COVID-19 has in many ways changed the way we work and how IT departments manage users and devices. With remote work continuing for the foreseeable future, I decided to write this article to demonstrate how easy it is to deploy the new Microsoft Edge browser on Windows 10 and macOS using Microsoft Intune.
Many customers are experiencing high utilization on their VPN deployment due to the increase in remote users connecting to the corporate network over VPN. Many organizations are working towards making applications accessible externally to reduce VPN dependency. The downside is that managing user and workstation configurations with group policies, for example, is not sustainable: the users are no longer connected to Active Directory and won’t receive any updated group policy settings.
This may also result in scenarios where the use of Intune management is no longer reserved for the traditional Config Manager (SCCM) administrators. Active Directory engineers who are traditionally responsible for managing user and computer configurations with group policies are now able to use Intune configuration profiles to apply administrative settings to remote devices.
Microsoft Endpoint Manager admin center
Endpoint Manager is the central location to manage all your devices. It combines services such as Intune, Configuration Manager, Desktop Analytics, Autopilot and co-management.
You can access the Microsoft Endpoint Manager admin center using any one of the following URLs:
In the admin center, navigate to Apps where we will create the deployment of Microsoft Edge on Windows 10 and macOS.
Microsoft Edge for Windows 10
While on the Apps page, select All apps, then Add. This will start the guided process which will take you through the steps to create the application deployment.
The first step is to select the application type that you want to create. In this instance I want to deploy Microsoft Edge on Windows 10, so I select Windows 10 from the Microsoft Edge, version 77 or later section.
This is referred to as a built-in application deployment as you don’t need to upload the .msi file to Apps. Deploying the built-in Microsoft Edge for Windows 10 application requires Windows 10 version 1709 or later, and the device has to be Azure AD joined. My test devices are Hybrid Azure AD joined.
Most of the details on the App information screen are already completed. The application owner or contact person can be added to the owner field, along with additional notes, which will be visible to people signed in to the admin center.
Select next to continue to App Settings.
The App settings screen allows selection of the channel and language to deploy, stable being the recommended channel for broad deployment.
Beta channel is a preview version with updates every six weeks and dev channel receives updates every week. I’ve posted a link for more detailed explanation of the different channels at the end of this article.
Select next to move onto the Assignments page.
The assignments page allows you to manage the scope of the deployment. Here you can target the users and devices where you want to deploy the application. I’ll go through the steps to expand on this further.
There are 3 assignment options:
- Required
- Available for enrolled devices
- Uninstall
Required
Targeting users or devices in the required option will deploy the application to these devices automatically. Targeting can be customized as follows:
- Add all users: Install the application for all licensed users
- Add all devices: Install the application for all Intune enrolled devices
- Add group: Install the application for licensed users or devices that are members of the selected groups.
When adding the group, the mode, which is shown on the right-hand side, is set to included by default. The mode for specific groups can be changed to excluded by selecting the specific mode and then changing it to excluded on the Edit Assignment screen.
For my deployment, I add all users, then I add the “VIP Users” group and change the mode to excluded. The application will now be deployed to all licensed users, except for members of the “VIP Users” group. I will target my VIP users in the next section.
Available for enrolled devices
This assignment will make the application available on the Company Portal and website where the user can install the application manually. The name may be a bit misleading as the assignment is only available for user groups and not device groups. Ensure the users you want to target are members of the group being used; having their devices in the group will not have the intended results.
I’ve found that a targeted user will only see the application when they are listed as the primary user on the device. During my tests, I logged onto a device that had a different primary user. Effectively I logged onto a device owned by another user, and the application wasn’t available in published applications until I changed the primary user of the device. Refer to the references section, where I’ve included the link to an article that describes how to view and change the primary user of a device.
I cannot select all users again; notice in the image below that this option cannot be selected. You can only use the “all users” assignment for one assignment option, so plan accordingly.
In the previous step, I’ve targeted all users on the required assignment option, but excluded the “VIP Users” group. The reason for this is that I don’t want Microsoft Edge to install for my VIP users automatically, but rather give them the option to install the application on their own time. To do this, I now add the “VIP Users” group to the assignment.
Uninstall
This will uninstall the application from the targeted users or devices, only if the application was previously installed with Intune. Again, I cannot target all users since I already used this for the Required assignment option. The uninstallation of an application would normally be created as a separate application deployment and not included with the installation of an application.
With the assignment selections complete I can now select next to move onto the next screen which is Review + create. Review the App information, App Settings and Assignments information, then select create to complete the process.
I’ve now completed the creation of the Microsoft Edge for Windows 10 application deployment. Microsoft Edge will install on the devices of the targeted users shortly. The deployment status of the application can be monitored from the application overview page.
This is a built-in application as previously described. I simply followed the steps to create the application without being required to upload any installation files. The latest version of Microsoft Edge will be deployed based on my assignment configurations.
Before I validate the application deployment, let’s review the steps to create the application for macOS.
Microsoft Edge for macOS
The process to create the Microsoft Edge deployment for macOS is similar to Windows 10. I’ll go through the steps to highlight the differences when creating the Microsoft Edge deployment for macOS.
I will start by adding the application by following the same steps as with Windows 10, but selecting macOS from the Microsoft Edge, version 77 or later section.
The App information page looks the same as with Windows 10.
On App settings, the channel can be selected but you don’t have the option to select the language to deploy.
On the Assignments page we don’t have the option to uninstall the application from the devices.
There are also no differences on the Review + create page.
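The assignment rules from both walkthroughs can be checked against a planned set of assignments before it is entered in the admin center. This is an added example, not part of the original article or of any Microsoft tooling; the function name Test-EdgeAssignmentPlan and the Platform, Group and GroupKind fields are hypothetical, and the sample plan is constructed to mirror the “VIP Users” scenario.

```powershell
# Added example. Target values are the @odata.type names of Microsoft Graph assignment
# targets; Platform, Group and GroupKind are fields invented for this sketch.
function Test-EdgeAssignmentPlan {
    param(
        [Parameter(Mandatory)] [ValidateSet('Windows10', 'macOS')] [string] $Platform,
        [Parameter(Mandatory)] [object[]] $Assignments
    )
    $findings = @()

    # "All users" can be used for only one assignment option.
    $intents = @($Assignments |
        Where-Object { $_.Target -eq 'allLicensedUsersAssignmentTarget' } |
        ForEach-Object { $_.Intent } | Sort-Object -Unique)
    if ($intents.Count -gt 1) {
        $findings += "All users is used for more than one option: $($intents -join ', ')"
    }

    foreach ($a in $Assignments) {
        # "Available for enrolled devices" only takes effect for user groups.
        if ($a.Intent -eq 'available' -and $a.GroupKind -eq 'Device') {
            $findings += "'$($a.Group)' is a device group; Available needs a user group"
        }
        # The macOS deployment offers no uninstall assignment.
        if ($Platform -eq 'macOS' -and $a.Intent -eq 'uninstall') {
            $findings += "Uninstall assignment for '$($a.Group)' is not offered on macOS"
        }
        # An excluded group gets the app only if another option includes it.
        if ($a.Target -eq 'exclusionGroupAssignmentTarget') {
            $included = $Assignments | Where-Object {
                $_.Group -eq $a.Group -and $_.Target -eq 'groupAssignmentTarget' }
            if (-not $included) {
                $findings += "Excluded group '$($a.Group)' is not included by any other option"
            }
        }
    }
    $findings   # an empty result means the plan passed every check
}

# Constructed plan mirroring the article: required for all users except VIP Users,
# available for VIP Users.
$plan = @(
    [pscustomobject]@{ Intent = 'required';  Target = 'allLicensedUsersAssignmentTarget'; Group = $null;       GroupKind = $null }
    [pscustomobject]@{ Intent = 'required';  Target = 'exclusionGroupAssignmentTarget';   Group = 'VIP Users'; GroupKind = 'User' }
    [pscustomobject]@{ Intent = 'available'; Target = 'groupAssignmentTarget';            Group = 'VIP Users'; GroupKind = 'User' }
)
Test-EdgeAssignmentPlan -Platform Windows10 -Assignments $plan
```

GroupKind has to be filled in by whoever writes the plan, since the check runs offline and does not look up group membership.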
Validate automatic installation
I have logged onto a device with a licensed user that is not a member of the “VIP Users” group that I’ve excluded from required assignment. After a few minutes the installation of Microsoft Edge completed without requiring any interaction from the logged-on user. There were toast notifications confirming the installation. I’ve taken a screenshot of these on the notifications pane to show the installation steps completed on the device.
By comparing the installation time with the application creation time in Endpoint Manager, we can see that it did not take long to install Microsoft Edge on this device. We can also review the application installation status on this page.
I accessed the application overview page by selecting the application from the All apps page in Endpoint Manager.
Manually install the available application
I created the Microsoft Edge application deployment to allow my VIP users to manually install the application on their own time. Let’s review this process.
I am logged onto the device with a VIP user account. For this demonstration, the user doesn’t have local administrator rights on this device.
Log onto the Company Portal website https://portal.manage.microsoft.com. Microsoft Edge should be listed as a published application.
Select Microsoft Edge for Windows 10 and select Install to continue.
The “old” Microsoft Edge browser that I used on this device has detected that I want to switch applications when I clicked on install. Select Yes to continue.
Microsoft Edge installation completes after a few minutes. Again, this is a silent deployment without any interaction required from the user during the installation. I’ve provided the screenshot of the notifications bar to show the install steps.
The installation status has also updated on the application overview page.
Deploying the new Microsoft Edge on Windows 10 and macOS is a simple process once you understand the assignment settings. Testing on pilot users or devices can help you become familiar with the assignment process.
Microsoft Edge installation is a fairly quick process that requires no user interaction, and since you don’t need to supply any source files, the users will always receive the latest build when installation is triggered, whether they are connected to the corporate network or not.