What's new in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Learn what’s new each week in Microsoft Intune. You can also find out about upcoming changes, important notices about the service, and information about past releases.

Note

For information on new functionality in hybrid mobile device management (MDM), check out our hybrid What’s New page.

Week of December 11, 2017

Device configuration

New Windows Defender Security Center (WDSC) device configuration profile settings

Intune adds a new section of device configuration profile settings, named Windows Defender Security Center, under Endpoint protection. IT admins can configure which pillars of the Windows Defender Security Center app end users can access. If an IT admin hides a pillar in the Windows Defender Security Center app, no notifications related to the hidden pillar are displayed on the user's device.

These are the pillars admins can hide from the Windows Defender Security Center device configuration profile settings:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

IT admins can also customize which notifications users receive. For example, you can configure whether the users receive all notifications generated by visible pillars in the WDSC, or only critical notifications. Non-critical notifications include periodic summaries of Windows Defender Antivirus activity and notifications when scans have completed. All other notifications are considered critical. Additionally, you can also customize the notification content itself, for example, you can provide the IT contact information to embed in the notifications that appear on the users' devices.

Multiple connector support for SCEP and PFX certificate handling

Customers who use the on-premises NDES connector to deliver certificates to devices can now configure multiple connectors in a single tenant.

This new capability supports the following scenario:

  • High availability

Each NDES connector pulls certificate requests from Intune. If one NDES connector goes offline, the other connector can continue to process requests.

Custom subject name can use AAD_DEVICE_ID variable

When you create a SCEP certificate profile in Intune, you can now use the AAD_DEVICE_ID variable when you build the custom subject name. When the certificate is requested using this SCEP profile, the variable is replaced with the AAD device ID of the device making the certificate request.

Device management

Manage Jamf-enrolled macOS devices with Intune's device compliance engine

You can now use Jamf to send macOS device state information to Intune, which will then evaluate it for compliance with policies defined in the Intune console. Based on the device compliance state as well as other conditions (such as location, user risk, etc.), conditional access will enforce compliance for macOS devices accessing cloud and on-premises applications connected with Azure AD, including Office 365. Find out more about setting up Jamf integration and enforcing compliance for Jamf-managed devices.

New iOS device action

You can now shut down iOS 10.3 supervised devices. This action shuts down the device immediately without warning to the end user. The Shut down (supervised only) action can be found in the device properties when you select a device in the Device workload.

Disallow date/time changes to Samsung KNOX devices

We've added a new feature that allows you to block date and time changes on Samsung KNOX devices. You can find this in Device configuration profiles > Device restrictions (Android) > General.

Surface Hub resource account supported

A new device action has been added so administrators can define and update the resource account associated with a Surface Hub.

The resource account is used by a Surface Hub to authenticate with Skype/Exchange so it can join a meeting. You can create a unique resource account so the Surface Hub appears in the meeting as the conference room. For example, the resource account might appear as Conference Room B41/6233. The resource account (known as the device account) for the Surface Hub typically needs to be configured when the device is set up for its conference room location, and again whenever other resource account parameters need to be changed.

When administrators want to update the resource account on a device, they must provide the current Active Directory/Azure Active Directory credentials associated with the device. If password rotation is on for the device, administrators must go to Azure Active Directory to find the password.

Note

All fields get sent down in a bundle and overwrite all fields that were previously configured. Empty fields also overwrite existing fields.

The following are the settings administrators can configure:

  • Resource account

    • Active Directory user

      Domainname\username or User Principal Name (UPN): user@domainname.com

    • Password

  • Optional resource account parameters (must be set using the specified resource account)

    • Password rotation period

      Ensures the account password is updated automatically by the Surface Hub every week for security reasons. To configure any parameters after this has been enabled, the account in Azure Active Directory must have the password reset first.

    • SIP (Session Initiation Protocol) address

      Only used when autodiscovery fails.

    • Email

      Email address of the device/resource account.

    • Exchange server

      Only required when autodiscovery fails.

    • Calendar sync

      Specifies whether calendar sync and other Exchange server services are enabled. For example: meeting sync.

Install Office apps on macOS devices

You will now be able to install Office apps on macOS devices. This new app type will allow you to install Word, Excel, PowerPoint, Outlook, and OneNote. These apps also come with the Microsoft AutoUpdate (MAU), to help keep your apps secure and up-to-date.

App management

Delete an iOS Volume Purchasing Program token

You can delete the iOS Volume Purchasing Program (VPP) token using the console. This may be necessary when you have duplicate instances of a VPP token.

Intune apps

End user messaging for accounts

Users of the Company Portal website will be blocked from taking actions that require write access to your tenant. They will see appropriate error messaging explaining that their account is under maintenance. Similar changes are coming to the Company Portal apps for Android, iOS, macOS, and Windows soon. You can see this error in the what's new in app UI.

Role-based access control

A new entity collection named Current User is limited to currently active user data

The Users entity collection contains all the Azure Active Directory (Azure AD) users with assigned licenses in your enterprise. For example, a user may be added to Intune and then removed during the course of the last month. While this user is not present at the time of the report, the user and state are present in the data. You could create a report that would show the duration of the user's historic presence in your data.

In contrast, the new Current User entity collection only contains users who have not been removed, that is, the currently active users. For information about the Current User entity collection, see Reference for current user entity.

Updated Graph APIs

In this release, we've updated a few of the Graph APIs for Intune that are in beta. Please check out the monthly Graph API changelog for more information.

Week of December 4, 2017

Monitor and troubleshoot

Intune supports Windows Information Protection (WIP) denied apps

You can specify denied apps in Intune. If an app is denied, it is blocked from accessing corporate information, effectively the opposite of the allowed apps list. For more information, see Recommended deny list for Windows Information Protection.

Week of November 27, 2017

Device enrollment

Troubleshoot enrollment issues

The Troubleshoot workspace now shows user enrollment issues. Details about the issue and suggested remediation steps can help administrators and help desk operators troubleshoot problems. Certain enrollment issues aren't captured and some errors might not have remediation suggestions.

Group-assigned enrollment restrictions

As an Intune administrator, you can now create custom Device Type and Device Limit enrollment restrictions for user groups.

The Intune Azure Portal lets you create up to 25 instances of each restriction type which can then be assigned to user groups. Group-assigned restrictions override the default restrictions.

All the instances of a restriction type are maintained in a strictly ordered list. This order defines a priority value for conflict resolution. A user impacted by more than one restriction instance is only restricted by the instance with the highest priority value. You can change a given instance's priority by dragging it to a different position in the list.

This functionality will be released with the migration of Android for Work settings from the Android For Work enrollment menu to the Enrollment Restrictions menu. Since this migration may take several days, your account may be upgraded for other parts of the November release before you see group assignment become enabled for Enrollment Restrictions.

Support for multiple Network Device Enrollment Service (NDES) connectors

NDES allows mobile devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). With this update, multiple NDES connectors are supported.

Manage Android for Work devices independently from Android devices

Note: The following changes will start rolling out with the November update, but may take time to execute on your account. You will receive a confirmation notification in the Office 365 portal when these changes are effective for your account. After the roll out, you’ll have additional manageability options. There will be no change to the end user experience during the rollout.

Intune supports managing enrollment of Android for Work devices independently from the Android platform. These settings are managed under Device Enrollment > Enrollment restrictions > Device Type Restrictions. (They were previously located under Device Enrollment > Android for Work Enrollment > Android for Work Enrollment Settings.)

By default, your Android for Work device settings are the same as your settings for your Android devices. However, after you change your Android for Work settings, that will no longer be the case.

If you block personal Android for Work enrollment, only corporate Android devices can enroll as Android for Work.

When working with the new settings, consider the following:

If you have never previously onboarded Android for Work enrollment

The new Android for Work platform is blocked in the default Device Type Restrictions. After you onboard the feature, you can allow devices to enroll with Android for Work. To do so, change the default or create a new Device Type Restriction to supersede the default Device Type Restriction.

If you have onboarded Android for Work enrollment

If you’ve previously onboarded, your situation depends on the setting you chose:

Setting | Android for Work status in default Device Type Restriction | Notes
--- | --- | ---
Manage all devices as Android | Blocked | All Android devices must enroll without Android for Work.
Manage supported devices as Android for Work | Allowed | All Android devices that support Android for Work must enroll with Android for Work.
Manage supported devices for users only in these groups as Android for Work | Blocked | A separate Device Type Restriction policy was created to override the default. This policy defines the groups you previously selected to allow Android for Work enrollment. Users within the selected groups will continue to be allowed to enroll their Android for Work devices. All other users are restricted from enrolling with Android for Work.

In all cases, your intended regulation is preserved. No action is required on your part to maintain the global or per-group allowance of Android for Work in your environment.

App management

App install report updated to include Install Pending status

The App install status report accessible for each app through the App list in the Mobile apps workload now contains an Install Pending count for Users and Devices.

iOS 11 app inventory API for Mobile Threat Detection

Intune collects app inventory information from both personal and corporate-owned devices and makes it available for Mobile Threat Detection (MTD) providers, such as Lookout for Work, to fetch. You can collect an app inventory from the users of iOS 11+ devices.

App inventory
Inventories from both corporate-owned iOS 11+ and personally owned devices are sent to your MTD service provider. Data in the app inventory includes:

  • App ID
  • App Version
  • App Short Version
  • App Name
  • App Bundle Size
  • App Dynamic Size
  • App is validated or not
  • App is managed or not

Device management

Migrate hybrid MDM users and devices to Intune standalone

We have a new process and tools for moving users and their devices from hybrid MDM to Intune in the Azure portal, which allow you to do the following:

  • Copy policies and profiles from the Configuration Manager console to Intune in the Azure portal
  • Move a subset of users to Intune in the Azure portal, while keeping the rest in hybrid MDM
  • Migrate devices to Intune in the Azure portal without needing to re-enroll them

For details, see Migrate hybrid MDM users and devices to Intune standalone.

On-premises Exchange connector high availability support

After the Exchange connector creates a connection to Exchange using the specified CAS, the connector now has the ability to discover other CASs. If the primary CAS becomes unavailable, the connector fails over to another CAS, if one is available, until the primary CAS becomes available again. For details, see On-premises Exchange connector high availability support.

Remotely restart iOS device (supervised only)

You can now trigger a supervised iOS 10.3+ device to restart using a device action. For more information on using the device restart action, see Remotely restart devices with Intune.

Note

This command requires a supervised device and the Device Lock access right. The device restarts immediately. Passcode-locked iOS devices will not rejoin a Wi-Fi network after restart; after restart, they may not be able to communicate with the server.

Single Sign-on support for iOS

You can use Single Sign-on for iOS users. The iOS apps that are coded to look for user credentials in the Single Sign-on payload are functional with this payload configuration update. You can also use UPN and Intune Device ID to configure the Principal Name and Realm. For details, see Configure Intune for iOS device single sign-on.

Add "Find my iPhone" for personal devices

You can now view whether iOS devices have Activation Lock turned on. This feature previously could be found in Intune in the classic portal.

Remotely lock managed macOS device with Intune

You can lock a lost macOS device, and set a 6-digit recovery PIN. When locked, the Device overview blade displays the PIN until another device action is sent.

For more information, see Remotely lock managed devices with Intune.

New SCEP profile details supported

Administrators are now able to set additional settings when creating a SCEP profile on Windows, iOS, macOS, and Android platforms. Administrators can set IMEI, serial number, or common name including email in the subject name format.

Retain data during a factory reset

When resetting Windows 10 version 1709 and later to factory settings, a new capability is available. Admins can specify if device enrollment and other provisioned data are retained on a device through a factory reset.

The following data is retained through a factory reset:

  • User accounts associated with the device
  • Machine state (domain join, Azure Active Directory-joined)
  • MDM enrollment
  • OEM installed apps (store and Win32 apps)
  • User profile
  • User data outside of user profile
  • User autologon

The following data is not retained:

  • User files
  • User installed apps (store and Win32 apps)
  • Non-default device settings

Monitor and troubleshoot

Windows 10 update ring assignments are displayed

When you are troubleshooting, you can see any Windows 10 update ring assignments for the user you are viewing.

Windows Defender Advanced Threat Protection reporting frequency settings

Windows Defender Advanced Threat Protection (WDATP) service allows admins to manage reporting frequency for managed devices. With the new Expedite telemetry reporting frequency option, WDATP collects data and assesses risks more frequently. The default for reporting optimizes speed and performance. Increasing the frequency of reporting can be valuable for high-risk devices. This setting can be found in the Windows Defender ATP profile in Device configurations.

Audit updates

Intune auditing provides a record of change operations related to Intune. All create, update, delete and remote task operations are captured and retained for one year. The Azure portal provides a view of the last 30 days of audit data in each workload, and is filterable. A corresponding Graph API allows retrieval of the auditing data stored for the last year.

Auditing is found under the MONITOR group. There is an Audit Logs menu item for each workload.

Week of November 20, 2017

App management

Google Play Protect support on Android

With the release of Android Oreo, Google introduces a suite of security features called Google Play Protect that allow users and organizations to run secure apps and secure Android images. Intune will support Google Play Protect features, including SafetyNet remote attestation. Admins can set compliance policy requirements that require Google Play Protect be configured and healthy. The SafetyNet device attestation setting requires the device to connect with a Google service to verify that the device is healthy and is not compromised. Admins can also set a configuration profile setting for Android for Work to require that installed apps are verified by Google Play services. Conditional access might block users from accessing corporate resources if a device is not compliant with Google Play Protect requirements.

Text protocol allowed from managed apps

Apps managed by the Intune App SDK are able to send SMS messages.

Week of November 13, 2017

Intune Apps

Company Portal app for macOS is available

The Intune Company Portal on macOS has an updated experience, which has been optimized to cleanly display all the information and compliance notifications your users need for all the devices they have enrolled. And, once the Intune Company Portal has been deployed to a device, Microsoft AutoUpdate for macOS will provide updates to it. You can download the new Intune Company Portal for macOS by logging into the Intune Company Portal website from a macOS device.

Microsoft Planner is now part of the mobile app management (MAM) list of approved apps

The Microsoft Planner app for iOS and Android is now part of the approved apps for mobile app management (MAM). The app can be configured through the Intune App Protection blade in the Azure portal to all tenants.

Per-App VPN requirement update frequency on iOS devices

Administrators may now remove Per-App VPN requirements for apps on iOS devices; the requirement is removed from affected devices after their next Intune check-in, which generally occurs within 15 minutes.

Monitor and troubleshoot

Support for System Center Operations Manager management pack for Exchange connector

The System Center Operations Manager (SCOM) management pack for Exchange connector is now available to help you parse the Exchange connector logs. This gives you different ways of monitoring the service when you need to troubleshoot issues.

Week of November 6, 2017

Device enrollment

Co-management for Windows 10 devices

Co-management is a solution that provides a bridge from traditional to modern management, and it provides you with a path to make the transition using a phased approach. At its foundation, co-management is a solution where Windows 10 devices are concurrently managed by Configuration Manager and Microsoft Intune, as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD). This configuration provides you with a path to modernize over time, at the pace that’s right for your organization if you can’t move all at once.

New enrollment status page for Windows 10 enrollments

You can now configure a greeting that appears when your users enroll Windows 10 devices. Use the Enrollment Status Screen to configure a custom message and a hyperlink to be displayed to your end users when they enroll their Windows 10 devices. The Enrollment Status Screen will also give end users a view into the progress of policy settings that are being applied to their device.

Restrict Windows Enrollment by OS version

As an Intune administrator, you can now specify a minimum and maximum version of Windows 10 for device enrollments. You can set these restrictions in the Platform Configurations blade.

Intune will continue to support enrolling Windows 8.1 PCs and phones. However, only Windows 10 versions can be set with minimum and maximum limits. To permit enrollment of 8.1 devices, leave the minimum limit empty.

Alerts for Windows AutoPilot unassigned devices

A new alert is available for Windows AutoPilot unassigned devices on the Microsoft Intune > Device enrollment > Overview page. This alert shows how many devices from the AutoPilot program do not have AutoPilot deployment profiles assigned. Use the information in the alert to create profiles and assign them to the unassigned devices. When you click the alert, you see a full list of Windows AutoPilot devices and detailed information about them. For more information, see Enroll Windows devices using Windows AutoPilot deployment program.

Device management

Refresh button for Devices list

Because the Device list does not refresh automatically, you can use the new Refresh button to update the devices that display in the list.

Support for Symantec Cloud Certification Authority (CA)

Intune now supports Symantec Cloud CA which allows the Intune Certificate Connector to issue PKCS certificates from the Symantec Cloud CA to Intune managed devices. If you're already using the Intune Certificate Connector with Microsoft Certification Authority (CA), you can leverage the existing Intune Certificate Connector setup to add the Symantec CA support.

New items added to device inventory

In this release, we've added the following new items to the inventory taken by enrolled devices:

  • Wi-Fi MAC address
  • Total storage space
  • Total free space
  • MEID
  • Subscriber carrier

App management

Set access for apps by minimum Android security patch on the device

An administrator is able to define the minimum Android security patch that must be installed on the device in order to gain access to a managed application under a managed account.

Note

This feature only restricts security patches released by Google on Android 6.0+ devices.

App-conditional launch support

IT admins can now set a requirement through the Azure admin portal to enforce a passcode instead of a numeric PIN through mobile app management (MAM) when the application launches. If configured, the user is required to set and use a passcode when prompted before getting access to MAM-enlightened applications. A passcode is defined as a numeric PIN with at least one special character or upper/lowercase letter. This release of Intune enables this feature on iOS only. Intune supports a passcode in a similar way to a numeric PIN: it sets a minimum length and allows repeated characters and sequences. This feature requires the participation of applications (for example, WXP, Outlook, Managed Browser, Yammer) that integrate the Intune App SDK with the code for this feature in place, so that the passcode settings can be enforced in the targeted applications.

App Version number for line-of-business in device install status report

With this release, the Device install status report displays the app version number for the line-of-business apps for iOS and Android. You may use this information to troubleshoot your apps, or find devices that are running outdated app versions.

Device configuration

Admins can now configure the Firewall settings on a device using a device configuration profile

Admins can turn on firewall for devices, and also configure various protocols for domain, private, and public networks. These firewall settings can be found in the "Endpoint protection" profile.

Windows Defender Application Guard helps protect devices from untrusted websites, as defined by your organization

Admins can define sites as "trusted" or "corporate" using a Windows Information Protection workflow or the new "Network boundary" profile under device configurations. On a 64-bit Windows 10 device, any site that isn't listed in the device's trusted network boundary, if viewed with Microsoft Edge, opens instead in a browser within a Hyper-V virtual computer.

Application Guard can be found in the device configuration profiles, in the "Endpoint protection" profile. From there, admins can configure interaction between the virtualized browser and the host machine, nontrusted sites and trusted sites, and storing data generated in the virtualized browser. To use Application Guard on a device, a network boundary first must be configured. It's important to define only one network boundary for a device.

Windows Defender Application Control on Windows 10 Enterprise provides mode to trust only authorized apps

With thousands of new malicious files created every day, using antivirus signature-based detection to fight against malware might no longer provide an adequate defense against new attacks. Using Windows Defender Application Control on Windows 10 Enterprise, you can change device configuration from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You assign trust to apps in Windows Defender Application Control.

Using Intune, you can configure the application control policies either in "audit only" mode or enforce mode. Apps will not be blocked when running in “audit only” mode. “Audit only” mode logs all events in local client logs. You can also configure whether only Windows components and Windows Store apps are allowed to run or whether additional apps with good reputations as defined by the Intelligent Security Graph are allowed to run.

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities for Windows 10

Windows Defender Exploit Guard includes custom rules to reduce the exploitability of applications, prevents macro and script threats, automatically blocks network connections to low-reputation IP addresses, and can secure data from ransomware and unknown threats. Windows Defender Exploit Guard consists of the following components:

  • Attack Surface Reduction (ASR) provides rules that allow you to prevent macro, script, and email threats.
  • Controlled Folder Access automatically blocks access to content in protected folders.
  • Network Filter blocks outbound connections from any app to low-reputation IP addresses or domains.
  • Exploit Protection provides memory, control flow, and policy restrictions that can be used to protect an application from exploits.

Manage PowerShell scripts in Intune for Windows 10 devices

The Intune management extension lets you upload PowerShell scripts in Intune to run on Windows 10 devices. The extension supplements Windows 10 mobile device management (MDM) capabilities and makes it easier for you to move to modern management. For details, see Manage PowerShell scripts in Intune for Windows 10 devices.

New device restriction settings for Windows 10

  • Messaging (mobile only) - disable texting or MMS messages
  • Password - settings to enable FIPS and the use of secondary Windows Hello devices for authentication
  • Display - settings to turn on or off GDI Scaling for legacy apps

Windows 10 kiosk mode device restrictions

You can restrict Windows 10 device users to kiosk mode, which limits users to a set of predefined apps. To do so, create a Windows 10 device restriction profile and set the Kiosk settings.

Kiosk mode supports two modes: single app (allows a user to run just one app) or multi app (permits access to a set of apps). You define the user account and device name, which determines the supported apps. When the user is logged in, they're limited to the defined apps. To learn more, see AssignedAccess CSP.

Kiosk mode requires:

  • Intune must be the MDM authority.
  • The apps must already be installed on the target device.
  • The device must be properly provisioned.

New device configuration profile for creating network boundaries

We have created a device configuration profile called Network boundary that can be found with your other device configuration profiles. Use this profile to define online resources that you want to be considered corporate and trusted. You must define a network boundary for a device before features such as Windows Defender Application Guard and Windows Information Protection can be used on the device. It’s important to define only one network boundary for each device.

You can define enterprise cloud resources, IP address ranges, and internal proxy servers that you want to be considered trusted. Once defined, the network boundary can be consumed by other features such as Windows Defender Application Guard and Windows Information Protection.

Two additional settings for Windows Defender Antivirus

File blocking level

  • Not Configured - uses the default Windows Defender Antivirus blocking level and provides strong detection without increasing the risk of detecting legitimate files.
  • High - applies a strong level of detection.
  • High + - provides the High level with additional protection measures that might impact client performance.
  • Zero tolerance - blocks all unknown executables.

While unlikely, setting to High may cause some legitimate files to be detected. We recommend you set File blocking level to the default, Not configured.

Timeout extension for file scanning by the cloud

  • Number of seconds (0-50) - Specify the maximum amount of time that Windows Defender Antivirus should block a file while waiting for a result from the cloud. The default amount is 10 seconds: any additional time specified here (up to 50 seconds) is added to those 10 seconds. In most cases, the scan takes much less time than the maximum. Extending the time allows the cloud to thoroughly investigate suspicious files. We recommend that you enable this setting and specify at least 20 additional seconds.

Citrix VPN added for Windows 10 devices

You can configure Citrix VPN for your Windows 10 devices. You can choose Citrix VPN in the Select a connection type list in the Base VPN blade when configuring a VPN for Windows 10 and later.

Note

Citrix VPN configuration already existed for iOS and Android.

Wi-Fi connections support pre-shared keys on iOS

Customers can configure Wi-Fi profiles to use pre-shared keys (PSK) for WPA/WPA2 Personal connections on iOS devices. These profiles are pushed to the user's device when the device is enrolled into Intune.

When the profile has been pushed to the device, the next step depends on the profile configuration. If the profile is set to connect automatically, the device connects when the network is next needed. If the profile is set to connect manually, the user must activate the connection manually.

Intune apps

Access to managed app logs for iOS

End users with the Managed Browser installed can now view the management status of all Microsoft-published apps and send logs to troubleshoot their managed iOS apps.

To learn how to enable troubleshooting mode in the Managed Browser on an iOS device, see How to access managed app logs using the Managed Browser on iOS.

Improvements to device setup workflow in the Company Portal for iOS in version 2.9.0

We've improved the device setup workflow in the Company Portal app for iOS. The language is more user-friendly and we've combined screens where possible. We have also made the language more specific to your company by using your company name throughout the setup text. You can see this updated workflow on the what's new in app UI page.

Monitor and troubleshoot

User entity contains latest user data in Data Warehouse data model

The first version of the Intune Data Warehouse data model contained only historical Intune data, so report makers could not capture the current state of a user. In this update, the User entity is populated with the latest user data.

Week of October 30, 2017

App management

iOS and Android line-of-business app version number is visible

Apps in Intune now display the version number for iOS and Android line-of-business apps. The number displays in the Azure portal in the app list and in the app overview blade. End users can see the version number in the Company Portal app and in the web portal.

  • Full version number: Identifies a specific release of the app. The number appears as Version(Build), for example 2.2(2.2.17560800).

The full version number has two components:

  • Version
    The version number is the human-readable release number of the app. End users use it to identify different releases of the app.

  • Build Number
    The build number is an internal number that can be used in app detection and to programmatically manage the app. The build number refers to an iteration of the app that reflects changes in the code.

Learn more about version numbers and developing line-of-business apps in Get started with the Microsoft Intune App SDK.

Device and app management integration

Now that Intune’s mobile device management (MDM) and mobile application management (MAM) are both accessible from the Azure portal, Intune has started integrating the IT admin experience for application and device management. These changes are intended to simplify your device and app management experience.

Learn more about the MDM and MAM changes announced in the Intune support team blog.

New enrollment alerts for Apple devices

The enrollment Overview page shows alerts that help IT admins manage Apple devices. Alerts appear when the Apple MDM push certificate is expiring or has already expired, when the Device Enrollment Program token is expiring or has already expired, and when there are unassigned devices in the Device Enrollment Program. An expired push certificate or DEP token stops Intune from managing or enrolling those devices, so act on these alerts before the expiry date.

Support token replacement for app configuration without device enrollment

You can use tokens for dynamic values in app configurations for apps on devices that are not enrolled. For more information, see Add app configuration policies for managed apps without device enrollment.

Intune apps

Updates to the Company Portal app for Windows 10

The Settings page in the Company Portal app for Windows 10 has been updated so that settings and the user actions they prompt are more consistent across all settings. It has also been updated to match the layout of other Windows apps. You can find before/after images on the what's new in app UI page.

Inform end users what device information can be seen for Windows 10 devices

We have added Ownership Type to the Device Details screen in the Company Portal app for Windows 10. From this screen, users can go directly to the Intune end user docs to find out more about privacy. They can also find this information on the About screen.

Feedback prompts for the Company Portal app for Android

The Company Portal app for Android now requests end-user feedback. This feedback is sent directly to Microsoft and gives end users an opportunity to review the app in the public Google Play store. Feedback is not required and can easily be dismissed so users can continue using the app.

Helping your users help themselves with the Company Portal app for Android

The Company Portal app for Android now includes instructions that help end users understand new use cases and, where possible, resolve them on their own.

New 'Resolve' action available for Android devices

The Company Portal app for Android introduces a Resolve action on the Update device settings page. Selecting this option takes the end user directly to the setting that is causing the device to be noncompliant. The Company Portal app for Android currently supports this action for the device passcode, USB debugging, and Unknown Sources settings.

Device setup progress indicator in Android Company Portal

The Company Portal app for Android shows a device setup progress indicator when a user is enrolling their device. The indicator shows new statuses, beginning with "Setting up your device...", then "Registering your device...", then "Finishing registering your device...", then "Finishing setting up your device...".

Week of October 23, 2017

Intune apps

Certificate-based authentication support on the Company Portal for iOS

We have added support for certificate-based authentication (CBA) in the Company Portal app for iOS. Users with CBA enter their username, then tap the “Sign in with a certificate” link. CBA is already supported on the Company Portal apps for Android and Windows. You can learn more on the sign in to the Company Portal app page.

Apps that are available with or without enrollment can now be installed without being prompted for enrollment.

Company apps that have been made available with or without enrollment can now be installed from the Android Company Portal app without a prompt to enroll.

Week of October 16, 2017

Device enrollment

Windows AutoPilot Deployment Program support in Microsoft Intune

You can now use Microsoft Intune with Windows AutoPilot Deployment Program to empower your users to provision their corporate devices without involving IT. You can customize the out-of-box experience (OOBE) and guide users to join their device to Azure AD and enroll in Intune. Working together, Microsoft Intune and Windows AutoPilot eliminate the need to deploy, maintain, and manage operating system images. For details, see Enroll Windows devices using Windows AutoPilot Deployment Program.

Quick start for device enrollment

Quick start is now available in Device enrollment. It provides a table of references for managing platforms and configuring the enrollment process, with a brief description of each item and links to step-by-step documentation, to simplify getting started.

Device categorization

The enrolled devices platform chart in the Devices > Overview blade organizes devices by platform: Android, iOS, macOS, Windows, and Windows Mobile. Devices running other operating systems, including those manufactured by BlackBerry, Nokia, and others, are grouped under "Other."

To see which devices in your tenant fall into this group, choose Manage > All devices and then use Filter to restrict the OS field.

Device management

Zimperium - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on a risk assessment performed by Zimperium, a Mobile Threat Defense solution that integrates with Microsoft Intune.

How integration with Intune works

Risk is assessed from telemetry collected from devices running the Zimperium app. You configure EMS conditional access policies based on the Zimperium risk assessment, which is surfaced through Intune device compliance policies. These policies allow or block noncompliant devices from accessing corporate resources based on the threats detected.

New settings for Windows 10 device restriction profile

We are adding new settings to the Windows 10 device restriction profile in the Windows Defender SmartScreen category.

For details about the Windows 10 device restriction profile, see Windows 10 and later device restriction settings.

Remote support for Windows and Windows Mobile devices

Intune can now use the TeamViewer software, purchased separately, to let you give remote assistance to users running Windows and Windows Mobile devices.

Scan devices with Windows Defender

You can now run a Quick scan, Full scan, and Update signatures with Windows Defender Antivirus on managed Windows 10 devices. From the device's overview blade, choose the action to run on the device. You are prompted to confirm the action before the command is sent to the device.

Quick scan: A quick scan checks the locations where malware registers to start, such as registry keys and known Windows startup folders. A quick scan takes an average of five minutes. Combined with the Always-on real-time protection setting, which scans files when they are opened and closed and whenever a user navigates to a folder, a quick scan helps protect against malware that might be in the system or the kernel. Users see the scan results on their devices when the scan finishes.

Full scan: A full scan is useful on devices that have encountered a malware threat, to identify whether any inactive components require a more thorough clean-up, and for running on-demand scans. A full scan can take an hour to run. Users see the scan results on their devices when the scan finishes.

Update signatures: The Update signatures command updates the Windows Defender Antivirus malware definitions and signatures, which helps ensure that Windows Defender Antivirus remains effective at detecting malware. This feature is for Windows 10 devices only and requires that the device has internet connectivity.
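The portal confirms that the command was sent, not that it ran. The following PowerShell is an added example, not part of the Intune documentation or product: run on the device after sending one of the three actions, it reads Get-MpComputerStatus and reports whether signatures, the last quick scan and the last full scan are within an age threshold. The thresholds are assumptions for this example; pick values that match your own compliance expectations.

```powershell
# Added example (not from the Intune documentation): confirm on a Windows 10 device
# that a Quick scan, Full scan or Update signatures action sent from Intune took
# effect. Age thresholds below are assumed for illustration.

function Test-DefenderScanState {
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumed threshold
        [int]$MaxQuickScanAgeDays = 1,   # assumed threshold
        [int]$MaxFullScanAgeDays  = 30   # assumed threshold
    )

    $status = Get-MpComputerStatus

    # *EndTime is $null when that scan type has never completed on the device.
    # Treat that as overdue rather than trusting the *Age counters, which are
    # meaningless when no scan has ever run.
    $quickScanCurrent = $status.QuickScanEndTime -and ($status.QuickScanAge -le $MaxQuickScanAgeDays)
    $fullScanCurrent  = $status.FullScanEndTime  -and ($status.FullScanAge  -le $MaxFullScanAgeDays)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        SignaturesCurrent  = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        LastQuickScan      = $status.QuickScanEndTime
        QuickScanCurrent   = [bool]$quickScanCurrent
        LastFullScan       = $status.FullScanEndTime
        FullScanCurrent    = [bool]$fullScanCurrent
    }
}

$state = Test-DefenderScanState
$state | Format-List

# Anything that is not current deserves a follow-up. The same three actions can be
# triggered locally on a test machine for comparison:
#   Update-MpSignature
#   Start-MpScan -ScanType QuickScan
#   Start-MpScan -ScanType FullScan
if (-not ($state.SignaturesCurrent -and $state.QuickScanCurrent)) {
    Write-Warning "$($state.ComputerName): signatures or quick scan are out of date; consider sending the Intune action again."
}
```

A device that never reports a completed scan after repeated actions usually has no internet connectivity (for signature updates) or a third-party antivirus registered that has put Windows Defender Antivirus into passive mode; check RealTimeProtection in the output first.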

The Enable/Disable button is removed from the Intune Certificate Authority page of the Intune Azure portal

We are eliminating an extra step in setting up the certificate connector in Intune. Currently, you download the certificate connector and then enable it in the Intune console. However, if you disable the connector in the Intune console, the connector continues to issue certificates.

How does this affect me?

Starting in October, the Enable/Disable button will no longer appear on the Certificate Authority page in the Azure portal. Connector functionality remains the same. Certificates are still deployed to devices enrolled in Intune. You can continue to download and install the certificate connector. To stop certificates from being issued, you now uninstall the certificate connector rather than disable it.

What do I need to do to prepare for this change?

If you currently have the certificate connector disabled, you should uninstall it.

Device configuration

New settings for Windows 10 Team device restriction profile

In this release, we’ve added many new settings to the Windows 10 Team device restriction profile to help you control Surface Hub devices.

For more information about this profile, see Windows 10 Team device restriction settings.

Prevent users of Android devices from changing their device date and time

You can use an Android custom device policy to prevent Android device users from changing the device date and time.

To do this, configure an Android custom policy with the setting URI ./Vendor/MSFT/PolicyManager/My/System/AllowDateTimeChange, set its value to TRUE, and then assign it to the required groups. Verify the behavior on a test device before assigning the policy broadly.
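The same custom policy can be created and assigned through the Microsoft Graph API, which is useful when you manage many tenants or keep policy as code. The PowerShell below is an added example, not part of the Intune documentation or product. It posts an androidCustomConfiguration containing the OMA-URI and value given above to the beta deviceManagement endpoint and then assigns it to a group. $AccessToken is assumed to be a valid Graph bearer token with Intune configuration permissions, and the display name, description and group ID are placeholders you supply.

```powershell
# Added example (not from the Intune documentation): create the Android custom
# device policy described above via the Graph API (beta) and assign it to a group.
# The access token and group ID are assumed inputs; the policy name is a placeholder.

$GraphBase = 'https://graph.microsoft.com/beta'

function New-AndroidDateTimeLockPolicy {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$DisplayName = 'Android - block date and time changes'   # placeholder name
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # The OMA-URI and the TRUE value are the ones the page specifies; the rest is
    # the standard shape of an androidCustomConfiguration object.
    $body = @{
        '@odata.type' = '#microsoft.graph.androidCustomConfiguration'
        displayName   = $DisplayName
        description   = 'Prevents users from changing the device date and time'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingBoolean'
                displayName   = 'AllowDateTimeChange'
                omaUri        = './Vendor/MSFT/PolicyManager/My/System/AllowDateTimeChange'
                value         = $true
            }
        )
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Method Post -Uri "$GraphBase/deviceManagement/deviceConfigurations" `
        -Headers $headers -ContentType 'application/json' -Body $body
}

function Set-DeviceConfigurationGroupAssignment {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$ConfigurationId,
        [Parameter(Mandatory)][string]$GroupId
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # Assign to an Azure AD group; the 'assign' action replaces the existing assignment set.
    $body = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Method Post -Uri "$GraphBase/deviceManagement/deviceConfigurations/$ConfigurationId/assign" `
        -Headers $headers -ContentType 'application/json' -Body $body
}

# Usage (token and group object ID are placeholders you supply):
# $policy = New-AndroidDateTimeLockPolicy -AccessToken $AccessToken
# Set-DeviceConfigurationGroupAssignment -AccessToken $AccessToken -ConfigurationId $policy.id -GroupId '<group-object-id>'
```

Assign the policy first to a pilot group and confirm on a device that the date and time controls are locked before widening the assignment; a custom OMA-URI policy that a device does not understand is reported as an error in the policy's device status, not blocked at creation time.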

BitLocker device configuration

The Windows Encryption > Base Settings now include a Warning for other disk encryption setting, which lets you disable the warning prompt about other disk encryption that might be in use on the user's device. By default, this warning requires end-user consent before BitLocker is set up and blocks BitLocker setup until the user confirms. The new setting disables the end-user warning.

App management

Volume Purchase Program for Business apps will now sync to your Intune Tenant

Third-party developers can privately distribute apps to authorized Volume Purchase Program (VPP) for Business members specified in iTunes Connect. These VPP for Business members can sign in to the Volume Purchase Program App Store and purchase their apps.

With this release, VPP for Business apps purchased by these members now sync to their Intune tenants.

Select Apple country store to sync VPP apps

You can configure the Volume Purchase Program (VPP) country store when uploading your VPP token. Intune synchronizes VPP apps for all locales from the specified VPP country store.

Note

Currently, Intune only synchronizes VPP apps from the VPP country store that matches the locale in which the Intune tenant was created.

Intune apps

Block copy and paste between work and personal profiles in Android for Work

With this release, you are able to configure the work profile for Android for Work to block copy and paste between work and personal apps. You can find this new setting in the Device restrictions profile for the Android for Work Platform in Work profile settings.

Create iOS apps limited to specific regional Apple App Stores

You can specify the country locale when creating an Apple App Store managed app.

Note

Currently, you can only create Apple App Store managed apps that are present in the US country store.

Update iOS VPP user and device licensed apps

You can configure the iOS VPP token so that all apps purchased with that token are updated through the Intune service. Intune detects VPP app updates in the App Store and automatically pushes them to the device when the device checks in.

For steps to set a VPP token and enable automatic updates, see How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.

Monitor and troubleshoot

User device association entity Collection added to Intune Data Warehouse data model

You can now build reports and data visualizations using the user device association information that associates user and device entity collections. The data model can be accessed through the Power BI file (PBIX) retrieved from the Data Warehouse Intune page, through the OData endpoint, or by developing a custom client.

Review policy compliance for Windows 10 update rings

You will be able to review a policy report for your Windows 10 update rings from Software updates > Per update ring deployment state. The policy report includes deployment status for the update rings that you have configured.

New report that lists iOS devices with older iOS versions

The Out-of-date iOS Devices report is available from the Software updates workspace. In the report, you can view a list of supervised iOS devices that were targeted by an iOS update policy and have available updates. For each device, you can view a status for why the device has not been automatically updated.

View app protection policy assignments for troubleshooting

The App protection policy option has been added to the Assignments drop-down list on the troubleshooting blade. Select it to see the app protection policies assigned to the selected user.

Week of October 2, 2017

Intune apps

Improvements to device setup workflow in Company Portal

We've improved the device setup workflow in the Company Portal app for Android. The language is more user-friendly and specific to your company, and we've combined screens where possible. You can see these on the what's new in app UI page.

Improved guidance around the request for access to contacts on Android devices

The Company Portal app for Android often requires the end user to grant the Contacts permission. If an end user declines, they now see an in-app notification asking them to grant it so that conditional access can work.

Secure startup remediation for Android

End users with Android devices will be able to tap the non-compliance reason in the Company Portal app. When possible, this will take them directly to the correct location in the settings app to fix the issue.

Additional push notifications for end users on the Company Portal app for Android Oreo

End users see additional notifications that indicate when the Company Portal app for Android Oreo is performing background tasks, such as retrieving policies from the Intune service. This increases transparency for end users about when the Company Portal is performing administrative tasks on their device. It is part of the overall optimization of the Company Portal UI for Android Oreo, which also includes further optimizations for the new UI elements that Android Oreo enables.

New behaviors for the Company Portal app for Android with work profiles

When you enroll an Android for Work device with a work profile, it's the Company Portal app in the work profile that performs management tasks on the device.

Unless you are using a MAM-enabled app in the personal profile, the Company Portal app in the personal profile no longer serves any purpose. To improve the work profile experience, Intune automatically hides the personal Company Portal app after a successful work profile enrollment.

The Company Portal app for Android can be enabled at any time in the personal profile by browsing for Company Portal in the Play Store and tapping Enable.

Company Portal for Windows 8.1 and Windows Phone 8.1 moving to sustaining mode

Beginning in October 2017, the Company Portal apps for Windows 8.1 and Windows Phone 8.1 will move to sustaining mode. This means that the apps and existing scenarios, such as enrollment and compliance, will continue to be supported for these platforms. These apps will continue to be available for download through existing release channels, such as the Microsoft Store.

Once in sustaining mode, these apps will only receive critical security updates. There will be no additional updates or features released for these apps. For new features, we recommend that you update devices to Windows 10 or Windows 10 Mobile.

Device enrollment

Block unsupported Samsung Knox device enrollment

The Company Portal app only attempts to enroll supported Samsung Knox devices. To avoid Knox activation errors that prevent MDM enrollment, enrollment is only attempted if the device appears in the list of devices published by Samsung. Some Samsung model numbers support Knox while others do not. Verify Knox compatibility with your device reseller before purchase and deployment. You can find the full list of verified devices in the Android and Samsung Knox Standard policy settings.

End of support for Android 4.3 and lower

Managed apps and the Company Portal app for Android will require Android 4.4 or higher to access company resources. In December, all enrolled devices running Android 4.3 or lower will be force retired, resulting in loss of access to company resources. If you are using app protection policies without MDM, apps on these devices will no longer receive updates, and their experience will degrade over time.

Inform end users what device information can be seen on enrolled devices

We are adding Ownership Type to the Device Details screen in all Company Portal apps. From this screen, users can go directly to the What information can your company see? article to learn more about privacy. This change is rolling out across all Company Portal apps in the near future. We announced it for iOS in September.

Week of September 25, 2017

Device enrollment

Intune supports iOS 11

Intune supports iOS 11. This was previously announced on the Intune Support blog.

End of support for iOS 8.0

Managed apps and the Company Portal app for iOS will require iOS 9.0 or higher to access company resources. Devices that aren't updated before this September will no longer be able to access the Company Portal or those apps.

Intune apps

Refresh action added to the Company Portal app for Windows 10

The Company Portal app for Windows 10 allows users to refresh the data in the app by either pulling to refresh or, on desktops, pressing F5.

Notices

Plan for Change: Easy Assist End-of-Life

Intune uses Microsoft Easy Assist for remote assistance in PC management. Microsoft Easy Assist is a component of Office Live Meeting, a service that is being deprecated on December 31, 2017. Therefore, Intune’s Easy Assist offering will also reach end of life on December 31, 2017.

Manage Android for Work devices independently from Android devices

Note: The following changes will start rolling out with the November update, but may take time to execute on your account. You will receive a confirmation notification in the Office 365 portal when these changes are effective for your account. After the roll out, you’ll have additional manageability options. There will be no change to the end user experience during the rollout.

Intune supports managing enrollment of Android for Work devices independently from the Android platform. These settings are managed under Device Enrollment > Enrollment restrictions > Device Type Restrictions. (They were previously located under Device Enrollment > Android for Work Enrollment > Android for Work Enrollment Settings.)

By default, your Android for Work device settings are the same as your settings for Android devices. After you change your Android for Work settings, that is no longer the case.

If you block personal Android for Work enrollment, only corporate Android devices can enroll as Android for Work.

When working with the new settings, consider the following:

If you have never previously onboarded Android for Work enrollment

The new Android for Work platform is blocked in the default Device Type Restrictions. After you onboard the feature, you can allow devices to enroll with Android for Work. To do so, change the default or create a new Device Type Restriction to supersede the default Device Type Restriction.

If you have onboarded Android for Work enrollment

If you’ve previously onboarded, your situation depends on the setting you chose:

  • Manage all devices as Android
    Android for Work status in default Device Type Restriction: Blocked
    Notes: All Android devices must enroll without Android for Work.

  • Manage supported devices as Android for Work
    Android for Work status in default Device Type Restriction: Allowed
    Notes: All Android devices that support Android for Work must enroll with Android for Work.

  • Manage supported devices for users only in these groups as Android for Work
    Android for Work status in default Device Type Restriction: Blocked
    Notes: A separate Device Type Restriction policy was created to override the default. This policy defines the groups you previously selected to allow Android for Work enrollment. Users within the selected groups continue to be allowed to enroll their Android for Work devices. All other users are restricted from enrolling with Android for Work.

In all cases, your intended regulation is preserved. No action is required on your part to maintain the global or per-group allowance of Android for Work in your environment.

Deprecating support for OS X Yosemite 10.10 and previous versions of macOS

We will begin deprecating enrollment for devices running OS X Yosemite 10.10 and earlier in February 2018. Intune fully supports OS X El Capitan 10.11 and newer.

New path for managed devices in Graph API

We are making a change to the path used to access managed devices in the beta version of the Graph API.

  • Current path: https://graph.microsoft.com/beta/managedDevices
  • New path: https://graph.microsoft.com/beta/deviceManagement/managedDevices

Both paths work through the month of October. After the October service release, only the new path works. If you use the Graph API to access managed devices, update your scripts and applications to the new path and verify them before the cutover. For additional changes, check the monthly Graph API changelog.
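Two things help with the cutover: finding the scripts that still reference the old path, and having a device-retrieval routine on the new path that handles paging, because a Graph collection comes back in pages linked by @odata.nextLink. The PowerShell below is an added example, not part of the Intune documentation or the Graph API itself. $ScriptRoot is a placeholder folder of your own scripts, and $AccessToken is assumed to be a valid Graph bearer token with device-management read permission.

```powershell
# Added example (not from the Intune documentation): locate scripts that still use
# the deprecated managedDevices path, and read managed devices through the new
# path with @odata.nextLink paging. The script folder and token are assumed inputs.

$OldPath = 'https://graph.microsoft.com/beta/managedDevices'
$NewPath = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices'

function Find-OldManagedDevicePath {
    param([Parameter(Mandatory)][string]$ScriptRoot)
    # The old path is not a substring of the new one, so an escaped literal match
    # reports only scripts that still need migrating.
    Get-ChildItem -Path $ScriptRoot -Recurse -Include *.ps1, *.psm1 |
        Select-String -Pattern ([regex]::Escape($OldPath)) |
        Select-Object Path, LineNumber, Line
}

function Get-IntuneManagedDevice {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$Filter    # optional OData filter, e.g. "complianceState eq 'noncompliant'"
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = $NewPath
    if ($Filter) { $uri += '?$filter=' + [uri]::EscapeDataString($Filter) }

    # Graph returns one page at a time; follow @odata.nextLink until it is absent.
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

# Usage (folder and token are placeholders):
# Find-OldManagedDevicePath -ScriptRoot 'C:\IntuneScripts'
# Get-IntuneManagedDevice -AccessToken $AccessToken -Filter "complianceState eq 'noncompliant'" |
#     Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime
```

The paging loop is the part most often missing from scripts written against the old path; a script that reads only $page.value from the first response silently undercounts devices once a tenant grows past one page.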

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only accessible from links in the Intune classic portal. Intune accounts created before January 2017 require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the Azure portal.

Administration roles being replaced in Azure portal

The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only) used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to reassign your admins to these new administration roles. For more information about RBAC and the new roles, see Role-based access control for Microsoft Intune.

What's coming

Conditional Access policies for Intune will only be available from the Azure portal

We are simplifying where you configure and manage conditional access. Currently, you can manage conditional access from the Intune App Protection (MAM) blade, and through the classic Azure AD experience in the Windows Azure Portal. Starting in January, you will only be able to configure and manage your policies in the Azure portal from Azure Active Directory > Conditional Access. For your convenience, you can also access this blade from Intune in the Azure portal at Intune > Conditional Access.

Manage Jamf-enrolled macOS devices with Intune's device compliance engine

Beginning in early 2018, Jamf will send macOS device state information to Intune, which will then evaluate it for compliance with policies defined in the Intune console. Based on the device compliance state as well as other conditions (such as location, user risk, etc.), conditional access will enforce compliance for macOS devices accessing cloud and on-premises applications connected with Azure AD, including Office 365.

Changes in support for the Intune iOS Company Portal app

Coming soon, a new version of the Microsoft Intune Company Portal app for iOS will support only devices running iOS 9.0 or later. The version of the Company Portal that supports iOS 8 will remain available for a very short period of time. Note that MAM-enabled iOS apps already require iOS 9.0 or later, so if you use them, ensure that your end users update to the latest OS.

How does this affect me?

We are letting you know this in advance, even though we don't have specific dates, so you have time to plan. Ensure your users are updated to iOS 9+ and when the Company Portal app releases, request that your end users update their Company Portal app.

What do I need to do to prepare for this change?

Encourage your users to update to iOS 9.0 or later to take full advantage of new Intune features. Encourage users to install the new version of the Company Portal and take advantage of the new features it will offer.

Go to the Intune in the Azure portal and view Devices > All Devices and filter by iOS version to see any current devices with operating systems earlier than iOS 9.

Apple to require updates for Application Transport Security

Apple has announced that it will enforce specific requirements for App Transport Security (ATS). ATS enforces stricter security on all app communications over HTTPS. This change affects Intune customers who use the iOS Company Portal apps.

We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email CompanyPortalBeta@microsoft.com with your first name, last name, email address, and company name. Review our Intune support blog for more details.

See also