Mobile Device Management is quickly becoming a viable alternative to Group Policy in today's cloud-first world. What used to require a domain-joined machine with group policy can now be achieved with an MDM-enrolled machine and configuration or compliance policies.
Several things have made this possible: Microsoft overhauled Intune last year to make it part of the native Azure interface, recent Windows 10 builds shipped with an MDM agent built in, and Azure Active Directory join is taking the place of (or supplementing) legacy Active Directory.
I'll preface this by saying: Intune is powerful, and only getting more powerful by the day. It can configure endpoint encryption, Windows 10 updates, Office apps, LOB apps, and even run remote PowerShell scripts at this point. The latter piece REALLY unlocks a lot of potential, but I'd rather focus on what's natively possible today in the interface.
For this post, we'll focus on Google Chrome, which is fairly ubiquitous on corporate PCs today.
To get started, you need to download the Google Chrome Enterprise bundle and unzip it.
In the unzipped folder, go to the "Installers" folder. You'll see a "GoogleChromeStandaloneEnterprise" MSI file. You'll use this later when you upload the app to Intune.
- go to "Mobile apps"
- then click "Apps"
- Click "Add" at the top
An "Add app" blade appears. Click the drop-down and select "Line-of-business" app at the very bottom.
- Click "App package file" and select the "GoogleChromeStandaloneEnterprise" MSI file you downloaded earlier.
Save and exit. Now, click the "App information" button.
- Publisher: Google
- Ignore app version: YES
- and update anything else you want
- Click ok. The MSI file will begin uploading in the background.
Once the upload is complete, the only thing to do is decide how you want to assign the app. I assign Chrome to all devices, but you may have other apps that need to be restricted. For that, you can create device-specific groups in Azure AD to limit the scope.