Trying out Scappman – Automated Third-Party patching in Intune

Scappman is a cloud-only solution that automates the installation and updating of applications within Microsoft Intune. Over 400 different third-party applications are supported as of today. In this blog post, I will take a look at setting up Scappman and trying out the service as an automated solution for third-party patching within Intune. Basically, Scappman is installed as an enterprise application (Azure AD) in your tenant, and the service principal then needs several Microsoft Graph permissions to do its job in Microsoft Intune.

Initial Setup
I headed to the Scappman portal and registered a trial.
I authenticated with a Global Admin Microsoft Account from my tenant, and Scappman requested several permissions, which I reviewed and then granted to the application.

Scappman requires the following permissions:

API | Permission | Type
Microsoft Graph | Maintain access to data you have given it access to | Delegated
Microsoft Graph | Sign in and read user profile | Delegated
Microsoft Graph | Read and write all groups | Application
Microsoft Graph | Read directory data | Application
Microsoft Graph | Read and write Microsoft Intune devices | Application
Microsoft Graph | Read and write Microsoft Intune apps | Application
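
To confirm after consent that the service principal holds exactly the permissions listed above, this added example (not code from Scappman or from the original post) compares exported Graph data against that list. It assumes the inputs are the Microsoft Graph service principal's appRoles plus the Scappman service principal's appRoleAssignments and oauth2PermissionGrants; the function name, the placeholder GUIDs and the extra User.ReadWrite.All assignment are constructed for illustration.

```python
# Baseline: the permission list on this page, mapped to Graph permission values.
EXPECTED_APPLICATION = {
    "Group.ReadWrite.All",                           # Read and write all groups
    "Directory.Read.All",                            # Read directory data
    "DeviceManagementManagedDevices.ReadWrite.All",  # Read and write Microsoft Intune devices
    "DeviceManagementApps.ReadWrite.All",            # Read and write Microsoft Intune apps
}
EXPECTED_DELEGATED = {
    "offline_access",  # Maintain access to data you have given it access to
    "User.Read",       # Sign in and read user profile
}


def audit_grants(graph_app_roles, app_role_assignments, oauth2_grants):
    """Report permissions held beyond, or missing from, the baseline."""
    role_names = {r["id"]: r["value"] for r in graph_app_roles}
    # Application permissions are stored as role IDs; IDs that cannot be
    # resolved stay visible in the report instead of being dropped.
    application = {
        role_names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        for a in app_role_assignments
    }
    # Delegated permissions are a space-separated scope string per grant.
    delegated = set()
    for grant in oauth2_grants:
        delegated.update(grant.get("scope", "").split())
    missing = (EXPECTED_APPLICATION - application) | (EXPECTED_DELEGATED - delegated)
    return {
        "unexpected_application": sorted(application - EXPECTED_APPLICATION),
        "unexpected_delegated": sorted(delegated - EXPECTED_DELEGATED),
        "missing": sorted(missing),
    }


# Constructed sample data in the shape Graph returns. The GUIDs are placeholders,
# and the fifth role is invented to show what drift looks like in the report.
_names = sorted(EXPECTED_APPLICATION) + ["User.ReadWrite.All"]
SAMPLE_ROLES = [{"id": f"00000000-0000-0000-0000-{i:012d}", "value": v}
                for i, v in enumerate(_names, 1)]
SAMPLE_ASSIGNMENTS = [{"appRoleId": r["id"], "resourceDisplayName": "Microsoft Graph"}
                      for r in SAMPLE_ROLES]
SAMPLE_GRANTS = [{"consentType": "AllPrincipals", "scope": "offline_access User.Read"}]

if __name__ == "__main__":
    report = audit_grants(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS, SAMPLE_GRANTS)
    for key, values in report.items():
        print(f"{key}: {values}")
```

Running the same comparison on a schedule surfaces any permission added to the enterprise application after the initial consent.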

Adding Applications to Scappman
At the time of writing, Scappman supports over 400 third-party applications.
Let's look at Adobe as an example. The following Adobe applications are supported today:

As an example, let's install Adobe Acrobat Reader DC. I have customized the display name with my own prefix called "Global". By default, pressing Install would assign the application as required to All Computers.

Since Scappman can read Users and Groups from Azure AD, we can also select a specific user or a group for the application assignment (excellent for testing purposes, for example). For the group assignment, we can select a single group or multiple groups and choose, per group, whether the assignment should be include or exclude.

If we select Advanced we get several more useful deployment options. For example, we get the option to specify our own custom pre-install commands if we need to do anything specific before this application deployment is installed.

In this case, I want to make sure other non-managed versions of Adobe Reader already installed on the device get uninstalled prior to Scappman's deployment. This is provided for us by Scappman as a default pre-installation command.

As I mentioned before, the default for an application deployment in Scappman is required, but we can change this to available instead if needed, which also lets us decide if we want future updates of the application to arrive to All Users, All Devices or only the specific group we assigned before. When everything we want is selected, press Install to start the provisioning of the application.

Viewing Installations, we can now see that the application deployment is being prepared.

Selecting the application will provide more details about its version, if updates are enabled and current assignments.

Editing of the application is also possible from this view if needed.

Navigating to Microsoft Endpoint Manager, the initial application and its update deployment have been created and assigned.

Viewing Global – Adobe Acrobat Reader DC in MEM, we can see what Scappman created for us, including its install/uninstall commands and detection methods.

Before installation I wanted to add the Microsoft Information Protection plugin as a dependency to Adobe Reader.
I added MIP Plugin for Acrobat Reader DC and selected the newly created Global – Adobe Acrobat Reader DC as dependency.

As seen below, several Scappman published applications arrived in Company Portal.

I selected the MIP Plugin for installation and because of the dependency both Adobe Acrobat Reader DC + MIP Plugin got installed successfully.

For troubleshooting purposes, logs are available at C:\ProgramData\Scappman\Logs.
According to the documentation, Scappman collects logs for the IT Admin to view when an installation has failed.

To change the branding of Scappman from the default values, navigate to Settings / Branding. There we can easily change the Intune publisher name and also add the organization's own logo for the prompts issued by the PowerShell App Deployment Toolkit.

Naming Convention
Scappman supports adjusting the prefix, postfix and custom naming on the different release rings of an application deployment.

Notifications & Reporting
When Scappman has automatically updated an application, a notification can be sent via email today. Hopefully webhook functionality gets implemented for Scappman in the future so that this type of notification can arrive in, for example, Teams.

As an overview, the number of application installations, computers and subscribed applications through Scappman can be viewed at the built-in Dashboard.

The overall status of all applications published through Scappman is available under Reports. Here, the version and the number of installed, failed, postponed, pending and other status values of application deployments can be viewed.

Existing Applications on Intune managed devices
Scappman cannot automatically detect existing applications on your Intune managed devices unless the application deployments are managed by Scappman. Hopefully this functionality gets added in the future, but as of now you need to know that a device has, for example, an older version of Adobe Reader; that can then be replaced with a Scappman deployment, which then gets automatically updated in the future.

Pricing of course depends on the size of the environment, but the current target price is 1€ per user per month. What I personally am hoping to see in the future is more reporting functionality and also integration with existing application deployments in Intune. All of the features launched and in development can be viewed at Scappman's Roadmap. Based on my testing, Scappman is easy to set up, has fairly good support in terms of its application library and has several customizable options for deployments. That Scappman is 100% cloud only is a big plus. Suitable for small to mid cloud-only environments where Intune is used, implementing the product could easily save lots of hours in terms of manual labor as long as the applications in use on the endpoints are supported by Scappman.
