Application delivery solutions for the Modern Workplace
The Microsoft Modern Workplace is based on Microsoft 365. Within Microsoft 365, essentially the following products are used: Azure Active Directory, Microsoft Intune and Windows 10. Inside the Modern Workplace, applications can be packaged and delivered in several ways. In this blog post I will give an overview of all the solutions that can be used:
- SaaS (Software as a Service) applications published through Azure Active Directory;
- Internal apps published through Azure AD Application Proxy;
- MSI apps published through Intune;
- iOS / Android store apps published through Intune.
At Ignite, two new options were announced:
- Deploying Win32 applications through Intune;
- Legacy apps or desktops delivered through Windows Virtual Desktop.
The options above are described in the following paragraphs.
Azure Active Directory
Through Azure Active Directory it is possible to publish web applications and to provide the authentication and/or provisioning for other SaaS or web applications.
Native Azure Active Directory can be used for single sign-on (SSO) to SaaS/web applications. There are three options:
- Federated single sign-on
This enables applications to redirect to Azure AD for user authentication instead of prompting for its own password. Federated single sign-on is supported for applications that support protocols such as SAML 2.0, WS-Federation, or OpenID Connect, and is the richest mode of single sign-on.
- Password-based single sign-on
This enables secure application password storage and replay using a web browser extension or mobile app. Password-based single sign-on uses the existing process provided by the application, but enables an administrator to manage the passwords and does not require the user to know the password.
- Linked single sign-on
This enables Azure AD to leverage any existing single sign-on that has been set up for the application, but enables these applications to be linked to the Office 365 or Azure AD access panel portals, and also enables additional reporting in Azure AD when the applications are launched there.
Azure AD Application Proxy
Internal web applications can be published through Azure AD Application Proxy. Authentication can be configured with one of the following five options:
- Azure AD single sign-on disabled
No pre-authentication by Azure AD; requests are passed through. This is only suitable for web applications that have their own secure logon mechanism.
- Integrated Windows Authentication
Based on Kerberos authentication. The Azure AD identity is translated, on the Application Proxy server, into Kerberos logon information for the application (Kerberos constrained delegation). This is handled by the App Proxy server. More info – https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-kcd
- Password-based sign-on
The first time a user opens the app, the username and password are stored in Azure Active Directory; on subsequent visits Azure AD fills the credentials into the application. More info – https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-password-vaulting
- Linked sign-on
If you already have a single sign-on system, it can be linked to Azure AD. More info – https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on#how-does-single-sign-on-with-azure-active-directory-work
- Header-based sign-on
With PingAccess it is possible to do header-based authentication. Some apps use HTTP headers for authentication, and this option covers them. More info – https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-ping-access
Microsoft Intune
With Microsoft Intune it is possible to deploy applications to a modern Windows 10 workplace and also to iOS and Android phones and tablets.
Mobiles (Android / iOS)
On Android and iOS it is possible to add apps through Intune. The following ways can be used:
- Store app Android
This one must be configured manually. For example, the URL must be copied from the Play Store into the Intune configuration.
- Store app iOS
From Intune it is possible to search the Apple App Store and add the app to the Intune environment directly.
- Store app Windows mobile
The steps to add a Windows store app are the same as for Android.
- Web link
Web links can be published to mobiles. A web link can be configured so that it can only be opened in the Managed Browser (or Edge).
- Built-in Apps
Various MAM-capable apps for iOS and Android can be added to Intune via the “Built-in” app type.
- Line-of-Business Apps
A custom-built iOS or Android app can be added to the Intune environment to publish it to your organization's phones and tablets.
Windows 10
On Windows 10 we can install or publish applications in several ways:
- Install the Office 365 C2R suite
With the option to install the O365 C2R suite we can configure several settings, such as:
  - Select the apps (of the O365 C2R suite) that must be installed on Windows 10.
  - Configure information such as app name, description, category, etc.
  - Set options like the Office version, update channel, languages, removal of older versions, etc.
- Install an MSI (Line-of-Business App)
The option to install an MSI can be found under the Line-of-Business App type. After the MSI has been added, options such as name, category, command-line arguments, logo, etc. can be configured.
- Install a Win32 App
To publish a Win32 app with Intune we have to wrap the executable. This can be done with PowerShell. After wrapping the app it can be published through Intune. More detailed info can be found at the following link – https://www.petervanderwoude.nl/post/deploy-customized-win32-apps-via-microsoft-intune/
- Publish a Web Link
Web links can also be published to Windows 10. They are added to the Start Menu when installed.
All applications can be assigned to a group of users. When assigning a user group, the app can be set as required (installation is enforced) or available (installation can be started from the Company Portal).
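As an added example for the Win32 app option above (not code from the original post or from the linked article), the following PowerShell script wraps an installer into an .intunewin package with the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe), after first checking the installer's SHA-256 against the vendor-published value so that a tampered download is never packaged and pushed to every device. The tool path, package folders, setup file name and expected hash are hypothetical placeholders.

```powershell
# Added example: verify an installer's hash, then wrap it for Intune Win32 deployment.
# All paths and the expected hash below are placeholders (assumptions), not values from the post.
param(
    [string]$PrepTool       = 'C:\Tools\IntuneWinAppUtil.exe',      # Win32 Content Prep Tool
    [string]$SourceFolder   = 'C:\Packages\ExampleApp',             # folder with the installer
    [string]$SetupFile      = 'ExampleAppSetup.exe',                # installer inside that folder
    [string]$OutputFolder   = 'C:\Packages\Output',                 # where the .intunewin lands
    [string]$ExpectedSha256 = '<EXPECTED-SHA256-FROM-VENDOR>'       # placeholder, fill from vendor
)

$setupPath = Join-Path $SourceFolder $SetupFile
if (-not (Test-Path $setupPath)) { throw "Installer not found: $setupPath" }
if (-not (Test-Path $PrepTool))  { throw "Content Prep Tool not found: $PrepTool" }

# Integrity check before packaging: a wrapped installer is trusted by Intune and executed
# as SYSTEM on every targeted device, so the input must match what the vendor published.
$actual = (Get-FileHash -Path $setupPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for ${SetupFile}: expected $ExpectedSha256, got $actual"
}

if (-not (Test-Path $OutputFolder)) {
    New-Item -ItemType Directory -Path $OutputFolder | Out-Null
}

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts)
& $PrepTool -c $SourceFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# The tool names the package after the setup file, e.g. ExampleAppSetup.intunewin
$package = Join-Path $OutputFolder ([IO.Path]::GetFileNameWithoutExtension($SetupFile) + '.intunewin')
Write-Host "Created $package - upload it as a Win32 app in Intune and configure the install/uninstall commands and a detection rule."
```

Run the script with the real tool path and the vendor's published hash; the resulting .intunewin file is what you upload when adding a Win32 app in Intune.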
Windows Virtual Desktop
At Ignite 2018 Windows Virtual Desktop (WVD) was announced. With this service it will be possible to deliver a full Windows 10 desktop with Office 365 apps from Azure. This can be used for scenarios such as clients with limited bandwidth or poor latency. The WVD solution also makes it possible to deliver client/server applications in a modern Windows 10 scenario. Where today we have to use solutions like Citrix XenApp to publish such applications, this will be possible with WVD. With native integration with Azure AD and Windows 10, the user gets a single sign-on (SSO) experience, and conditions such as multi-factor authentication (MFA) can be enforced when, for example, the user is at a non-trusted location. In a next blog post I will dive a little deeper into the WVD solution. For now, the following two application delivery options can be used through WVD:
- Delivering a full desktop with Office 365 C2R;
- Delivering published apps through the web or a Windows 10 Remote App client.
In this blog post I gave an overview of all the possibilities to offer applications from Intune. The most common options are already available. With the two newly announced options, Win32 apps and Windows Virtual Desktop, we can cover all applications. The possibility to deliver Win32 applications was a much-requested feature and we are happy that it is now possible. On the other hand, the arrival of Windows Virtual Desktop gives us the opportunity to offer legacy client/server applications on a Windows 10 Modern Workplace without using a VPN or other tools.
So next year we can deliver all types of applications in a Modern Workplace scenario, and we won't need any other solutions anymore.