MSEndpointMgr

Intune App Factory

Intune App Factory is an automated solution that combines the flexibility and power of Azure DevOps Pipelines together with the IntuneWin32App PowerShell module, intended to simplify and streamline the application packaging process in Intune.

Intune App Factory does this by reducing the overall manual steps involved in the process, replacing these with automated tasks such as:

  • Check for new available application versions
  • Detect and download the latest application content
  • Prepare and package the latest application
  • Create the application in Intune

In addition to the automated steps mentioned above, Intune App Factory was built to automatically incorporate the PowerShell App Deployment Toolkit into every application it creates in Intune.

How does it really work?

With application packaging, it’s almost impossible to automate every involved step, but those that are repetitive should definitely be taken out of the equation. Intune App Factory was designed around the concept of ‘onboarded applications’: you, as the administrator, define how Intune App Factory should handle a given application. For instance, let’s assume you want to onboard 7-Zip and let Intune App Factory handle the whole application packaging process, from detecting that a new version is available to having it deployable from Intune. That is where the onboarding process comes into play. Onboarding an application in Intune App Factory means that you define the following in a manifest file:

  • Application name, publisher and branding
  • Source from where to check for new versions
  • Source specific detection configuration
  • Application detection rule logic
  • Unattended installation configuration

When all of the above have been defined, the onboarding of the application is complete, and Intune App Factory takes over and periodically checks for newer versions as they become available. In most situations, the onboarding process is a one-time operation per application.

What sources does Intune App Factory work with?

Winget, Evergreen, Storage Account

What applications can be onboarded?

Anything that is available from the Winget and Evergreen sources; and with the Storage Account source type, where you supply the installer content yourself, essentially anything.

Prerequisites

Before you can get started setting up Intune App Factory, you will need to ensure the following prerequisites are in place. Intune App Factory requires you to have access to the following, including the specified permissions:

  • Azure DevOps Organization
    • You require access to a project within an Azure DevOps Organization within your company. Project Administrator permissions on that project are recommended to complete the setup steps.
  • Azure subscription
    • Contributor access to subscription or Contributor access to a resource group where an Azure Key Vault can be created.
  • Azure Active Directory
    • Permission to create app registrations (service principals).

License requirements

To gain access to Azure DevOps, there are two possibilities from a license perspective. You can either purchase Azure DevOps licenses directly, or gain access through an active Visual Studio subscription. Both to stay compliant and because certain functionality within Azure DevOps will not even appear in your project without the right license, it’s recommended that you speak to whoever manages licenses within your company to obtain the correct one.

Your user must have a valid license or subscription for Azure DevOps, otherwise you will not have access to Repos, and potentially not to other required features such as Pipelines, that Intune App Factory makes use of.

For subscribers of Visual Studio (formerly known as MSDN subscriptions), you can get more details regarding licenses and what’s included:

Azure DevOps benefits for Visual Studio subscribers | Microsoft Learn

In my lab environment, being an MVP, Microsoft kindly provides us with a Visual Studio Enterprise subscription, which I’ll be using while writing these setup instructions:

If, at some point while following along in setting up Intune App Factory, you find that you don’t have access to Pipelines or other features of Azure DevOps, consult your license and what features it includes, as that’s most likely the culprit.

Azure DevOps Organization

It’s very likely that your company already makes use of Azure DevOps in some form, and has existing organizational structures set up. Intune App Factory was built to be used with Pipelines, with the source code hosted in a Repository of a Project within an Organization in Azure DevOps. Initial setup of Azure DevOps is not covered in these instructions, and if Azure DevOps is already in use, it’s recommended that you reach out to the department that manages access and request a new Project within your existing Azure DevOps Organization.

In the event Azure DevOps is not already used within your company, the process for setting it up is very well documented by Microsoft and is therefore not covered in these instructions. You will find everything you need to get started here:

Create an organization – Azure DevOps | Microsoft Learn

Azure subscription

Intune App Factory requires one or more virtual machines, depending on how highly available you want the self-hosted agents that perform all the heavy lifting to be, as well as access to secrets stored securely in a Key Vault. For this, an Azure subscription is required in which such resources can be created.

Azure Active Directory

As we’re going to store client secrets of service principals in an Azure Key Vault resource, Azure DevOps must be able to read those secrets. In addition, Intune App Factory makes use of a service principal with permission to create Win32 app objects in Intune.

Create a Key Vault in Azure

It’s good practice to use an Azure Key Vault to store secrets, especially when dealing with service principals in Azure AD. Storing a client secret for a service principal in a Key Vault isn’t only a good security practice; it also lets every application and service that can talk to the Key Vault retrieve the secret in a controlled manner, restricted by the vault’s access policies, instead of the secret being copied around in pipeline definitions or on disk.

Intune App Factory doesn’t strictly require a Key Vault, however the setup guide assumes that you create one and follow good security practices. It’s also easier to follow along through the setup instructions that way. If your organization already has processes for storing secrets for Azure resources in a Key Vault, use the existing Key Vault instead where applicable.

Follow the instructions below from Microsoft on how to create an Azure Key Vault resource:

Quickstart – Create an Azure Key Vault with the Azure portal | Microsoft Learn

Throughout these setup instructions, the following Key Vault resource will be used, available in a resource group named ‘mse-az-devops’:

Create a Log Analytics workspace for analytics

Log Analytics workspaces are useful for sending log data for analytics purposes and more. Intune App Factory makes use of a Log Analytics workspace merely to send a log event for each newly published application it has created in Intune.

Follow the instructions below from Microsoft on how to create a Log Analytics workspace resource:

Create Log Analytics workspaces – Azure Monitor | Microsoft Learn

Add Log Analytics workspace Primary Key to Key Vault

Once the workspace has been created, browse to the resource and click on Agents under Settings. Expand Log Analytics agent instructions under Windows servers. Make a note of the Workspace ID, as it will be used later when configuring the Azure DevOps Pipeline variable groups. Copy the Primary Key value. Treat the Primary Key as a credential: anyone holding it can write arbitrary records into the workspace, which is why it goes into the Key Vault in the next step rather than into a pipeline variable.

Browse to your Key Vault and click on Secrets under the Objects section.

Click on Generate / Import.

Provide a name for the new secret, e.g. LA-IntuneAppFactory-PrimaryKey. Enter the previously copied Primary Key value from the Log Analytics workspace in the Secret value field. Depending on your internal processes, configure the additional fields as required. Click Create.

You should now see the new secret object created.
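To show what the Workspace ID and Primary Key stored above are actually used for: the Log Analytics HTTP Data Collector API authenticates every POST with an HMAC-SHA256 signature over a canonical string, keyed with the base64-decoded Primary Key. The function below is an added example written for this page, not code from the Intune App Factory repository; the workspace ID, the vault and secret names and the sample event are assumptions. Note that Microsoft has deprecated this API in favour of the Logs Ingestion API (which uses Azure AD authentication instead of a shared key), so check the retirement date before building new tooling on it.

```powershell
# Added example, not code from the page or the Intune App Factory repository.
# Signed request for the Log Analytics HTTP Data Collector API.
function Send-LogAnalyticsEvent {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$SharedKey,   # Primary Key (base64). Read from Key Vault, never hard-code.
        [Parameter(Mandatory)][string]$LogType,     # Ends up as the custom table <LogType>_CL
        [Parameter(Mandatory)][object]$Record
    )
    $body    = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json @($Record) -Compress))
    $rfc1123 = [DateTime]::UtcNow.ToString('r')

    # Canonical string the service signs on its side: method, content length,
    # content type, the x-ms-date header and the resource path, newline separated.
    $toSign    = "POST`n$($body.Length)`napplication/json`nx-ms-date:$rfc1123`n/api/logs"
    $hmac      = [Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($SharedKey))
    $signature = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))

    $headers = @{
        'Authorization' = "SharedKey ${WorkspaceId}:$signature"
        'Log-Type'      = $LogType
        'x-ms-date'     = $rfc1123
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    # A 200 with an empty body means the record was accepted; a 403 almost always means a
    # wrong key or a clock that is off by more than the service tolerates.
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body -ContentType 'application/json'
}

# Usage (assumed names): pull the key from the vault, which needs only Get on secrets,
# the same permission the pipeline service principal is granted later, and send one event.
$workspaceId = '<workspace-id>'                     # from Agents > Log Analytics agent instructions
$sharedKey   = Get-AzKeyVaultSecret -VaultName 'kv-intuneappfactory' -Name 'LA-IntuneAppFactory-PrimaryKey' -AsPlainText
Send-LogAnalyticsEvent -WorkspaceId $workspaceId -SharedKey $sharedKey -LogType 'IntuneAppFactory' -Record @{
    # Constructed sample event
    AppName   = '7-Zip'
    Version   = '23.01'
    Result    = 'Published'
    Timestamp = [DateTime]::UtcNow.ToString('o')
}
```

The `x-ms-date` value must be the same string in the header and in the signed payload, and the content length in the canonical string must be the byte length of the UTF-8 body, not the character count; both are common reasons for a 403 when people hand-roll this.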

Create Azure AD service principals

Intune App Factory makes use of two different service principals that must be created in Azure AD.

  • Service Connection service principal
    • Used to authenticate against the Azure subscription and Key Vault
  • Intune service principal
    • Used to authenticate against Graph API and Intune

Service Connection service principal

In the Azure portal, browse to Azure Active Directory and App registrations. Click on New registration.

Provide a name for the app registration, e.g. Azure DevOps Service Connection. Ensure that Account in this organizational directory only is selected. Do not configure anything for Redirect URI. Click Register.

The new service principal has now been registered. Make a note of the Application (Client) ID in the Overview section, as it will be required later in the setup instructions when creating the Service Connection in Azure DevOps.

Create Service Connection service principal Client Secret

Click on Certificates & secrets and click New client secret.

Provide a name for the secret and select the expiry configuration in accordance with your organizational policies. Click Add.

The new client secret has been added and the value is shown in the portal, this one time only. Copy it temporarily, as it will be used later when setting up the Service Connection in Azure DevOps. While it’s not required for Intune App Factory, it’s recommended to store this client secret in the newly created Key Vault as well, so that it can be rotated and retrieved from one place later.

Add access for Service Connection service principal to Key Vault

Browse to your Key Vault and click on Access configuration.

Ensure the permission model is set to Vault access policy. If your organization has standardized on the Azure role-based access control permission model for Key Vault instead, skip the access policy steps below and assign the service principal the built-in Key Vault Secrets User role on the vault, which gives the same read-only access to secrets.

Click on Access policies to the left or click on the button Go to access policies.

Click Create.

Under Secret permissions, check both Get and List and click Next. These two are all the pipeline needs; do not grant Set, Delete, Recover or Purge to this principal.

Search for the name of the Service Connection service principal (named Azure DevOps Service Connection in these instructions), ensure it’s the selected item and click Next.

Click Next in the Application (optional) section.

Click Create in the final Review + create section.

Access to the Key Vault has now been granted for the Service Connection service principal.

Intune App Factory service principal

In the Azure portal, browse to Azure Active Directory and App registrations. Click on New registration.

Provide a name for the app registration, e.g. Intune App Factory. Ensure that Accounts in this organizational directory only is selected. Do not configure anything for Redirect URI. Click Register.

The new service principal has now been registered. Make a note of the Application (Client) ID in the Overview section, as it will be required later in the setup instructions when creating a variable group in the Pipeline Library in Azure DevOps.

Add Graph API permissions for the Intune App Factory service principal

Click on API Permissions under the Manage section of the Intune App Factory service principal.

Click on the ellipsis button next to the User.Read permissions and select Remove permission.

In the prompt, select Yes, remove.

Click Add a permission.

Click on Microsoft Graph.

Click on Application permissions.

Search for DeviceManagementApps.ReadWrite.All under Select permissions. Expand DeviceManagementApps and check the DeviceManagementApps.ReadWrite.All permission. Click Add permissions.

The required permission has now been added, but it is an application permission and therefore requires admin consent before it takes effect. Click Grant admin consent for <tenant name>.

Click Yes in the prompt that appears.

Admin consent should now have been successfully granted. If your organization doesn’t allow you to consent to these permissions, contact the team or department that manages those aspects.

Create Intune App Factory service principal Client Secret

Click on Certificates & secrets and click New client secret.

Provide a name for the secret and select the expiry configuration in accordance with your organizational policies. Click Add.

The new client secret has been added and the value is shown in the portal. Make sure that you temporarily copy the value as it will be used later when setting up

Add Intune App Factory service principal Client Secret in Key Vault

Browse to your Key Vault and click on Secrets under the Objects section.

Click on Generate / Import.

Provide a name for the new secret, e.g. SP-IntuneAppFactory-ClientSecret. Enter the previously copied client secret value from the Intune App Factory service principal in the Secret value field. Depending on your internal processes, configure the additional fields as required. Click Create.

You should now see the new secret object created.
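For anyone who prefers to script the two registrations above (and keep the secrets out of the clipboard), the following PowerShell is an added example, not code from this page or from the Intune App Factory repository. It reproduces the portal steps with the Microsoft.Graph and Az modules: single-tenant registrations with no redirect URI, the Intune App Factory service principal gets only DeviceManagementApps.ReadWrite.All with admin consent (the app role assignment is what the Grant admin consent button does), and the Service Connection service principal gets only Get and List on secrets. The vault name, the secret lifetime and the assumption that the vault uses the access-policy permission model are mine; the account running it needs rights to create app registrations, grant admin consent and manage the vault’s access policies.

```powershell
# Added example, not code from the page or the Intune App Factory repository.
#Requires -Modules Az.Accounts, Az.KeyVault, Microsoft.Graph.Applications
$TenantId     = '<tenant-id>'
$VaultName    = 'kv-intuneappfactory'   # assumed vault name (access-policy permission model)
$SecretMonths = 6                       # assumed secret lifetime; align with your rotation policy

Connect-AzAccount -Tenant $TenantId | Out-Null
Connect-MgGraph -TenantId $TenantId -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

# Resolve the Graph app role by name instead of hard-coding its GUID.
$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph application ID
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$appRole    = $graphSp.AppRoles | Where-Object {
    $_.Value -eq 'DeviceManagementApps.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'
}

function New-FactoryServicePrincipal {
    param([string]$DisplayName, [switch]$GrantIntuneAppsRole)
    # Single tenant, no redirect URI, matching the portal steps. No delegated User.Read is requested.
    $params = @{ DisplayName = $DisplayName; SignInAudience = 'AzureADMyOrg' }
    if ($GrantIntuneAppsRole) {
        $params.RequiredResourceAccess = @(@{
            ResourceAppId  = $graphAppId
            ResourceAccess = @(@{ Id = $appRole.Id; Type = 'Role' })
        })
    }
    $app = New-MgApplication @params
    $sp  = New-MgServicePrincipal -AppId $app.AppId
    if ($GrantIntuneAppsRole) {
        # An app role assignment on the SP for an application permission is admin consent.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $graphSp.Id -AppRoleId $appRole.Id | Out-Null
    }
    $cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = 'IntuneAppFactory'; EndDateTime = (Get-Date).AddMonths($SecretMonths)
    }
    [pscustomobject]@{ AppId = $app.AppId; ObjectId = $sp.Id; Secret = $cred.SecretText }
}

# 1. Service Connection SP: Get/List on secrets only, no role on the subscription
#    (which is why "Verify" in Azure DevOps fails later and "Save without verification" is used).
$scSp = New-FactoryServicePrincipal -DisplayName 'Azure DevOps Service Connection'
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $scSp.ObjectId -PermissionsToSecrets get, list

# 2. Intune App Factory SP: Graph application permission with consent; its secret goes straight into Key Vault.
$iafSp = New-FactoryServicePrincipal -DisplayName 'Intune App Factory' -GrantIntuneAppsRole
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'SP-IntuneAppFactory-ClientSecret' `
    -SecretValue (ConvertTo-SecureString $iafSp.Secret -AsPlainText -Force) `
    -Expires (Get-Date).AddMonths($SecretMonths) | Out-Null

# Values needed in Azure DevOps. The Service Connection secret is shown once because it has to be
# pasted into the service connection form; the Intune App Factory secret never leaves the vault.
"Service Connection  AppId: $($scSp.AppId)  Secret: $($scSp.Secret)"
"Intune App Factory  AppId: $($iafSp.AppId)  (secret stored in $VaultName)"
Remove-Variable scSp, iafSp
```

If the vault uses the Azure RBAC permission model, replace the Set-AzKeyVaultAccessPolicy line with a New-AzRoleAssignment of the Key Vault Secrets User role scoped to the vault. Newly created service principals can take a few seconds to replicate, so a 404 on the access policy call right after creation is usually solved by simply re-running that line.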

Create an Azure DevOps Project

Skip this step if your company has already provided you with access to a project that you requested earlier.

From within the organization that was just created by following the Microsoft documentation, you’re automatically asked to create a Project, the first time you visit the following page:

https://dev.azure.com/<organization_name>

In the Project name field, enter a project name and optionally a description, and ensure the visibility is set to Private. It’s recommended to name the project after your department or team rather than just Intune App Factory. While that is perfectly fine, a project is much more than one solution in the DevOps world. I think it’s fair to draw a comparison with an Azure subscription, where you can have multiple items or resources spread across resource groups; a resource group in that analogy translates to a repository in Azure DevOps.

If you wish to make changes under the Advanced section, do so, but it’s recommended that you keep the default.

Click Create project.

Once created, you’ll be taken to the Project start page. It’s recommended that you bookmark this page, as this is the place where most of the configuration is performed in order to setup Intune App Factory.

The project start page can always be accessed again from the following URL:

https://dev.azure.com/<organization_name>/<project_name>

Import Intune App Factory data to new repository

All the scripts, the pipeline definition and the other resources that make up the Intune App Factory solution are publicly available on our GitHub repository. In this step we’ll import that repository into Azure DevOps. But before we do that, let’s explore the Repository settings of the Project to better understand where to make changes to a repository from a settings perspective.

From the Project start page, in the bottom left corner click Project settings.

Under Repos, click on Repositories.

When the project was first set up, a default repository with the same name was also created. This default repository is not going to be used, and can be deleted from here once we’ve imported the new repository from GitHub.

Familiarize yourself with the default available repository from this view in the Project settings. You can go back here and remove the repository with the same name as your Project, in case you wish to do so. It’s not a requirement, however it will make navigating Azure DevOps a bit easier.

Go back to Repos, by clicking on the Repos node in the left navigation pane.

From the top navigation ‘bread crumb’, click the repository name and then Import repository.

In the Clone URL field, enter the following URL:

https://github.com/MSEndpointMgr/IntuneAppFactory.git

Ensure the Name field is amended to IntuneAppFactory only, as it automatically adds .git at the end of the name. Click Import.

Wait for the import to complete, it only takes a short while.

Once imported, all the files available on the public GitHub repository have been copied into Azure DevOps, in a new repository named IntuneAppFactory. Note that this is a point-in-time copy, not a fork: later changes on GitHub will not appear in your repository unless you import or merge them yourself, which also means nobody can push changes into your pipeline without going through your own repository.

Setup Service Connection in Azure DevOps

A Service Connection in Azure DevOps can be used for various things, such as fetching resources and data from external services. For Intune App Factory, you have already stored the client secret for the Intune App Factory service principal in the Key Vault created earlier. For the pipeline to be able to use that client secret in a secure fashion, it needs to be made available to it, e.g. through a variable. A Service Connection to Azure Resource Manager allows Azure DevOps to pull secrets from the Key Vault and present them to the pipeline when needed, without the secret ever being stored in the pipeline definition.

Click Project settings in the left menu bar.

Scroll down through the Project settings menu, click on Service connections and then Create service connection.

Select Azure Resource Manager and click Next.

Select Service principal (manual) and click Next.

Locate the Subscription ID of the Azure subscription where the Key Vault resource resides. The ID can be found when searching for Subscriptions in the Azure portal, and in the Subscription ID column showing all subscriptions you have access to.

Enter the Subscription ID in the New Azure service connection configuration window. Additionally, enter the name of the subscription. Then in the Service Principal ID field, enter the Application (Client) ID of the Service Connection service principal (named Azure DevOps Service Connection in these instructions).

Enter the client secret of the Service Connection service principal created earlier in the Service Principal key field. Enter the Azure AD Tenant ID in the Tenant ID field. Provide a suitable name for the Service Connection and ensure the Grant access permissions to all pipelines check box is checked (in a project shared with other teams, consider leaving it unchecked and authorizing only the Intune App Factory pipeline when it first runs). Then expand the Verify and save button and select Save without verification.

If you click Verify and save instead, a failure message similar to the one below appears, stating that the Service Connection service principal (named Azure DevOps Service Connection in these instructions) lacks permissions on the subscription itself, which is in fact true. Verification performs a read against the subscription through Azure Resource Manager, and that role is not required when the principal only needs to read secrets from a Key Vault, which is authorized by the vault’s access policy and not by a subscription role.

Failed to query service connection API: 'https://management.azure.com/subscriptions/#SubscriptionID#?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '#ClientID#' with object id '#ObjectID#' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/#SubscriptionID#' or the scope is invalid. If access was recently granted, please refresh your credentials."}}'

The Service Connection has now been saved and should be visible in the list of service connections.
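Because the Service Connection service principal holds no role on the subscription, the Verify button has nothing to succeed against. What actually matters is whether that principal can obtain a token for the Key Vault data plane and read the secret, and whether the Intune App Factory service principal (created earlier) gets a Graph token that really carries the consented role. The check below is an added example, not code from this page or from the Intune App Factory repository; the tenant ID, both client IDs, and the vault and secret names are placeholders or assumptions, and Read-Host -MaskInput needs PowerShell 7.1 or later.

```powershell
# Added example, not code from the page or the Intune App Factory repository.
function Get-ClientCredentialToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret, [string]$Scope)
    # OAuth 2.0 client credentials grant; the scope selects the audience of the token.
    $body = @{
        grant_type = 'client_credentials'; client_id = $ClientId
        client_secret = $ClientSecret;     scope     = $Scope
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function Get-JwtRoles {
    # Decode the JWT payload to read the "roles" claim. Inspection only, no signature check.
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    (ConvertFrom-Json ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)))).roles
}

$TenantId   = '<tenant-id>'
$VaultName  = 'kv-intuneappfactory'                 # assumed
$SecretName = 'SP-IntuneAppFactory-ClientSecret'

# 1. Service Connection SP: token for the Key Vault data plane (audience vault.azure.net).
#    The ARM audience management.azure.com is what "Verify" uses, and that is where it is denied.
$scSecret = Read-Host 'Service Connection client secret' -MaskInput
$scToken  = Get-ClientCredentialToken -TenantId $TenantId -ClientId '<sc-client-id>' `
                -ClientSecret $scSecret -Scope 'https://vault.azure.net/.default'
$secret = Invoke-RestMethod -Uri "https://$VaultName.vault.azure.net/secrets/${SecretName}?api-version=7.4" `
              -Headers @{ Authorization = "Bearer $scToken" }
# $secret.value is the Intune App Factory client secret the pipeline will receive from the vault.

# 2. Intune App Factory SP: the Graph token must carry the application role granted by admin consent.
$iafToken = Get-ClientCredentialToken -TenantId $TenantId -ClientId '<iaf-client-id>' `
                -ClientSecret $secret.value -Scope 'https://graph.microsoft.com/.default'
$roles = Get-JwtRoles -Jwt $iafToken
if ($roles -notcontains 'DeviceManagementApps.ReadWrite.All') {
    throw "Admin consent is missing. Roles in token: $($roles -join ', ')"
}
# A read the role allows; a 403 here with the role present points at Intune licensing, not at the SP.
$apps = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps?$top=1' `
            -Headers @{ Authorization = "Bearer $iafToken" }

"Key Vault read OK (secret version $($secret.id.Split('/')[-1]))"
"Graph roles: $($roles -join ', '); Intune app list reachable: $($null -ne $apps.value)"
Remove-Variable scSecret, scToken, secret, iafToken
```

If step 1 returns 401 or 403, the access policy (or RBAC role) on the vault is the problem; a failure at the token endpoint itself means the client ID, secret or tenant ID is wrong. Run this from a workstation, not from the pipeline agent, and clear the variables afterwards as the last line does.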

Create an Agent pool in Azure DevOps

This part of the setup instructions can be skipped: when setting up the Azure Pipelines agent on a self-hosted virtual machine, the Default agent pool can be selected instead. However, it’s good practice to create your own agent pool to separate load and jobs sent to the agent, if there are other Azure DevOps projects within your organization that you don’t want to share resources with. A dedicated pool also limits which pipelines can run on the machine that holds the Intune and Key Vault credentials.

Also, in the initial version of Intune App Factory, it has not been fully verified whether the solution works on Microsoft-hosted agents (the Azure Pipelines pool); the instructions below assume a self-hosted agent.

Click on Project Settings in the Azure DevOps portal and then select Agent pools.

Click on Add pool.

Select Self-hosted as Pool type, provide a name for the agent pool, check Grant access permissions to all pipelines and click Create.

The newly created agent pool should now be visible in the list of agent pools.

Make a note of the agent pool name, as it will be provided during the agent setup and configuration.

Setup Azure DevOps self-hosted agent

Create the self-hosted agent virtual machine

A virtual machine in Azure can be deployed in various ways, either through the portal or using ARM templates (easily authored with Bicep). Given all the configuration options available, it’s impossible to cover every scenario for every organization, hence these setup instructions only provide a recommended setup. It should not be taken as best practice, but it gives you an indication of the general configuration needed, such as:

  • Running Windows 10 or 11 (or later)
  • Internet access is required

Apart from the absolute minimum requirements above, the virtual machine can be configured any way that is aligned with your organizational policies for Azure resources.

From within the Azure portal, browse to Virtual Machines and click Create.

Below screenshot illustrates how a virtual machine running Windows 11 Pro is configured to be able to run the Azure DevOps self-hosted agent.

Additional configuration is shown below.

Allowing inbound communication on port 3389 from the internet is not a recommendation, but the initial configuration of the self-hosted agent requires an interactive session on the machine. When the agent configuration has been completed, the RDP access must be removed again. If your subscription has Azure Bastion or Defender for Cloud just-in-time VM access available, use one of those instead of an open 3389 rule, and at minimum restrict the rule’s source to your own public IP address rather than Any.

Retrieve Personal Access Token (PAT)

Configure the self-hosted agent virtual machine

To configure the self-hosted agent virtual machine, we need to connect to it using RDP. Browse to your virtual machine, click Connect and select RDP.

Click on Download RDP File after all the connection tests complete successfully.

Establish a connection using the username and password set when creating the virtual machine in the previous steps. Once connected, you should have an active RDP session towards your virtual machine.

Follow these instructions from Microsoft on how to deploy an Azure Pipelines agent on a self-hosted virtual machine:

Deploy an Azure Pipelines agent on Windows – Azure Pipelines | Microsoft Learn

… describe the RDP connection to the VM, configure Winget (one-time)

Configure Pipeline variables groups

Create the Intune App Factory pipeline


Configure the Intune App Factory pipeline


Can this below be used? What about DevOps agent installation, can it be automated?

Run scripts on VMs after deployment with Bicep – Erlend Rushfeldt – Blog (errush.org)

Create host pool

Pipeline docs, what each step / job does

Document what all script does, generally

Application onboard docs
