Friday, 17 July 2015

Deploying apps to iOS devices with Intune - what you need to know

EMS Landing page

I've noticed a lot of confusion lately regarding app deployment to mobile devices with Microsoft Intune. There have been several threads on TechNet forum and the My IT Forum mailing list about this. People are confused by the different behaviours of apps on the Android and iOS platforms. There is even confusion about the different types of apps when deployed to the iOS platform. Jason Sandys explained it very well on one of those threads:

"Microsoft has no control over this behavior. You must always remember that this is not the Windows OS that we’ve all grown up with in which we can do pretty much anything that we want to. These OSes are locked down and designed for consumer use".

This makes perfect sense. We apply a definite logic to desktop and server management and we want to standardise this management across the platforms. It's pretty straightforward in this case - we can implement a lot of the same features on Windows 7 and Windows 8 for example. We can do the same in the server world - Windows Server 2008 (R2) and Windows Server 2012(R2) can be managed in much the same way. We can use the same System Center Configuration Manager client across all these operating systems. However, now consider Linux and Unix servers. Now we're introducing some variety and we cannot apply the same logic to the management of these devices. We need to install different Configuration Manager clients and the management features that we can implement very much depend on what the platform allows us to do.

Let's now apply this thinking to mobile devices. The platforms are designed very differently by the respective vendors. We can't even install the same Intune Portal on all the devices. How then can we expect to be able to standardise management across the devices? It's simply not possible. Intune can only deliver what the vendors permit.

This is the first of a pair of blog posts about app deployment to mobile devices. I hope you find them useful.

  • Deploying apps to iOS devices with Intune - what you need to know.
  • Deploying apps to Android devices with Intune - what you need to know.
Four types of apps can be deployed to iOS devices via Intune.
  1. Internal line-of-business apps (IPA app packages - side-loaded apps)
  2. Managed App Store apps (Intune Managed apps)
  3. Unmanaged App Store apps (external deep-links to the App Store)
  4. Web Apps (URL bookmarks that appear on the home screen, called Web Clip for iOS 
As we know apps can be deployed to iOS devices in two ways: Required or Available. The user experience for a deployed app is not only dependent on the deployment action but also the app type.

Note that items 1 & 2 above (Internal line-of-business apps & Managed App Store apps) are also deemed to be Corporate Apps.


The table above shows the user experience for all scenarios. There is one odd situation (which caused some of the confusion that I described earlier). Currently, end users cannot install corporate apps (types 1 & 2 above) from the Intune Company Portal app for iOS. This is due to restrictions placed on apps that are published in the iOS App Store. I've previously read this excellent description of the situation:

"Due to the Apple App Store submission guidelines, line-of-business apps deployed through Windows Intune cannot be viewed from the Intune Company Portal app for iOS. When these types of apps are deployed as an optional install, they are only visible from the Mobile Web Portal (MWP) on an iOS device".

You can see all this information in this ConfigMgr Team Blog:

Tutorial: Deploy a web clip on iOS devices that links to the Mobile Web Portal

Also:

"Currently, end users cannot install corporate apps from the Intune Company Portal app for iOS. This is due to restrictions placed on apps that are published in the iOS App Store (see App Store Review Guidelines). Users can access corporate apps (including managed App Store apps and line-of-business app packages) by launching the Company Portal app on their device and tapping the Company Apps tile, which will open the browser and redirect them to the Intune Web Portal".
 
You can find this information on TechNet library:


On 29th June 2015 Microsoft announced the release of an update (version 2.1.0) to the Intune Company Portal for iOS. Read the full release here 

http://blogs.technet.com/b/microsoftintune/archive/2015/06/29/improved-app-catalog-experience-on-ios-for-microsoft-intune-company-portal-users.aspx

Two enhancements have been referenced:

  • Improved app catalog experience for discovering and installing company apps
  • Bug fixes to improve security

What is the first of these enhancements about?
 

There is a brand new “Company Apps” tile on the home page of the Intune Company Portal. Users can now easily access corporate apps by tapping the “Company Apps” tile which will launch the Safari browser and automatically navigate to the Apps browse page of the Company Portal website (portal.manage.microsoft.com). On this page, end-users can view all of the apps available for install on their enrolled iOS device, including line-of-business apps and managed apps from the App Store (such as Microsoft Word and Microsoft OneDrive). Users now do not have to re-authenticate when the Company Portal website is launched in Safari.

So what is the user experience?

I've deployed the following to a test device.

#1: Web App - Required (Gerry Hampson Blog) - Expected behavior: app should be on home screen

#2: Web App - Available (Microsoft Intune Team Blog) - Expected behavior: app should be seen in Company and Web Portals 
#3: Unmanaged App - Available (Skype) - Expected behavior: app should be seen in Company and Web Portals 
#4: Managed App - Available (Excel) - Expected behavior: app should be seen only in Web Portal 
#5: Managed App - Required (Word) - Expected behavior: app should be installed on device and also seen in Web Portal

(I don't have an LOB app for testing).
Note that you cannot deploy an Unmanaged App as "Required".

So let's have a look at the behaviour on the device.

 

See a shortcut for my blog on the Home Screen, accompanied by a very nice logo - perfect. Expected behaviour #1


Now launch the Intune Company Portal. See the Web App (Intune Team blog) and Unmanaged App (Skype) available. Expected behaviour #2 & #3



Now click on Company Apps to open the Intune Web Portal. There is no requirement for further authentication. See all the Apps that have been deployed as "Available" plus the Managed App that has been deployed as "Required". Expected behaviour #2, #3, #4 and #5.


Here comes the Required Managed App. Click to Install.


You have to sign in to the Apple Store with your Apple ID.


The App is installed. Expected behaviour #5

Next time I'll be looking at deploying apps to Android devices with Intune.


Edit: you can find the second blog post here

Deploying apps to Android devices with Intune - what you need to know  




No comments:

Post a Comment