Skip to content

Deployments in Intune

Applications

Equivalent types from CMF:

  • Apply -> Required

  • Publish -> Available

  • Deny -> Uninstall (though we probably won't do these for now)

  • Publish + Install -> no direct equivalent, but a mixture of requirements in a package and Required type can be used.

Packaging apps in Intune

Info

For access to the Intune portal, use your operations (ops) account. For access to the EOS share, use your primary account. For DFS access, most likely your administrative (adm) account has the access, but this may differ from team to team; in case you cannot access it with any account, check with Sébastien, Pablo, or Siavas.

There are three stages for creating an MSI package in CMF:

  1. Obtain the assets required for the package

  2. Prepare the .intunewin package

  3. Publish in Intune

1. Obtain the assets required for the package

This includes installation commands, requirements for installation, custom criteria, installation files, and so on.

We can obtain them either from the Internet or from previous packages in Intune or CMF.

To obtain these in Intune, go to the Intune homepage > Apps > Windows, then Search by name or publisher, then click on the relevant app, then go to Properties. All sections will be shown there, and you can click on Edit to see exactly how they were set up.

Example: Paint.NET

Our file assets need to be organised in a way that the package in Intune will contain only the files we absolutely need. For example, a PowerShell script calling an MSI, or an MSI and an MST file. Scripts like "DoNothing" or unused scripts should not be copied over.

Organise your Intune packaging folder as follows:

Info

You can access EOS either by browsing to \eosproject-smb\eos on your PC in Explorer, or by using the web interface and the following link: https://cernbox.cern.ch/files/spaces/eos/project/w/windows/Intune/Packaging.

We are using the \\eosproject-smb\eos\project\w\windows\Intune\Packaging for keeping all assets in one place, like we do in DFS.

Organise your software folder as follows: Intune\Packaging\Staging\<SoftwareName>\<version>

This will be the folder that will be compresssed and packaged as an .intunewin file later.

For any other assets like the logo to be used, save them to Intune\Packaging\Staging\<SoftwareName>\Assets

For example, Paint.NET version 5.1: - Create folder Intune\Packaging\Staging\Paint.NET\5.1.1 and save the MSI in it (which can be obtained from \\cern.ch\dfs\Applications\paintnet\5.1)

  • Take note somewhere of package properties in CMF like installation/uninstallation command & options, OS requirement, etc.

2. Prepare the .intunewin package

With the assets in place, we can now prepare the .intunewin package to be later uploaded in Intune.

  • If you don't have it already, download the IntuneWinAppUtil tool from here, by clicking on Source Code (zip) and unarchiving.

  • With PowerShell/Command Prompt, browse to the path where you downloaded the tool, and execute: .\IntuneWinAppUtil.exe. A wizard will commence.

  • For the source folder, specify the full path without quotes, like: \\eosproject-smb\eos\project\w\windows\Intune\Packaging\Staging\Paint.NET\5.1

  • For the setup file, provide the MSI filename (without the path) or the PowerShell script if there is one. For example: PaintDotNet_x64.msi

  • For the output folder, provide the Output path for this Software and version in a format similar to: \\eosproject-smb\eos\project\w\windows\Intune\Packaging\Output\Paint.NET\5.1. If prompted to create a new folder, confirm with "Y".

  • For the "specify catalog folder" choice, enter "N".

An .intunewin package will therefore be created.

3. Publish in Intune

  • With your admin account, go to https://intune.microsoft.com/ and browse to Apps > Windows on the sidebar.

  • Click on Add and select Windows app (Win32), then click Select

  • Click on the "Select app package file" and choose the .intunewin file we just created

  • Provide the releavnt information for the package, which will all be shown to the user when they check this app. You are encouraged to provide at least the following properties: Name, Description, Publisher, App Version, Category, Information URL, Privacy URL, and Logo (which can be obtained onlnie, prioritise PNGs with transaparent backgrounds of ideally more than 400px width)

  • In the Install Command, either leave the default (for MSI it should be filled automatically), or change according to how it was set up in DFS. NOTE: Do not use a DFS path for the installation. Always use local paths (meaning you only need to provide the relative path to the file in your intunewin package) For example, for the Paint.NET 5.1 package, the path will be simply "PaintDotNet_x64.msi"

  • In the Uninstall Command, leave the default or change according to CMF if needed (especially if the Product Code echanges and you want to reference the uninstaller path instead).

  • Choose if you wish the uninstallation to be made possible from the Company Portal, and the installation will be system-wide or for the user only.

  • Leave the restart properties as default unless you know you need to change them. Click Next.

  • In the OS architecture, it is recommended to provide 64-bit only. Minimum operating system can be the first one (1607). Provide other requirements such as disk space required (which is a hard limit, unlike in CMF where it is only informational). File or registry requirements can be added using the "additional requirement rules" section. More complex requirements can be added as a PowerShell script. Click Next.

  • For detection rules, unless needed otherwise, choose Manually configure detection rules, click Add, and choose MSI. The ProductCode should be automatically filled in. It is recommended to enable MSI product version check too, by using the greater than or equal to operator and providing the version of this software as the value (eg., 5.1)

  • Click Next, then skip the Dependencies and Supersedence parts.

  • in Assignments, for making an app available to all users in the Company Portal, under Available for enrolled devices choose Add all devices. Change any other properties if needed. Click Next.

  • Review the Summary page and click on Create to create this package in Intune. NOTE: You now need to wait on this page for the package to be uploaded, when you will be notified in the top right corner. If you do not wait on this page, the package may not finish uploading. The tab doesn't need to be active, it can be left in the background.

  • Once the package is confirmed as uploaded, go to Company Portal, where you will see the package you just created.