A quick disclaimer: We are not developers, we are ‘integrators’. Our job is to watch the market to try and identify technologies and applications that will provide benefits to both our employer and customers. It can be an interesting game at times as both those requirements do not always balance in a way that feels like you are doing everyone justice. However, we would like to talk about an occasion where all these pieces came together in a way that was well balanced for everyone.
A “win-win” you might say.
So, what’s the catch?
Application packaging and management is a complex business. In the modern age of malware and ransomware, creating and maintaining a consistent environment is not just about improving user experience, but is also the foundation of excellent security. With this in mind, how do we balance the burden of managing our stack of applications whilst avoiding overburdening users and IT Administrators with overly complex application management systems?
What components or issues are we faced with?
- Repository: Source for the application installations.
- Deployment: Mechanism for installing the applications onto the machines.
- Maintenance: managing application versions and upgrades.
- Compliance: Ensuring machines have the correct software versions.
- Automation: Making it cost-effective and easily repeatable.
We wanted to create an environment where we were not replicating the same work repeatedly or managing repositories of application installer files. Achieving this would result in a more positive experience for both our employer and customers.
If you Google the problem of application packaging and maintenance there are many products that claim to have the solution. We have tried many over the years and while some have been good, nothing has blown us away and we are still yet to find one that really integrates well into the Microsoft 365 stack.
So, instead of looking for a single solution, we decided to start down another track and break the problem into smaller, more manageable pieces, and find solutions for each of them. And that’s where APaMaC (Applications Packaging & Management as Code) comes in.
When we realised we needed to look at application packaging and management from a different angle, we started to pull the pieces of the issue together thanks to a YouTube channel called “Intune Training” - where they talked about deploying Win32 applications using Microsoft’s VS Code (big thanks to Ben R). And our solution grew from there.
As Modern Workplace Engineers, specialising in Microsoft 365 stack, we naturally needed solutions that integrated with Microsoft Endpoint Manager/Intune. We were really looking forward to the release of Microsoft’s Winget application repo service, if anything is going to integrate with Intune it would be Microsoft’s own application repository, but as you have to run it in the “User” context, it was not going to work.
Thanks to a recent “Nerdio manager for WVD” deployment we completed for a client we revisited the application repo “Chocolatey” to script the base application installations. We found ourselves rapping some of this process in the Powershell Application Deployment Toolkit (PSADT) to enable the support of in-house applications. This is all easy to maintain thanks to Chocolatey’s update logic, the command “Upgrade” will install the app if it’s not there so the same command (or package) for installing is used for upgrading.
We now have the Repository, Deployment and Maintenance mechanisms.
Compliance is easy as we are just going to use all the built-in features of Intune (that’s what it is there for) and we can create application deployment packages that have no files to update as they just call for Chocolatey to download and install the app.
Now we get to the automation part, this is where we owe a big thanks to Ben R. and his GitHub repo “Intune-App-Deploy”. Using this we created my own repo (we may have changed the yaml to Json, but that’s just our personal preference), created a base set of application packages that we can now branch at will when we need to package apps for a different client. Each client gets their own branch of the repo making it easy and secure for other engineers to collaborate.
On the security front, if you have concerns around supply chain vulnerabilities then you can create a private Chocolatey repo and employ package verification and testing.
So, there we have it, deploying and maintaining applications via code using an easily repeatable automated procedure.
As we mentioned earlier, we have used this concept for automating application deployment in an Azure WVD solution and it works flawlessly. At the time of writing this, Intune’s support of Windows 10 Multisession has just been released into preview so it won’t be long before you can use the same repo’s for your client machines and WVD hosts. Exciting stuff.