|
| 1 | +--- |
| 2 | +# required metadata |
| 3 | + |
| 4 | +title: Manage and secure apps in Intune |
| 5 | +titleSuffix: Microsoft Intune |
| 6 | +description: Learn more about the concepts and features you should know when managing apps that access organization resources in Microsoft Intune. You can deploy apps used by your organization, including Microsoft Edge and Microsoft 365. You can also configure apps, protect apps on organizations owned and BYOD personal devices, and update apps that you deploy. |
| 7 | +keywords: |
| 8 | +author: MandiOhlinger |
| 9 | + |
| 10 | +ms.author: mandia |
| 11 | +manager: dougeby |
| 12 | +ms.date: 09/22/2022 |
| 13 | +ms.topic: conceptual |
| 14 | +ms.service: mem |
| 15 | +ms.subservice: |
| 16 | +ms.localizationpriority: high |
| 17 | +ms.technology: |
| 18 | +ms.assetid: |
| 19 | +# optional metadata |
| 20 | + |
| 21 | +#audience: |
| 22 | +#ms.devlang: |
| 23 | +ms.reviewer: |
| 24 | +ms.suite: ems |
| 25 | +search.appverid: |
| 26 | +#ms.tgt_pltfrm: |
| 27 | +ms.custom: intune-azure |
| 28 | +ms.collection: |
| 29 | + - M365-identity-device-management |
| 30 | + - highpri |
| 31 | +--- |
| 32 | + |
| 33 | +# Manage your apps and app data in Microsoft Intune |
| 34 | + |
| 35 | +Managing and protecting apps and their data is a significant part of any endpoint management strategy and solution. In most environments, user can install public retail apps and possibly access organization data from these apps. Many organizations also have their own private apps and line-of-business apps that need to be deployed & managed, and make sure this app data stays within the organization. |
| 36 | + |
| 37 | +App management can be challenge and Intune can help. Microsoft Intune is a cloud-based service that can manage many apps types. Using Intune, admins can deploy, configure, protect, and update apps that access your organization resources. For more information on Intune and its benefits, go to [What is Microsoft Intune?](what-is-intune.md). |
| 38 | + |
| 39 | +Microsoft Intune supports Android, iOS/iPadOS, macOS and Windows client devices. So, you can use Intune's app management features across your many devices. |
| 40 | + |
| 41 | +From a service perspective, Intune uses Azure Active Directory (AD) for identity management. To use some apps, these Azure AD user identities must have licenses assigned to them. The Microsoft Endpoint Manager admin center can also help you manage licensing. |
| 42 | + |
| 43 | +This article discusses concepts and features you should consider when managing and securing apps. |
| 44 | + |
| 45 | +## Deploy apps your organization uses |
| 46 | + |
| 47 | +Organizations use many different types of apps, including store apps, line-of-business (LOB) apps, web apps, and more. You can add apps to Intune and then use its app policy management to deploy these apps to your devices. |
| 48 | + |
| 49 | +The app features in the Endpoint Manager admin center make it easier to deploy these different kinds of apps. Intune supports Android, iOS/iPadOS, macOS, and Windows client devices: |
| 50 | + |
| 51 | +- For **Android** devices, the Endpoint Manager admin center automatically connects to the public Play Store and gives you the ability to search for apps. You can also sync with your Managed Google Play account to access your Android Enterprise apps, including private apps. |
| 52 | + |
| 53 | + On Android devices, you can deploy: |
| 54 | + |
| 55 | + - Public and retail apps from the public Play Store |
| 56 | + - Managed Google Play apps to Android Enterprise devices |
| 57 | + - Web links to web apps |
| 58 | + - Built-in apps, which are apps automatically included and available in the Endpoint Manager admin center |
| 59 | + - Custom line-of-business apps your organization creates |
| 60 | + - Android Enterprise system apps, which are apps typically included on Android devices |
| 61 | + |
| 62 | + If you use [Google Mobile Services (GMS)](https://www.android.com/gms/) (opens Android's web site), you can purchase licenses to GMS, which typically happens when you purchase Android devices. GMS gives users access to the public Play Store and its public apps. |
| 63 | + |
| 64 | + If your organization doesn't use [Google Mobile Services (GMS)](https://www.android.com/gms/) (opens Android's web site), then Intune can also manage devices using the Android Open Source Project (AOSP) platform. |
| 65 | + |
| 66 | + For more specific information, go to: |
| 67 | + |
| 68 | + - [How to use Intune in environments without Google Mobile Services](../apps/manage-without-gms.md) |
| 69 | + - [Add Managed Google Play apps to Android Enterprise devices](../apps/apps-add-android-for-work.md) |
| 70 | + - [Manage private Android apps in Google Play](https://support.google.com/a/answer/2494992) (opens Google's web site) |
| 71 | + - [Add built-in apps](../apps/apps-add-built-in.md) |
| 72 | + |
| 73 | +- For **iOS/iPadOS** devices, the Endpoint Manager admin center automatically connects to the public App Store and gives you the ability to search for apps. You can also sync with your Apple Business Manager or Apple School Manager account to access your volume-licensed apps. When you sync, the apps you purchase (your licensed apps) are automatically shown in the admin center. |
| 74 | + |
| 75 | + On iOS/iPadOS devices, you can deploy: |
| 76 | + |
| 77 | + - Public and retail apps from the public App Store |
| 78 | + - Volume-licensed apps using Apple Business Manager or Apple School Manager |
| 79 | + - Web clips, which are shortcuts to web site links that you can add to the home screen |
| 80 | + - Web links to web apps |
| 81 | + - Built-in apps, which are apps automatically included and available in the Endpoint Manager admin center |
| 82 | + - Custom line-of-business apps your organization creates |
| 83 | + |
| 84 | + For more specific information, go to: |
| 85 | + |
| 86 | + - [Add iOS store apps](../apps/store-apps-ios.md) |
| 87 | + - [Manage iOS/iPadOS and macOS apps purchased through Apple Business Manager](../apps/vpp-apps-ios.md) |
| 88 | + - [Add iOS/iPadOS LOB apps](../apps/lob-apps-ios.md) |
| 89 | + - [Add built-in apps](../apps/apps-add-built-in.md) |
| 90 | + |
| 91 | +- For **macOS** devices, the Endpoint Manager admin center has built-in features that include apps commonly deployed to macOS, including Microsoft Edge and Microsoft 365 apps. You can also sync with your Apple Business Manager or Apple School Manager account to access your volume-licensed apps. When you sync, the apps you purchase (your licensed apps) are automatically shown in the admin center. |
| 92 | + |
| 93 | + On macOS devices, you can deploy: |
| 94 | + |
| 95 | + - Volume-licensed apps using Apple Business Manager or Apple School Manager |
| 96 | + - Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote, Teams, and OneDrive |
| 97 | + - Microsoft Edge version 77 and newer, which is the modern chromium version |
| 98 | + - Microsoft Defender for Endpoint, which is a cloud service that detects malicious intent and can help remediate security threats |
| 99 | + - Web links to web apps |
| 100 | + - Custom line-of-business apps your organization creates |
| 101 | + - Apple disk image (DMG) apps, which is a file that includes one or more apps to deploy |
| 102 | + |
| 103 | + For more specific information, go to: |
| 104 | + |
| 105 | + - [Manage iOS/iPadOS and macOS apps purchased through Apple Business Manager](../apps/vpp-apps-ios.md) |
| 106 | + - [Assign Microsoft 365 to macOS devices](../apps/apps-add-office365-macOS.md) |
| 107 | + - [Add macOS LOB apps](../apps/lob-apps-macos.md) |
| 108 | + |
| 109 | +- For **Windows** devices, the Endpoint Manager admin center automatically connects to the public Microsoft Store and gives you the ability to search for apps. You can also sync with your Microsoft Store for Business account to access your volume-licensed apps. When you sync, the apps you purchase (your licensed apps) are automatically shown in the admin center. |
| 110 | + |
| 111 | + On Windows devices, you can deploy: |
| 112 | + |
| 113 | + - Volume-licensed apps using Microsoft Store for Business |
| 114 | + - Public and retail apps from the Microsoft Store |
| 115 | + - Microsoft 365 apps, which include Word, Excel, PowerPoint, Outlook, OneNote, Teams, and OneDrive |
| 116 | + - Microsoft Edge version 77 and newer, which is the modern chromium version |
| 117 | + - Web links to web apps |
| 118 | + - Custom line-of-business apps your organization creates |
| 119 | + - Win32 apps |
| 120 | + |
| 121 | + For more specific information, go to: |
| 122 | + |
| 123 | + - [Manage volume purchased apps from the Microsoft Store for Business](../apps/windows-store-for-business.md) |
| 124 | + - [Add Microsoft 365 apps to Windows client devices](../apps/apps-add-office365.md) |
| 125 | + - [Win32 app management](../apps/apps-win32-app-management.md) |
| 126 | + |
| 127 | + > [!NOTE] |
| 128 | + > [Microsoft Store for Business](/microsoft-store/microsoft-store-for-business-overview) is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077). |
| 129 | +
|
| 130 | +## Configure apps before they're installed |
| 131 | + |
| 132 | +When an app is deployed to your users and devices, your users may be prompted for configuration information. Users might not know what to enter or you may have organization settings you want configured a certain way. |
| 133 | + |
| 134 | +App configuration policies give you these features. You can create app configuration policies that automatically configure apps. Depending on your policy settings, users might not need to enter any configuration information. |
| 135 | + |
| 136 | +For example, in an app configuration policy, you can enter the app language, add your organization's logo, block apps from using personal accounts, and more. |
| 137 | + |
| 138 | +Your app configuration policies can be deployed at any time. If you want to configure apps before users open them the first time, then you can include the app configuration policy when users enroll their devices. During enrollment, your app configuration policies are automatically deployed and the apps include your configuration settings. |
| 139 | + |
| 140 | +For more specific information, go to [App configuration policies in Intune](../apps/app-configuration-policies-overview.md). |
| 141 | + |
| 142 | +## Protect apps on organization owned and personal devices |
| 143 | + |
| 144 | +App protection policies are a key part to protecting data in apps that access organization data. If user-owned personal devices are accessing your organization data, then you need app protection policies. You can use these policies to protect email, protect shared files, protect access to meetings, and more. |
| 145 | + |
| 146 | +You can use Intune to create, configure, and deploy app protection policies to your users and your devices, including personally owned devices and devices managed by another MDM provider. Typically, organization owned devices are managed by your organization. If there are apps on these managed devices that require extra security, then you can also use app protection policies on these devices. |
| 147 | + |
| 148 | +App protection policies also help separate personal data from organization data. For example, you can create policies that block copy-and-paste between apps, require a PIN when opening an app, block backups to personal cloud services, and more. |
| 149 | + |
| 150 | +For more specific information, go to: |
| 151 | + |
| 152 | +- [App protection policies overview and benefits](../apps/app-protection-policy.md) |
| 153 | +- [How to create and assign app protection policies](../apps/app-protection-policies.md) |
| 154 | + |
| 155 | +## Update apps to the latest version |
| 156 | + |
| 157 | +Apps are often updated to include bug fixes, feature improvements, security updates, and more. When apps are deployed using Intune, most apps are automatically updated when there's an app update available. So, it's recommended to use Intune to deploy apps used by your organization. |
| 158 | + |
| 159 | +You can also use Windows Autopatch for automatic patching of Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams. |
| 160 | + |
| 161 | +If users install apps themselves, including from a public app store, then these apps will need updated manually. In this situation, you can use app protection policies to enforce a minimum app version, and even wipe organization data on devices that don't meet your standards. |
| 162 | + |
| 163 | +For more information, go to: |
| 164 | + |
| 165 | +- [Add and update apps](../apps/apps-add.md) |
| 166 | +- [Windows Autopatch overview](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) |
| 167 | +- [Wipe corporate data from Intune-managed apps](../apps/apps-selective-wipe.md) |
| 168 | +- [Selectively wipe data using app protection policy conditional launch actions](../apps/app-protection-policies-access-actions.md) |
| 169 | + |
| 170 | +## Next steps |
| 171 | + |
| 172 | +- [Manage identities](manage-identities.md) |
| 173 | +- [Manage devices](manage-devices.md) |
| 174 | +- [Frequently asked questions about application management and app protection](../apps/mam-faq.yml) |
0 commit comments