Intune Application Deployment (My) Best Practices

This comes up when deploying applications with Intune, so I thought I would throw this out there.

Deploying to User Groups

Pros:

  1. User-Centric Applications:
    • Applications follow the user, regardless of the device they sign in to. This is ideal for applications that are tied to user productivity (e.g., Office 365 apps).
  2. Dynamic User Assignment:
    • If a user moves to a new device, the applications will automatically install on that device when they sign in.
  3. Licensing Considerations:
    • For applications licensed per user, this approach ensures compliance.
  4. Targeting Based on User Identity:
    • Easier to manage in scenarios where users need specific applications based on their role, department, or group membership.

Cons:

  1. Device Variability:
    • If users sign into shared or non-primary devices, applications may install unnecessarily.
  2. Potential Conflicts:
    • Some applications may fail if they require device-specific configurations or permissions.
  3. Dependency on User Sign-In:
    • Applications will only install when a user logs into the device.

Deploying to Device Groups

Pros:

  1. Device-Centric Applications:
    • Ideal for applications that are required on specific devices, such as kiosks, shared devices, or devices with a fixed purpose.
  2. Consistency:
    • Applications install regardless of who logs in, ensuring a consistent experience on the device.
  3. Performance and Control:
    • Allows better control over app deployment to specific hardware or device types (e.g., Windows 10, iOS, macOS).
  4. Shared Devices:
    • Useful for devices used by multiple users, such as in a classroom, hospital, or factory.

Cons:

  1. Less Flexibility for Users:
    • Applications do not follow users if they sign into other devices.
  2. Licensing Issues:
    • For applications licensed per user, deploying to devices may result in compliance issues.
  3. Static Assignment:
    • Device groups are often more static, requiring manual updates when devices are added or removed.

When to Use Each Approach

| Scenario | Recommended Group Type |
|---|---|
| Applications tied to user identity (e.g., Office 365, OneDrive) | User Groups |
| Applications for shared devices (e.g., kiosks, classrooms) | Device Groups |
| Applications with per-user licensing requirements | User Groups |
| Applications with per-device licensing or configurations | Device Groups |
| Consistent app deployment on all devices regardless of user | Device Groups |
| Role- or department-based app assignment | User Groups |

Hybrid Approach

In many cases, a hybrid approach works best:

  • Deploy user-specific applications (e.g., productivity tools) to user groups.
  • Deploy device-specific applications (e.g., security tools, drivers, or shared apps) to device groups.

For example:

  • Deploy Microsoft Office to a user group.
  • Deploy Antivirus software to a device group.

Key Considerations

  1. Licensing: Ensure you comply with licensing terms for per-user or per-device applications.
  2. Shared Devices: For shared devices, always target device groups to avoid unnecessary app installations.
  3. Dynamic Groups: Use dynamic groups in Intune to automate group membership for both users and devices based on attributes like department, OS, or device name.
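
As an added example (not from the original post), the script below creates one dynamic user group and one dynamic device group with the Microsoft Graph PowerShell SDK, which can then be used as Intune app assignment targets. The group names, the "Sales" department value and the "KIOSK-" device name prefix are assumptions chosen for illustration.

```powershell
# Added example: dynamic Entra ID security groups for Intune app targeting.
# Requires the Microsoft.Graph.Groups module and Group.ReadWrite.All consent.
# All group names and rule values below are assumptions, not from the post.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$groups = @(
    @{
        # User group: membership follows the department attribute.
        DisplayName = 'APP-Users-Sales'
        Description = 'Sales users; target for per-user licensed apps'
        Rule        = '(user.department -eq "Sales")'
    },
    @{
        # Device group: membership follows OS type and a naming convention.
        DisplayName = 'APP-Devices-Windows-Kiosk'
        Description = 'Windows kiosks; target for device-assigned apps'
        Rule        = '(device.deviceOSType -eq "Windows") -and (device.displayName -startsWith "KIOSK-")'
    }
)

foreach ($g in $groups) {
    # Look for an existing group first so re-running the script is safe.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.DisplayName)'" `
        -Property Id, DisplayName, MembershipRule | Select-Object -First 1

    if ($existing) {
        # Flag rule drift instead of silently overwriting someone's change.
        if ($existing.MembershipRule -ne $g.Rule) {
            Write-Warning "$($g.DisplayName) exists with a different rule: $($existing.MembershipRule)"
        }
        continue
    }

    $params = @{
        DisplayName                   = $g.DisplayName
        Description                   = $g.Description
        MailEnabled                   = $false
        MailNickname                  = ($g.DisplayName -replace '[^A-Za-z0-9]', '')
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $g.Rule
        MembershipRuleProcessingState = 'On'
    }
    $created = New-MgGroup @params
    Write-Output "Created $($created.DisplayName) ($($created.Id))"
}
```

Membership is evaluated asynchronously after creation, so confirm the group contains the expected users or devices before assigning an app to it.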

Conclusion

  • User Groups are better for user-centric applications that follow users across devices.
  • Device Groups are better for device-centric applications that must be installed on specific devices.

In practice, using both methods strategically will give you the most flexibility and control in your Intune environment.
