune for Education. In the second session, we will introduce Win32 apps and describe how to create and manage them. from Microsoft Endpoint Manager Admin Center. So let's start with an overview of app management.
Intuit for Education supports three types of applications. We have web apps, store apps, and Windows desktop apps. With the web apps we refer to shortcuts to web URLs.
These can be published either to Windows devices or to iPads. When we publish a web app to a Windows device, we create a shortcut to the Start menu, while on an iPad we create a new entry in the home screen with a specific icon that we can upload during the creation of the app itself. Regarding store apps, we support both Microsoft Store for Education apps and Apple App Store applications. Apple App Store apps can either be added as free apps or as Volume Purchase Program apps, sometimes referred as VPP apps.
Volume Purchase Program allows institutions to purchase apps and e-books in bulk and managing and monitoring their licenses from a central location. And this avoids students and teachers and the end users to be prompted to sign in to the Apple Store app with an Apple ID. This provides really the optimal experience for the end users and for that reason it is suggested to use VPP wherever possible.
Regarding Windows desktop apps we have three different scenarios. First there are the traditional line of business applications or LOB. Those are essentially MSIs but it's a more traditional type of application that we're not suggesting any longer.
as we are moving to Win32 applications. Now we will discuss Win32 applications in the second part of this module but remember that from Intune for Education we can view and assign Win32 applications but we cannot create them. Lastly we have an integrated experience to deploy our first party Microsoft applications.
So for that we have the integration with Microsoft 365 apps also known as Office 365 ProPlus and the latest version of Edge. Similarly, as we saw in Module 4 with Settings, applications can be deployed by assigning them to security groups. If you target a security group containing users, the apps will be installed on any managed device that the user signs into. Likewise, if you target security groups containing devices, the apps will be installed on those devices and available to any user signing in.
One important aspect that I'd like to emphasize is that Microsoft Intune allows applications to be deployed in two ways. There are optional and mandatory applications. So mandatory applications are those applications that are automatically installed with any end user intervention, while optional applications are published to the end users.
In which case you must target user groups only. So for those applications that are published to be installed, the end users have to use an application that is called the company portal. These applications allow the end users to do self-servicing. So the company portal becomes like a catalog from which the end users can pick and choose which applications to install on that device. Critical applications are usually installed as mandatory.
while others may be published to the end users. Since in education we want to prioritize the ease of use of devices, avoiding any extra step for students or for the teachers, Intune for Education takes the approach of deploying all the applications as mandatory. In the scenarios where you need to publish certain applications as optional, we can always do so from Microsoft Endpoint Manager Admin Center, as we will discuss in the second part of this module. Intune for Education offers three ways to manage applications.
The first one is Express Configuration. You saw that experience in Module 3, and Express Configuration essentially consists of a wizard where we select the security group first that we want to manage, then we are prompted with the list of settings and applications that we want to deploy to that specific group. Another way to manage applications from Intune for Education is by looking at the Groups view, which is very similar to what we covered during Module 4, when we were managing settings. You can select the Security group and view and edit all the applications that are assigned to that specific group.
The last option is to use the Apps view. From Apps we can view and modify the assignments of existing applications or we can define new applications. So let's now start our first demo about managing apps from Intune for Education. We will deploy web apps, store apps, and also we will use the integrated experience with the Microsoft 365 apps and Edge.
For store apps we will procure them from both the Microsoft Store for Education and from the Apple School Manager as VPP apps. Then we will send them to our devices. And to demonstrate that the applications get deployed, I went ahead and already enrolled an iPad and a Windows device.
but we will cover in great detail enrollment in the next module, module 6. So this is just a sneak peek of what to expect in terms of app delivery once the devices are managed by Intune. Now that we are in the Intune for Education console, let's start from Express Configuration. This is one of the three methodologies that you can use to assign applications. Again, this is about choosing a group. and in the second step you will choose an app to install.
Since we already covered this methodology, let's move to the other three methods. The next one, if we select Groups, let's assume that we want to deploy an application to the All Devices group, and here we can select Web Apps, Windows Apps, and iOS Apps. If we select Web Apps, We will see a list of applications assigned to this group. We don't have any right now. But if we select Edit Apps, then we could select any web links that are already present in this specific tenant.
For example, if I want to deploy a link to Excel Online or OneNote Online, I can select them and select Save. Likewise, if I select a Windows app. I can select edit apps and these are the Windows applications that I've again created in this specific tenant.
Same with iOS apps, I don't have any applications defined in this tenant so I would have to import them first. The next method is by looking at the apps view. If we select apps, Here we have a list of all the applications that are defined in this Intune tenant.
I can select Load More, and the full list will be loaded. I have the possibility to filter applications. And if I wanted to assign a specific application, I could select, for example, Excel. Under Group Assignment, I can see all the groups that are already assigned to this app. Then I can select Add Groups.
And here I can select multiple security groups and this application will be deployed to all the targeted groups. I can also remove specific security groups. Once I'm happy with my selection, I can select Save Group Assignments.
Now, from the Apps view, we also have the possibility to define new applications. If we select the New App button, We have four options here. We can create a new web app.
We can create a new Microsoft Store app, and with that it would open a new tab to the educationstore.microsoft.com site. We can create a desktop app. Again, this is an MSI app. Lastly, we can select New iOS App. Let's start with the new web app.
Here we specify the URL. We can specify the display name that will show up as a link on our devices. Lastly, I can specify an icon. I can select Save. And from here, I can select Group Assignments.
And let's assign this application to all devices. And save. Let's go back to Apps. and let's select New App. At this point I'm going to select New Microsoft Store App.
From the Store for Education I can select Search the Store and I can search for any applications that I need to distribute to my devices. For example, let's deploy Minecraft Education Edition. As you can see, I already have a Minecraft Education Edition assigned in My Tenant. In the store we can select it.
And what I want to call out here is that the application that we have in our tenant has a license type of online. What I want to do, I want to obtain a Minecraft Education Edition with a license type of offline. Reason being is if I want to target these store applications to device groups, I need to obtain a license type of offline. You may ask why do you want to deploy offline applications to your devices. On shared devices, offline applications have the benefit that as soon as a new user signs in to the device, that application will be available from the moment they sign in, instead of waiting for the application to be linked to the new profile.
So I'm going to select get the app and select close. I'm gonna do the same for Company Portal, because I want to allow my students to do self-servicing of any application that I need to publish to them. Again, I'm gonna choose the offline license and select Get the App. Now let's head back to Intune for Education. Let's now refresh the list of applications.
And as you can see, Company Portal is available in here. And it shows as assigned no. So what I'm going to do, I'm going to take the approach of assigning applications looking at the Groups view.
So I'm going to select Groups. Let's select the All Devices group. Here I'm going to select again Windows app. edit and if we expand Microsoft Store apps I now have two additional applications.
I have the company portal and as you can see we have an indication that this application is available with offline licensing. Likewise we have a Minecraft Education Edition which is offline licensed. We also have the online version, the online licensed version of Minecraft Education Edition, but we want again to target the device groups, making sure that these applications are available to all the users using these shared devices.
I select Save, and now these two applications will be pushed to my devices. Let's head back again to Apps. And I want to call out a couple of things. If we select New App, we have the possibility to select New Desktop App.
As I mentioned before, this allows us to create an LOB application, and we support only MSI installers. As I mentioned during the presentation, this is not the preferred method to deploy LOB applications, so I'm not going to use this methodology. We're going to use Win32 applications in the later demo. The last option here is the New iOS App. If we select this option, be aware that we are going to deploy free applications from the App Store.
We also have a banner here indicating that an Apple ID must be used if you deploy these applications. In other words, if you deploy an application from here, let's say for example that we want to deploy Intune Company Portal. If we do so, and we deploy it to our devices, then our end users will be required to sign in, so we call out that add this app in the Apple School Manager recommended. So let's use that methodology. Here I'm under Apps and Books, and I'm already redirected to Intune Company Portal.
I'm gonna specify quantity and select Get. I'm gonna do the same for Minecraft, the same for Microsoft Edge, and lastly I'm gonna do Teams. Great, now that the applications have been obtained, let's head over back to Intune for Education.
And from here I'm going to assign three of the four VPP apps to the All Devices group. So I'll select iOS Apps, Edit Apps. I'm not going to assign Intune Company Portal because I'm deploying userless devices and Intune Company Portal doesn't support iPad userless devices, so just Edge, Teams and Minecraft Education Edition.
Since we're here, I'm going also to deploy Office or Microsoft 365 Enterprise apps and the latest version of Edge. One thing is worth calling out is that in case you deselect applications in Intune for Education, then Intune for Education will trigger an uninstall of the apps. You may expect that the applications are stopped being deployed to the devices, but Intune for Education, again one more time, will issue an uninstall of the apps in case you deselect them. So to recap, we have one web app, We have four Windows apps and we have three iOS VPP apps.
Let's now look at our devices, making sure that these devices receive the published applications. We are on the iPad and we can see that Teams and Edge are getting installed. And they're then followed by...
Minecraft Education Edition and Wikipedia as a web link. We open Minecraft Education Edition and we authenticate with Allison and Allison can start using the device. Let's do the same on a Windows device.
We sign in with Allison. I'm gonna keep the start menu open and the company portal is already installed. and Minecraft as well.
Minecraft supports single sign-on with Windows, so Alison doesn't have to authenticate and she can start using Minecraft. This concludes our first demo and the first part of module 5. In the second part we will look at how to manage Win32 applications.