PDQ Connect is a new product from the company that created PDQ Deploy, and it is fully cloud based. It has no Intune integration and instead runs its own agent. This is a new offering with an exciting roadmap.
Intune Enterprise App Management is an addition to the Microsoft Intune suite which manages application deployment and updates all within the Intune console. A new release with a lot of applications planned!
We could push this out as a PowerShell script directly in Intune, but wrapping and packaging it as an application is my preferred approach: it keeps things consistent across applications and also gives users the option to self-service install from Company Portal. Wrapping with the PowerShell Application Deployment Toolkit (PSADT) would be a good choice for this.
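Whichever wrapper you use, an Intune Win32 package still needs a detection rule, and a script that compares the installed version against a minimum is far more robust than a file or registry key check. The block below is an added example (not from the original post or from PSADT): it reads the standard Uninstall registry keys, picks the highest installed version that matches a DisplayName pattern, and exits 0 with output only when that version is at least the one the package carries. The app name and version are constructed sample values; the same logic, with the comparison inverted, doubles as the requirement script for an update-only package.

```powershell
# Added example, not from the original post. Intune Win32 detection script:
# writes to STDOUT and exits 0 when the app is installed at or above $MinVersion,
# otherwise exits 1 (Intune treats "no output / non-zero" as not detected).
$AppName    = '7-Zip*'                 # assumption: DisplayName pattern of the packaged app
$MinVersion = [version]'23.1.0.0'      # assumption: version the package installs

function Get-InstalledVersion {
    param([string]$NamePattern)
    # Both 64-bit and 32-bit uninstall hives; the app may register in either.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion } |
        ForEach-Object {
            # DisplayVersion is free text ("23.01 (x64)"); keep only digits and dots
            $v = ($_.DisplayVersion -replace '[^\d.]', '').Trim('.')
            try { [version]$v } catch { $null }   # skip anything that is not a parseable version
        } |
        Where-Object { $_ } |
        Sort-Object -Descending |
        Select-Object -First 1
}

$installed = Get-InstalledVersion -NamePattern $AppName
if ($installed -and $installed -ge $MinVersion) {
    Write-Output "Detected $AppName $installed (minimum $MinVersion)"
    exit 0
}
exit 1
```

Because the script compares versions rather than checking for a fixed string, the same detection rule keeps working when the vendor ships a newer build than the one you packaged, which is exactly the situation the auto-update tools below create.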
Patch My PC has a GUI application which runs on a Windows device (usually a deployment server), either on-prem or in Azure. Once configured, deploying an application is a case of finding the application in the list and marking it for deployment:
Clicking Advanced gives a lot of additional options, some of which are very powerful. As well as the assignments (which link directly to your Entra tenant to discover groups), you can configure pre- and post-install tasks and even deployment rings to roll out updates in a staggered manner.
The first step with PDQ Connect is to deploy the agent to your devices. I did this by packaging it as a Win32 app and deploying via Intune, which did seem a little counter-productive, but this solution is designed to also work stand-alone.
As you would expect with a native feature, deploying apps is incredibly straightforward: you select the application just as you would when deploying a Store application. Intune then converts it to a Win32 app and deploys it to your environment. Similar to the other options, all application details are pre-configured.
Once you have added your tenant in the Settings menu, it is simply a case of searching for your application and clicking Import. Once in your apps, you can then deploy to Intune. You can also configure assignments as required with some default templates in place which work well.
Similar to Winget, updating is driven from the command line, either for a specific application or for all applications at once. Fortunately Chocolatey does support excluding packages from an upgrade-all run, so at least I can remove some applications, but this means hard-coding a list of applications to exclude, and there is always the chance that one particular application slips through and causes issues.
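The "slips through" risk comes from the exclude-list model itself: anything not on the list, including a package you have never tested, gets upgraded. The block below is an added example (not from the original post, Chocolatey or Winget) that puts the two models side by side in PowerShell: an upgrade-all run with `--except` as the text describes, and an allowlist run that only ever touches named packages. It requires the Chocolatey CLI on the device; the package names are constructed samples, and the `name|current|available|pinned` layout assumed for `choco outdated -r` is flagged as an assumption in the code.

```powershell
# Added example, not from the original post. Compares the exclude-list model
# ("upgrade everything except X") with an allowlist ("upgrade only Y").
# Requires choco.exe; package names are constructed samples.
$Exclude = @('googlechrome', 'vscode')      # apps that must never be auto-updated
$Allow   = @('7zip', 'notepadplusplus')     # apps that may be auto-updated

function Get-OutdatedPackages {
    # Assumption: "choco outdated -r" (limited output) emits one
    # "name|current|available|pinned" line per outdated package.
    choco outdated -r | Where-Object { $_ -match '\|' } | ForEach-Object {
        $f = $_ -split '\|'
        [pscustomobject]@{
            Name      = $f[0]
            Current   = $f[1]
            Available = $f[2]
            Pinned    = ($f[3] -eq 'true')
        }
    }
}

function Invoke-UpgradeAllExcept {
    # Exclude-list model: every package not listed is upgraded, including ones
    # that were added to the repo after the list was written.
    param([string[]]$Except, [switch]$DryRun)
    $cliArgs = @('upgrade', 'all', '-y', "--except='$($Except -join ',')'")
    if ($DryRun) { $cliArgs += '--noop' }   # --noop: report what would change, change nothing
    & choco @cliArgs
}

function Invoke-UpgradeAllowed {
    # Allowlist model: only named, unpinned packages that are actually outdated are touched.
    param([string[]]$Allow, [switch]$DryRun)
    $targets = @(Get-OutdatedPackages | Where-Object { $Allow -contains $_.Name -and -not $_.Pinned })
    if ($targets.Count -eq 0) { Write-Host 'Nothing on the allowlist is outdated.'; return }
    $cliArgs = @('upgrade') + $targets.Name + @('-y')
    if ($DryRun) { $cliArgs += '--noop' }
    & choco @cliArgs
}

# Dry runs first; drop -DryRun once the output looks right.
Invoke-UpgradeAllExcept -Except $Exclude -DryRun
Invoke-UpgradeAllowed   -Allow   $Allow   -DryRun
```

Winget offers the same split: `winget upgrade --all` is the exclude-list model, with `winget pin add --id <Id>` holding individual packages back, while running `winget upgrade --id <Id>` per allowlisted package is the allowlist model.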
Patch My PC works differently. For each new version of an application, it publishes a new package into Intune automatically. This gives you the ability to test the new version prior to deployment and then deploy when happy (either by assigning it manually or by using supersedence).
Updates are handled automatically via a checkbox during deployment, which leverages the Graph API to push out the latest versions with versioning. There is also the option to deploy an update-only application, which uses custom requirement scripts so that it only applies where the app is already installed.
By leveraging the Automations functionality, you can set your applications to remain always updated automatically. You can also configure Device Groups should you wish to use rings to test initially and configure the schedules accordingly.
Chocolatey has a free version using the community repository or you can host your own on the free plan as well. There is also a business version which adds extra functionality (comparison here) for $15.60 per machine, per year.
Intune Pckgr uses device-based licensing with tiers depending on the number of devices. You do not pay per device; instead there is a fixed rate for each device tier (100, 1000, 2500, 5000). The costs range from $19 per month to $79 per month (with discounts for annual subscriptions). The basic 100-device subscription is also single-tenant, so any small MSPs will need the 1000-device tier.
Ignoring the Intune Suite here to keep it a fair comparison, this costs $2 per user, per month, which is considerably more than the likes of Scappman and PMPC. Compared with PMPC, even if a user has two devices, it is still 10 times the cost. For large environments this could be problematic, especially on top of the M365 licensing costs.
Winget currently has roughly 6000 packages in the community repository (here), which can be searched using the very useful winstall.app website. You can also add your own to the main repository, to a private one, or to a UNC path to deploy using a custom manifest file.
Chocolatey, at the time of writing, has just over 9000 packages in the community repository, which can be searched here. You can, of course, add your own, either to the community repository or to a private one.
At present, this has around 400 applications (full list here), all sourced from the Winget community catalogue but with further testing carried out by the Intune Pckgr team for extra peace of mind. There are also some packages curated by them directly. All install scripts have been digitally code signed for additional security.
At the time of writing, there are 154 packages available for deployment, with the option to add your own custom applications (full list here). This is a very new product so I expect this to grow, but the rating is as of June 2024.
At the time of writing, there are roughly 100 packages available for deployment, including a few which are quite niche. The roadmap looks exciting, but the rating is based on the current catalogue (June 2024). Daniel Bradley keeps a list of them here.
From my testing, the user experience is the same across all platforms: as long as the work is put in to handle deployments and updates, the experience within Company Portal, or when updating applications, should not differ in any way. The only thing I did notice is that some applications would uninstall and re-install rather than perform a straight upgrade, but this is something which can easily be covered with some user comms.
Patch My PC has no requirements on the end-user devices, but does require a machine of some sort to run the Publishing Server (instructions here). The requirements are minimal, but it will require storage for the application installers.
Scappman is fully cloud based and hosted so no requirements on the end-user devices, or any back-end infrastructure. If adding custom applications, an internet accessible location to host the install files will be required.
Patch My PC is currently one install per tenant, so you will need multiple hosts to run the Publishing Server for each. The config work is all done in the publishing application though, so there is less effort on the Intune side.
Multi-tenant deployments are covered via App Sets, so an application can be deployed to multiple tenants in one single deployment. This is potentially a game changer for any multi-tenant MSPs! Rating increased accordingly.
As there is currently no Entra ID or Intune integration, tenants do not exist at this point; all devices are treated the same. This does mean you will need to put in some more effort on grouping if supporting multiple companies.
With Chocolatey, you can easily host your own repository for your own custom apps. Customizing install commands would require forking the package into your own repo though, so it is a bit more of a hassle.
Full access to create your own apps, including bulk import and also import from SCCM. By default installations use PSADT, so you can specify a different command line and pre/post-install steps, even at a per-tenant level.
Patch My PC is a solid and cost effective offering with a good selection of applications and if you prefer to keep things in-house rather than using a hosted platform, it is an excellent option. The addition of a hosted option is extremely welcome and well worth considering. They have a huge customer base and the package inventory is constantly growing.
PDQ Connect is a different option altogether as it completely bypasses Intune application management (apart from deploying the agent). The app deployment speed is impressive, but the app catalogue is currently too small to justify the cost. Looking at the roadmap though, this could be one to watch.
There really is no standout winner on this one. If you are looking at the paid options, please make sure you check the application list first. All have different price levels, so work out how many of the applications apply to you and then the yearly cost per app; this will give an idea of the cost effectiveness of the different platforms.
I believe there is new pricing planned for PMPC with the launch of the MSP version, so it may get cheaper if you can share a license pool across multiple Customers.
That leads onto the question for Scappman, if you need to buy a pool of licences per Customer, or per MSP? Plus I assume the cost per user comes down after 1,000?
App Control for Business, the new name for Windows Defender Application Control (WDAC), is a security feature that lets you block unauthorized and harmful software from running on your devices. More importantly, it also comes with a new managed installer for Intune.
AppLocker pays close attention to any files created on the disk during this operation. As these files are written, they are tagged to indicate that they originated from the managed installer. Each application tagged by the managed installer will then be permitted to execute.
Right now, our folder is still empty, but after a few minutes we will see that a new .cip code integrity file is placed in the folder C:\Windows\System32\CodeIntegrity\CiPolicies\Active. This shows that your base code integrity policy has been delivered and activated, which means the process was successful.
I quickly grabbed an install package from the IME cache folder and copied it over to another location in my OneDrive. I will now scan the install package from Patch My PC with PowerShell. Here are the steps:
The PowerShell cmdlet New-CIPolicy creates a new Code Integrity policy (WDAC policy) as an .xml file (Note: I had to add the parameter -UserPEs to include user-mode files. Otherwise, you will end up with an .xml that has no information in it!).
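To make the scan step concrete, the block below is an added example (not from the original post or from Microsoft's documentation) that scans the copied installer with New-CIPolicy, counts the file rules that came out so you can see the difference -UserPEs makes, converts the XML to the binary .cip form, and lists what is currently under the CiPolicies\Active folder mentioned earlier. The scan path is an assumption; point it at wherever you copied the package.

```powershell
# Added example, not from the original post. Requires the ConfigCI module
# (built into Windows) and an elevated prompt for the Active folder listing.
$ScanPath  = "$env:USERPROFILE\OneDrive\PMPC-Scan"   # assumption: where the installer was copied to
$PolicyXml = "$env:TEMP\PMPC-Scan.xml"
$PolicyBin = "$env:TEMP\PMPC-Scan.cip"

function New-ScanPolicy {
    # Scans $Path and returns the number of file rules written to $XmlOut.
    # Without -UserMode (i.e. without -UserPEs) only kernel-mode binaries are
    # considered, which is why an installer scan comes back empty.
    param([string]$Path, [string]$XmlOut, [switch]$UserMode)
    $params = @{
        FilePath             = $XmlOut
        ScanPath             = $Path
        Level                = 'Publisher'   # prefer signer-based rules...
        Fallback             = 'Hash'        # ...and hash anything unsigned
        UserPEs              = $UserMode.IsPresent
        MultiplePolicyFormat = $true         # gives the policy its own PolicyID GUID
    }
    New-CIPolicy @params
    [xml]$doc = Get-Content -Path $XmlOut
    if ($doc.SiPolicy.FileRules) { @($doc.SiPolicy.FileRules.ChildNodes).Count } else { 0 }
}

$kernelOnly = New-ScanPolicy -Path $ScanPath -XmlOut $PolicyXml
$withUser   = New-ScanPolicy -Path $ScanPath -XmlOut $PolicyXml -UserMode
Write-Output "File rules without -UserPEs: $kernelOnly; with -UserPEs: $withUser"

# The binary form is what ends up in CiPolicies\Active. In the multiple policy
# format the file must be named after the policy GUID.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
[xml]$final   = Get-Content -Path $PolicyXml
$policyId     = $final.SiPolicy.PolicyID
Write-Output "Rename $PolicyBin to $policyId.cip before placing it under CiPolicies\Active"

# What is currently delivered and activated on this device
Get-ChildItem -Path "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active" -Filter *.cip -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

The scan only describes the installer itself; the binaries it writes at run time are covered by the managed installer tag, not by these rules, so a non-zero rule count here is a check that the scan worked, not proof that the application will run.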