We have a 2-ring approach for new apps/updates, with Ring01 being IT and a handful of business users. We also have a handful of required apps, most of which are in our Autopilot ESP.
When I was first introduced to PMPC I was of the understanding that APPS were greenfields and UPDATES were brownfields deployments. I have since been informed that this is true only for "available" apps and not "required" apps.
As it stands PMPC APPS will install over the top of existing brownfields installations.
There is no option in PMPC to prevent this.
If I set an availability date in the future to coincide with our ringed update process of 7 days, then any new devices provisioned in those 7 days will be unable to get the required apps.
The alternative is to assign those groups as available ASAP, but these Autopilot security groups contain all legacy devices and the apps would install to all existing devices.
A possible solution could be a variation on the following options:
Change the default behaviour of PMPC apps to be greenfields-only installations. The detection rules would be updated such that if they are deployed to an endpoint with the app already installed, then the PMPC app will report it as not required. Any updates to this endpoint will be managed by a PMPC update task. APP = new install. UPDATE = existing install patches.
Give direct access in PMPC to set additional requirement rules, ideally with a checkbox option to enforce respecting existing installations and prevent PMPC apps installing on brownfields.
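
One way to express the "respect existing installations" check requested above is an Intune Win32 custom requirement script. This is an added example, not part of the original post and not PMPC functionality. It assumes a requirement rule with output type String, operator Equals, value `NotInstalled`, a script run as a 64-bit process in system context, and a constructed placeholder for the application's display name.

```powershell
# Added example: greenfield-only requirement check for an Intune Win32 app.
# Prints "NotInstalled" only when no machine-wide install is registered, so a
# rule "String / Equals / NotInstalled" makes the app not applicable on devices
# that already have it (brownfield), leaving those to the update task.

# Constructed placeholder: replace with the DisplayName pattern of the target app.
$DisplayNamePattern = 'Example App*'

function Test-AppInstalled {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Uninstall keys for 64-bit and 32-bit machine-wide installs.
        # Assumes a 64-bit PowerShell host; a 32-bit host is redirected to WOW6432Node.
        [string[]]$UninstallRoots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
        )
    )
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        $hit = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Get-ItemProperty -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $Pattern } |
            Select-Object -First 1
        if ($hit) { return $true }
    }
    return $false
}

# The requirement rule compares this single line of output.
if (Test-AppInstalled -Pattern $DisplayNamePattern) {
    Write-Output 'Installed'
} else {
    Write-Output 'NotInstalled'
}
exit 0
```

Per-user installs registered under HKCU are not visible to this check when it runs in system context.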