Microsoft endpoint manager, the offspring of Intune and Configuration Manager, is used to manage an organization's devices and applications deployed to those devices. Endpoint manager inherits much of its mobile functionality from Intune, and as such, Microsoft appears to use the two terms interchangeably. Intune accommodates two overlapping modes of operation. One is device management, where devices are enrolled, giving complete control over users' devices, while the other, app management mode, enables you to deploy and manage specific apps on devices. 

Device management is typically employed when users are issued with company-provided hardware. Devices may operate over a secure VPN. Users will have a specific or restricted set of applications deployed to their devices. Users and devices will adhere to the organization's security and governance policies.

Application management is used in a BYOD, bring-your-own-device scenario. An organization cannot have full control over the device, but mobile app management can target specific apps, protecting their data and controlling aspects of their behavior.

Overlayed on these two management modes are four application types. Store apps are sourced from either the Microsoft store, Apple app store, or Google play store. Custom apps are typically in-house line of business applications or third-party apps not available through any app store. In the context of Intune and devices, web apps are URLs pointing to SPA apps or traditional websites. Microsoft service apps are online office apps or Azure AD Enterprise apps registered and assigned in Microsoft endpoint manager admin center.

Intune deploys store apps on devices, and updates are handled automatically. Custom apps are deployed from supplied installation files, with updates handled internally by the application or manually pushed out through the endpoint manager. As I said, web apps are URLs deployed as shortcuts with automatic updates. Microsoft service apps are essentially web apps as far as installation is concerned. 

Microsoft endpoint manager enables extensive app management and protection in both enrolled device and app-only modes. You can alter an app's functionality and settings where the app supports configuration through the Intune SDK or the App Wrapping Tool. In a managed device scenario, you can specify how the app interacts with the device and which of the device's capabilities it can access. 

Each platform vendor offers volume or business licensing programs to make purchasing and managing multiple app instances more efficient. Apple has the volume purchasing program for business. Unlike regular or retail Android apps from the Google Play store, Android Enterprise apps are sourced from the Managed Google Play store. Before deploying an enterprise Android app, you must select and approve it from the Managed Google Play store. Intune can connect to the Microsoft Store for Business which offers volume-purchasing and app management. 

When assigning apps from an app store, specifically in a BYOD or app-managed mode, be aware that users need to have an account with the store before the app can be installed on their device. Another more general consideration is ensuring that any app dependencies are installed. For example, if you distribute reading material like an eBook, does the device have the iBooks app or Kindle already installed?

When deploying custom line-of-business apps, installation files are stored in the cloud. A trial endpoint manager subscription comes with 2GB of cloud storage, while a full subscription has unlimited storage. All custom app installation files must be in the same folder, with no one file bigger than 8GB.

If your organization has many applications, you may want to categorize them to make them easier to find within the company portal. When setting up an app for deployment, you can assign a predefined category or create your own categories.