Coding Stephan

Publish apps to Intune

I’ve been taking you through the process of getting your apps in Intune. In the previous post I explained how to package apps for Intune. In this post I’ll go into publishing apps to Intune.

Publish an app in seconds

Series: Intune

Publishing apps to Intune

I thought packaging an app for Intune was hard, and publishing it would be easy. Oh boy, was I wrong. Packaging an app for Intune is pretty complicated, publishing that same app to Intune is really hard!

Pre-requisites

Before you can publish to Intune you need to make sure you have all the pre-requisites in place. You’ll need an active Intune license and you’ll need to have access to an Azure AD account with the correct permissions.

Overview

To give you an overall idea of what’s needed to publish an app to Intune (after you packaged it into an .intunewin file), here is a list of things you need to do:

  1. Create a new app in Intune (Create win32LobApp).
  2. Create a content version (Create mobileAppContent), but you have to change the URL to match the correct type. This is currently undocumented, but might be fixed if they accept my metadata pull request.
  3. Create a mobileAppContentFile for the just-created content version (Create mobileAppContentFile). You’ll need the size and the encryptedSize, which you have to extract from the .intunewin file created in the packaging step.
  4. Poll the just-created mobileAppContentFile until you see there is an AzureStorageUri (Get mobileAppContentFile).
  5. Upload the .intunewin file to the AzureStorageUri, minding the required chunking (Upload a file).
  6. “Commit” the just-uploaded content file (commit). For committing the file, you’ll need information extracted from the metadata inside the .intunewin file.
  7. Poll the just-created mobileAppContentFile again until it reaches a “final” state (Get mobileAppContentFile). If you’re lucky, the uploadState will change from commitFilePending to commitFileSuccess.

Usage

After you installed the tool, you can publish the winget package for Intune by executing this command:

winget-intune publish JanDeDobbeleer.OhMyPosh --package-folder C:\Tools\packages\

Publish OhMyPosh in 17 seconds

Also check out the other parameters:

> winget-intune publish --help

Description:
  Publish a packaged app to Intune

Usage:
  WingetIntune.Cli publish [<packageId>] [command] [options]

Arguments:
  <packageId>  Package identifier

Options:
  -v, --version <version>                       Package Version
  --package-folder <package-folder> (REQUIRED)  Folder with your packaged apps
  --tenant <tenant>                             Tenant ID to use for authentication
  --username <username>                         Username to use for authentication
  --token <token>                               Token to use against Intune (instead of tenant & username)
  --category <category>                         Categories to use for the app
  --available <available>                       Group guid or 'allusers' or 'alldevices'
  --required <required>                         Group guid or 'allusers' or 'alldevices'
  --uninstall <uninstall>                       Group guid or 'allusers' or 'alldevices'
  --verbose                                     Super verbose logging
  --json                                        Output json logging
  -?, -h, --help                                Show help and usage information


Commands:
  store               Publish a Microsoft Store app to Intune
  image <image-path>  Convert an image to base64, to upload to Intune.

Feedback

I only started this open-source project like 3 weeks ago (August 7th), and I’m really looking for feedback. Check out the latest release discussion, and let me know what you think.

Any feedback is welcome! Even if you just want to say hi, or tell me you’re using it. I’d love to hear from you.

Challenges

I have several issues with uploading apps to Intune, and I’ll try to explain them here.

Extracting the IntuneWin file

The .intunewin file is just a zip with a different extension. So you can just rename it to .zip and extract it. Inside this zip file you’ll find a Detection.xml file in the Metadata folder which contains all the encryption information. And there is also an additional IntunePackage.intunewin inside. This is the encrypted and compressed version of the original installer.

So first you create the IntuneWin file with a closed-source tool, then you need to extract it to get the file size of the encrypted file. You then upload the initial .intunewin file to Intune. And then you need to parse the encryption information from the XML file inside the extracted data. You then send this decryption data to Intune and it will validate the file with the data you just sent to it.

This process is really strange, since the file you’re uploading actually contains the data you need to decrypt it. This makes the process of uploading files to Intune really complicated.
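The extraction step described above, as an added example (not code from the winget-intune project): it reads the sizes and encryption metadata straight from the zip without unpacking it to disk. The element names inside Detection.xml and the folder layout of the constructed sample are assumptions, and every value in the sample is a placeholder. Because the keys travel next to the ciphertext, the outer .intunewin file deserves the same handling as the unencrypted installer.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed child elements of <EncryptionInfo>; the page does not list them.
ENCRYPTION_FIELDS = ("EncryptionKey", "MacKey", "InitializationVector", "Mac",
                     "ProfileIdentifier", "FileDigest", "FileDigestAlgorithm")
MAX_XML_BYTES = 1024 * 1024  # refuse an implausibly large metadata file

def _single(infos, suffix):
    """Return the one zip entry whose path ends with suffix, or fail loudly."""
    matches = [i for i in infos if i.filename.replace("\\", "/").endswith(suffix)]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {suffix}, found {len(matches)}")
    return matches[0]

def inspect_intunewin(source):
    """Read sizes and encryption metadata from an .intunewin path or file object."""
    with zipfile.ZipFile(source) as archive:
        infos = archive.infolist()
        detection = _single(infos, "Metadata/Detection.xml")
        payload = _single(infos, "IntunePackage.intunewin")
        if detection.file_size > MAX_XML_BYTES:
            raise ValueError("Detection.xml is larger than expected")
        root = ET.fromstring(archive.read(detection))
    enc = root.find("EncryptionInfo")
    size = root.findtext("UnencryptedContentSize")  # assumed element name
    if enc is None or size is None:
        raise ValueError("Detection.xml lacks EncryptionInfo or UnencryptedContentSize")
    info = {f: (enc.findtext(f) or "").strip() for f in ENCRYPTION_FIELDS}
    missing = [f for f, v in info.items() if not v]
    if missing:
        raise ValueError("EncryptionInfo is missing: " + ", ".join(missing))
    return {"size": int(size), "encrypted_size": payload.file_size,
            "encryption_info": info}

def build_sample():
    """Constructed sample archive; placeholder values, no real key material."""
    fields = "".join(f"<{f}>placeholder-{f}</{f}>" for f in ENCRYPTION_FIELDS)
    xml = ("<ApplicationInfo><UnencryptedContentSize>1000</UnencryptedContentSize>"
           f"<EncryptionInfo>{fields}</EncryptionInfo></ApplicationInfo>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("IntuneWinPackage/Metadata/Detection.xml", xml)
        z.writestr("IntuneWinPackage/Contents/IntunePackage.intunewin", b"\0" * 1048)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(inspect_intunewin(build_sample()))
```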

Chunked upload to blob

The part about the blobs having to be uploaded in smaller chunks is nowhere to be found. The only reference I found was this answer.

My trick was to just use AzCopy; this worked like 25 percent of the time. My guess is that because of how the uploading works, you cannot do a POST request to the blob storage, but you have to do a PUT request. And that’s where I got stuck. Guessing here: if AzCopy finds a small file, it does not use chunked uploads but just does a single POST, which does not work.

There are absolutely no examples of how to do chunked uploads using the Azure storage SDK, so I eventually checked several PowerShell samples and created my own ChunkedAzureFileUploader, which never failed me. It has a 100 percent success rate.

The upload would always succeed, but the commit step in the Graph API would fail immediately with a commitFileFailed upload state.
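A sketch of a chunked PUT upload, added here as an example and not the author's ChunkedAzureFileUploader: it uses the Azure Blob Storage REST operations Put Block (`comp=block`) and Put Block List (`comp=blocklist`) against a SAS URI. The 6 MiB default chunk size, the function names and the placeholder SAS URI in the offline demo are assumptions.

```python
import base64
import io
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

def add_query(sas_uri, **params):
    """Append parameters without re-encoding the SAS signature already in the URI."""
    parts = urlsplit(sas_uri)
    extra = urlencode(params)
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))

def http_put(url, body, headers):
    """Real transport: one HTTP PUT per call (not exercised by the offline demo)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.status

def upload_in_blocks(stream, sas_uri, put=http_put, chunk_size=6 * 1024 * 1024):
    """PUT the stream block by block, then PUT the block list that assembles the blob."""
    block_ids = []
    while chunk := stream.read(chunk_size):
        # Block IDs must be base64 and equally long, hence the zero-padded counter.
        block_id = base64.b64encode(f"{len(block_ids):06d}".encode()).decode()
        put(add_query(sas_uri, comp="block", blockid=block_id), chunk, {})
        block_ids.append(block_id)
    if not block_ids:
        raise ValueError("refusing to commit an empty upload")
    block_list = ('<?xml version="1.0" encoding="utf-8"?><BlockList>'
                  + "".join(f"<Latest>{b}</Latest>" for b in block_ids)
                  + "</BlockList>")
    put(add_query(sas_uri, comp="blocklist"), block_list.encode(),
        {"Content-Type": "application/xml"})
    return block_ids

def demo():
    """Offline run with a recording transport; the SAS URI is a constructed placeholder."""
    calls = []
    sas = "https://storage.example.invalid/container/file.bin?sv=placeholder&sig=abc%2Bdef"
    ids = upload_in_blocks(io.BytesIO(b"x" * 10), sas,
                           put=lambda url, body, headers: calls.append((url, len(body))),
                           chunk_size=4)
    return ids, calls

if __name__ == "__main__":
    for url, size in demo()[1]:
        print(size, url)
```

The SAS URI is a bearer credential for the upload target, so keep it out of verbose or JSON logs.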

Hidden feature

If you made it this far, you’re worthy to see a hidden feature of this tool. Until now, you had to package an app and then publish it. This makes debugging so much easier, so if you report bugs, please don’t use this feature. Add the --auto-package parameter to the publish command and it will automatically package the app for you with a single command.

winget-intune publish JanDeDobbeleer.OhMyPosh --package-folder C:\Tools\packages\ --auto-package

Conclusion

I’ve finally done it, I’ve built a tool all sysadmins can use to package and publish apps to Intune. I’ve been working on this for the last 3 weeks, and I’m really proud of the result. I hope you like it too.

I understand this tool might save you a lot of hours, so if you want to support me, you can sponsor me on GitHub, or get in touch for premium support. I’m also available for consultancy work, so if you need help with Intune, Azure or any other cloud-related stuff, feel free to contact me. And for companies in the EU, we can also work out an official invoice with VAT.

What app will you be publishing to Intune? Let me know on Twitter or in the discussion