Push apps to Android devices using Microsoft Endpoint Manager (Intune)

When a device (iOS, Android, Mac, Windows) is enrolled into Mobile Device Management (MDM) in Microsoft Endpoint Manager (Intune), applications can be pushed to that device. These apps can be custom line of business (LOB) apps, apps from a public marketplace (e.g. Apple App Store, Google Play Store, Microsoft Store), Win32 apps (Windows only), etc.

In this blog we will cover how to push an app to an Android device using Microsoft Endpoint Manager. This assumes a device is already enrolled; for instructions on how to enroll, see:

Android Corporate Owned Fully Managed MDM Enrollment

How to MDM Enroll Android Devices (Personal w/ Work Profile)

What apps can be pushed to an Android device?

The following apps can be pushed to an Android device:

  • Android Store apps
  • Managed Google Play app
  • Web links
  • Built-In Apps
  • Line of Business Apps
  • Android Enterprise System App

For more information see Add apps to Microsoft Intune https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

Add app to Microsoft Endpoint Manager

Browse to https://endpoint.microsoft.com and navigate to Apps -> Android

Click Add -> choose Managed Google Play App and click Select. Notice the other app types under Other.

Type Microsoft Edge in the search box and press Enter

Click Microsoft Edge then click Approve

Click Approve again to approve the permissions

Then click Done


Next click Sync


Click Microsoft Edge on the Android Apps screen

Click Properties then click Edit next to Assignments

For demo purposes, we are going to deploy this app to all users. Intune/Microsoft Endpoint Manager is intelligent enough to push the app only to Android devices and to skip it on iOS/iPadOS devices.

You can also create a security group (recommended practice), add the users to that group and then assign that group, or create a dynamic device security group and assign the app to devices.

On Assignments screen click Add all users under Required then click Review + save

Then click Save

Time to Test!

On my Android device, within a few moments I will see a notification appear indicating Microsoft Edge was successfully installed

On the home screen the app will be shown, indicating it was installed

Lastly, in the Google Play store, tapping on the Microsoft Edge app you will notice the message Per your administrator, this app may not be uninstalled

It’s that easy!

Confirm App Deployment from Intune/Microsoft Endpoint Manager

Let’s go back to Microsoft Endpoint Manager, and navigate to the Microsoft Edge app screen. (You can also get here by browsing to Apps -> Android -> Microsoft Edge)

Clicking on Device Install Status will show the app is installed on the Android device

Push apps to iOS devices using Microsoft Endpoint Manager (Intune)

When a device (iOS, Android, Mac, Windows) is enrolled into Mobile Device Management (MDM) in Microsoft Endpoint Manager (Intune), applications can be pushed to that device. These apps can be custom line of business (LOB) apps, apps from a public marketplace (e.g. Apple App Store, Google Play Store, Microsoft Store), Win32 apps (Windows only), etc.

In this blog we will cover how to push an app to an iOS/iPadOS device using Microsoft Endpoint Manager. This is assuming a device is already enrolled (for instructions on how to enroll, see this blog)

What apps can be pushed to an iOS/iPadOS device?

The following apps can be pushed to an iOS/iPadOS device:

  • Apple App Store apps
  • Web links
  • Built-In Apps
  • Line of Business Apps

For more information see Add apps to Microsoft Intune https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

Add app to Microsoft Endpoint Manager

Browse to https://endpoint.microsoft.com and navigate to Apps -> iOS -> iOS Apps

Click Add -> choose iOS Store App and click Select. Notice the other app types under Other.

Click Search the App Store

Type in the name of the app you want to push. For demonstration purposes in this blog I will search for Microsoft Edge. When finished, click Microsoft Edge then click Select

On the App Information tab click Next

On scope tags click Next (if you want to learn more about scope tags see this article)

For demo purposes, we are going to deploy this app to all users. Intune/Microsoft Endpoint Manager is intelligent enough to push the app only to iOS/iPadOS devices and to skip it on Android devices.

You can also create a security group (recommended practice), add the users to that group and then assign that group, or create a dynamic device security group and assign the app to devices.

On Add App screen click Add all users under Required then click Next

Note: If I select Yes for Uninstall on device removal, then when the device is removed from MDM enrollment this app (Microsoft Edge) will be uninstalled from the user’s device.

On Review + create click Next

Time to Test!

On my iPad, within a few moments I will see a dialog box appear prompting permissions to install the app. Tap Install.

On the home screen the app will be installed

It’s that easy!

Confirm App Deployment from Intune/Microsoft Endpoint Manager

Let’s go back to Microsoft Endpoint Manager, and where we left off was on the Microsoft Edge app screen. (You can also get here by browsing to Apps -> iOS -> Microsoft Edge)

Clicking on Device Install Status will show the app is now installed on the iPad

IMPORTANT: It can take up to 60 minutes for the installation status to be updated in the portal.
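The assignment and install-status steps in this post and in the Android post above, done through Microsoft Graph instead of the portal. This is an added example, not code from the original posts; it uses the Microsoft.Graph PowerShell SDK against the beta endpoint (per-device install status is only exposed there) and assumes the app was already added in Intune and the signed-in admin holds DeviceManagementApps.ReadWrite.All.

```powershell
# Added example, not code from the original posts: the portal steps above done
# through Microsoft Graph with the Microsoft.Graph PowerShell SDK. Assumes the app
# (Microsoft Edge here) was already added in Intune and that the signed-in admin
# holds the DeviceManagementApps.ReadWrite.All permission.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$apps = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'

# Follow @odata.nextLink so tenants with many apps or devices are read completely.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Match on name AND platform type (the Managed Google Play and App Store entries share
# a display name) and refuse to continue unless exactly one app matches.
function Find-IntuneApp {
    param([string]$DisplayName, [string]$ODataType)
    $hits = @(Get-GraphCollection $apps | Where-Object {
        $_.displayName -eq $DisplayName -and $_.'@odata.type' -eq $ODataType })
    if ($hits.Count -ne 1) { throw "Expected one '$DisplayName' ($ODataType), found $($hits.Count)" }
    return $hits[0]
}

# Same as the portal's "Add all users" under Required. The assign action replaces the
# app's entire assignment list, so list every assignment you want to keep.
function Set-AppRequiredForAllUsers {
    param([string]$AppId, [hashtable]$Settings)
    $assignment = @{
        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
        intent        = 'required'
        target        = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' }
    }
    if ($Settings) { $assignment['settings'] = $Settings }
    Invoke-MgGraphRequest -Method POST -Uri "$apps/$AppId/assign" `
        -Body @{ mobileAppAssignments = @($assignment) }
}

# Equivalent of the app's Device Install Status blade; it can lag the device by up to an hour.
function Get-AppInstallStatus {
    param([string]$AppId)
    Get-GraphCollection "$apps/$AppId/deviceStatuses" |
        Select-Object deviceName, userPrincipalName, installState, lastSyncDateTime
}

# Android post: Managed Google Play app. For the iOS post use '#microsoft.graph.iosStoreApp'
# and pass -Settings @{ '@odata.type' = '#microsoft.graph.iosStoreAppAssignmentSettings';
# uninstallOnDeviceRemoval = $true } to mirror the "Uninstall on device removal" option.
$edge = Find-IntuneApp -DisplayName 'Microsoft Edge' -ODataType '#microsoft.graph.androidManagedStoreApp'
Set-AppRequiredForAllUsers -AppId $edge.id
Get-AppInstallStatus -AppId $edge.id | Format-Table -AutoSize
```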

Intune: Android Corporate Owned Fully Managed MDM Enrollment

I wrote about managing Android devices using Microsoft Intune or Microsoft Endpoint Manager in previous posts, where I described the different ways of using Mobile Device Management (MDM) to manage the Android OS on a smartphone/tablet:

  1. Intune: How to MDM Enroll Android Devices (Personal w/ Work Profile) (Ideal for BYOD)
  2. Intune: Android Kiosk w/ MDM (Corporate-owned Dedicated Devices)

In this third post in my MDM enrollment for Android series, I’m going to describe how to enroll an Android device that is corporate owned and fully managed. This is the type of device an organization owns and issues to a user, where the entire device is managed and controlled. This type of device is not intended to be used for personal reasons.

I’m going to cover how to enroll the device into MDM using Microsoft Endpoint Manager (MEM). I will save management capabilities and configuration of the device for future blogs. I will also not be covering zero touch deployment of Android devices – we’ll save that for a future blog also.

This blog assumes you have already connected Microsoft Endpoint Manager to your Managed Google Play account.

Obtain Enrollment Token

To enroll devices using this method, you will need to obtain an enrollment token from MEM. To do so, log in to https://endpoint.microsoft.com and navigate to Devices -> Android Enrollment -> Corporate-owned, fully managed user devices. This barcode will be scanned by the device later in the instructions.

This barcode can be emailed to users, posted on a helpdesk website, etc., and the users will self-enroll using their credentials. This is how corporate owned devices will be enrolled.

Enroll The Android Device

My Android smartphone has been wiped and reset to factory defaults. Upon powering on, I will connect the device to a Wi-Fi or carrier network and will then be presented with a sign in screen.

At the sign in screen, type afw#setup then tap Next

Wait while the sign in process completes

At Let’s setup your work device tap Accept & Continue and wait while the device loads.

At Enroll this device tap Next

At Scan or enter code scan the barcode you created earlier

Here’s my enrollment token I will scan with the device’s camera

Wait while the device loads

At the sign in screen, sign in with your credentials

At Set up your work phone screen tap Install

Three core apps will be installed on the device:

When the apps have finished installing, tap Next

Tap Start to register the device

At the blue Intune screen tap Sign In

Enter your credentials and tap Sign In

The device will sign in

At Set up Access screen tap Next

The device will register. When complete tap Done

At You’re ready for work tap Done

The home screen will be displayed

The device is now fully managed. For example, opening the Google Photos app shows the red text Your administrator has not given you access to this item

At this point, we can push security policy to the device, in addition to apps – this is configured in Microsoft Endpoint Manager under Device Configuration Profiles and Apps respectively.

To manage the device, within Microsoft Endpoint Manager browse to Devices -> Android -> Android Devices

From here, click on the device, and it will display the management screen for that device.

Intune: How to MDM enroll iOS/iPadOS devices

When it comes to managing iOS and iPadOS devices within the organization, Microsoft Intune (aka Microsoft Endpoint Manager) has the capability to manage these devices via Mobile Device Management (MDM). This allows the operating system (OS) to be managed, fully customizing the device to the organization’s requirements.

Background

For Apple iOS/iPadOS devices specifically (excluding Mac and Apple TV, although they can also be managed), there are two methods that can be used to manage them:

  1. Intune MDM. Through device configuration profiles, Intune can manage settings within the OS, push apps, ensure device compliance is met, remote wipe all data or just business data, etc. The device is typically enrolled by downloading the Company Portal app and the user self-enrolls.
  2. The device can be managed through Apple’s deployment programs (formerly known as the Device Enrollment Program (DEP)): Apple School Manager or Apple Business Manager, which allow it to be “supervised”. This enables additional functionality like GPS tracking when the device is put into “lost mode”, among other (really cool) managed features. For more information see Deployment Reference for iPhone and iPad

IMPORTANT: MDM and Apple Deployment Programs can be combined to provide even greater management of a device, and even to fully automate the provisioning of a device in a “Zero Touch” approach. For more information see Deployment Models. However, I need to stress that the majority of scenarios can be accomplished through just normal MDM enrollment. Review your business requirements to determine which path to go down.

Note: For purposes of this blog, we will only be discussing Intune MDM enrollment for iOS/iPadOS. As much as I would love to show you DEP and Supervision – and even Zero Touch, I don’t have the means necessary to lab this up (it requires a company’s DUNS number, Tax ID and Purchase Order to complete the process with Apple to obtain a business account).

See my blog Intune: How to MDM Enroll Android Devices (Personal w/ Work Profile) for how to MDM manage Android devices.

Setup Intune for Apple Device Enrollment & Management

To allow for Apple devices to be enrolled, we need to configure Intune so that it can properly manage an Apple device. Before we begin I recommend you review this documentation so you have a good understanding of what this entails. Let’s walk through it together.

Note: I will be using Microsoft Endpoint Manager (MEM), which Intune is built into, for this blog. It can be accessed at https://endpoint.microsoft.com

Configure Apple MDM Push Certificate

This starts with setting up the Apple MDM Push Certificate. Within MEM navigate to Devices -> Enroll Devices -> Apple Enrollment and click on Apple MDM Push Certificate:

I have already performed this step in my lab. Simply follow the 5 steps in the wizard to set up the certificate.

IMPORTANT: You do not need a Certificate Authority, nor do you need to worry about creating a certificate yourself. This is a special certificate that Apple will generate for you. Simply download the Certificate Signing Request from the portal, upload it to the Apple tool and then download the certificate.

Once the certificate has been uploaded, you are ready to start managing Apple devices! Note that the other methods we called out, Apple Device Enrollment Program and Apple Configurator, can also be set up on this screen – but for purposes of this blog we will not go into those.

MDM Enroll the Device using Company Portal

Now it’s time to start the MDM enrollment process. For this blog, we will use the Company Portal app to “self enroll”, meaning the end-user will download the Company Portal app from the Apple App Store and will manually enroll the device into Intune MDM.

1. From the Home Screen, launch the App Store app:

2. Download the Company Portal app from the App Store:

3. Launch the Company Portal app:

4. Sign in with your Azure AD credentials

5. Once signed in, you will be presented with the steps required to complete enrollment, tap Begin.

6. At the Device management and your privacy screen, carefully review what the employer can see and not see on a device, and tap Continue

7. Tap Continue on the Setup Contoso Access screen:

8. Tap Allow on the dialog box This website is trying to download a configuration profile. Do you want to allow this?

9. Tap Close on the dialog box Profile Downloaded: Review the profile in Settings app if you want to install it.

Note: This downloaded the MDM profile from Intune, and we will now install that profile on the device.

10. Tap Continue Now on the Download management profile screen

11. On the Setup Contoso access screen, tap Continue

12. On the How to install Management Profile screen, go to the Home Screen on the device.

13. On the home screen, tap Settings

14. Within Settings tap General

15. Tap Profile

16. Tap Management Profile

17. Tap Install

18. Enter your device’s passcode

19. Tap Install to install the profile

20. On Warning tap Install

21. On Remote Management dialog box tap Trust

22. On Profile Installed tap Done

23. Go back to the Company Portal app and on the Allow “Comp Portal” to use your location? dialog box tap Allow while using app

24. At this point the device is now enrolled into Intune MDM, and if there are any apps that are required to be installed – they will start to be pushed down. (note, we have not configured those yet in this blog)

25. On Set up Contoso access tap Continue

26. Intune will now check to see if the device adheres to any compliance policies (note, we have not configured those yet in this blog)

27. From here you can navigate the Company Portal app and see apps that are available for download:

28. Tapping on Devices at the bottom of the screen shows all devices under MDM management for the user:

Here is a PowerPoint or “Click Thru” deck of these screenshots, feel free to download and reuse.

Push apps to iPhone/Android using Microsoft Intune

You may have the need to push an app to iOS (iPhone/iPad) or Android devices that are enrolled into and being managed by Microsoft Intune Mobile Device Management (MDM). For more information about the types of apps supported, and the details, please see this article. For more information about Microsoft Intune, please see this article. Remember, MDM is one component of Intune; it can also perform Mobile Application Management (MAM), or app sandboxing, depending upon the needs of the business.

I want to take a look at how we push apps that are already in the app store (public facing or deep linked) to an end-user’s device that is enrolled into MDM.

First, from within the Azure Portal, I’m going to navigate to Intune -> Client Apps -> Apps and click Add:

From here I will choose iOS as the App type:

Next, clicking Search the App Store I will search for Microsoft Teams and click on Microsoft Teams and choose Select:

 

For App Information, I will leave the defaults and click OK

When finished I will click Add:

Now that the app has been added, it still needs to be assigned. I will next click on Assignments:

 

Next click on Add Group:

Choose the appropriate Assignment Type based on your business scenario. For demo purposes, I will choose Required as this will force the app to be installed when the device is enrolled into Microsoft Intune MDM. More information on Assignment Types can be found here

Clicking on Included Groups, I will select Make this app required for all devices and select Yes. Note, I could assign to just a security group of users if I wish. Then click OK on the Assign blade, and again on the Add Group blade.

Back on the Assignments blade, click Save. Wait 30 minutes for the changes to propagate before proceeding.

Now, let’s enroll the device into Microsoft Intune MDM using the Company Portal app on the iPhone. For more information on enrollment, see this article, or, for mass provisioning of devices using the Apple Device Enrollment Program, click here. Once the device is enrolled into MDM using the Company Portal app, in a few moments the app will start to be pushed down to the device:

Here we can see the app being pushed down, and prompting the user for permissions to install the app.

When the user taps Install we can see the app starting to be installed on the home screen:

Next is when the magic happens. If the user is terminated and a remote wipe (aka Retire) command is issued to the device, all corporate data (anywhere you are signed in with Azure AD credentials) and any required apps will be removed. From the Intune portal, I am going to Retire this device as the user has been terminated from employment:

Wait a few moments for the retire command to be sent to the device:

Here we can see the Microsoft Teams app was removed as a result:

And the Company Portal app has now reverted to the pre-enrollment state, asking the user to enroll the device into MDM:
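The Retire step above, issued through Microsoft Graph rather than the portal and followed by a check that the device record has actually left Intune. This is an added example, not code from the original post; it uses the Microsoft.Graph PowerShell SDK, and the device name 'Contoso-iPhone' is a constructed placeholder.

```powershell
# Added example, not code from the original post: the Retire action shown above,
# issued through Microsoft Graph with the Microsoft.Graph PowerShell SDK, followed
# by a check that the device record has left Intune. 'Contoso-iPhone' is a
# constructed placeholder device name.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'
$devices = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'

# Device names are not unique in Intune, so return every match and let the caller decide.
function Get-ManagedDeviceByName {
    param([string]$DeviceName)
    $filter = [uri]::EscapeDataString("deviceName eq '$DeviceName'")
    return @((Invoke-MgGraphRequest -Method GET -Uri "${devices}?`$filter=$filter").value)
}

# Retire removes company data and Required apps and leaves personal data in place (the
# portal's Retire button). Refuses an ambiguous name rather than retiring the wrong device.
function Invoke-DeviceRetire {
    param([string]$DeviceName)
    $hits = Get-ManagedDeviceByName $DeviceName
    if ($hits.Count -ne 1) { throw "Expected one device named '$DeviceName', found $($hits.Count)" }
    Invoke-MgGraphRequest -Method POST -Uri "$devices/$($hits[0].id)/retire"
    return $hits[0].id
}

# The command is queued until the device next checks in; poll until the record disappears.
function Wait-DeviceRetired {
    param([string]$DeviceName, [int]$TimeoutSeconds = 1800)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if ((Get-ManagedDeviceByName $DeviceName).Count -eq 0) { return $true }
        Start-Sleep -Seconds 60
    }
    return $false
}

Invoke-DeviceRetire -DeviceName 'Contoso-iPhone'
if (Wait-DeviceRetired -DeviceName 'Contoso-iPhone') { 'Device retired' } else { 'Retire still pending' }
```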

Conclusion:

As you can see, it’s simple to push an app to a mobile device, and many configurations exist to accommodate your particular scenario and help you meet your requirements.