How to deploy Enterprise App Catalog updates with PowerShell

The guided update experience for applications deployed using Enterprise App Management in Microsoft Intune enables seamless app supersedence using a simple wizard-driven experience from the Intune web portal. 

While the experience from the web portal is quick and simple, in some cases you can improve the Enterprise App Management experience by utilising Microsoft Graph PowerShell to automate reporting on and updating applications in Microsoft Intune. 

In this article, I will show you how to use Microsoft Graph PowerShell to update applications in Microsoft Intune from the Enterprise App Catalog.

Requirements

To perform the steps outlined in this article you will need the Microsoft Graph PowerShell modules installed. To do this, follow the guidance in my article: How To Install the Microsoft Graph PowerShell Module.

You will also need to consent to the ‘DeviceManagementApps.ReadWrite.All’ permission which allows you to read and modify managed applications in Microsoft Intune. To do this, run the following command in PowerShell and when prompted, sign in with a Global Administrator account.

 Connect-MgGraph -Scopes DeviceManagementApps.ReadWrite.All

Lastly, the Enterprise App Management features talked about in this article are only available to tenants which contain the Enterprise App Management or Intune Suite license.

Report all available Enterprise App Catalog updates with PowerShell

Before you apply any updates to your applications, you first need to identify which apps have available updates that you can deploy using Enterprise App Management. I covered this in detail in a previous article here. Alternatively, you can use the example code below to generate a report of applications which have pending updates.

# Export the raw update report to disk, then load it back as objects
Get-MgBetaDeviceManagementReportWin32CatalogAppUpdateReport `
    -OutFile C:\temp\AppUpdateRaw.json

$json = Get-Content "C:\temp\AppUpdateRaw.json" -Raw | ConvertFrom-Json

$Report = [System.Collections.Generic.List[Object]]::new()

# Each entry in 'values' is a positional row; map the columns to named properties
foreach ($value in $json.values) {
    $obj = [PSCustomObject][ordered]@{
        "ApplicationName"        = $value[1]
        "Publisher"              = $value[2]
        "UpdateAvailable"        = $value[8]
        "UpdateEligible"         = $value[9]
        "CurrentAppVersion"      = $value[3]
        "LatestAvailableVersion" = $value[4]
        "ApplicationId"          = $value[0]
        "IsSuperseded"           = $value[5]
        "CurrentRevisionId"      = $value[6]
        "LatestRevisionId"       = $value[7]
    }
    $Report.Add($obj)
}

$Report | Format-Table

The final line of the example above will display the results of the report in your PowerShell console. You can use this to determine which app you want to update in the next step of this article.

Enterprise App Catalog update report

Get the App ID of the latest application version

The previous report doesn’t provide all the information you need to get and deploy the latest version of the app. Instead, you use the report to get the ID of the currently deployed application version, then query that app and expand the information on its latest version.

First filter the report by the name of the application you wish to upgrade. In the below example, I have chosen the 7-Zip application.

$App = $Report | Where-Object { $_.ApplicationName -eq '7-Zip (x64)' }

Now query Microsoft Graph again while expanding on the latestUpgradeCatalogPackage property. The below command can just be copied and pasted as it is.

$latestPackage = Get-MgBetaDeviceAppManagementMobileApp `
    -MobileAppId $App.ApplicationId `
    -ExpandProperty "microsoft.graph.win32CatalogApp/referencedCatalogPackage,microsoft.graph.win32CatalogApp/latestUpgradeCatalogPackage"

You can display information on the latest application version for the selected app by using the following command in your PowerShell session.

$latestPackage.AdditionalProperties.latestUpgradeCatalogPackage

Enterprise App Catalog App Latest Package Info

Specifically, the information you need to deploy this application is the id value, which is unique to this (the latest) version of the selected application. You can read that value on its own using dot notation, as below.

$latestPackage.AdditionalProperties.latestUpgradeCatalogPackage.id

To make this easier to read in the next section, you can store this value in a variable with a shorter name.

$latestPackageId = $latestPackage.AdditionalProperties.latestUpgradeCatalogPackage.id

Deploy the latest application version

I previously wrote a blog highlighting how to deploy applications from the Enterprise App Catalog in Intune using PowerShell here. In this case, the process is still the same, except you will use some of the previously obtained values to deploy the latest version of the already deployed application automatically.

# Convert the catalog package into a mobileApp body
$ConUri = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/convertFromMobileAppCatalogPackage(mobileAppCatalogPackageId='$latestPackageId')"
# Drop the read-only and server-generated properties so the body is accepted on POST
$MobApp = Invoke-MgGraphRequest -Uri $ConUri -Method GET -OutputType PSObject |
    Select-Object * -ExcludeProperty "@odata.context", id, largeIcon, createdDateTime,
        lastModifiedDateTime, owner, notes, size, minimumSupportedOperatingSystem,
        minimumFreeDiskSpaceInMB, minimumMemoryInMB, minimumNumberOfProcessors, minimumCpuSpeedInMHz
# ConvertTo-Json defaults to -Depth 2, which can silently truncate nested rule objects
$AppPayload = $MobApp | ConvertTo-Json -Depth 10

# Deploy the app
$Response = New-MgBetaDeviceAppManagementMobileApp -BodyParameter $AppPayload

At this point, you will see the application in the list of new applications in Intune, however, there will be no assignments or supersedence applied. 

Notice in the example I use a mixture of Invoke-MgGraphRequest and the dedicated cmdlets. This is because when I use the dedicated cmdlet Convert-MgBetaDeviceAppManagementMobileAppFromMobileAppCatalogPackage, the response is poorly formatted, with half of the information stored within an ‘additionalProperties’ hash table. When that object is converted to JSON to deploy the app, the body is not formatted appropriately and the command fails.

Configure latest application supersedence

A critical step in this process is to deploy the supersedence for the application. Behind the scenes, Intune identifies this as a relationship between the applications.

The only information you need to specify in the body of the request is the target ID of the older app (which should still be stored in the $App variable), the @odata.type (the type of the relationship) and the supersedenceType. By default the supersedenceType will be ‘Update’ but it could also be ‘Replace’.

$relationships = @{
    relationships = @(
        @{
            "@odata.type"    = "#microsoft.graph.mobileAppSupersedence"
            targetId         = "$($App.ApplicationId)"
            supersedenceType = "update"
        }
    )
}

Invoke-MgGraphRequest -Method POST -Uri "/beta/deviceAppManagement/mobileApps/$($Response.id)/updateRelationships" -Body $relationships

Once this is done, you will see the app has been superseded from the Supersedence viewer in the Microsoft Intune admin portal.

To see this select: Apps > All Apps > The latest version of your app > Supersedence viewer.
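The steps from the report through to the supersedence call, wrapped in one function as an added example (not the article's own code) that refuses to continue when the report shows no eligible update, when Graph returns no latest package, or when app creation returns no id, and then reads the relationship back to confirm it took effect. It assumes Connect-MgGraph has already run with DeviceManagementApps.ReadWrite.All, that the report's column order matches the mapping used above, and that a mobileApp's relationships collection can be read back with GET (the function name and the read-back are assumptions).

```powershell
# Added example, not code from the article. Assumes an existing Graph session with
# DeviceManagementApps.ReadWrite.All and the report column mapping used in the article.
function Update-CatalogAppFromReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ApplicationName,
        [string] $ReportPath = "$env:TEMP\AppUpdateRaw.json",
        [ValidateSet('update', 'replace')] [string] $SupersedenceType = 'update'
    )
    # 1. Pull the update report and locate the row for this app.
    Get-MgBetaDeviceManagementReportWin32CatalogAppUpdateReport -OutFile $ReportPath
    $rows = (Get-Content $ReportPath -Raw | ConvertFrom-Json).values
    $row  = $rows | Where-Object { $_[1] -eq $ApplicationName } | Select-Object -First 1
    if (-not $row) { throw "No catalog app named '$ApplicationName' in the update report." }
    # Columns 8 and 9 are UpdateAvailable / UpdateEligible; stop unless both are true.
    if ("$($row[8])" -ne 'True' -or "$($row[9])" -ne 'True') {
        throw "'$ApplicationName' has no eligible update (available=$($row[8]), eligible=$($row[9]))."
    }
    $oldAppId = $row[0]
    # 2. Resolve the catalog package id of the latest version.
    $current = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $oldAppId `
        -ExpandProperty 'microsoft.graph.win32CatalogApp/latestUpgradeCatalogPackage'
    $latest = $current.AdditionalProperties.latestUpgradeCatalogPackage
    if (-not $latest.id) { throw "Graph returned no latestUpgradeCatalogPackage for $oldAppId." }
    if (-not $PSCmdlet.ShouldProcess("$ApplicationName ($oldAppId)", "Create package $($latest.id) and supersede")) { return }
    # 3. Build the new app body from the catalog package and create it (no assignments yet).
    $convertUri = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/convertFromMobileAppCatalogPackage(mobileAppCatalogPackageId='$($latest.id)')"
    $body = Invoke-MgGraphRequest -Uri $convertUri -Method GET -OutputType PSObject |
        Select-Object * -ExcludeProperty '@odata.context', id, largeIcon, createdDateTime,
            lastModifiedDateTime, owner, notes, size, minimumSupportedOperatingSystem,
            minimumFreeDiskSpaceInMB, minimumMemoryInMB, minimumNumberOfProcessors, minimumCpuSpeedInMHz
    $newApp = New-MgBetaDeviceAppManagementMobileApp -BodyParameter ($body | ConvertTo-Json -Depth 10)
    if (-not $newApp.Id) { throw 'App creation returned no id; supersedence not applied.' }
    # 4. Record the supersedence relationship, then read it back (assumed GET endpoint) to confirm.
    $rel = @{ relationships = @(@{
        '@odata.type'    = '#microsoft.graph.mobileAppSupersedence'
        targetId         = $oldAppId
        supersedenceType = $SupersedenceType
    }) }
    Invoke-MgGraphRequest -Method POST -Uri "/beta/deviceAppManagement/mobileApps/$($newApp.Id)/updateRelationships" -Body $rel
    $check = Invoke-MgGraphRequest -Method GET -Uri "/beta/deviceAppManagement/mobileApps/$($newApp.Id)/relationships"
    [PSCustomObject]@{
        OldAppId              = $oldAppId
        NewAppId              = $newApp.Id
        SupersedenceConfirmed = @($check.value | Where-Object { $_.targetId -eq $oldAppId }).Count -gt 0
    }
}
```

Run it first with -WhatIf to see which app and package it would act on without creating anything; assignments are still left for the admin portal as described in the next section.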

Enterprise App Management Supersedence viewer

Configure assignments for the new application

The final step is to assign the application to your users. In most cases, I recommend you do this manually from the admin portal: you will likely want to deploy to a subset of users first to ensure there are no deployment or compatibility issues.

To assign your new application to users, follow the below steps:

  1. Select Apps > All Apps > The latest version of your app
  2. Under Manage, select Properties
  3. Click Edit next to Assignments
  4. Assign your target user or device groups as Required or Available.
  5. Monitor the progress of your deployment and assign it to a wider audience when ready.

A simple approach to this would also be to assign the updated app as ‘Available’ for a set period, maybe one working week. During this time you can communicate to your users to update the application from the Company Portal. This will allow them to provide feedback (if any). You can then mark the update as required to force the update across all users/devices.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
