Publishing Applications With Microsoft Endpoint Manager looks at what's involved when publishing apps to fully managed and BYOD devices. This course examines how to publish and deploy different app types and how to use Microsoft Endpoint Manager to implement application configuration and protection. We see what an app needs to support configuration and protection policies, what those policies offer in the way of data protection, and how a policy can configure an app's access to a mobile device's hardware and capabilities. While the course's primary focus is deploying apps to mobile devices through app stores, we also look at using Endpoint Manager to publish a custom in-house app to a desktop client.

Learning Objectives

  • Overview of app publishing scenarios
  • Learn about app protection policies and how to create one
  • Learn about app configuration policies and how to create one
  • Publish a custom line-of-business app to a Windows client
  • See how to investigate deployment issues

Intended Audience

  • Students working towards the MS-101 Microsoft 365 Mobility and Security exam
  • Those wanting to learn how to use Microsoft Endpoint Manager to publish and deploy applications


Prerequisites

  • There are no prerequisite courses needed to take this course

Microsoft Endpoint Manager, the offspring of Intune and Configuration Manager, is used to manage an organization's devices and applications deployed to those devices. Endpoint Manager inherits much of its mobile functionality from Intune, and as such, Microsoft appears to use the two terms interchangeably. Intune accommodates two overlapping modes of operation. One is device management, where devices are enrolled, giving complete control over users' devices, while the other, app management mode, enables you to deploy and manage specific apps on devices.

Device management is typically employed when users are issued with company-provided hardware. Devices may operate over a secure VPN. Users will have a specific or restricted set of applications deployed to their devices. Users and devices will adhere to the organization's security and governance policies.

Application management is used in a BYOD (bring-your-own-device) scenario. An organization cannot have full control over the device, but mobile app management can target specific apps, protecting their data and controlling aspects of their behavior.

Overlaid on these two management modes are four application types. Store apps are sourced from either the Microsoft Store, Apple App Store, or Google Play Store. Custom apps are typically in-house line-of-business applications or third-party apps not available through any app store. In the context of Intune and devices, web apps are URLs pointing to SPA apps or traditional websites. Microsoft service apps are online Office apps or Azure AD Enterprise apps registered and assigned in Microsoft Endpoint Manager admin center.

Intune deploys store apps on devices, and updates are handled automatically. Custom apps are deployed from supplied installation files, with updates handled internally by the application or manually pushed out through Endpoint Manager. As I said, web apps are URLs deployed as shortcuts with automatic updates. Microsoft service apps are essentially web apps as far as installation is concerned.

Microsoft Endpoint Manager enables extensive app management and protection in both enrolled device and app-only modes. You can alter an app's functionality and settings where the app supports configuration through the Intune SDK or the App Wrapping Tool. In a managed device scenario, you can specify how the app interacts with the device and which of the device's capabilities it can access.

Each platform vendor offers volume or business licensing programs to make purchasing and managing multiple app instances more efficient. Apple has the volume purchasing program for business. Unlike regular or retail Android apps from the Google Play store, Android Enterprise apps are sourced from the Managed Google Play store. Before deploying an enterprise Android app, you must select and approve it from the Managed Google Play store. Intune can connect to the Microsoft Store for Business which offers volume-purchasing and app management. 

When assigning apps from an app store, specifically in a BYOD or app-managed mode, be aware that users need to have an account with the store before the app can be installed on their device. Another more general consideration is ensuring that any app dependencies are installed. For example, if you distribute reading material like an eBook, does the device have the iBooks app or Kindle already installed?

When deploying custom line-of-business apps, installation files are stored in the cloud. A trial Endpoint Manager subscription comes with 2 GB of cloud storage, while a full subscription has unlimited storage. All custom app installation files must be in the same folder, with no one file bigger than 8 GB.

If your organization has many applications, you may want to categorize them to make them easier to find within the company portal. When setting up an app for deployment, you can assign a predefined category or create your own categories.

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.