You may have the need to push an app to iOS (iPhone/iPad) or Android devices that are enrolled into and being managed by Microsoft Intune Mobile Device Management (MDM). For more information about the types of apps supported, and the details please see this article. For more information about Microsoft Intune, please see this article. Remember, MDM is one component of Intune, it can also perform Mobile Application Management (MAM) or app sandboxing, depending upon the needs of the business.
I want to take a look at how do we push apps that are already in the app store (public facing or deep linked) to an end-user’s device that is enrolled into MDM.
First, from within the Azure Portal, I’m going to navigate to Intune -> Client Apps -> Apps and click Add:
From here I will choose iOS as the App type:
Next, clicking Search the App Store I will search for Microsoft Teams and click on Microsoft Teams and choose Select:
For App Information, I will leave the defaults and click OK
When finished I will click Add:
Now that the app has been added, it still needs to be assigned. I will next click on Assignments:
Next click on Add Group:
Choose the appropriate Assignment Type based on your business scenario. For demo purposes, I will choose Required as this will force the app to be installed when the device is enrolled into Microsoft Intune MDM. More information on Assignment Types can be found here
Clicking on Included Groups, I will select Make this app required for all devices and select Yes. Note, I could assign to just a security group of users if I wish. Then click OK on the Assign blade, and again on the Add Group blade.
Back on the Assignments blade, click Save. Wait 30 minutes for the changes to propagate before proceeding.
Now, let’s enroll the device into Microsoft Intune MDM using the Company Portal app on the iPhone. For more information on enrollment, see this article, or using Apple Device Enrollment Program click here for mass provisioning devices. Once the device is enrolled into MDM, using the Company Portal App, in a few moments the app will start to be pushed down to the device:
Here we can see the app being pushed down, and prompting the user for permissions to install the app.
When the user taps Install we can see the app starting to be installed on the home screen:
Next, is when the magic happens. If the user is terminated, and a remote wipe (aka Retire) command is issued to the device – all corporate data (anywhere you are signed in with Azure AD credentials) and any required apps, will be removed. From the Intune portal, I am going to Retire this device as the user has been terminated from employment:
Wait a few moments for the retire command to be sent to the device:
Here we can see the Microsoft Teams app was removed as a result:
And the Company Portal app is now reverted back to the pre-enrollment state, asking the user to enroll the device into MDM:
As you can see, it’s simple to push an app to a mobile device, and based on the scenario many configurations can exist to accommodate that scenario to help you meet your requirements.