Overview
In this article we will cover:
- How automatic application updates work with Devicie
- How automatic assignments work with Devicie's back catalog applications
- Difference between required and available applications
- Benefits and limitations with automatic application updates and assignments
- Enrolment Status Page (ESP) automation
How automatic application updates work with Devicie
Devicie offers a range of services on Intune; one of them is automatic application packaging and assignment.
With the auto-packaging service, Devicie is able to automatically pull the latest version of applications in our Back Catalog directly from the publisher, package it into an Intune app, upload it to customers, and set assignments on the application as per the customer's requirements.
Daily at midnight AEST, pipelines run on Devicie's end, query the most recent version of every application in our back catalog, and cross-check it against the currently packaged version in our records. If a new version is detected on the publisher's side, the pipeline will download the latest version and package it into an Intune application. The pipeline will then upload the latest version to customers who have opted to receive it from Devicie's back catalog.
How automatic assignments work with Devicie's back catalog applications
An assignment worker runs 4 times a day and checks if a new version of an application was packaged since the last run. If a new application version is detected, the worker then checks the below:
- Customers consuming the application
- Delay set on the assignment (min default is 24h)
- Groups the application should be assigned to
- Intent of the assignment (required or available)
- Any exclusions or special conditions requested by the customer or required by the application
After the above details have been captured, the worker then proceeds to send the assignment to customers as per the agreed upon policy with each customer.
Difference between required and available applications
Applications can be assigned to "All Devices", "All Users", a group of users, or a group of devices.
Required applications are installed automatically and do not require action from the end user. Even in the event of an uninstall by the end user, the required application will install again on the device within 8 hours.
Available applications do not install automatically. Instead, they will be available to install through Company Portal. The end user can click on the application and install it on their device.
In order for Devicie to maintain the installation of the most recent updates, available applications are uploaded with an Update_ version of the same app. When a customer requests that an application be assigned as available, Devicie will automatically set the Update_ version of the application as required to the same group as the base app. The Update_ version of the app has a requirement for the base version to be installed before it will install. This allows us to ensure that the application is up-to-date without having to contact end users and ask them to manually install the most recent update from Company Portal. If the base application is not installed, the Update_ version of the app will not detect the requirement on the device and in turn will not install the updated version of the app.
Notes
Applications targeting ESP will need to be assigned with the intent "Required" as user interaction on ESP is blocked.
Applications assigned to devices need to be assigned with the intent "Required". This is because the end user will not be able to see them in their Company Portal in order to install.
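The intent rules above, together with the user/device exclusion limit listed under Limitations, can be checked before an assignment request is raised. The following is an added example, not Devicie's code: the `Request` fields, the target names and the `"Update_" + app` naming are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DEVICE_TARGETS = {"all_devices", "device_group"}

@dataclass
class Request:                  # hypothetical shape of an assignment request
    app: str
    intent: str                 # "required" or "available"
    target: str                 # all_devices | all_users | device_group | user_group
    group: str = ""             # group name when the target is a group
    on_esp: bool = False        # app is deployed during the Enrolment Status Page
    exclusions: list = field(default_factory=list)  # [(kind, group)], kind: "user"/"device"

def validate(req):
    """Return the rule violations for a request; an empty list means it is valid."""
    problems = []
    if req.intent not in ("required", "available"):
        problems.append("intent must be required or available")
    if req.on_esp and req.intent != "required":
        problems.append("ESP apps must be required: user interaction on ESP is blocked")
    if req.target in DEVICE_TARGETS and req.intent != "required":
        problems.append("device assignments must be required: "
                        "the end user cannot see them in Company Portal")
    include_kind = "device" if req.target in DEVICE_TARGETS else "user"
    for kind, group in req.exclusions:
        if kind != include_kind:
            problems.append(f"cannot exclude {kind} group {group} "
                            f"from a {include_kind} assignment")
    return problems

def expand(req):
    """Assignments resulting from a valid request, as (app, intent, target, group)."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    out = [(req.app, req.intent, req.target, req.group)]
    if req.intent == "available":
        # The companion Update_ app is set as required on the same group as the
        # base app; it only installs where the base app is already present.
        out.append(("Update_" + req.app, "required", req.target, req.group))
    return out
```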
Benefits and limitations with automatic application updates and assignments
Benefits
By automating updates and assignments, Devicie can guarantee users are running the most recent version of an application within 24h from its release date, in turn closing any security vulnerabilities and fixing any bugs that the update addresses.
It also provides a source of truth for what applications should be available to end users by re-uploading any application that was accidentally deleted by an admin or intentionally removed by a malicious actor. Our automation will also reassign any missing or changed assignments on the application.
Limitations
Any changes to assignments for applications deployed through Devicie's back catalog need to be requested from Devicie. If a customer changes the assignments manually on the application, our assignment worker will revert it back to the way it's set in our records as per the agreement with the customer.
Back catalog applications cannot have dependency applications. This is a Microsoft limitation. If you need an application to be installed prior to another, we will need to package the application as a Bespoke app. Bespoke applications don't offer auto-updates or auto-assignment capabilities.
We cannot mix assignment inclusions and exclusions between a group of users and a group of devices. If an application is assigned to a group of devices, we cannot exclude a group of users from that assignment. We can, however, set an exclusions filter between devices and users. Please contact Devicie if you need to discuss this approach.
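The source-of-truth behaviour under Benefits and the revert behaviour described above both come down to comparing recorded assignments with what is actually in the tenant. The following added example (not Devicie's code) reports each difference so it can be logged and reviewed; the records follow the shape of Microsoft Graph `mobileAppAssignment` objects, and the app names and group IDs are constructed.

```python
def target_key(assignment):
    """Identify an assignment by its target type and, for groups, the group ID."""
    target = assignment["target"]
    return (target["@odata.type"].rsplit(".", 1)[-1], target.get("groupId", ""))

def drift(recorded, observed):
    """Compare {app: [assignments]} records; return (app, finding, target_key) tuples."""
    findings = []
    for app in sorted(recorded):
        if app not in observed:
            findings.append((app, "app_missing", None))  # deleted from the tenant
            continue
        rec = {target_key(a): a["intent"] for a in recorded[app]}
        obs = {target_key(a): a["intent"] for a in observed[app]}
        for key in sorted(rec.keys() | obs.keys()):
            if key not in obs:
                findings.append((app, "assignment_missing", key))
            elif key not in rec:
                findings.append((app, "assignment_unexpected", key))
            elif rec[key] != obs[key]:
                findings.append((app, "intent_changed", key))
    return findings

# Constructed sample data: the agreed record versus the state read from the tenant.
GROUP = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"
ALL_DEVICES = "#microsoft.graph.allDevicesAssignmentTarget"

RECORDED = {
    "ExampleApp": [{"intent": "required",
                    "target": {"@odata.type": GROUP, "groupId": "group-a"}}],
    "OtherApp": [{"intent": "required", "target": {"@odata.type": ALL_DEVICES}}],
}
OBSERVED = {
    "ExampleApp": [
        {"intent": "available",   # intent was changed by hand
         "target": {"@odata.type": GROUP, "groupId": "group-a"}},
        {"intent": "required",    # exclusion that is not in the record
         "target": {"@odata.type": EXCLUDE, "groupId": "group-b"}},
    ],
    # OtherApp is absent: it was deleted from the tenant
}

if __name__ == "__main__":
    for finding in drift(RECORDED, OBSERVED):
        print(finding)
```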
Enrolment Status Page (ESP) automation
Devicie also offers the ability to automate and maintain your ESP. By automating ESP, we can guarantee that applications deployed during ESP are on the most recent version.
Our ESP worker will cross-check the list of applications being deployed during ESP with the assignments set for the applications. If a new assignment is detected for an application, the worker will update the application ID in the ESP so that the most recent version is installed when enrolling a device.
Much like application assignments, any changes to applications or settings in the ESP need to be requested from Devicie, as manual changes will be reverted to the agreed-upon settings in our records.