Working with Intune

Introduction

Microsoft Intune supports a variety of app types and deployment scenarios on both Mac and Windows 10/11 devices. Some preparation is required before installing via Intune, including packaging apps in the Intune format (.intunewin).

Full details on preparation and configuration for Windows devices can be found at "Windows 10/11 app deployment by using Microsoft Intune". Further information on creating Mac profiles can be found at "Create a device profile in Microsoft Intune".

This article describes the following:

  • How to prepare and add Admin By Request for Windows to an Intune package ready for deployment.

  • How to create an Intune Configuration Profile for a Mac.

Once packages and profiles are created and added to Intune, they can be deployed to users and devices.

How to add a Windows package

This guide outlines the full process for deploying Admin By Request Workstation via Microsoft Intune using the Win32 app packaging method.

Prerequisites
  • Devices must be Azure AD joined and Intune MDM-enrolled

  • Devices must be assigned to an AD group. The example below uses group ABR Installation Dep ("Dep" for deployment).

  • Users must be assigned an Intune-enabled license (e.g. EMS E3)

  • The Administrator must have permissions to create Win32 apps in Intune

  • The ABR MSI installer must be downloaded from the Admin By Request portal and must match your tenant

    Identify the exact version of this installer by right-clicking and selecting Properties, then selecting the Details tab. The version is given in the Comments field (e.g. 8.5.1.0).

Procedure
Outcome

Admin By Request is successfully deployed across all targeted devices silently via Microsoft Intune. No end-user interaction is required.

Test the Installation on Random Endpoints

Testing the installation involves a quick connection check:

  1. On an endpoint with Admin By Request installed, launch the application by selecting it from the system tray and clicking About Admin By Request:

  2. Select Connectivity and check that Operational Status and Cloud Connectivity are OK:

As a further test, you might also want to check the inventory in the portal, to review the details that are now being logged for this endpoint:

  1. From the portal top menu, select Inventory.

  2. Locate the endpoint and click either the computer name link or the Details link:

How to create a Mac configuration profile

  1. In Intune, under Configuration Profiles, select Create Profile.

  2. Enter the following details into the Create a Profile form:

    • Platform: macOS

    • Profile type: Templates

    • Template name: ABR – FDA

  3. Click Create.

  4. Under Device restrictions, go to Configuration settings.

  5. Select Privacy preferences and click Add:

  6. In the Edit Row form, enter the following:

    • Name: ABR – FDA

    • Identifier type: Path

    • Identifier: /Library/adminbyrequest/adminbyrequest

    • For Code Requirement, enter the following line of code:

      identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP

      IMPORTANT: The code snippet is all one line. Copy it in full, without line breaks.

  7. The completed form:

  8. Finally, select Allow in the Full disk access field.
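
The Code Requirement from step 6 can be checked on a Mac that already has Admin By Request installed, before the profile is assigned. The script below is an added example, not part of the vendor's documentation; the function names and the `run` argument are assumptions, while the path and requirement string are the ones given in step 6. It confirms the pasted string is a single clean line, shows which signing identifier and Team ID it pins, and asks `codesign` whether the binary at the profile's path satisfies it.

```shell
#!/bin/sh
# Added example, not vendor code. Path and requirement are copied from the
# Edit Row step above; the function names are hypothetical.
ABR_PATH='/Library/adminbyrequest/adminbyrequest'
ABR_REQ='identifier "com.fasttracksoftware.adminbyrequest" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AU2ALARPUP'

# Succeeds only for a non-empty, single-line, printable-ASCII string.
# Catches line breaks and typographic quotes picked up while copying.
req_is_clean() (
    LC_ALL=C
    case "$1" in
        "" | *[!\ -~]*) false ;;
        *) true ;;
    esac
)

# Signing identifier the requirement pins.
req_identifier() {
    printf '%s\n' "$1" | sed -n 's/.*identifier "\([^"]*\)".*/\1/p'
}

# Leaf-certificate OU (Apple Team ID) the requirement pins.
req_team_id() {
    printf '%s\n' "$1" | sed -n 's/.*certificate leaf\[subject\.OU] = "*\([A-Z0-9]*\).*/\1/p'
}

# macOS only: test a binary against the requirement. Returns codesign's exit
# status (0 = requirement satisfied), or 64/69 if the check could not run.
check_binary() {
    req_is_clean "$ABR_REQ" || { echo "requirement is not one clean line" >&2; return 64; }
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found (macOS only)" >&2; return 69; }
    echo "pinned identifier: $(req_identifier "$ABR_REQ"), team: $(req_team_id "$ABR_REQ")"
    # A leading "=" tells codesign the argument is requirement source text.
    codesign --verify -R "=$ABR_REQ" "${1:-$ABR_PATH}"
}

# Run only when asked, e.g.:  sh check_abr_req.sh run [path]
if [ "${1:-}" = "run" ]; then
    check_binary "${2:-$ABR_PATH}"
fi
```

A non-zero result means the binary on that Mac would not match the profile's Code Requirement, so the Full disk access grant would not apply to it.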