Intune-app-wrapping-tool-mac


In this month’s post I focus on app approval processes when utilizing MEM Intune. Customers I work with are always interested in how to streamline or integrate admin and end user processes. Software approval is no exception.

During the course of my career I’ve interacted with many customers who come up with processes to accomplish tasks such as software approval. IT processes may be manual or automated and they all utilize a variety of tools such as email, Excel files, online apps, and home grown solutions.

Microsoft Endpoint Manager (MEM) Configuration Manager (MEMCM) has software approval built in via “Application Requests”, which organizations may leverage as shown in the image below.

However, if you’re utilizing Intune only or hosting Win32 apps in Intune (vs in MEMCM) and you’d like to maintain a software approval process for applications that only live in Intune, I’ll show you how to do this using SharePoint, Graph, and Power Automate.


Requirements

  • SharePoint Online
  • Power Automate
  • Intune
  • Microsoft Graph
  • Win32 apps uploaded to Intune

Let’s get started!

One thing to note is that the app approval process outlined here may be used for any software: iOS, Android, macOS, and Windows. For this post, I chose to focus on Win32 apps because some Win32 apps require licenses and some organizations tightly control what software may be installed on devices, so they may want granular control of app approval/installation.

SharePoint

Building an app catalog data model using a SharePoint list

First we need to create an application catalog. We can do this by creating a SharePoint list to store the apps we’ll query for using Graph in a later step. The list I created is shown below:

  • AppName – stores the name of the app
  • Win32AppID – stores the app ID pulled from Intune
  • appPackageType – type of app package – e.g. Win32
  • userGroupID – group assigned to the app

Note: you can name the columns anything you like.

Let’s take a moment to focus on the userGroupID as this has a special purpose. Apps may be assigned to multiple groups, so the question is how do we know which group is the right group? There are multiple methods to go about accomplishing this, however I chose to create a special group in Azure AD dedicated to software requests. Details of how this is accomplished with Power Automate are shown in a step below under Power Automate.


Creating a software approval SharePoint list

We’ll need a process to request software and I complete this in SharePoint as well by creating another list with the following attributes:

  • Win32 App Name – Lookup field from the App Catalog we created in the previous step.
  • AppName:Title – Lookup field from the App Catalog we created in the previous step.
  • AppName:Win32AppID – Lookup field from the App Catalog we created in the previous step.
  • AppName:appPackageType – Lookup field from the App Catalog we created in the previous step.
  • Win32 App Name:userGroupID – Lookup field from the App Catalog we created in the previous step.
  • Date needed by – custom column created in the list.

In the request form we only need two items, “Win32 App Name” and “Date needed by” since the other lookup items will be pulled over automatically when the form is saved:

After stepping through the request process, below is what a request will look like in SharePoint:

Power Automate

Importing the Intune app catalog

Once we have all of the columns created in the SharePoint list we need to populate the list with existing software and delta updates as new software is added.

In the Power Automate process below we can manually trigger or set a recurrence to run it on a regular basis.

  1. HTTP action uses Graph to pull all the apps from Intune.
  2. We then parse the JSON. To get the schema, run the Graph query in Graph Explorer, then select “Generate from sample” in the Parse JSON action and paste the JSON output into it.
  3. Then Filter the apps to only select the Win32 apps.
  4. Next add an action to create an Azure AD group for every Win32 app returned (I prepend my groups with AG- (AG=Auto Generated)).
  5. Next we need to remove the first three characters of the name because I don’t want users to see “AG-appname”, as the “AG” is meaningless to them. We do this by using compose actions. The substring in the second compose action looks like the following: substring(outputs('Compose'),3,sub(length(outputs('Compose')),3))
  6. In the final step of the Flow, I create SharePoint items for every Win32 app returned using the dynamic attributes available. Use the “Compose 2” output for the title of the app.

Note: if you’d like to add a recurrence and run the Flow periodically, you’ll need to add a step to check if the software exists already. This can be done by adding a condition to check the app ID in Intune against the app ID in the SharePoint app catalog.
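The import steps and the recurrence check above, sketched in Python as an added example (not part of the original post or its flow). The response body is a constructed sample shaped like the Graph mobileApps listing, and the `groupName` field and function names are hypothetical; in the flow the list stores the ID of the created group.

```python
import json

WIN32_TYPE = "#microsoft.graph.win32LobApp"  # @odata.type Graph reports for Win32 apps
GROUP_PREFIX = "AG-"                         # the post's "Auto Generated" prefix

# Constructed sample shaped like a GET /deviceAppManagement/mobileApps response.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.win32LobApp", "id": "00000000-0000-0000-0000-000000000001", "displayName": "Contoso Viewer"},
  {"@odata.type": "#microsoft.graph.iosStoreApp", "id": "00000000-0000-0000-0000-000000000002", "displayName": "Contoso Mobile"},
  {"@odata.type": "#microsoft.graph.win32LobApp", "id": "00000000-0000-0000-0000-000000000003", "displayName": "Contoso CAD"},
  {"@odata.type": "#microsoft.graph.win32LobApp", "id": "00000000-0000-0000-0000-000000000004"}
]}
""")


def display_title(group_name):
    """Same result as substring(x, 3, sub(length(x), 3)): drop the 3-character prefix."""
    if not group_name.startswith(GROUP_PREFIX):
        raise ValueError("unexpected group name: " + group_name)
    return group_name[len(GROUP_PREFIX):]


def plan_catalog_import(response, existing_app_ids):
    """Return the catalog rows to create, skipping apps already in the catalog."""
    seen = set(existing_app_ids)
    rows = []
    for app in response.get("value", []):
        if app.get("@odata.type") != WIN32_TYPE:
            continue  # step 3: keep Win32 apps only
        app_id, name = app.get("id"), app.get("displayName")
        if not app_id or not name or app_id in seen:
            continue  # malformed entry, or already imported on an earlier run
        seen.add(app_id)
        group_name = GROUP_PREFIX + name  # step 4: one group per app
        rows.append({
            "AppName": display_title(group_name),  # step 5: what users see
            "Win32AppID": app_id,
            "appPackageType": "Win32",
            "groupName": group_name,  # hypothetical field; the list stores the group's ID
        })
    return rows


if __name__ == "__main__":
    for row in plan_catalog_import(SAMPLE_RESPONSE, {"00000000-0000-0000-0000-000000000003"}):
        print(row)
```

Passing the app IDs already in the catalog as `existing_app_ids` makes a recurring run create rows (and groups) only for newly added apps.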

When the Power Automate flow is run the custom SharePoint app catalog will be populated as shown below:

Creating the application approval process

Below is the full Power Automate process and it may look complex, however it’s quite simple. Here are the high-level steps:

  1. We start with a trigger when a SharePoint item is created in the app approval request list.
  2. Next we go on to start an approval process action and wait for a response.
  3. We then query Azure AD for the user using the information about the user collected in SharePoint (it’s the same AAD user).
  4. Next we query the group assigned to the Win32 app (this is the same group created during the app catalog generation process in the steps above).
  5. When a request is approved or declined there are two paths to go down:
    • For approved requests, we travel down the “Yes” path and introduce a condition to check if the group is empty. If it is, we proceed to add the user to the group and send the user an email that their request has been approved (or a message in Teams or whatever you want to do). The “No” branch of that condition tells us there are members in the group, so we perform another conditional check to see if the user already exists in the group. If the user exists, we send an email stating so with instructions on what to do next. If the user does not exist in the Azure AD group, we add the user to the group and send the user an email stating their request has been approved.
    • For declined requests, we travel down the “No” path and simply send the user a mail with the comments of why their request wasn’t approved.

If you’re curious about the expression used to check if the Azure AD group is empty, it is: empty(body('Get_group_members_2')?['value'])
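The branch logic of the approval flow, written out in Python as an added example (not taken from the original post). The member listings are constructed samples shaped like a Graph group-members response, the action names are hypothetical labels, and treating a missing body or missing `value` key as an empty group is a choice made in this sketch.

```python
def group_is_empty(members_body):
    """Counterpart of empty(body('Get_group_members_2')?['value']).

    In this sketch a missing body, a missing 'value' key and an empty
    list all count as an empty group.
    """
    return not (members_body or {}).get("value")


def decide(approved, members_body, user_id):
    """Walk the flow's branches and return (action, add_user_to_group)."""
    if approved is not True:
        # Anything other than an explicit approval never changes membership.
        return ("mail_declined_with_comments", False)
    if group_is_empty(members_body):
        return ("mail_approved", True)
    member_ids = {m.get("id") for m in members_body["value"]}
    if user_id in member_ids:
        # Already a member: no second add, just tell the user what to do next.
        return ("mail_already_member", False)
    return ("mail_approved", True)


# Constructed samples shaped like GET /groups/{id}/members response bodies.
EMPTY_GROUP = {"value": []}
POPULATED_GROUP = {"value": [{"id": "user-0001"}, {"id": "user-0002"}]}


def run_samples():
    """One call per path through the flow, in the order the post describes them."""
    return [
        decide(True, EMPTY_GROUP, "user-0003"),       # approved, group empty
        decide(True, POPULATED_GROUP, "user-0001"),   # approved, already a member
        decide(True, POPULATED_GROUP, "user-0003"),   # approved, not yet a member
        decide(False, POPULATED_GROUP, "user-0003"),  # declined
    ]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```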

Win32 app approval process video walkthrough

The video below demonstrates an app approval process end-to-end:

Conclusion

That’s it. To conclude, we created an app catalog in SharePoint and, using Power Automate, imported Win32 apps from Intune to the app catalog and created a unique Azure AD group for each app. Next we created a software request portal in SharePoint that references the app catalog. Finally we built out the Power Automate process for the software approval process. If you’d like, you can expand this app approval process across all platforms.