Unified Application Management: Intune App Import Process
Notes:
This feature is in Public Preview.
In the current release, this feature only supports the import of Intune Win32 applications.
The extraction process may take a long time depending on the responsiveness of the Intune platform. Each extraction task has a timeout of 24 hours.
This article provides a comprehensive guide to using the Unified Catalog page to import Intune applications. The process involves creating a temporary virtual machine, performing automated tasks, and cleaning up resources after the import process is completed.
High-level Process
To support the extraction, the following functions are required:
A temporary virtual machine is required as a proxy for the application extraction task. This virtual machine is removed after the task has completed.
A storage account and associated SAS URL are also required for the extraction of Intune applications.
A temporary Entra ID group is created to assign the application. This group is deleted after task completion.
Import an Intune Application
The following procedure performs the import.
To import an Intune application:
Navigate to Applications > Unified catalog.
Optionally, select Intune in the Repository filter,
Locate the Intune application you wish to extract.
From the action menu, select Import.
Enter the desired temporary VM settings information.
Note: To extract files from Intune, a temporary VM is created to perform the operation and then deleted.
Once you have entered the desired information, select OK.
The Intune application extraction task starts.
Navigate to Applications > Integrations.
Select the Intune extraction tab.
You can see your task's progress.
Optionally, if your task is still In Progress, you may select Cancel to cancel it.
When the extraction task completes, select Download to download the application.
Process Details
Automated Processing
The following background jobs take place when the import task runs.
VM creation: A VM is created specifically for the import process.
Entra ID enrollment: The VM is joined to Entra ID and enrolled with Intune.
Access restrictions: Access rules are restricted on the C:\Windows\IMECache folder within the VM.
Scheduled task setup:
A scheduled task is set up on the VM to monitor the target folder.
When app files are detected in the folder, they are zipped and uploaded to the new blob container app-management-intune-extract within the existing CSSA* storage account using a provided SAS URL.
Post-Job Actions
After the background job completes the tasks above, the following tasks are run:
Temporary Intune group creation:
o A temporary Intune group named app-management-intune-extract is created.
The Intune device corresponding to the VM is added to this group.
The target app is assigned to the group.
Background service monitoring:
A background service monitors the storage account for the presence of a result blob.
Once the blob is detected, the extraction is deemed successful.
A SAS URL with Read permissions is provided to the user.
Cleanup Process
After the extraction ends, a cleanup process is automatically triggered, regardless of the extraction's success or failure.
Remove temporary Intune group: The temporary Intune group is deleted, if it exists.
Unjoin VM from Entra ID: The VM is unjoined from Entra ID, if it was joined during the process.
Delete VM and related resources: The VM and any related resources are removed, if they exist.
Remove Intune devices: Any Intune devices associated with the VM are deleted, if they exist.
Error Handling
Extraction failure: The extraction process is considered failed if any error occurs at any step before the cleanup.
User cancellation: The extraction is considered canceled if directly canceled by the user or if any background job is canceled.
Cleanup errors: Errors occurring during the cleanup process do not affect the final status. The task is considered finished once cleanup ends, regardless of its success or failure.
Comments (0 comments)