124: Apps Delivery / App Compat
Overview
Use Intune to manage and update apps in your organization, and the principles of Zero Trust in defining an app management strategy:
-
Assume Breach - Regularly monitor app behavior and security events. Assume that threats may already exist and proactively detect anomalies. Keep apps up-to-date with security patches to minimize vulnerabilities. Integrate threat intelligence feeds, like Microsoft Defender for Endpoint, to identify known malicious apps or behaviors.
-
Verify Explicitly - Define policies for how apps are acquired, installed, and updated. Only download and install apps from trusted sources. Use a secure enterprise app catalog like Enterprise Application Management with Microsofot Intune.
-
Use Least-Privilege Access - Allow only approved apps to run on managed devices. Limit those who can install apps on devices or add new apps to Intune. Run your users as standard user (without administrative rights) and consider Endpoint Privilege Management with Microsoft Intune to complete tasks that require elevated privileges.
Entra Join app compat
Most apps should continue to work on Entra Join devices as they do for traditional domain-joined devices. Learn about Windows cloud-native endpoints and review Known issues and limitations with cloud-native endpoints for gudiance on known app compat issues with Entra Join.
Microsoft App Assure is a service that helps you proactively analyze app portfolios, fix and shim apps that might require a fix, and monitor app performance and reliability on Windows 11 before and after upgrading your organization.