ASD's Blueprint for Secure Cloud

Application Management

This section describes the design decisions associated with the management of Applications deployed to endpoints for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 7 minutes

Mobile Application Management (MAM) enables the management and protection of an organisation’s data within an application. It controls data flows into and out of the application container that houses corporate data.

Using MAM, a corporate app that contains sensitive data can be managed on a wide variety of devices. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. MAM can protect data within the application container using authentication methods and copy/paste controls. However, these controls must be balanced with any MDM controls of the device to maintain usability of the solution.

When deploying a hybrid solution, the management of Windows devices should be considered when choosing to implement MAM for clients. Management solutions such as Group Policy and Microsoft Endpoint Configuration Manager (MECM) can provide functionality to control applications that negates the use of MAM on Windows machines.

Cloud native deployments

Hybrid deployments

Application lifecycle

The lifecycle of applications can be managed using Microsoft Intune, which enables deployment, configuration, patching, and removal of applications. Microsoft Intune can provision managed applications to the following platforms:

  • Android & Android Enterprise
  • iOS & iPadOS
  • macOS
  • Windows 10 / 11

Application types that can be managed include:

  • Store Apps (Android, iOS, Windows Phone, Microsoft Store, and Google Play)
  • The Microsoft Office suite
  • Microsoft Edge
  • Microsoft Defender ATP
  • Web links
  • Built-In applications
  • Line-of-Business applications
  • Win32 applications
  • Android Enterprise system applications

Applications can also be deployed via PowerShell Scripts or similarly through Detect / Remediation PowerShell Scripts.

When deploying a hybrid solution, the application lifecycle should be considered as other management solutions such as MECM may be performing the same service.

See App management capabilities by platform for full information on capabilities.

Application deployment

ASD’s Blueprint for Secure Cloud details a range of methods to deploy different applications:

  • Windows Package Manager - This is the successor technology to Microsoft Store for Business. Leveraging the command line tool WinGet, it enables Platform Administrators with the relevant assigned rights to add applications.
  • Windows (MSI) line-of-business app - This app packaging method uses .MSI files to publish the application. The main disadvantage is that the ability to update the app by using Win32 app supersedence is unable to be controlled, unless it is being used as a required deployment to a group. If the application has a high application update cadence, it is best to use the Windows app (Win32) method that enables application updates.
  • Win 32 - This method involves sourcing the application executable directly from the vendor and packaging it using the Intune Win App Utility to deploy as a Intune application.
  • Powershell Scripts - scripts are used to do advanced application configuration and deployment where they cannot be packaged using the methods above.

Application patching

The configuration recommended by the Blueprint assumes a patching policy in line with ASD’s recommendations for Patching Applications and Operating Systems, which states that application updates are to be deployed with 48 hours for patching Zero Day or Extreme Vulnerabilities, and within two weeks for other updates.

The following three methods are recommended within the Blueprint to meet this requirement for application updates:

  1. Relevant applications are allowed to self-update - These include Microsoft 365 Apps, including Teams, Google Chrome Enterprise Edition, Microsoft Edge, etc. These applications do not require any more work beyond the ability to check the Internet for updates. The main challenge is being able to package the initial installer to actually download the latest version. If this is not possible, then it may be necessary to rely on application auto-update mechanisms to activate. Please note the application must be able to update itself without the user having administrator rights to facilitate this approach.
  2. Applications have a remediation task that runs daily to check for new versions - These include Docker Desktop, Git for Windows, Microsoft Visual Studio Code. These applications have a daily update check run to see if there is an update, using automated Proactive Remediations and consist of a detection script to validate the deployed version is the most up-to-date version and a remediation script that will deploy the latest version of the detection scripts determines the latest version is not installed.
  3. Manual application package updates - These are done by regular monitoring of new versions. It is recommended that these applications be monitored for updates manually, checking updates every 2 weeks at a minimum.

Applications by persona / role

Applications can be deployed to devices based on the authenticated persona or role. Applications managed via this means are controlled though application based Entra ID Security Groups. Example personas include: Information Worker (standard user), Developer and Platform Administrator.

Platform Administrators, for example, can also have a separate set of applications, which are deployed to separate Privileged Access Workstation (PAW) devices. The PAW is a separate device that will receive different sets of compliance, security, and configuration profiles. The PAW is used for all privileged administration activities for the Microsoft 365 tenant. It should be a separate build, not built on other profiles, and should not be installed with collaboration applications such as Teams or Outlook.

Security & Governance

  • None identified

Design

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra