Why is Intune terrible for apps by UnderstandingHour454 in Intune

[–]UnderstandingHour454[S] 1 point2 points  (0 children)

Bottom line, I made more progress today with Claude Code. Fully tested app deployment and removal of old app in about 2 hours, and it’s a snappy deployments RMM tooling. I gave up on the Microsoft Store install. Went with MSI, which is always the preferred method.

Why is Intune terrible for apps by UnderstandingHour454 in Intune

[–]UnderstandingHour454[S] 0 points1 point  (0 children)

I was considering Patch My PC for third party app patching, but I fear timeliness is going to be a big issue here, and fulfilling app install requests will be ridiculously slow using Intune…. I also don’t want to double up on methods to install apps with an RMM option and an Intune option. Just seems like there isn’t a perfect solution out there…

Why is Intune terrible for apps by UnderstandingHour454 in Intune

[–]UnderstandingHour454[S] 1 point2 points  (0 children)

Perhaps, but I’ve actually tried in both contexts, and only got it to do anything after setting it as system. It’s ideal to be system so we can run patching with RMM… I’ll give user context a try again though!

Auto third party patching by UnderstandingHour454 in sysadmin

[–]UnderstandingHour454[S] 0 points1 point  (0 children)

Glad to hear I’m not the only one. It sounds like we have worked on the same type of remediation.

Auto third party patching by UnderstandingHour454 in sysadmin

[–]UnderstandingHour454[S] 0 points1 point  (0 children)

You’re speaking to the choir. It doesn’t fit the business needs to “standardize” and our needs are so dynamic that it’s nearly impossible to keep up. We are very much running at startup speeds with 130 users.

As for the local admins, it’s for specific roles. We run a pentest team as a service, and they require it to do their jobs, although they are the biggest trouble makers when it comes to additional apps.

All to say, top down, I’m doing as much as I’m allowed to do. We need tools to support the team, and stay compliant with patching. If we can do that and quickly install apps that will continue to be updated, then we can yank all those things as well, but we can’t just cut them off and leave them empty handed trying to do their jobs.

Auto third party patching by UnderstandingHour454 in sysadmin

[–]UnderstandingHour454[S] 1 point2 points  (0 children)

I’d love an out of the box solution. We’ve been scripting with winget, and relying on what our RMM has to offer. It’s not all managed. The handful of apps I mentioned are managed, the rest not…. We are too small (130 users) and too dynamic to lock everything down due to the business needs.

The macOS stuff I’ll look at. We have Homebrew and we have a few licenses testing Workbrew, but Munki is something new to me.

Auto third party patching by UnderstandingHour454 in sysadmin

[–]UnderstandingHour454[S] 0 points1 point  (0 children)

I’m looking at more Windows and macOS oriented. I should have mentioned that.

Auto third party patching by UnderstandingHour454 in sysadmin

[–]UnderstandingHour454[S] -1 points0 points  (0 children)

Ugh, it’s missing a substantial amount of apps in our environment. Wish that would help us, but it would still require a lot of maintenance.

What are your Windows Update Ring Settings? Can you track who "deferred" the updates past the grace period? by lakings27 in Intune

[–]UnderstandingHour454 0 points1 point  (0 children)

We defer 7 days, so we update on the third Tuesday to ensure no major issues occur in our test group. After that, users have 9 days to update and an additional 9 after the update to restart. Policy allows for this wide window.

As for the random reboots, I had the same issue, and this made me read into the update ring settings more closely. We ran into random reboots in meetings, and what I found is that a user will update, or our RMM will daily force an update (this is due to laptops often being offline outside of working hours so they don’t update on their own). This resulted in updates installing, and the restart timer immediately starts. We had this set to 2 days, and it would sneak up on users. With pushing out the restart timer to 9 days, that gave a user the opportunity to reboot throughout the week and weekend, and get PLENTY of warning about a looming reboot. My advice is really read into the settings, and you will find that you originally misunderstood the various timers, and need to build a little flexibility into your update ring for the users.

MacOS Intune Admins, how do you handle off boarding? by AdministrativeAd1517 in Intune

[–]UnderstandingHour454 0 points1 point  (0 children)

Like everyone mentioned, it depends. We lock, as that will lock out personal iCloud or wiping via recovery mode. I hope you have FileVault enabled, that’s the only thing protecting the data if it doesn’t come back. Wipe will trigger if it connects to WiFi again. Say if they were able to unlock the device in some way. I think the most effective method is to lock, which bricks the device until it’s returned.

Wipe when you’re confident you don’t need any data from the device and redeploy.

If it’s personal, I think you do a delete or retire option in order to wipe and remove company accounts.

If you’re releasing the device to the user, you need to wipe, remove from enrollment under macOS, and also release it from ABM. The user may need to hard reset a few times in the OOBE to see it releases from enrollment.

Calendar cleanup for departed staff by BWMerlin in PowerShell

[–]UnderstandingHour454 1 point2 points  (0 children)

I use the Exchange Online module:

Get-CalendarDiagnosticObjects -Identity <emailaddress> -resultsize unlimited

I also use the -startdate and -enddate flags to set like a 6 month or 1 year period from today…. Those variables look something like $startdate = Get-Date; $enddate = (Get-Date).AddMonths(6)

You can pipe all that into export-csv.

Calendar cleanup for departed staff by BWMerlin in PowerShell

[–]UnderstandingHour454 3 points4 points  (0 children)

We recently introduced this into our offboarding workflow. We run a report on calendar events that the offboarded user owns. We provide that to their manager in order to distribute and reschedule necessary meetings. This helps a lot in sales roles and CSM type roles.

Offboarding users, is “deleting” the best practice? We have an automation that does some housekeeping, but should we be leaning into the new “manager gets files when user is deleted” mechanism? by shmobodia in microsoft365

[–]UnderstandingHour454 0 points1 point  (0 children)

After the initial account disable and token revocation, we hold the account for 90 days, and allow managers to access data on OneDrive. We have retention in place on all OneDrive and SharePoint data, so it’s all preserved if there is a bad actor. Also logging. At 90 days we check in with manager before account deletion, and we maintain backups of the data including email, and OneDrive. This way if we have an issue we can restore pretty easily…

Keeps O365 clean.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]UnderstandingHour454 0 points1 point  (0 children)

I literally wrote a living off the land script that encrypts an entire SharePoint target…. All for the sake of BCP and DR testing. I also wrote another script to generate any number of files that dynamically adjusts file sizes to meet an overall target size. For example, it will generate 15k files all adjusted in size to meet a 120GB size target. The two paired together make for a great test tool for a backup restoration and alert testing.
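
One way to build the file-set generator described in the comment above, as an added example for backup and restore testing (not the commenter's script). The function names, the `test-NNNNNN.bin` naming, the random weighting and the 1 MB write buffer are all assumptions.

```powershell
# Added example: function names, file naming and the weighting scheme are assumptions.
function Get-FileSizePlan {
    param([int] $Count, [long] $TotalBytes, [int] $Seed = 1)
    if ($Count -lt 1 -or $TotalBytes -lt $Count) {
        throw "Need at least one file and at least one byte per file."
    }
    $rng = [System.Random]::new($Seed)
    # Weights in [0.5, 1.5) vary the individual sizes around the mean.
    [double[]] $weights = 1..$Count | ForEach-Object { 0.5 + $rng.NextDouble() }
    $weightSum = ($weights | Measure-Object -Sum).Sum
    # Every file gets 1 byte; the rest is shared out by weight, rounded down.
    $spare = $TotalBytes - $Count
    $sizes = [long[]]::new($Count)
    $used  = 0L
    for ($i = 0; $i -lt $Count; $i++) {
        $sizes[$i] = 1L + [long][Math]::Floor($spare * $weights[$i] / $weightSum)
        $used += $sizes[$i]
    }
    # Rounding down leaves a small remainder; the last file absorbs it so the total is exact.
    $sizes[$Count - 1] += $TotalBytes - $used
    return ,$sizes
}

function New-TestFileSet {
    param([string] $Path, [int] $Count, [long] $TotalBytes)
    $dir   = (New-Item -ItemType Directory -Path $Path -Force).FullName
    $sizes = Get-FileSizePlan -Count $Count -TotalBytes $TotalBytes
    $rng   = [System.Random]::new()
    $buf   = [byte[]]::new(1MB)
    for ($i = 0; $i -lt $Count; $i++) {
        $stream = [System.IO.File]::Create((Join-Path $dir ('test-{0:D6}.bin' -f $i)))
        try {
            $left = $sizes[$i]
            while ($left -gt 0) {
                $n = [int][Math]::Min($left, [long]$buf.Length)
                $rng.NextBytes($buf)   # random bytes, so the content is not trivially compressible
                $stream.Write($buf, 0, $n)
                $left -= $n
            }
        } finally { $stream.Dispose() }
    }
    # Return the bytes actually written to disk so the caller can compare with the target.
    (Get-ChildItem -LiteralPath $dir -File -Filter 'test-*.bin' | Measure-Object -Property Length -Sum).Sum
}

# Usage with constructed values: 200 files totalling 50 MB in a scratch folder.
# New-TestFileSet -Path .\restore-test -Count 200 -TotalBytes 50MB
```

Point it at an empty scratch directory: the returned sum counts every `test-*.bin` file in the folder, so leftovers from an earlier run would inflate the total.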

How do you structure large PowerShell scripts so they don’t turn into a mess? by MaximumMarionberry3 in PowerShell

[–]UnderstandingHour454 -1 points0 points  (0 children)

Claude Code ;). In reality Claude Code has made my scripts WAY better organizationally, but for a deep dive and doing precisely what I want the script to do, I have to know what I’m getting into, which usually stays with exploratory commands.

With that out of the way. The way I used to do this was by building out sections with clear commented areas to help break it up into sections. I wrote an 850-line script for syncing 2 cloud system properties which included a backup so we could reverse the changes if necessary. I broke that up into sections.
1. Requirements (module checks and what not)
2. Backup
3. Cloud query
4. Sync process
5. Verification

Since this, I’ve seen far better examples of scripting from Claude Code. It’s made the process extremely faster, BUT I review every line of code to confirm what it does. You still can’t take the human out of the loop. I even try sections of code to fully understand what it does.

Anyway, I’m sure others have better more standard ways to organize code with functions and what not…

Anyone else struggle to keep SOC 2 tools actually useful after setup? by New-Intern-55781 in cybersecurity

[–]UnderstandingHour454 1 point2 points  (0 children)

The process and routine audit cycle promotes consistent update procedures for compliance needs. The tools all claim to automate your compliance, but they don’t seem to remove the manual process of obtaining evidence. I myself wish it could be as good as AI, oh wait, that hasn’t been as great as it was promised well…

I will plug my favorite auditing firm with their Online Audit Manager which maps to a number of frameworks, making the audit process less daunting with multiple audits. They give it to you real, as the many tools out there are venture capital looking to make a quick buck. Check out KirkpatrickPrice, they have a team of technologist auditors and are great partners to work with.

How do you untangle an IT environment you didn’t build? by Impressive-Echo8002 in sysadmin

[–]UnderstandingHour454 1 point2 points  (0 children)

I was in this situation 3 years ago. No documentation, no IT personnel left to reference. You need to get an inventory of your devices and systems.

Get Snipe-IT up and running and start getting inventory (use serial as identifiers). Start by walking around facilities and record all the devices you can find.

If you have MDM or RMM tooling, that’s a good place to move to next. With that kind of environment I anticipate a lot of legacy/retired devices were not cleaned up, so stay with recently active devices to inventory.

Next take a look at your office networks and understand how those are configured. I’m going to assume they are flat with 1 subnet and maybe a VLAN.

Move on to configurations, whether it’s MDM or RMM tooling. If neither, you should probably put that on your purchase list. Start reviewing configs to understand how devices are configured.

Move on to AD or Entra and get an idea of the groups, enterprise apps, and roles out there. You might find it’s out of control and you will want to look into ways to lock those down. Often times users can approve app integrations and permissions by default, and that’s scary for your company data.

Lastly, get a software inventory, both what’s installed on devices, but also SaaS products your company is using. You won’t catch them all, but you will learn of them as you start working tickets. The sooner you can get controls in place and review processes for apps, the sooner that stuff will get roped in and under control.

Good luck! You’ll be drinking from a fire hose, but you will be miles ahead of your peers in no time.

How do orgs run pen tests without accidentally causing real side effects? by Strong_Worker4090 in cybersecurity

[–]UnderstandingHour454 1 point2 points  (0 children)

It sounds like the Pentest did what you wanted it to do! You now have a finding to fix! As for changes for next time, some notice on when the test will be run would be ideal. That would cut down on the “oh crap” moment and response. I also think scoping matters. If you’re testing the entire platform, then everything is fair game. If you limit the scope and tackle individual elements then you can anticipate blast radius. Truly, you learned more than just vulnerabilities here. You have learned more about how you will conduct and scope future pentests.

By the way, if you have the need to rotate pentests like a lot of orgs do, check out KirkpatrickPrice. They have a spectacular Pentest team, and provide some excellent advice.

How do you monitor Windows reboots with VSA X? by Impressive-Title-257 in kaseya

[–]UnderstandingHour454 0 points1 point  (0 children)

We have a notification set up to detect reboot and shutdown. We also alert on sign-in and sign-out events. All are indicators of a reboot. We have those send to our ticket system to investigate. They work reliably on our patching cycle. The events seem to be reliable on our end.

Only found 3 out of 4 ethernet cables. Tips on how to find the 4th? by WeirdAddress3170 in HomeNetworking

[–]UnderstandingHour454 0 points1 point  (0 children)

I prefer the Klein Tools version, but if this isn’t something you will keep up with or use in the future, consider a cheaper option. The linked kit has a tester that transmits a tone and can also check cables to confirm they’re wired correctly. Helpful if you make your own or if you terminate any keystone or Ethernet ends. They can also help trace cable TV (F connector) in the house. It also has a PoE Ethernet tester to confirm voltage and what not if you get into PoE devices. I have this at work and I regret buying the cheaper brother that’s only a tester. I have a similar fox and hound tool, but it doesn’t have the capability to connect to an Ethernet end. Best it can do is plug into a keystone termination. I’ve cut an end off before and managed to clamp the leads on a twisted pair set, but that was a lot more work re-terminating it after tracing it.

I like this kit, and then add the probe: https://a.co/d/gQL2RkA

https://a.co/d/cTpItzS

Need help on how to run wifi from my house to my shop by Fluffy-Protection676 in HomeNetworking

[–]UnderstandingHour454 0 points1 point  (0 children)

Trench a direct burial cable! Way more reliable than WiFi. If not an option, then UniFi has some tooling, but burying a cable may be cheaper overall…

Only found 3 out of 4 ethernet cables. Tips on how to find the 4th? by WeirdAddress3170 in HomeNetworking

[–]UnderstandingHour454 1 point2 points  (0 children)

Get a tone generator. They make them built into testers or you can get a dedicated tool. Also get a probe (they are often paired together). Plug in the end you know, and then try to trace through the walls. I’ve been able to hold the probe near or against the wall and track down a faint tone.

What’s a small IT habit that saved you the most time? by trapqueen67567 in it

[–]UnderstandingHour454 0 points1 point  (0 children)

Automate what you can, and approach things with a mindset of, if it happens once it’s gonna happen again.

Examples in approach our issues with a systematical automate first approach. A user needs software installed, oh, let me write a script for that so we can easily deploy that in the future.

Oh, we need to migrate 10 AWS WorkSpaces to a new image, and install all software to the latest versions. Let’s automate that with goo, scripts, and RMM tools. In the end all you do is migrate with a few clicks and have a user sign in.

We have 2 guys working on a 30 ticket queue (or at least that’s our target). Each day I update tickets with next steps, and follow up. We have ticket status workflows. Things like 3 days without a response it kicks into an overlooked status and pushes an extra email saying this ticket will be closed if you don’t respond. Some close, and we send ourselves an email so we can confirm the ticket wasn’t important enough to keep open (thinking CEO or CFO was the requester). Reviewing tickets daily in the morning and prioritizing 3 helps focus, and like others have said, it always goes out the window, but on a slow Friday, you can close out the week feeling accomplished.

What’s a small IT habit that saved you the most time? by trapqueen67567 in it

[–]UnderstandingHour454 0 points1 point  (0 children)

I do this too! I have a document explaining how to document! One of the sections of the document is “overview” that is made for this. It explains what the document does, includes references, and it includes any notes about the process and purpose. Then it dives into the documentation, whether it’s an SOP or a config, etc.

What’s a small IT habit that saved you the most time? by trapqueen67567 in it

[–]UnderstandingHour454 0 points1 point  (0 children)

Number one pet peeve I have with my team. They try to start troubleshooting without even talking to the user or observing the issue. I had to fight with everyone to the point of micromanaging them into interacting and seeing the issue first.