Owner: Desktop Engineering · Platforms: Microsoft Intune, Citrix DaaS · Review Cycle: 6 months
Application delivery is the process of packaging, testing, and distributing software to endpoints. The organisation uses Microsoft Intune for physical and personally-managed endpoints, and Citrix DaaS for virtual desktop and published-app delivery. Legacy MSI/EXE installers are migrated to MSIX where feasible.
| Channel | Platform | Audience | Use Case |
|---|---|---|---|
| Intune — Required | Intune | All corporate Windows/macOS | Mandatory software (security tools, M365) |
| Intune — Available (Company Portal) | Intune | Self-service | Optional/departmental apps |
| Citrix Published App | Citrix DaaS | VDI/app users | Legacy, resource-heavy, or regulated apps |
| Citrix Virtual Desktop (full) | Citrix DaaS | Task workers, contractors | Full VDI session |
| Microsoft Store for Business | Intune + Store | — | Modern UWP apps (limited) |
| Web App (Intune MAM) | Intune MAM | BYOD | M365 apps on personal devices |
| Format | Preferred? | Notes |
|---|---|---|
| MSIX / MSIX App Attach | ✅ Preferred | Modern, clean install/uninstall, supports App Attach for VDI |
| Win32 (EXE/MSI wrapped) | ✅ Acceptable | Required for apps that cannot be MSIX packaged |
| PowerShell Script (Intune) | ⚠️ Conditional | For configuration, not application installs |
| AppX / UWP (Store) | ✅ Acceptable | For Microsoft Store apps |
| MSI (legacy direct) | ❌ Avoid | Use Win32 wrapper in Intune for detection rules |
Before submission to the application library, every package must pass:
/quiet /norestart or equivalent)%APPDATA%) — must install to %ProgramFiles%%TEMP%\install-{appname}.log for troubleshootingAll approved applications are catalogued in ServiceNow Software Asset Management (SAM). The library is the single source of truth for:
Applications not in the library cannot be deployed via Intune or Citrix without a change request approved by the Desktop Architecture team.
Request → Review → Package → Test → Approve → Deploy → Monitor → Retire
│ │ │ │ │ │ │ │
ServiceNow Desktop Packaging Lab VM Change Intune/ Intune Retire
App Request Arch team testing Board Citrix reports ticket
| Phase | SLA | Owner |
|---|---|---|
| Initial review (new app) | 5 business days | Desktop Architect |
| Packaging | 10 business days | Desktop Engineering |
| Lab testing | 5 business days | Desktop Engineering |
| Change approval | Per ITIL Change process | CAB |
| Production deployment | Per change window | Desktop Engineering |
MSIX App Attach separates application layers from the VDI golden image, enabling:
VDI Session Boot
│
├── Base OS Layer (Windows 11 golden image via MCS)
│
├── App Attach Layer A: Microsoft Office 365
├── App Attach Layer B: SAP GUI
├── App Attach Layer C: Dept-specific tooling
│
└── User Profile Layer (Citrix Profile Management)
App Attach VHD files are stored on the dedicated file share: \\fileserver.corp.company.internal\appattach$
Software licences are tracked in ServiceNow SAM Pro:
| Licence Type | Tracking Method |
|---|---|
| Per-device | Intune device inventory |
| Per-user | Entra ID group membership + app assignment |
| Concurrent | Citrix licence server (on-prem) |
| Subscription (SaaS) | ServiceNow integration via vendor APIs |
The following categories of software are not permitted on corporate endpoints and are blocked via Intune compliance policy and Defender AppLocker policy:
https://itsm.internal/samhttps://applib.internal