Tuesday, 23 February 2016

Configuration Manager (Current Branch) On premise MDM - deploying apps


Configuration Manager 1511 introduced us to on premise MDM. Windows 10 devices can now be managed as mobile devices using an on premise infrastructure only (although Microsoft Intune is still required for licensing). This is made possible by using the OMA-DM channel. I've previously blogged about this here. Remember that only Windows 10 devices are supported.

After you enrol Windows 10 computers to the on premise infrastructure, you will be able to deploy apps to the devices. Three app types can be deployed to devices managed in this way:

1. Web Applications (from Windows Store)
2. 32-bit MSI apps
3. Windows app packages - Line of Business (appx)

Let's have a look at the requirements for each of these app deployments. 1 & 2 are really straightforward. 3 is a little more complex. I haven't deployed this in my lab yet but I've listed the high level steps below. It's on my list of "things to do".

1. Web Applications

This couldn't be easier. I chose Dropbox from the Windows Store as an example. Launch the "Create Application" wizard as normal.

Choose the Web Application deployment type. Enter the URL for the store app.

The app must be deployed as "Required". Remember there is no need to distribute this app.

I don't want to wait for the on prem client to refresh policy so I manually "Sync" (Settings > Accounts > Work Access).

Dropbox is installed almost immediately.

A successful installation is reported.

There are two conditions associated with the deployment of this app type:
  • must be deployed as "Required"
  • can only be deployed to Device collections

2. 32-bit MSI apps

This is also very straightforward to implement. It's a similar process to the one we use to deploy MSI apps to full ConfigMgr clients.

Choose "Windows Installer through MDM (*.msi)" as the deployment type, then enter the path to the MSI. I'm testing with the Now Micro Right Click tools.

Remember that you have to distribute the content. Just for kicks, I distributed to an HTTP DP in the first instance.

The client just waited for content before timing out. Then I distributed to my HTTPS DP.

The app installed as soon as I refreshed the policy on the device (Sync).

Note that it will take a further sync for the deployment to be reported as successful by ConfigMgr.

The conditions associated with the deployment of this app type are:
  • only 32-bit MSI apps are supported
  • single MSI file only
  • content must be distributed to an HTTPS distribution point (configured to allow requests from mobile devices)
  • must be deployed as "Required"
  • can only be deployed to Device collections

3. Windows app packages - Line of Business

This type of app is a little trickier to deploy. The process is as follows:

  • Create your LOB app (typically appx)
  • Sign the app with the Enterprise Code Signing certificate
  • Distribute the content to an HTTPS distribution point (configured to allow requests from mobile devices)
  • Deploy the app to a device collection (must be "Required")

  • Enable sideloading (computer settings or registry)
  • Install app code signing certificate (manual, certificate profile or provisioning package)
  • Wait for computer to refresh policy or manually "Sync" (Settings > Accounts > Work Access)
  • App is installed and should appear in the start menu
  • You can also verify using the Get-AppxPackage PowerShell cmdlet

Note that the deployment of appx apps is still a work in progress. The Configuration Manager console might show an error for the application deployment status even if the application is successfully installed on the device.
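
Since the console status can't be fully trusted for appx deployments, it helps to check the prerequisites and the result on the device itself. The script below is an added example, not something from my lab or from Microsoft; the package path and name are constructed placeholders, and it assumes the signing certificate was installed in the Local Machine Trusted People store (yours may instead chain to a trusted root).

```powershell
# Added example: device-side checks for a sideloaded LOB appx. Run elevated.
# $AppxPath and $PackageName are hypothetical placeholders (constructed values).
param(
    [string]$AppxPath    = 'C:\Temp\ContosoLob.appx',
    [string]$PackageName = '*ContosoLob*'
)

function Test-SideloadingEnabled {
    # Sideloading is on when AllowAllTrustedApps = 1 under the Group Policy
    # key or under the key written by Settings > "For developers".
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
        if ($prop -and $prop.AllowAllTrustedApps -eq 1) { return $true }
    }
    return $false
}

function Get-AppxSignerStatus {
    param([string]$Path)
    # Status is 'Valid' only when the signature verifies AND the device
    # trusts the signing certificate; anything else points to a trust gap.
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }
    [pscustomobject]@{
        Status          = $sig.Status
        Subject         = if ($cert) { $cert.Subject } else { $null }
        # Assumption: the signing cert lives in Local Machine > Trusted People.
        InTrustedPeople = [bool]($thumb -and (Test-Path "Cert:\LocalMachine\TrustedPeople\$thumb"))
    }
}

$signer    = if (Test-Path $AppxPath) { Get-AppxSignerStatus -Path $AppxPath } else { $null }
$installed = Get-AppxPackage -Name $PackageName -AllUsers -ErrorAction SilentlyContinue

# One summary object: prerequisites first, then the install result.
[pscustomobject]@{
    SideloadingEnabled    = Test-SideloadingEnabled
    SignatureStatus       = if ($signer) { $signer.Status } else { 'PackageFileNotFound' }
    SignerSubject         = if ($signer) { $signer.Subject } else { $null }
    SignerInTrustedPeople = if ($signer) { $signer.InTrustedPeople } else { $false }
    InstalledVersion      = if ($installed) { $installed.Version } else { 'NotInstalled' }
}
```

A signature status other than Valid with sideloading enabled usually means the code signing certificate has not reached the device yet.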

I hope that this blog post has been helpful. I wanted to give you a sense of what is possible using on premise MDM with Configuration Manager. Big things are expected in this space.

Until next time.....
