Automatic push only

If you plan to manually upload the integrated app to the Endpoint Manager or distribute it via another channel, you do not need this setup.
Adding the Intune App SDK with the Microsoft Authentication Library to your apps allows the Microsoft identity platform to provide authentication and authorization services for your app and its users. To do this, you need to register each mobile app on your Azure Active Directory tenant and configure API permissions using the Azure Active Directory admin center. You use the app registration properties for each app when you configure the Intune step for that app on the Blue Cedar Platform. (See No-Code Integration - Microsoft Intune.)

Likewise, to use the Microsoft Endpoint Manager extension to automatically deploy Intune-enabled apps for distribution, the Blue Cedar Platform must have an app registration on your Azure AD tenant with permissions configured so that the Platform can publish apps to the Endpoint Manager. This setup is a one-time configuration, no matter how many mobile apps you might deploy to the Endpoint Manager with the Blue Cedar Platform.

Set up the Blue Cedar Platform and distribution extension

Do these steps once (per Microsoft tenant in your Blue Cedar organization).

Registering the Blue Cedar Platform as an "app" in Azure AD allows the Platform to authenticate to your tenant on the Endpoint Manager in order to upload the Intune-enabled apps. Follow these steps to create a configuration profile that can be used when you use automatic push in a Microsoft Endpoint Manager distribution step.

Register the platform on the Microsoft portal

Create a Microsoft Azure AD service app to give the Platform access to your tenant. (You must be an admin for your Microsoft tenant.) 

  1. Log into the Azure Active Directory admin center:

    https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
  2. Create a new registration.
    1. Click + New registration.
    2. On the "Register an application" screen, enter a name.
    3. Under "Supported account types," select "Accounts in this organizational directory only." 
    4. Click Register.
  3. On the screen for your new app registration, copy these values from the Essentials section and save them to use on the Blue Cedar Platform for configuration:
    • Application (client) ID
    • Directory (tenant) ID
  4. On the same application screen, click API permissions, and add the following permissions in the Microsoft Graph API:
    • DeviceManagementApps.ReadWrite.All
    • Application.ReadWrite.All
    • Directory.ReadWrite.All
    • User.Read.All
  5. On the application screen, click Certificates & secrets.
    1. Select + New client secret, and give the secret a name.
    2. Copy the Value right away and save it to use on the Blue Cedar Platform for configuration; the portal shows the secret value only at creation time.

Configure the extension on the Blue Cedar Platform

Enable and configure the Microsoft Endpoint Manager extension.

  1. Log into the Blue Cedar Platform as an organization admin, and navigate to the Extensions > Distribution screen.
  2. On the Microsoft Endpoint Manager card, click Add Extension (if not already added), and click the configuration gear.
  3. On the Configure Microsoft Endpoint Manager screen, click Add Config.
  4. Create a configuration using the values copied from the setup above:

    Platform field   Microsoft value
    Config Name      A name of your choosing for this platform config; it has no corresponding Microsoft value.
    Authority        The Directory (tenant) ID in this format: https://login.microsoftonline.com/directory-id
                     For example: https://login.microsoftonline.com/231fb3b8-1234-1234-a1a1-73d6a378dfab
    Secret           The client secret Value, as copied
    Client ID        The Application (client) ID, as copied
  5. Click Add to save the configuration. 
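Before saving the configuration, it is worth checking that the three values were copied correctly and that the four Graph permissions were actually granted to the registration. The following script is an added example, not Blue Cedar or Microsoft code; it assumes the Platform authenticates to the tenant with an app-only (client credentials) token, and the GUIDs and the unsigned test token in it are constructed.

```python
# Added pre-flight check for the Endpoint Manager extension config (not Blue Cedar code).
# Validates Authority / Client ID / Secret, then (with network access) can acquire an
# app-only token and confirm the Graph permissions appear in its "roles" claim.
import base64, json, re, urllib.parse, urllib.request

REQUIRED_ROLES = {"DeviceManagementApps.ReadWrite.All", "Application.ReadWrite.All",
                  "Directory.ReadWrite.All", "User.Read.All"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def authority_error(authority: str) -> str:
    """Return "" if Authority is https://login.microsoftonline.com/<Directory (tenant) ID>, else why not."""
    u = urllib.parse.urlparse(authority)
    if u.scheme != "https" or u.netloc != "login.microsoftonline.com":
        return "Authority must start with https://login.microsoftonline.com/"
    if not GUID_RE.match(u.path.strip("/")):
        return "Authority path must be the Directory (tenant) ID, not a domain name or empty"
    return ""

def config_errors(authority: str, client_id: str, secret: str) -> list:
    """Catch the usual copy/paste mistakes before the config is saved on the Platform."""
    err = authority_error(authority)
    errors = [err] if err else []
    if not GUID_RE.match(client_id):
        errors.append("Client ID must be the Application (client) ID from the Essentials section")
    if not secret or GUID_RE.match(secret):
        errors.append("Secret must be the client secret Value; a GUID here is the Secret ID, not the Value")
    return errors

def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (no signature check; never log the token)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def missing_roles(claims: dict) -> set:
    """Granted application permissions show up in the 'roles' claim of an app-only token."""
    return REQUIRED_ROLES - set(claims.get("roles", []))

def acquire_app_token(authority: str, client_id: str, secret: str) -> str:
    """Client-credentials request to the tenant's v2.0 token endpoint (requires network access)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": secret,
                                   "scope": "https://graph.microsoft.com/.default",
                                   "grant_type": "client_credentials"}).encode()
    with urllib.request.urlopen(f"{authority.rstrip('/')}/oauth2/v2.0/token", data=body, timeout=15) as resp:
        return json.load(resp)["access_token"]

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the claim checks offline."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."
```

Run `config_errors(...)` on the values you are about to enter, then `missing_roles(decode_jwt_claims(acquire_app_token(...)))`; a non-empty set means a permission was added but not granted (or consented) in the tenant yet.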

Configure the workflow for an app

Do these steps for each mobile app.

  1. Configure the Intune step with the app's Azure AD registration as described in No-Code Integration - Microsoft Intune. (Add any other stages and steps desired.)
  2. In the workflow builder for the app, add a Testing or Production stage with a Microsoft Endpoint Manager step.
  3. Configure the Microsoft Endpoint Manager step as described in Distribution - Microsoft Endpoint Manager. Choose Automatic push, and select the configuration created above.

Now when you run the workflow, the app is automatically deployed to your Microsoft Endpoint Manager tenant.

For more on the Microsoft Graph APIs that Intune uses, see https://docs.microsoft.com/en-us/mem/intune/developer/intune-graph-apis