App Deployments with Intune and Autopilot: A Simple Three-Tier Approach

Hi all,

Managing app deployments for new devices with Intune can be challenging, especially when trying to balance build efficiency and user experience. Today’s blog looks at how to streamline your app deployment process using Intune and Autopilot by implementing a simple three-tier approach that I have personally used in previous deployments. This method prioritizes essential applications while allowing flexibility for user preferences and non-critical software.

Why Use a Three-Tier Approach?

When deploying applications with Intune, it’s essential to balance both the needs of the business and the user’s experience. With a three-tier approach, you can ensure that critical applications are deployed efficiently during device setup while providing flexibility for less essential applications. This approach can significantly improve the device setup success rate, reduce user downtime, and provide users with the ability to install their own selection of applications.

Tier One: Essential Applications

The first tier includes essential applications like web browsers, Office 365 Suite, security software and other critical tools that users need immediately upon receiving their devices. These applications are deployed during the Enrollment Status Page (ESP), ensuring they’re available as soon as users start their devices for the first time.

Deploying these apps during the ESP phase ensures that users can hit the ground running, accessing necessary tools without delay. This is especially important for new employees or when rolling out new devices, as it allows them to be productive from day one.

For an application to meet the requirements of tier one, it should be essential for the user’s productivity or security. This is what allows you to justify blocking the completion of the device enrolment if the application fails to install. The application should also be a machine-wide install (one that installs using the SYSTEM account).

Tier Two: Required Applications Post-Login

Tier two consists of important applications that aren’t immediately necessary but should be installed soon after the initial setup. These apps are set as required applications but install post-login, allowing the device to complete its setup while gradually integrating the software. Tier two apps would usually be required for the entire organization (Adobe Acrobat) or entire departments (Visual Studio Code, Notepad++).

By installing tier two applications post-login, you minimize the impact on duration and completion rate during initial setup and ensure that users have access to these important tools as soon as they’re needed. It also reduces the impact of an application error during the install, because the installation will be attempted again at the next check-in.

Tier Three: Non-Business Critical and User Preference Apps

The third tier includes non-business critical applications and user preference apps, which are available in the company portal. These apps can be installed at the user’s discretion, providing flexibility and personalization without overwhelming the initial setup process.

This approach allows users to choose the tools that best suit their needs without forcing non-essential applications onto every device (Grammarly, VLC, FileZilla). It also enables IT to maintain a streamlined deployment process while still offering a wide range of software options.

Implementing the Three-Tier Approach with Intune and Autopilot

Here’s a step-by-step guide to implementing the three-tier approach in your organization:

  1. Define Your Tiers: Start by reviewing your application catalogue, then categorize each application into one of the three tiers based on business needs and user requirements.
  2. Configure Intune and Autopilot: Set up Intune and Autopilot to deploy tier one applications during the ESP phase. Make sure to block the enrollment from completing unless these applications install.
  3. Set Up Required Applications: For tier two applications, configure Intune to install these apps post-login. Use the “User” assignment group to manage these deployments. I recommend User groups because the applications will then install only once the user has logged into their profile. These applications will also retarget the user each time they receive a new device.
  4. Build the Company Portal: Populate the Company Portal with tier three applications, allowing users to install these apps as needed. Be sure to provide users with simple instructions for finding the Company Portal, especially if they are new to self-service applications.

Tips and Recommendations

  • Provide clear instructions explaining what the user should expect during initial setup, such as that applications might not be available until the initial setup has completed. Managing the expectations of device setup can really help reduce frustration on the user’s end when software is not immediately available.
  • Plan your group assignments carefully for the Company Portal. Rather than making all applications available to everyone, try to match application availability based on the department. Does someone from HR really need Python installed? This can reduce unrelated software being installed on devices.
  • Less is more during Autopilot. Don’t bloat the list of software required during the ESP; this will just cause more issues with device enrollment. If an application must be in the ESP, confirm it has an almost 100% success rate to prevent enrollment errors.
  • Try to use “User” based groups for required applications. This can reduce overhead when a user receives a new device, as their previous applications will automatically install.
  • If any manual setup is required, make sure you don’t log into the device with an account that has applications assigned, as these will install on the device.
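
The tier criteria, steps and tips above can be checked mechanically before anything is assigned. The following Python lint is an added example, not code from the original post or from Intune; the record fields, the sample plan and the 0.98 threshold standing in for "almost 100%" are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed cut-off for "almost 100% success rate"; tune to your own install data.
ESP_MIN_SUCCESS = 0.98
@dataclass
class App:  # hypothetical record, not an Intune or Graph schema
    name: str
    tier: int             # planned tier: 1, 2 or 3
    essential: bool       # needed for productivity or security on day one
    context: str          # install context: "system" or "user"
    intent: str           # "required" or "available"
    target: str           # "device_group", "user_group" or "all_users"
    blocks_esp: bool      # listed as a blocking app on the ESP
    success: float        # observed install success rate, 0.0 to 1.0

def lint(a):
    """Return how one planned assignment departs from the three-tier rules."""
    f = []
    if a.blocks_esp and a.tier != 1:
        f.append("blocks the ESP but is not tier one")
    if a.tier == 1:
        if not a.essential:
            f.append("not essential, so blocking enrolment is not justified")
        if a.context != "system":
            f.append("tier one must be a machine-wide (SYSTEM) install")
        if a.success < ESP_MIN_SUCCESS:
            f.append(f"success rate {a.success:.0%} is too low for the ESP")
    elif a.tier == 2:
        if a.intent != "required":
            f.append("tier two must be assigned as required")
        if a.target != "user_group":
            f.append("tier two should target a user group to install post-login")
    elif a.tier == 3:
        if a.intent != "available":
            f.append("tier three belongs in the Company Portal as available")
        if a.target == "all_users":
            f.append("available to everyone; scope it to a department group")
    return f

def lint_plan(apps):
    return {a.name: lint(a) for a in apps if lint(a)}

PLAN = [  # constructed sample plan, not real tenant data
    App("Microsoft 365 Apps", 1, True, "system", "required", "device_group", True, 0.995),
    App("Adobe Acrobat", 2, False, "system", "required", "user_group", False, 0.97),
    App("Visual Studio Code", 1, False, "user", "required", "user_group", True, 0.93),
    App("Python", 3, False, "user", "available", "all_users", False, 0.99),
]
if __name__ == "__main__":
    print(lint_plan(PLAN))
```

Run against the sample plan, it reports Visual Studio Code as an unsuitable ESP blocker and Python as too widely available, while the other two assignments pass.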

Any other suggestions or advice? Please share with us.

Conclusion

Implementing a three-tier approach for app deployments with Intune and Autopilot offers a balanced and efficient way to manage software installations across your organization. By prioritizing essential applications and providing flexibility for less critical software, you can enhance the user experience and streamline the deployment process.

Thanks for reading, and feel free to check out our platform Pckgr for your Intune application deployments.
