Intune Commander provides comprehensive application management capabilities including app deployment, mobile application management (MAM), app configuration, and policy sets.

Applications

Overview

Manage all application types deployed through Microsoft Intune across Windows, macOS, iOS/iPadOS, and Android platforms.

Graph Endpoint: /deviceAppManagement/mobileApps
Service: ApplicationService
Permission: DeviceManagementApps.ReadWrite.All

Supported Operations

| Operation | Method | Description |
| --- | --- | --- |
| List | ListAsync() | Retrieve all applications |
| Get | GetAsync(id) | Retrieve a specific application by ID |
| Get Assignments | GetAssignmentsAsync(id) | Retrieve assignment information |

Application Types

Windows Applications

  • Win32 apps - Traditional desktop applications packaged as .intunewin files
  • Microsoft Store apps - Apps from the Microsoft Store (online and offline)
  • Microsoft 365 Apps - Office suite deployment and configuration
  • Web links - Shortcuts to web applications
  • Windows app (Win32) catalog apps - Pre-packaged Win32 apps from Microsoft

macOS Applications

  • macOS apps (.pkg, .dmg) - Native macOS installers
  • macOS line-of-business apps - Custom enterprise apps
  • Microsoft 365 Apps for Mac - Office suite for macOS
  • Web links - Shortcuts to web applications

iOS/iPadOS Applications

  • iOS store apps - Apps from the Apple App Store
  • iOS line-of-business apps (.ipa) - Enterprise-signed apps
  • iOS VPP apps - Volume-purchased apps
  • Managed iOS app store apps - Store apps with MAM policies
  • Web links - Shortcuts to web applications

Android Applications

  • Android store apps - Apps from Google Play
  • Android line-of-business apps (.apk) - Sideloaded enterprise apps
  • Managed Google Play apps - Apps from managed Google Play store (Android Enterprise)
  • Web links - Shortcuts to web applications

Assignment Types

Applications can be assigned with different intents:

| Intent | Description | Platforms |
| --- | --- | --- |
| Required | App is automatically installed | All |
| Available | App appears in Company Portal for user installation | All |
| Uninstall | App is automatically removed | All |
| Available with or without enrollment | App is available to unenrolled devices | iOS, Android |

Graph API Details

GET https://graph.microsoft.com/beta/deviceAppManagement/mobileApps
GET https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{id}
GET https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{id}/assignments

Export/Import

Applications export to:
ExportFolder/
└── Applications/
    ├── Microsoft_365_Apps.json
    ├── CompanyApp_v2.3.json
    └── WebLink_Intranet.json
Application content files (.intunewin, .ipa, .apk) are not exported—only the app metadata and assignment configuration. You must manually re-upload content files when importing to a new tenant.

App Protection Policies

Overview

App protection policies (also called MAM policies) protect corporate data in mobile apps without requiring device enrollment.

Graph Endpoint: /deviceAppManagement/managedAppPolicies
Service: AppProtectionPolicyService
Permission: DeviceManagementApps.ReadWrite.All

Supported Operations

| Operation | Method | Description |
| --- | --- | --- |
| List | ListAsync() | Retrieve all app protection policies |
| Get | GetAsync(id) | Retrieve a specific policy by ID |
| Create | CreateAsync(policy) | Create a new app protection policy |
| Update | UpdateAsync(id, policy) | Update an existing policy |
| Delete | DeleteAsync(id) | Delete an app protection policy |

Platform Support

iOS/iPadOS App Protection

  • Data protection (copy/paste, save as, backup restrictions)
  • Encryption requirements
  • Access requirements (PIN, biometrics, OS version)
  • Conditional launch (device conditions, threat level)
  • App configuration
  • App-based Conditional Access integration

Android App Protection

  • Data protection (copy/paste, save as, backup restrictions)
  • Encryption requirements
  • Access requirements (PIN, biometrics, OS version)
  • Conditional launch (device conditions, threat level, SafetyNet attestation)
  • App configuration
  • App-based Conditional Access integration

Data Protection Settings

| Setting | Description |
| --- | --- |
| Backup | Allow or block backup to cloud services |
| Send org data to other apps | Restrict data transfer to policy-managed apps |
| Receive data from other apps | Restrict data receipt to policy-managed apps |
| Save copies of org data | Block save-as functionality |
| Cut, copy, and paste | Restrict clipboard operations |
| Screen capture | Block screenshots of corporate data |
| Org data notifications | Control whether org data appears in notifications |
| Print org data | Allow or block printing |

Access Requirements

| Requirement | Description |
| --- | --- |
| PIN | Require app-level PIN (separate from device PIN) |
| Biometric | Require fingerprint or face recognition |
| Minimum OS version | Block access on outdated operating systems |
| Minimum app version | Require specific app version |
| Minimum SDK version | Require minimum Intune App SDK version |

Conditional Launch

Automatically block access or wipe data when device conditions are not met:
  • Jailbroken/rooted devices
  • Device threat level (requires MTD partner)
  • Minimum OS version
  • Disabled device encryption
  • Max PIN attempts
  • Offline grace period
  • Failed SafetyNet attestation (Android)

Graph API Details

GET https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies
GET https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies/{id}
POST https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies
PATCH https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies/{id}
DELETE https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies/{id}

Export/Import

App protection policies export to:
ExportFolder/
└── ManagedAppPolicies/
    ├── iOS_MAM_Corporate.json
    └── Android_MAM_BYOD.json
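
An audit of an exported app protection policy against the data protection and access settings listed above. This is an added example, not Intune Commander code. It assumes the export file holds the policy with Microsoft Graph managedAppProtection property names; the "restrictive" baseline and the sample JSON are constructed for illustration.

```python
import json

# Graph managedAppProtection property -> (setting name used on this page,
# predicate returning True when the exported value is restrictive).
# The baseline itself is an assumption; adjust it to your own standard.
RULES = {
    "dataBackupBlocked": ("Backup", lambda v: v is True),
    "allowedOutboundDataTransferDestinations": (
        "Send org data to other apps", lambda v: v in ("managedApps", "none")),
    "allowedInboundDataTransferSources": (
        "Receive data from other apps", lambda v: v in ("managedApps", "none")),
    "saveAsBlocked": ("Save copies of org data", lambda v: v is True),
    "allowedOutboundClipboardSharingLevel": (
        "Cut, copy, and paste",
        lambda v: v in ("managedApps", "managedAppsWithPasteIn", "blocked")),
    "printBlocked": ("Print org data", lambda v: v is True),
    "pinRequired": ("PIN", lambda v: v is True),
    "minimumRequiredOsVersion": ("Minimum OS version", lambda v: bool(v)),
}

def audit_policy(policy: dict) -> list:
    """Return one finding per setting that is absent or permissive."""
    findings = []
    for prop, (setting, is_restrictive) in RULES.items():
        if prop not in policy:
            findings.append(f"{setting}: {prop} not present in export")
        elif not is_restrictive(policy[prop]):
            findings.append(f"{setting}: {prop}={policy[prop]!r}")
    return findings

# Constructed sample standing in for ManagedAppPolicies/Android_MAM_BYOD.json
SAMPLE_EXPORT = """{
  "displayName": "Android_MAM_BYOD",
  "dataBackupBlocked": true,
  "allowedOutboundDataTransferDestinations": "allApps",
  "allowedInboundDataTransferSources": "managedApps",
  "saveAsBlocked": false,
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "printBlocked": true,
  "pinRequired": true,
  "minimumRequiredOsVersion": null
}"""

if __name__ == "__main__":
    for finding in audit_policy(json.loads(SAMPLE_EXPORT)):
        print(finding)
```
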

App Configuration Policies

Overview

App configuration policies deliver configuration settings to mobile apps on enrolled devices or managed apps without enrollment.

Graph Endpoints:
  • /deviceAppManagement/mobileAppConfigurations (device-based)
  • /deviceAppManagement/targetedManagedAppConfigurations (user-based MAM)
Service: ManagedAppConfigurationService
Permission: DeviceManagementApps.ReadWrite.All

Supported Operations

| Operation | Method | Description |
| --- | --- | --- |
| List | ListAsync() | Retrieve all app configurations (both types) |
| Get | GetAsync(id) | Retrieve a specific configuration by ID |
| Create | CreateAsync(config) | Create a new app configuration |
| Update | UpdateAsync(id, config) | Update an existing configuration |
| Delete | DeleteAsync(id) | Delete an app configuration |

Configuration Types

Managed Devices (MDM)

  • Target enrolled devices
  • Delivered through MDM channel
  • Platform: iOS/iPadOS, Android Enterprise
  • App must support Apple Managed App Configuration or Android Enterprise configuration

Managed Apps (MAM)

  • Target apps without device enrollment
  • Delivered through Intune App SDK
  • Platform: iOS/iPadOS, Android
  • App must integrate Intune App SDK

Configuration Settings

App configuration supports multiple data types:
  • String - Text values
  • Integer - Numeric values
  • Boolean - True/false flags
  • String array - Multiple text values
  • Configuration designer - Platform-specific settings (iOS plist, Android JSON)

Common Use Cases

  • Email settings - Configure email server, account settings
  • VPN configuration - Set VPN connection parameters
  • App behavior - Control feature flags and UI options
  • Enterprise resources - Configure SharePoint URLs, API endpoints
  • Branding - Set company logo, colors, welcome messages

Graph API Details

# Managed Devices
GET https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations
GET https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations/{id}
POST https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations
PATCH https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations/{id}
DELETE https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations/{id}

# Managed Apps (MAM)
GET https://graph.microsoft.com/beta/deviceAppManagement/targetedManagedAppConfigurations
GET https://graph.microsoft.com/beta/deviceAppManagement/targetedManagedAppConfigurations/{id}
POST https://graph.microsoft.com/beta/deviceAppManagement/targetedManagedAppConfigurations
PATCH https://graph.microsoft.com/beta/deviceAppManagement/targetedManagedAppConfigurations/{id}
DELETE https://graph.microsoft.com/beta/deviceAppManagement/targetedManagedAppConfigurations/{id}

Export/Import

App configurations export to:
ExportFolder/
├── MobileAppConfigurations/
│   └── Outlook_Email_Settings.json
└── TargetedManagedAppConfigurations/
    └── MAM_App_Config.json

Policy Sets

Overview

Policy sets allow you to group applications and policies together for unified assignment and reporting.

Graph Endpoint: /deviceAppManagement/policySets
Service: PolicySetService
Permission: DeviceManagementApps.ReadWrite.All

Supported Operations

| Operation | Method | Description |
| --- | --- | --- |
| List | ListAsync() | Retrieve all policy sets |
| Get | GetAsync(id) | Retrieve a specific policy set by ID |

Policy Set Items

A policy set can include:
  • Applications (Win32, Store, LOB)
  • App protection policies
  • App configuration policies
  • Device configuration profiles
  • Compliance policies
  • Enrollment restrictions

Use Cases

  • Department onboarding - Group all apps and policies for a specific department
  • Platform bundles - Combine Windows or macOS apps with platform-specific policies
  • Security baselines - Package security policies and approved apps together
  • Role-based deployment - Create sets for specific job roles (e.g., sales, finance, IT)
  • Project-based provisioning - Bundle resources for temporary projects or contractors

Benefits

  1. Simplified assignment - Assign multiple items with a single group assignment
  2. Consistent deployment - Ensure related policies deploy together
  3. Easier management - Update assignments across multiple items at once
  4. Reporting - View deployment status for entire sets
  5. Reduced errors - Eliminate missing dependencies or orphaned policies

Graph API Details

GET https://graph.microsoft.com/beta/deviceAppManagement/policySets
GET https://graph.microsoft.com/beta/deviceAppManagement/policySets/{id}

Export/Import

Policy sets export to:
ExportFolder/
└── PolicySets/
    ├── Sales_Department_Bundle.json
    └── BYOD_User_Package.json
Policy set exports include references to the member items but not the full item definitions. When importing, ensure all referenced apps and policies exist in the target tenant.
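
A pre-import check for the dependency described above: it reports policy set members that have no definition elsewhere in the same export, which are the items that must already exist in the target tenant. This is an added example, not Intune Commander code. It assumes each exported JSON file is a single object with a Graph-style `id`, and that policy set files list members under `items` with a `payloadId`; the sample files and IDs are constructed.

```python
import json
from pathlib import Path

def exported_ids(root: Path) -> set:
    """Collect the 'id' of every exported object outside PolicySets/."""
    ids = set()
    for path in root.rglob("*.json"):
        if "PolicySets" in path.relative_to(root).parts:
            continue
        try:
            obj = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # an unreadable file contributes no definitions
        if isinstance(obj, dict) and obj.get("id"):
            ids.add(obj["id"])
    return ids

def unresolved_references(root: Path) -> dict:
    """Map each policy set file to the payloadIds the export does not define."""
    known = exported_ids(root)
    report = {}
    for path in sorted((root / "PolicySets").glob("*.json")):
        items = json.loads(path.read_text(encoding="utf-8")).get("items", [])
        missing = [i.get("payloadId") for i in items
                   if i.get("payloadId") not in known]
        if missing:
            report[path.name] = missing
    return report

def write_constructed_export(root: Path) -> None:
    """Constructed sample: one app, and a set that also references an absent policy."""
    files = {
        "Applications/CompanyApp_v2.3.json": {"id": "app-0001"},
        "PolicySets/BYOD_User_Package.json": {
            "id": "set-0001",
            "items": [{"payloadId": "app-0001"}, {"payloadId": "mam-0002"}],
        },
    }
    for rel, obj in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(obj), encoding="utf-8")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_export(Path(tmp))
        print(unresolved_references(Path(tmp)))
```
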

Volume Purchase Program (VPP)

Overview

Manage Apple Business Manager and Microsoft Store for Business volume purchase tokens.

Service: VppTokenService
Permission: DeviceManagementApps.ReadWrite.All
VPP tokens enable:
  • Volume app purchases and licensing
  • App assignment to devices or users
  • License reclamation when apps are unassigned
  • Automatic app updates

Multi-Cloud Support

All application management features are supported across all four cloud environments:

| Cloud | Graph Base URL | Authority Host |
| --- | --- | --- |
| Commercial | https://graph.microsoft.com/beta | login.microsoftonline.com |
| GCC | https://graph.microsoft.com/beta | login.microsoftonline.com |
| GCC-High | https://graph.microsoft.us/beta | login.microsoftonline.us |
| DoD | https://dod-graph.microsoft.us/beta | login.microsoftonline.us |

Each cloud environment requires a separate app registration. See the cloud configuration pages for setup details.

Caching

Application data is cached locally for 24 hours using an AES-encrypted LiteDB database.

Cache Location:
  • Windows: %LocalAppData%\Intune.Commander\cache.db
  • Linux: ~/.config/Intune.Commander/cache.db
  • macOS: ~/Library/Application Support/Intune.Commander/cache.db
