Intune App Wrapping Tool

14 Sep 2019

Aug 08, 2019 Intune is a unified endpoint management tool that offers a number of helpful mobility management functions, such as mobile device enrollment, mobile app wrapping and app protection. IT professionals must understand the benefits and use cases for these Intune app management controls and features before they try to deploy them across an organization. The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps.The tool is a command-line application that creates a wrapper around the app, which then allows the app to be managed by an Intune app protection policy. Dec 07, 2020 The Intune App Wrapping Tool for iOS has released a new version that enables key bug fixes, or new, specific Intune application protection policy features. This happens after 6-8 weeks through GitHub repo for the Microsoft Intune App Wrapping Tool for iOS. Feb 22, 2021 Use the Intune App Wrapping Tool for Mac to enable Mac apps to be managed by Microsoft Intune. Important The.pkg file must be signed using 'Developer ID Installer' certificate, obtained from an Apple Developer account.

Win32 application deployments using Microsoft Intune continues to improve, with application dependencies now available and script based requirement capabilities, Intune provides a comprehensive cloud based application deployment solution hot on the heels of it’s big brother Configuration Manager.

One feature that does not have parity with SCCM, is the option to allow users to interact with a installation prompts during deployment.There has been some great community developed tools like the PSAppDeployToolkit which can provide end users with company branded dialogue boxes, creating a more personable deployment experience.

Of course, we can use the PSAppDeployToolkit with Intune on it’s own today, utilising it’s superior logging and PowerShell based installation cmdlets to silently install .msi or .exe applications. But as Win32 applications are installed from within the system (session 0) context, we are unable to benefit from the user driven dialogue boxes.

It is common for applications to have dependencies that need to be closed during installation. And as Administrators we need to make sure that the application installs successfully, and within a timely manner. But also need to make sure that to achieve these objectives, that we don’t do so at the users expense.

As Administrators we can be force close dependent applications prior to installation, using some crude stop-process commands coupled with a force parameter. But without the ability to set maintenance Windows within Intune, or being able to specify installation to take place outside of Active Hours, we’re going to get some very unhappy end users as applications close without the opportunity to defer installation to a time that suits them better.

The Problem to Solve?

How can we provide end users whose devices are managed with Microsoft Intune (Standalone) with a better installation experience, for high user applications while not relying on them to self serve application updates using the Company Portal?

The Solution

Using a combination of PowerShell, PSAppDeployToolkit and a tool borrowed from MDT called ServiceUI - we can provide a user friendly deployment experience from a Win32 Intune required application assignment, like the one I demonstrate in this video:

Prerequisites:

  • Microsoft 365 (any SKU), EMS E3 or Intune Device Licensing
  • The PSAppDeployToolkit downloaded from Github
  • ServiceUI.exe, borrowed from Microsoft Deployment Toolkit (MDT)
  • Microsoft Win32 Content Prep Tool from Github

For those unfamiliar with some of components listed in the prerequisites, here’s a brief overview:

ServiceUI.exe

ServiceUI.exe is a tool included as part of MDT, it allows us to to launch applications from within the system context, into the context of an active console user. This allows end users to interact with individual applications running as system, rather than being elevated themselves. The tool can be found in the Toolsx64 directory of a deployment share.

PSAppDeployToolkit

The PSAppDeploymentToolkit website describe their toolkit as:

“The PowerShell App Deployment Toolkit provides a set of functions to perform common application deployment tasks and to interact with the user during a deployment. It simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.The toolkit functions as a wrapper”

Definitely check out the website to find a full list of features and capabilities.

Microsoft Win32 Content Prep Tool

The content prep tool allows Intune Administrators to wrap install files for Win32 Applications, and use silent install switches or custom install scripts to install the wrapped application.

Solution Breakdown

  1. Intune runs the the Configure.ps1 PowerShell Script (shown below)
  2. PowerShell uses WMI to check to see if any users are running the target process
  3. If the process is not detected, PSAppDeployToolkit is run in noninteractive mode, and the installation/upgrade takes place unknowingly to the user
  4. If the process is detected, PSAppDeployToolkit is launched in interactive mode within the users console session based on the user running explorer.exe using ServiceUI, prompting the user to close the required applications before starting the installation
  5. If the user chooses to defer the installation, exit code 60012 is returned to Intune - and a failure is recorded.

Retry vs Failure

Why return a failure to Intune rather a retry? The retry time on a Win32 application is only 5 minutes, which is not a long enough delay before prompting the user who just dismissed the prompt to try the installation again. If a failure is returned, Intune will wait at least 24 hours before retrying in the installation again.

Configure.ps1

Here is an example of a PowerShell script that can be used to detect the target process is in use, and launch PSADT in either interactive, or non-interactive mode accordingly:

Wrapping It All Together

Wrapping

Here’s the directory to wrap using the Win32 Content Prep Tool with the three components:

  • Configure.ps1 PowerShell Script
  • PSAppDeployToolkit, customised for my application
  • ServiceUI, borrowed from MDT

Intune Install Command:

The install command used in Intune, is (a reminder that PowerShell scripts launched via Win32 are started in x86, rather x64).

Intune App Wrapping Tool For Macos

For extra points, you can add some switching logic in your configure script and pass a parameter that tells the script whether to launch PSADT in Install or Un-Install mode.

Summary

This solution is not a new one, previously used by SCCM administrators prior to 1802, but I’ve yet to see it used with Intune. It has a couple of moving parts, but is relatively simple once you wrap your head around the components.

Recently, I utilised this deployment method with 3 separate customers, upgrading a critical database client application used by 75% of all end users, and within a 24 hour period - we were on track for 80% upgrade success. And most importantly, across 600 client machines, we received about 3 support calls.

The previous upgrade method for these customers would have been either a manual per user upgrade, or a deploying the upgrade via Group Policy, which depended on the user being on-site at start up time.

Hopefully this provides some inspiration into what is possible with Win32 App Deployment through Intune. If you’d like more details, ask me a question in the comments or send me a tweet on twitter.


Previous Chats

Please enable JavaScript to view the comments powered by Disqus.

Win32 Apps, What Are they?

If you’re familiar with Configuration Manager/MEMCM then think of these files as your source directory, the difference being you are effectively zipping it up and then uploading to Intune.

According to Microsoft, if you decide to use Win32 Apps, it is advised that you use these exclusively and NOT ‘Mix and Match’ these with Line of Business applications when using Autopilot (See Microsoft Doc link below).

What content can be in a Win32 App Package?

The answer to that is well pretty much anything to a certain extent. These files are just proprietary files for Intune however under the hood they are just zip files that are then hashed and encoded.

What uses are there for Win32 Apps?

Well put, to Install apps. Now don’t be thrown by the 32 as these are not just for 32-bit apps, they can be used for any app.

You can use Win32 apps to just launch PowerShell scripts, Batch scripts, VBScripts etc. as long as you have a detection method if they succeed.

Mainly they are used for installing custom app packages like Greenshot, Citrix, PSADT Apps etc.

Microsoft Doc: Win32 app management in Microsoft Intune | Microsoft Docs

Package Creation Methods

IntuneWinAppUtil Application

The first method is creating a packaged using the GUI (Well kind of GUI) that is mentioned in the Microsoft Doc. Yiu can grab the utility from the below link;

If you clone/download the files, and extract them to a suitable location to work with.

Let’s get started. The below works on the assumption you have your files in a folder with noting other than those required for the app. (You don’t want to be uploading your entire desktop do you :P)

  1. Launch the IntuneWinAppUtil.exe
  2. Type/Paste your Source Directory (e.g. C:/Win 32 Apps/7-Zip), hit Enter.
  3. Type/Paste you setup file name (e.g. 7z2002-x64.exe or MyScript.ps1), hit Enter
  4. Type/Paste your Output Directory (e.g. C:/Win 32 Apps), hit Enter.
  5. When prompted about catalogue files type N unless you are deploying to Windows S Mode, hit Enter
The window will automatically close when your .intunewin file is finished if you head over your output folder you will be able to get your file for upload.

PowerShell

For you command-line gurus and script lovers out there, you will be pleased to know that there is a PowerShell module for bundling these your apps up, you can even go a step further and import them via a script, but we will save that for another post :D.

You can install the module using the following command;

Once you have the module installed you can type a command like this;

This command will create a .intunewin file in the output location named 7z2002-x64.intunewin, this is because it takes the installers name for the output. Unfortunately at the time of writing this, you can’t do it natively with this module. However, you can add a Rename-Item into your script to change it.

Using the packages with Intune

Head over to Microsoft Endpoint Manager admin center (Intune) to to get started

  1. Select Apps from the navigation pane
  2. Select All Apps, Click Add
  3. Select App type Other>Windows app (Win32), Click Select
  4. Click Select app package file, Click the Blue Folder icon to open the browse windows
  5. Select the .intunewin file you have created, Click Open and then click OK
  6. Fill out the Name and Publisher mandatory fields, and any other fields you desire
  7. Upload an icon if you desire, I would recommend doing this if you are deploying this to users via the Company Portal
  8. Click Next
  9. Enter your install command (e.g. 7z2002-x64.exe /S)
  10. Enter your uninstall command (e.g. 'C:Program Files7-ZipUninstall.exe'/S)
  11. Select your install behavior, if this is a machine wide installation you will need to select System, otherwise select User if this is installing to the user profile
  12. Select your desired restart behavior, Adding custom return codes if required
  13. Click Next
  14. Complete your OS Requirements, At a minimum you need to specify the Architecture (x86/x64) and the minimum OS Version (e.g. 1607/1703 etc.)
  15. Click Next
  16. For Detection rules, See the Detection Rules section below, Once complete click Next
  17. Add any dependent Intune Apps you may require, Click Next
  18. Assign the application to your desired group, just as a NOTE if you want to display the app in the company portal, it MUST be assigned to a group containing that user. Required Assignments will force the app to install, whereas Available will show this in the Company Portal. Click Next
  19. Click Create
That is your app finished and deploying, it is worth noting it may take 15/20 minutes to be available on the device, the device must also perform a sync to check for the app.

Detection Rules

Detection rules have 4 options, you can use a Custom Detection Script, Registry, File(Folder) and MSI, lets look at them in a little bit more detail.

When you first reach the Detection Rule Screen you will have a single Drop-Down box with two options, Use a custom detection script and Manually configure detection rules. File, Registry and MSI are all available under the Manual option, it is worth noting that you can can mix and match these rules, however there are considered AND methods. If you are looking to do a AND/OR detection you will need to use a custom PowerShell Script.

We will dive into all of the options below.

Intune App Wrapping Tool Online

File

As you can see above using this detection method is fairly straight forward, however it can get a bit messy if you use the Date Created/Modified options.

Lets put a rule together.

  1. Rule Type - File
  2. Path - 'YourPath' (e.g. C:Program Files7-Zip)
  3. File or Folder - 'YourFileFolder' (e.g. 7z.exe)
  4. Detection Method - File or Folder Exists
  5. Associated with a 32-bit app on a 64-bit client, No.
Now that rule is very quick and simple, as mentioned you can use the date modified or created option, and that would look something like below.
  1. Rule Type - File
  2. Path - 'YourPath' (e.g. C:Program Files7-Zip)
  3. File or Folder - 'YourFileFolder' (e.g. 7z.exe)
  4. Detection Method - Date Modified
  5. Operator, select the option that you wish to validate against (e.g. Equals, Greater than etc.)
  6. Select the date using the date picker and enter the time using the 12 hour format
  7. Associated with a 32-bit app on a 64-bit client, No.

Registry

The registry option is fairly straight forward, and is the most likely option you are going to select if you are just installing a simple application and just want to check that the program itself exists. Again for the detection method you have various options, for this example we will just use Key Exists

  1. Rule Type - Registry
  2. Key Path - 'Path to key' (e.g. HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/7-Zip)
  3. Value Name - 'Vaule Name' (e.g. DisplayVersion)
  4. Detection Method - File or Folder Exists
  5. Associated with a 32-bit app on a 64-bit client, No.

MSI

MSI detections are quick and easy if you are installing an MSI application, all you need is the GUID, for the 7-zip app this is not applicable however below is a basic example. You can also perform version checks on the MSI apps.

Intune App Wrapping Tool For Android Download

Intune
  1. Rule Type - MSI
  2. MSI Product Code - 'Product GUID' (e.g. {8C3A8923-0000-0000-0000-C82C1BE7294D})
  3. MSI product version check - Yes
  4. Select your operator (e.g. Equals, Greater than etc.)
  5. Value - Product Version (e.g. 20.02)

Detection Script

For me, this is the most favorable option, but I love to script :D. But that aside you can check multiple actions, the only thing you need to do is return any value other than Null for the detection to pass. For example the below script checks for the registry value and also that the file exists, if they do it will return a True value, else it will return nothing.

You will need to have the file save and ready to be upload to Intune, The above is written in PowerShell so will need a .ps1 extension. To use this method follow the below steps.

  1. Rule format - Use custom detection script
  2. Script file - Upload yours using the blue folder icon
  3. Run Script as a 32-bit process on 64-bit clients - No(This is entirely your choice again but for this example it is not required)
  4. Enforce script signature check and run script silently - No
That covers the basics all of the detection methods, if you have any further questions please reach out or review the Microsoft Docs.

3rd Party/Community Tools & Blogs

Here are some of the 3rd Party and Community Tools and Blogs that I have found useful and they may help you in you hour of need!!

Syst & Deploy - Intune Win32 App Tool

This is a great tool to create and extract/decode Win32 apps if you prefer a GUI to creating your intunewin files, this tool also has a feature to decode the packages you already have incase you loose the source files but have the intunewin file.

Intune

Oliver Kieselbach - How to decode Win32 App Packages

This is a great guide and it can truly help pull you out of the gutter if you have lost all of your intunewin files, although its not straight forward to get them back (Not Oliver’s Fault) this guid provides you an in-depth guide on how to retrieve the intunewin packages. Truly worth a read and Kudos to Oliver for giving us this gift.

Comments are closed.