How to Deploy Apps from the Enterprise App Catalog In Intune

In this post, I will show you how to deploy applications from the Enterprise App Catalog in Microsoft Intune, using both the web portal and Microsoft Graph PowerShell.

What is the Enterprise App Catalog?

The Enterprise App Catalog is a Microsoft solution to simplify the lifecycle of managing first and third-party applications with a pre-packaged catalog of apps from the Intune platform.

The goal of the solution is to help reduce the time and effort administrators spend packaging, deploying and maintaining applications on their end devices, from large software packages to smaller utility-style apps.

Intune administrators will be able to deploy apps in a few clicks and have a clear view of any apps that need updating.

Deploy apps from the Enterprise App Catalog

1. Log in to https://intune.microsoft.com/

2. Select Apps > Windows > Add.

3. From the App type drop-down box, select Enterprise App Catalog app.

4. Click Search the Enterprise App Catalog, select an app from the list and click Next. I have selected WinSCP.

WinSCP Enterprise App Catalogue

5. The Configuration tab will show you the available app types, including language, architecture and version. While some may have multiple options, many apps will only show you the latest version, depending on the vendor. Click Select.

Enterprise app catalogue configuration

6. Leave the settings on the App information page as default unless you want to make it available from the Company Portal app, then click Next.

7. On the Program page, the information has been pre-filled. You can leave this as the default unless you want to remove the option for the user to uninstall the app.

Enterprise app catalogue app program settings

8. The same goes for the Requirements page, which has already been completed by the vendor; just click Next.

9. The Detection settings page has also been pre-filled. For the WinSCP app, it simply looks for the current version of the .exe file.

Enterprise app catalogue detection settings

10. On the final page, click Add app.

11. You will notice no option for Assignments during the wizard. You must go back to your app and assign it to your target users or devices.

Deploy apps from the Enterprise App Catalog with PowerShell

You can also deploy Enterprise App Catalog apps using Microsoft Graph PowerShell. Although there are no dedicated cmdlets for this, we can work around that using Invoke-MgGraphRequest.

Below I have created a small function which uses the /beta/deviceAppManagement/mobileAppCatalogPackages endpoint to find each catalog app, then the /beta/deviceAppManagement/mobileApps/convertFromMobileAppCatalogPackage endpoint to automatically prepare the information to submit and create the app in Intune.

Use the code below to deploy one or more applications to Intune from the Enterprise App Catalog at once.

Connect-MgGraph -Scopes DeviceManagementApps.ReadWrite.All

Function DeployCatalogApps {

    Param(
        [string[]]$Apps = "WinSCP"
    )

    Foreach ($CatalogApp in $Apps) {

        #Get the catalog app (the first package returned for that name)
        #Single quotes are doubled so the name cannot break out of the OData filter string
        $FilterName = $CatalogApp.Replace("'", "''")
        $GetUri = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCatalogPackages?`$filter=productDisplayName eq '$FilterName'"
        $RetrievedApp = Invoke-MgGraphRequest -Method GET -Uri $GetUri -OutputType PSObject | Select-Object -ExpandProperty Value

        #Skip names that return no catalog package instead of failing on an empty result
        if (-not $RetrievedApp) {
            Write-Warning "No catalog app found with the name '$CatalogApp'"
            continue
        }
        $SelectedApp = @($RetrievedApp)[0]

        Write-Host "Attempting to deploy catalog app: $($SelectedApp.productDisplayName) v:$($SelectedApp.versionDisplayName)"
        Write-Host "Converting to mobile app"

        #Convert the catalog package to a mobile app and drop the properties that cannot be submitted
        $ConUri = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/convertFromMobileAppCatalogPackage(mobileAppCatalogPackageId='$($SelectedApp.id)')"
        $MobApp = (Invoke-MgGraphRequest -Uri $ConUri -Method GET -OutputType PSObject) | Select-Object * -ExcludeProperty "@odata.context", id, largeIcon, createdDateTime, lastModifiedDateTime, owner, notes, size, minimumSupportedOperatingSystem, minimumFreeDiskSpaceInMB, minimumMemoryInMB, minimumNumberOfProcessors, minimumCpuSpeedInMHz

        #-Depth keeps nested objects from being truncated at the default depth of 2
        $AppPayload = $MobApp | ConvertTo-Json -Depth 10

        #Deploy the catalog app
        $DeployUri = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps"
        Invoke-MgGraphRequest -Method POST -Uri $DeployUri -Body $AppPayload -ContentType "application/json"

    }
}

DeployCatalogApps -Apps "WinSCP", "7-Zip"

Application updates

Each application deployed from the Enterprise App Catalog is self-updated. This means that whenever the vendor releases an update to said application, it will both be published to the Enterprise App Catalog and be available to update from the Intune portal quickly. Follow the steps below to update an application from the Intune portal.

1. Log in to https://intune.microsoft.com/

2. Select Apps, then under Other, select Updates for Windows (Win32) catalog apps.

Updates for Enterprise app catalog apps

3. From this page, you will see a list of all available application updates. Select the 3-dot menu option next to the app you wish to update and click Update app.

Update apps wizard

4. This will launch the same wizard you saw earlier, but this time the latest version of the application will already be selected and the supersedence option will be pre-filled.

5. Click through the wizard, leaving the options as default and create your app. You will need to assign the application to your users or devices like you did before. Ensure you select the same assignments as the previous app.
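Both the wizard and the DeployCatalogApps function create the app without assignments, and an updated app needs the same assignments as the version it supersedes. The following added example (not code from the original post) copies them over Microsoft Graph, assuming an existing Connect-MgGraph session with DeviceManagementApps.ReadWrite.All; the function name Copy-IntuneAppAssignments and the IDs in the sample call are hypothetical.

```powershell
# Added example, not part of the original post. Assumes Connect-MgGraph has already been run.
function Copy-IntuneAppAssignments {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid]$SourceAppId,   # app that is currently assigned
        [Parameter(Mandatory)][guid]$TargetAppId    # newly created app or new version
    )

    $Base = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps"

    # Read the assignments of the existing app
    $Existing = Invoke-MgGraphRequest -Method GET -Uri "$Base/$SourceAppId/assignments" -OutputType PSObject |
        Select-Object -ExpandProperty value

    if (-not $Existing) {
        Write-Warning "Source app $SourceAppId has no assignments; nothing to copy."
        return
    }

    # Keep only intent, target and settings; drop server-generated fields such as id
    $Assignments = foreach ($a in $Existing) {
        [ordered]@{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            intent        = $a.intent
            target        = $a.target
            settings      = $a.settings
        }
    }
    $Body = @{ mobileAppAssignments = @($Assignments) } | ConvertTo-Json -Depth 10

    # List what is about to be applied so it can be reviewed before the change
    foreach ($a in $Existing) {
        Write-Host "$($a.intent): $($a.target.'@odata.type') $($a.target.groupId)"
    }

    # The assign action replaces whatever assignments the target app already has
    $Action = "Replace assignments with $(@($Existing).Count) copied from $SourceAppId"
    if ($PSCmdlet.ShouldProcess("$TargetAppId", $Action)) {
        Invoke-MgGraphRequest -Method POST -Uri "$Base/$TargetAppId/assign" -Body $Body -ContentType "application/json"
    }
}

# Sample call with placeholder IDs; run with -WhatIf first, then without it:
# Copy-IntuneAppAssignments -SourceAppId "00000000-0000-0000-0000-000000000001" -TargetAppId "00000000-0000-0000-0000-000000000002" -WhatIf
```

With -WhatIf the function still reads and lists the source assignments but skips the POST, which gives a review step before the target app's assignments are overwritten.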

Enterprise App Catalog vs 3rd party solutions

It will be interesting to see how Microsoft’s latest innovation into enterprise app management compares with tried, tested and trusted 3rd party solutions such as Patch My PC. So far, my experience with Microsoft’s solution has been positive; apps seem to deploy quickly and confidently.

As for the price, Microsoft’s Enterprise App Catalog add-on is $2 per device/user per month. However, Patch My PC, their leading competitor, is only $2 per device per year.

Wrapping up

Fundamentally, it is early days for Microsoft’s solution. With a lack of case studies and real-world deployment scenarios, it is hard to make a judgment call. If you want to avoid the hassle of additional vendor relationships and contracts, I suggest trialling Enterprise App Management from Microsoft. It makes app deployment a breeze, keeping everything under one roof. However, suppose you need an easy-to-manage and effective solution, regardless of whether you are a small 10-user company or a 10,000-user enterprise. In that case, I recommend sticking with the 3rd party solutions mentioned in this blog.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 6 Comments

  1. Robert Crane

    I think MS has just changed the Graph request and unfortunately this no longer seems to work. Have you a fix?

    1. Daniel Bradley

      Hi Robert,

      I have updated the script and this is now working again 🙂

      1. Robert Crane

        Thank you so much. Can I ask how you found that change so quickly? I struggle finding how MS changes the Graph, especially for Intune. Also, have you any insight in getting Google Play apps deployed via PowerShell? Feel free to email me directly if you wish, but am struggling to get some Graph working in Intune and need some kinda reference if you can share?

          1. Robert Crane

            I have your book and have read it. My issue is that Google Play store apps don't seem supported on same endpoint as other apps. For example:

            $asrbpurl = "https://raw.githubusercontent.com/directorcia/bp/main/Intune/Policies/Apps/Android/companyportal-managed.json"
            $query = invoke-webrequest -method GET -ContentType "application/json" -uri $asrbpurl -UseBasicParsing
            $Uri = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps"
            $result = Invoke-MGGraphRequest -Method POST -Uri $Uri -Body $query.content -ContentType "application/json"

            fails

            but if

            $asrbpurl = "https://raw.githubusercontent.com/directorcia/bp/main/Intune/Policies/Apps/iOS/companyportal.json"

            then it works.

            Any ideas why it fails?

          2. Daniel Bradley

            Hi Robert!

            Google store apps cannot be deployed via Microsoft Graph due to the integration with the Google play store in the portal.

            Kind regards
            Daniel
