Do We Need a Client Application to Deploy Software via Microsoft Intune | EndPoint Sphere

byRakesh Kashyap
1

In most cases, no dedicated agent is required. Microsoft Intune is built on modern, OS-native management frameworks, which means it leverages the device’s built-in MDM client rather than installing heavy agents. Depending on the platform and your deployment model, the Company Portal and a few platform-specific apps may be required for user-driven scenarios—but silent deployments are often possible without them on certain OSes (like Windows).

Whether you’re modernizing from traditional tools (e.g., SCCM) or starting fresh with cloud management, understanding these app requirements—and when they matter—helps you plan smoother, more secure deployments.

Why Intune Doesn’t Need a Dedicated “Agent”

Traditional endpoint management solutions relied on agent-based architectures: you installed a client on every device to do policy enforcement, inventory, and software deployment. Intune flips that model by using built-in MDM frameworks provided by modern operating systems (Windows, Android, iOS/iPadOS, macOS). That means:

Less overhead: No extra agent to install, maintain, or troubleshoot on most platforms.

Better security and resiliency: Policies and apps are delivered via platform-native APIs.

Cloud-first simplicity: Enrollment, configuration, and app deployment flow through secure, OS-level channels.

Platform-by-Platform: Do You Need a Client App?

Windows 10/11

  • MDM Client: Built-in. No separate Intune agent.
  • Company Portal: Optional—use it for:
    • Self-service app installation (user-initiated)
    • User-driven enrollment flows
    • Improved end-user experience and branding
  • Silent deployments: Possible without Company Portal. Intune can target Required apps to devices or users.
  • App types to know:
    • Win32 apps (.intunewin): Great for EXE/MSI installers, with detection rules, dependencies, and install/uninstall commands.
    • MSI (Line-of-business apps): Simpler packaging.
    • Microsoft Store apps: Available via the new Store integration; can be Required or Available.
  • Pro tip: Use device-based assignments for fully managed machines and user-based for knowledge workers working across devices.

Android

  • Management Models:
    • Android Enterprise (recommended):
      • Work Profile (BYOD): Separates work and personal data.
      • Fully Managed / Corporate-Owned (COPE, kiosk, etc.).
    • Apps needed vary by mode:
      • Company Portal: Often used for user-based enrollment and self-service installations.
      • Microsoft Intune app: Used for Android Enterprise scenarios to enable additional management features on corporate-owned devices.
    • Managed Google Play: Required for app publishing, approvals, and silent installs on managed devices.
  • Silent deployments: Typically supported on Fully Managed devices via Managed Google Play. On BYOD Work Profile, app visibility and installs align with user consent and privacy boundaries.

 iOS/iPadOS

  • MDM Framework: Built-in; Intune leverages Apple’s MDM APIs.
  • Company Portal: Generally required for user enrollment and self-service app installs.
  • Apple MDM Push Certificate: Mandatory to manage Apple devices—this is what lets Intune talk to Apple devices securely.
  • App distribution:
    • VPP (Apple Business Manager): Strongly recommended for licensing and silent installation (especially for supervised/corporate devices).
  • Silent deployments: Supported for managed devices (often supervised) when apps are VPP-licensed and assigned as Required.

macOS

  • MDM Framework: Built-in (like iOS).
  • Company Portal: Required for enrollment and helps with app installation and self-service.
  • App packaging:
    • .pkg installers for Line-of-business apps.
    • Consider notarization and codesigning requirements for macOS apps to avoid Gatekeeper blocks.
  • Silent deployments: Possible for managed macOS devices when apps are assigned as Required and meet notarization/codesign policies.

The Role of Company Portal (When and Why)

Windows: Optional for silent installs; great for self-service, user-driven enrollment, and branded app catalogs.
Android: Typically used for user-facing enrollment and app installs; complements Managed Google Play.
iOS/iPadOS & macOS: Commonly needed for enrollment, self-service, and providing a familiar user experience.

Benefits:

  • User empowerment: Self-service app catalogs reduce helpdesk load.
  • Consistency: A single, branded place for company apps and device information.
  • Communication: Portal can help guide users through enrollment and compliance steps.

Common Misconceptions (Cleared Up)

  • “Intune is an agent.”
    Not exactly—Intune is a cloud service that manages devices via each OS’s native MDM. Some platforms still use helper apps (like Company Portal) for UX and enrollment, but this isn’t a heavy agent in the traditional sense.

  • “We must use Company Portal for every app deployment.”
    No. For Windows, silent deployments of Required apps don’t need Company Portal. For Apple/Android, the need depends on the management model and whether you’re doing user-driven or fully managed deployments.

  • “BYOD means full control over personal data.”
    Wrong. Work Profile (Android) and User Enrollment (Apple) explicitly separate work and personal contexts and limit what IT can see/do.

Best Practices for Smooth App Deployments

  1. Choose the right assignment

    • Required: Silent install to targeted users/devices.
    • Available for enrolled devices: Shows in Company Portal for self-service.
    • Uninstall: Cleanly remove when decommissioning or replacing apps.

  2. Pilot first
    Create pilot groups (IT, champions, test devices) to validate installs, detection rules, dependencies, and rollback paths.

  3. Package smartly (Windows)
    Use Win32 (.intunewin) for complex installers. Define detection rules and return codes for robust retry behavior.

  4. Use Managed Stores

    • Managed Google Play on Android.
    • Apple Business Manager + VPP for iOS/iPadOS/macOS.
    • Microsoft Store integration for Windows.

  5. Mind compliance and prerequisites
    Ensure devices meet OS version and policy compliance before rolling out critical apps (especially VPN, security agents, browsers).

  6. Communicate clearly
    Provide short, branded “What to expect” guides when introducing Company Portal or when shifting from legacy tools.

  7. Monitor & remediate
    Use Intune reporting and Endpoint analytics to track install success, time-to-deploy, and failures; set up retry and remediation scripts where appropriate.

Planning a Migration from Traditional Tools (e.g., SCCM)

  • Co-management: Keep SCCM for what it does best (e.g., complex OS deployment), while you gradually move apps, compliance, and endpoint security to Intune.
  • App rationalization: Clean up duplicates, outdated versions, and unused titles before migrating.
  • Packaging standards: Define clear conventions for detection rules, install/uninstall commands, and logging.
  • Staged rollout: Start with non-critical apps; move to critical business apps after validation.
  • User experience first: Decide when to introduce Company Portal (for self-service) and communicate timelines and benefits.

Frequently Asked Questions

Q: Can I silently deploy apps to Windows devices without Company Portal?
A: Yes. Assign apps as Required to devices or users; Intune uses the built-in MDM client to install silently.

Q: Do I need both Company Portal and Microsoft Intune app on Android?
A: It depends on the management scenario. Android Enterprise typically leverages Managed Google Play, and you may use Company Portal for user-based enrollment and Microsoft Intune app to enable specific management functions on corporate-owned devices.

Q: What about apps that need admin rights or drivers on Windows?
A: Use Win32 packaging with proper install commands and detection rules. For drivers, prefer vendor-provided, signed packages; consider deployment timing with maintenance windows.

Q: How do I ensure silent installs on iOS/iPadOS?
A: Use Apple Business Manager with VPP-assigned licenses and target managed (often supervised) devices; assign apps as Required.

  • No heavy agent is required for Intune—most platforms use built-in MDM.
  • Company Portal is optional for Windows silent installs, but valuable for user-driven scenarios and is commonly required on Apple/macOS.
  • Android relies on Managed Google Play and may use Company Portal/Microsoft Intune app depending on enrollment type.
  • Plan deployments with pilot groups, proper packaging, and clear user communication for best results.

Microsoft Intune App Deployment Checklist

1. Pre-Deployment Preparation

  • Confirm Intune tenant configuration (MDM authority set to Intune).
  • Verify platform enrollment (Windows, Android, iOS/macOS).
  • Ensure Apple MDM Push Certificate and Apple Business Manager integration for iOS/macOS.
  • Set up Managed Google Play for Android Enterprise.
  • Validate Microsoft Store integration for Windows apps.

2. App Packaging & Requirements

  • Identify app type:
    • Win32 (.intunewin), MSI, Store app, LOB app, VPP app.
  • Check OS compatibility and minimum version.
  • Prepare silent install commands (for Required deployments).
  • Define detection rules (especially for Win32 apps).
  • Confirm codesigning/notarization for macOS apps.

3. Deployment Strategy

  • Decide assignment type:
    • Required (silent install), Available (self-service via Company Portal).
  • Choose targeting method:
    • Device-based or user-based groups.
  • Create pilot group for initial testing.
  • Configure dependencies and supersedence if needed.

4. User Experience & Communication

  • Decide if Company Portal is required for your scenario.
  • Customize Company Portal branding (logo, colors).
  • Prepare user guides for enrollment and app installation.
  • Communicate rollout timelines and expectations.

5. Compliance & Security

  • Ensure compliance policies are applied before app deployment.
  • Validate conditional access requirements for critical apps.
  • Confirm device configuration profiles (e.g., VPN, certificates).

6. Monitoring & Remediation

  • Use Intune reporting to track install success/failure.
  • Set up retry logic for failed installs.
  • Monitor Endpoint analytics for performance impact.
  • Document lessons learned for future deployments.

7. Post-Deployment

  • Validate app functionality on all platforms.
  • Gather user feedback for experience improvements.
  • Update documentation and knowledge base.

Overall Context

  • This is the Intune portal interface used for managing Windows applications.
  • The view is focused on monitoring app deployment status.
Tags:

1 Comments

Previous Post Next Post