Intune App Wrapping Tool

admin

A tool to wrap Windows Classic App and then it can be uploaded to Intune - microsoft/Intune-Win32-App-Packaging-Tool. Intune is a unified endpoint management tool that offers a number of helpful mobility management functions, such as mobile device enrollment, mobile app wrapping and app protection. IT professionals must understand the benefits and use cases for these Intune app management controls and features before they try to deploy them across an organization. If you use the IntuneWinAppUtil.exe content prep tool to create Win32 apps for deployment through Intune, I created this simple wrapper to speed things up. Drop the Package-IntuneApp.ps1 into the root of your packaging directory structure, mine looks like this: OneDrive Packages Packages Microsoft-AzureStorageExplorer; Packages Chocolatey-Free. Feb 22, 2021 Use the Intune App Wrapping Tool for Mac to enable Mac apps to be managed by Microsoft Intune. Important The.pkg file must be signed using 'Developer ID Installer' certificate, obtained from an Apple Developer account.

Win32 Apps, What Are they?

If you’re familiar with Configuration Manager/MEMCM then think of these files as your source directory, the difference being you are effectively zipping it up and then uploading to Intune.

According to Microsoft, if you decide to use Win32 Apps, it is advised that you use these exclusively and NOT ‘Mix and Match’ these with Line of Business applications when using Autopilot (See Microsoft Doc link below).

What content can be in a Win32 App Package?

The answer to that is well pretty much anything to a certain extent. These files are just proprietary files for Intune however under the hood they are just zip files that are then hashed and encoded.

Intune app wrapping tool for android download

What uses are there for Win32 Apps?

Well put, to Install apps. Now don’t be thrown by the 32 as these are not just for 32-bit apps, they can be used for any app.

You can use Win32 apps to just launch PowerShell scripts, Batch scripts, VBScripts etc. as long as you have a detection method if they succeed.

Mainly they are used for installing custom app packages like Greenshot, Citrix, PSADT Apps etc.

Microsoft Doc: Win32 app management in Microsoft Intune | Microsoft Docs

Package Creation Methods

IntuneWinAppUtil Application

The first method is creating a packaged using the GUI (Well kind of GUI) that is mentioned in the Microsoft Doc. Yiu can grab the utility from the below link;

If you clone/download the files, and extract them to a suitable location to work with.

Let’s get started. The below works on the assumption you have your files in a folder with noting other than those required for the app. (You don’t want to be uploading your entire desktop do you :P)

  1. Launch the IntuneWinAppUtil.exe
  2. Type/Paste your Source Directory (e.g. C:/Win 32 Apps/7-Zip), hit Enter.
  3. Type/Paste you setup file name (e.g. 7z2002-x64.exe or MyScript.ps1), hit Enter
  4. Type/Paste your Output Directory (e.g. C:/Win 32 Apps), hit Enter.
  5. When prompted about catalogue files type N unless you are deploying to Windows S Mode, hit Enter
The window will automatically close when your .intunewin file is finished if you head over your output folder you will be able to get your file for upload.

PowerShell

For you command-line gurus and script lovers out there, you will be pleased to know that there is a PowerShell module for bundling these your apps up, you can even go a step further and import them via a script, but we will save that for another post :D.

You can install the module using the following command;

Once you have the module installed you can type a command like this;

This command will create a .intunewin file in the output location named 7z2002-x64.intunewin, this is because it takes the installers name for the output. Unfortunately at the time of writing this, you can’t do it natively with this module. However, you can add a Rename-Item into your script to change it.

Using the packages with Intune

Head over to Microsoft Endpoint Manager admin center (Intune) to to get started

  1. Select Apps from the navigation pane
  2. Select All Apps, Click Add
  3. Select App type Other>Windows app (Win32), Click Select
  4. Click Select app package file, Click the Blue Folder icon to open the browse windows
  5. Select the .intunewin file you have created, Click Open and then click OK
  6. Fill out the Name and Publisher mandatory fields, and any other fields you desire
  7. Upload an icon if you desire, I would recommend doing this if you are deploying this to users via the Company Portal
  8. Click Next
  9. Enter your install command (e.g. 7z2002-x64.exe /S)
  10. Enter your uninstall command (e.g. 'C:Program Files7-ZipUninstall.exe'/S)
  11. Select your install behavior, if this is a machine wide installation you will need to select System, otherwise select User if this is installing to the user profile
  12. Select your desired restart behavior, Adding custom return codes if required
  13. Click Next
  14. Complete your OS Requirements, At a minimum you need to specify the Architecture (x86/x64) and the minimum OS Version (e.g. 1607/1703 etc.)
  15. Click Next
  16. For Detection rules, See the Detection Rules section below, Once complete click Next
  17. Add any dependent Intune Apps you may require, Click Next
  18. Assign the application to your desired group, just as a NOTE if you want to display the app in the company portal, it MUST be assigned to a group containing that user. Required Assignments will force the app to install, whereas Available will show this in the Company Portal. Click Next
  19. Click Create
WrappingThat is your app finished and deploying, it is worth noting it may take 15/20 minutes to be available on the device, the device must also perform a sync to check for the app.

Detection Rules

Detection rules have 4 options, you can use a Custom Detection Script, Registry, File(Folder) and MSI, lets look at them in a little bit more detail.

When you first reach the Detection Rule Screen you will have a single Drop-Down box with two options, Use a custom detection script and Manually configure detection rules. File, Registry and MSI are all available under the Manual option, it is worth noting that you can can mix and match these rules, however there are considered AND methods. If you are looking to do a AND/OR detection you will need to use a custom PowerShell Script.

We will dive into all of the options below.

File

As you can see above using this detection method is fairly straight forward, however it can get a bit messy if you use the Date Created/Modified options.

Lets put a rule together.

  1. Rule Type - File
  2. Path - 'YourPath' (e.g. C:Program Files7-Zip)
  3. File or Folder - 'YourFileFolder' (e.g. 7z.exe)
  4. Detection Method - File or Folder Exists
  5. Associated with a 32-bit app on a 64-bit client, No.
Now that rule is very quick and simple, as mentioned you can use the date modified or created option, and that would look something like below.
  1. Rule Type - File
  2. Path - 'YourPath' (e.g. C:Program Files7-Zip)
  3. File or Folder - 'YourFileFolder' (e.g. 7z.exe)
  4. Detection Method - Date Modified
  5. Operator, select the option that you wish to validate against (e.g. Equals, Greater than etc.)
  6. Select the date using the date picker and enter the time using the 12 hour format
  7. Associated with a 32-bit app on a 64-bit client, No.

Registry

The registry option is fairly straight forward, and is the most likely option you are going to select if you are just installing a simple application and just want to check that the program itself exists. Again for the detection method you have various options, for this example we will just use Key Exists

  1. Rule Type - Registry
  2. Key Path - 'Path to key' (e.g. HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/7-Zip)
  3. Value Name - 'Vaule Name' (e.g. DisplayVersion)
  4. Detection Method - File or Folder Exists
  5. Associated with a 32-bit app on a 64-bit client, No.

MSI

MSI detections are quick and easy if you are installing an MSI application, all you need is the GUID, for the 7-zip app this is not applicable however below is a basic example. You can also perform version checks on the MSI apps.

  1. Rule Type - MSI
  2. MSI Product Code - 'Product GUID' (e.g. {8C3A8923-0000-0000-0000-C82C1BE7294D})
  3. MSI product version check - Yes
  4. Select your operator (e.g. Equals, Greater than etc.)
  5. Value - Product Version (e.g. 20.02)

Detection Script

For me, this is the most favorable option, but I love to script :D. But that aside you can check multiple actions, the only thing you need to do is return any value other than Null for the detection to pass. For example the below script checks for the registry value and also that the file exists, if they do it will return a True value, else it will return nothing.

You will need to have the file save and ready to be upload to Intune, The above is written in PowerShell so will need a .ps1 extension. To use this method follow the below steps.

  1. Rule format - Use custom detection script
  2. Script file - Upload yours using the blue folder icon
  3. Run Script as a 32-bit process on 64-bit clients - No(This is entirely your choice again but for this example it is not required)
  4. Enforce script signature check and run script silently - No
That covers the basics all of the detection methods, if you have any further questions please reach out or review the Microsoft Docs.

3rd Party/Community Tools & Blogs

Here are some of the 3rd Party and Community Tools and Blogs that I have found useful and they may help you in you hour of need!!

Syst & Deploy - Intune Win32 App Tool

This is a great tool to create and extract/decode Win32 apps if you prefer a GUI to creating your intunewin files, this tool also has a feature to decode the packages you already have incase you loose the source files but have the intunewin file.

Oliver Kieselbach - How to decode Win32 App Packages

This is a great guide and it can truly help pull you out of the gutter if you have lost all of your intunewin files, although its not straight forward to get them back (Not Oliver’s Fault) this guid provides you an in-depth guide on how to retrieve the intunewin packages. Truly worth a read and Kudos to Oliver for giving us this gift.

Last year I wrote a blog about how to deploy the Citrix Receiver (which is now replaced by the Citrix Workspace app) via Intune. Like described in that blog, the executable consists of 10 MSIs that need to be installed on a Windows 10 device when you are not able to use the store app of Citrix in the Microsoft app store.

With the new Windows app (Win32) app type you are able to deploy more complex Win32 apps via Microsoft Intune. So, the Citrix Receiver is a great app to test the new feature in Microsoft Intune with.

To be able to use this app format you need to wrap the file into a format that is supported by Microsoft Intune. The INTUNEWIN format is a format especially for Microsoft Intune and which allows you to wrap executables or multi file MSI installs, a great addition.

The Intune Win32 App Packaging Tool is the tool to be used to “wrap” the installation files into the INTUNEWIM format. The packaging tool can be downloaded here.

After downloading the packaging tool you need to follow the next steps to package the Citrix Receiver.

  1. Download the Citrix Receiver 4.12
  2. Extract the Intune Win32 App Packaging tool and execute the following command;

intunewinapputil -c . -s citrixreceiver.exe -o .

-c = source path with all setup files

-s = setup file for the Citrix Receiver

-o = output path

  1. After successfully creating the new package we need to add the package to Microsoft Intune, this can be done in the Intune console via https://portal.azure.com > Intune > Client Apps > Apps and click Add.
  2. First step is to add the App package file citrixreceiver.intunewin, click OK
  3. Click App information and supply the Name, Description and Publisher as mandatory fields and click OK
  4. Click Program and supply the following information and click OK:
    1. Install command: citrixreceiver.exe /silent
    2. Uninstall command: citrixreceiver.exe /uninstall
    3. Install behaviour: System

Intune App Wrapping Tool Ios

You need to add the command line that allows you to install and uninstall the Citrix Receiver unattended. Of course, this differs per application.

Intune App Wrapping Tool

  1. Click Requirements and supply the Operation System Architecture, Minimum Operation System version, Disk space required (MB), Physical memory required (MB), Minimum number of logical processors required, Minimum CPU speed required (MHz) and click OK.
  2. Click Detection Rules and supply the way to check if an application is already installed on a device, this can be done via a manual rule by checking the existence of an MSI product code, if a file or folder exists or if a registry key exists. Also, a detection script can be used. After configuring the detection rules, click OK.
  3. Click Return codes and check if the default return codes are okay and click OK
  4. Next, click Add to add the app to Intune.

Intune App Wrapping Tool Mac

Next you can deploy the app to your Windows 10 devices and you will see that the Citrix Receiver is being installed using the new app you have just created. In the console you can see if the deployments are successful or not.

Intune App Wrapping Tool For Android Download

Comments