In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. In addition to the information in this article:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
  • When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

App management

Improved report data experience on the Managed Apps pane

The Managed Apps pane will be updated to better display app data. You will be able to switch between displaying app data for the primary user and other users on a device, or display data for the device without any user. The generated app data will be displayed using the primary user of the device when the report is initially loaded, or displayed with no primary user if none exists. This capability will be available in Microsoft Endpoint Manager admin center by selecting Devices > Managed Apps.

Photo library outgoing data transfer support via app protection policies

You will be able to select to include Photo Library as a supported application storage service for outgoing data. This support is in addition to incoming data transfer support for Photo Library. By selecting Photo Library in the Allow users to open data from selected services setting within Intune, you can allow managed accounts to send outgoing data to their device's photo library from their managed apps on iOS and Android platforms. In Microsoft Endpoint Manager admin center, select Apps > App protection policies > Create Policy. Choose either iOS/iPadOS or Android. This setting will be available as part of the Data protection step and specifically for Policy managed apps. For related information, see Data protection.

Deploy macOS LOB apps by uploading PKG-type installer files

The capability to deploy macOS LOB apps by uploading PKG-type installer files to Intune will be generally available. You can upload and deploy PKG-type installer files as macOS line-of-business apps. To add a macOS LOB app from Microsoft Endpoint Manager admin center, select Apps > macOS > Add > Line-of-business app. Additionally, the App Wrapping Tool for macOS will no longer be required to deploy macOS LOB apps.

Use MAM policies with COSU devices

Intune-managed Android Enterprise corporate owned dedicated devices (COSU) in Azure Active Directory (AAD) shared mode will be able to receive MAM policies and be targeted separately from other Android enterprise devices. For more information about COSU, see Android Enterprise dedicated devices.

Push notification will always be sent when device ownership changes from Personal to Corporate

We’ll soon change push notification behavior to ensure a notification is always sent when an admin changes a device's ownership from Personal to Corporate. With this change, we’re removing the following setting from the Customization node of the Microsoft Endpoint Manager admin center, which currently allows admins to turn off this notification behavior:

  • Send a push notification to users when their device ownership type changes from personal to corporate (Android and iOS/iPadOS only)

These notifications are pushed through the Company Portal app on Android and iOS/iPadOS devices.

iOS Company Portal minimum required version

With an upcoming release of the MS Authenticator app, users will be required to update to v5.2205 of the iOS Company Portal. If you have enabled the Block installing apps using App Store device restriction setting, you will likely need to push an update to the related devices that use this setting. Otherwise, no action is needed. If you have a helpdesk, you may want to make them aware of the prompt to update the Company Portal app. In most cases, users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. Users that have an earlier app version will be prompted to update to the latest Company Portal app.

iOS/iPadOS notifications will require March Company Portal or newer

We plan to make service side updates to iOS/iPadOS notifications in Intune's May (2205) service release that will require users to have the March Company Portal (version 5.2203.1) or newer. If you are using functionality that could generate iOS/iPadOS Company Portal push notifications, you will want to ensure your users update the iOS/iPadOS Company Portal to continue receiving push notifications. There is no additional change in functionality. For related information, see Update the Company Portal app.

Device management

Support for Retire on Android Enterprise corporate-owned work profile devices

You'll be able to use the Retire admin action in the Endpoint Manager admin center to remove the work profile, including all corporate apps, data, and policies, from an Android Enterprise corporate-owned work profile device. Go to Endpoint Manager admin center > Devices pane > All Devices, then select the name of the device you want to retire and select Retire.

When you select Retire, the device is unenrolled from Intune management. However, all the data and apps associated with your personal profile will remain untouched on the device. For more information, see Retire or wipe devices using Microsoft Intune.

Initiate compliance checks for your AOSP devices from the Microsoft Intune app

You'll be able to initiate a compliance check for your AOSP devices from the Microsoft Intune app. Go to Device details. This feature will be available on devices that are enrolled in the Microsoft Intune app as user-associated (Android) AOSP devices.

View a managed device's group membership

In the monitor section of the Devices workload of Intune, you'll be able to view the group membership of all AAD groups for a managed device. When this is available, you will be able to select Group Membership by signing in to Microsoft Endpoint Manager admin center and selecting Devices.

Device enrollment

Enroll to co-management from Windows Autopilot

You'll be able to configure device enrollment in Intune to enable co-management, which happens during the Windows Autopilot process. This behavior directs the workload authority in an orchestrated manner between Configuration Manager and Intune.

If the device is targeted with an Autopilot enrollment status page (ESP) policy, the device will wait for Configuration Manager. The Configuration Manager client installs, registers with the site, and applies the production co-management policy. Then the Autopilot ESP continues.

Improvements for enrollment profiles for Apple Automated Device Enrollment

Two Setup Assistant skip panes are becoming generally available for Apple Automated Device Enrollment (ADE). The screen configurations were previously released in Intune for public preview. The following screens will be generally available for both iOS/iPadOS and macOS under the Setup Assistant tab:

  • iOS/iPadOS 13 and later

    • Pane name: Get Started
    • Default: Show pane
    • You can configure a setting in Intune that hides the Get Started pane in Setup Assistant during ADE enrollment.
  • macOS 12 and later

    • Pane name: Auto Unlock with Apple Watch
    • Default: Show pane
    • You can configure a setting in Intune that hides the Unlock Your Mac with your Apple Watch pane in Setup Assistant during ADE enrollment.

There is no change to functionality from the previous public preview release.

Device configuration

New macOS settings in the Settings Catalog

The Settings Catalog has new macOS settings you can configure (Devices > Configuration profiles > Create profile > macOS for platform > Settings catalog (preview) for profile type):

Accounts > Accounts:

  • Disable Guest Account
  • Enable Guest Account

Accounts > Caldav:

  • Cal DAV Account Description
  • Cal DAV Host Name
  • Cal DAV Password
  • Cal DAV Port
  • Cal DAV Principal URL
  • Cal DAV Use SSL
  • Cal DAV Username

Accounts > Carddav:

  • Card DAV Account Description
  • Card DAV Host Name
  • Card DAV Password
  • Card DAV Port
  • Card DAV Principal URL
  • Card DAV Use SSL
  • Card DAV Username

Networking > Firewall:

  • Allow Signed
  • Allow Signed App
  • Enable Logging
  • Logging Option

Parental Controls > Parental Controls Time Limits:

  • Family Controls Enabled
  • Time Limits

Proxies > Network Proxy Configuration:

  • Proxies
  • Exceptions List
  • Fall Back Allowed
  • FTP Enable
  • FTP Passive
  • FTP Port
  • FTP Proxy
  • Gopher Enable
  • Gopher Port
  • Gopher Proxy
  • HTTP Enable
  • HTTP Port
  • HTTP Proxy
  • HTTPS Enable
  • HTTPS Port
  • HTTPS Proxy
  • Proxy Auto Config Enable
  • Proxy Auto Config URL String
  • Proxy Captive Login Allowed
  • RTSP Enable
  • RTSP Port
  • RTSP Proxy
  • SOCKS Enable
  • SOCKS Port Integer
  • SOCKS Proxy

Security > Smart Card:

  • Allow Smart Card
  • Check Certificate Trust
  • Enforce Smart Card
  • One Card Per User
  • Token Removal Action
  • User Pairing

Software Update:

  • Allow Pre Release Installation
  • Automatic Check Enabled
  • Automatic Download
  • Automatically Install App Updates
  • Automatically Install Mac OS Updates
  • Config Data Install
  • Critical Update Install
  • Restrict Software Update Require Admin To Install

User Experience > Screensaver User:

  • Idle Time
  • Module Name
  • Module Path

There isn't any conflict resolution between policies created using the Settings catalog and policies created using Templates. When creating new policies in the Settings Catalog, be sure there are no conflicting settings with your current policies.

For more information about configuring Settings catalog profiles in Intune, see Create a policy using settings catalog in Microsoft Intune.

Applies to:

  • macOS

Create and deploy Wi-Fi profiles to Android AOSP devices

You'll be able to configure and deploy a Wi-Fi profile to your Android AOSP devices.

Applies to:

  • Android (AOSP)

Unlock Android Enterprise devices after a set time using password, PIN, or pattern

On Android Enterprise devices, you can create a device restrictions configuration profile that manages device settings (Devices > Configuration profiles > Create profile > Android Enterprise > Fully managed, dedicated, and corporate-owned work profile for platform > Device restrictions for profile type).

There will be a new How often pin, password, or pattern is needed to unlock setting. Select how long users can go before they must unlock the device using a strong authentication method (password, PIN, or pattern). Your options:

  • 24 hours since last pin, password, or pattern unlock: The screen locks 24 hours after users last used a strong authentication method to unlock the device or work profile.
  • Device default (default): The screen locks using the device's default time.

For a list of settings you can currently configure, go to Android Enterprise device settings to allow or restrict features using Intune.

2.3.4. Advanced passcode management (opens Android's web site)

Applies to:

  • Android 8.0 and newer
  • Android Enterprise corporate owned fully managed (COBO)
  • Android Enterprise corporate owned dedicated devices (COSU)
  • Android Enterprise corporate owned work profile (COPE)

Import custom ADMX and ADML administrative templates to create a device configuration profile

You can create a device configuration policy that uses built-in ADMX templates (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > Templates > Administrative templates).

You'll be able to import custom and 3rd party/partner ADMX and ADML templates into the Endpoint Manager admin center. Once imported, you can create a device configuration policy, assign the policy to your devices, and manage the settings in the policy.

For information on the built-in ADMX templates, see Use Windows 10/11 templates to configure group policy settings in Microsoft Intune.

Applies to:

  • Windows 11
  • Windows 10

Use the Settings Catalog to create a Universal Print policy on Windows 11 devices

Many organizations are moving their printer infrastructure to the cloud. Universal Print is a cloud-based printing solution for Microsoft 365 customers. It uses built-in cloud printers and built-in legacy printers, and runs entirely in Microsoft Azure. When Universal Print is deployed with Universal Print-compatible printers, it doesn't require any on-premises infrastructure.

In the Endpoint Manager admin center, you'll be able to use the Settings Catalog to create a printer policy (Device configuration > Create profile > Windows 10 and later for platform > Settings catalog for profile type > Printer provisioning). When you deploy the policy, users select the printer from a list of registered Universal Print printers, and can also select a default printer.

Currently, you must use the Universal Print printer provisioning tool, which requires more manual steps, and has some limitations.

Applies to:

  • Windows 11

Device security

New settings to manage removable devices for Endpoint security Device control profiles

We’re adding five new settings for Windows 10/11 to the device control profile template for Attack surface reduction policy in Endpoint Security. The new settings will help you manage the use of removable devices like a USB device, and to manage read and write access to removable disks like media players, cellular phones, displays, and CE devices.

The new settings include:

Microsoft Defender for Endpoint as the Tunnel client app for iOS will soon be out of Preview

The preview version of Microsoft Defender for Endpoint that supports Microsoft Tunnel on iOS/iPadOS will soon be out of preview and become generally available.

When the Microsoft Defender for Endpoint app with support for Microsoft Tunnel becomes generally available for iOS, the standalone tunnel client app for iOS will be deprecated with support ending 60 days later.

If you are using the standalone tunnel app for iOS, prepare for this change by planning to migrate to the Microsoft Defender for Endpoint app before support for the standalone app ends.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: iOS/iPadOS notifications will require minimum version 5.2203.0 of the Company Portal

We will be making service side updates to iOS/iPadOS notifications in Microsoft Intune's May (2205) service release that will require users to have updated to at least version 5.2203.0 of the iOS/iPadOS Company Portal (released in March 2022).

How does this affect you or your users?

There is no change in functionality for push notifications; however, users will need to update to at least version 5.2203.0 of the Company Portal. If users do not update the app prior to this change, they will not receive messages sent by your organization and will instead receive a notification telling them to update their app. Once they update their app, push notifications will resume.

Scenarios that send push notifications to the Company Portal include:

How can you prepare?

The required version of the Company Portal has been released, so most users have likely updated the app and will not be impacted. However, you may want to notify users of this change to ensure all users continue to receive push notifications sent by your organization.

Plan for change: Intune is moving to support Android 8.0 and later in January 2022

Microsoft Intune will be moving to support Android version 8.0 (Oreo) and later for mobile device management (MDM) enrolled devices on or shortly after January 7, 2022.

How does this affect you or your users?

After January 7, 2022, MDM enrolled devices running Android version 7.x or earlier will no longer receive updates to the Android Company Portal or the Intune App. Enrolled devices will continue to have Intune policies applied but are no longer supported for any Intune scenarios. Company Portal and the Intune App will not be available for devices running Android 7.x and lower beginning mid-February; however, these devices will not be blocked from completing enrollment if the requisite app has been installed prior to this change. If you have MDM enrolled devices running Android 7.x or below, update them to Android version 8.0 (Oreo) or higher or replace them with a device on Android version 8.0 or higher.

Note

Microsoft Teams devices are not impacted by this announcement and will continue to be supported regardless of their Android OS version.

How can you prepare?

Notify your helpdesk, if applicable, of this upcoming change in support. You can identify how many devices are currently running Android 7.x or below by navigating to Devices > All devices > Filter. Then filter by OS and sort by OS version. There are two admin options to help inform your users or block enrollment.

Here's how you can warn users:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that warns users.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise and set the action for non-compliance to send an email or push notification to users before marking them noncompliant.

Here's how you can block devices running on versions earlier than Android 8.0:

  • Create an app protection policy and configure conditional launch with a min OS version requirement that blocks users from app access.
  • Utilize a device compliance policy for Android device administrator or Android Enterprise to make devices running Android 7.x or earlier non-compliant.
  • Set enrollment restrictions that prevent devices running Android 7.x or earlier from enrolling.

Note

Intune app protection policies are supported on devices running Android 9.0 and later. See MC282986 for more details.

Plan for change: Intune APP/MAM is moving to support Android 9 and higher

With the upcoming release of Android 12, Intune app protection policies (APP, also known as mobile application management) for Android will move to support Android 9 (Pie) and later on October 1, 2021. This change will align with Office mobile apps for Android support of the last four major versions of Android.

Based on your feedback, we've updated our support statement. We're doing our best to keep your organization secure and protect your users and devices, while aligning with Microsoft app lifecycles.

Note

This announcement doesn't affect Microsoft Teams Android devices. Those devices will continue to be supported regardless of their Android OS version.

How does this affect you or your users?

If you're using app protection policies (APP) on any device that's running Android version 8.x or earlier, or you decide to enroll any device that's running Android version 8.x or earlier, these devices will no longer be supported for APP.

APP policies will continue to be applied to devices running Android 6.x to Android 8.x. But if you have problems with an Office app and APP, support will request that you update to a supported Office version for troubleshooting. To continue to receive support for APP, update your devices to Android version 9 (Pie) or later, or replace them with a device on Android version 9.0 or later before October 1, 2021.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. You also have two admin options to warn users:

Plan for change: Enrollment restrictions will no longer be included in policy sets

With the Microsoft Intune service release (2109), you'll no longer be able to configure enrollment restrictions in policy sets. Instead, you'll need to go to Devices > Policy section > Enrollment restrictions to create and manage all enrollment restrictions.

How does this affect you or your users?

If our service telemetry indicates that your existing policy sets include enrollment restrictions, we'll migrate your policies when the new restrictions are in place. To create and manage enrollment restrictions going forward, go to Devices > Policy section > Enrollment restrictions.

How can you prepare?

Update your documentation. Be sure to configure all new enrollment restrictions in the Enrollment restrictions section of Intune. We'll start migrating existing policies with the 2109 service release.

Take action: Update to the latest version of the Android Company Portal app

Starting with the October (2110) service release, Intune will no longer support new Android device administrator enrollments that use Company Portal version 5.04993.0 or earlier. The reason is a change in the integration of Intune with Samsung devices.

How does this affect you or your users?

Users who need to enroll Samsung devices in an Android device administrator by using an older version of the Company Portal app (any version earlier than 5.04993.0) will no longer be successful. They'll need to update the Company Portal app to successfully enroll.

How can you prepare?

Update any older version of the Company Portal staged in your environment to support Android device administrator enrollments before the Intune October (2110) service release. Inform your users that they'll need to update to the latest version of the Android Company Portal to enroll their Samsung device.

If applicable, inform your helpdesk in case users don't update the app before enrolling. We also recommend that you keep the Company Portal app updated to ensure that the latest fixes are available on your devices.

Plan for change: Safe boot and debugging features in Android Enterprise device restrictions will be replaced

Google announced that it has deprecated several settings in the Android Management API and will stop supporting the settings for Intune on November 1, 2021. This change affects the Safe boot and Debugging features configuration settings for Android Enterprise device restrictions. These settings will not be available after support ends. To prepare for this change, we'll add a new setting called Developer settings in September's (2109) service release.

How does this affect you or your users?

With the Intune October (2110) service release, Safe boot and Debugging features will be removed from the admin center UI. Those features will then be removed shortly after from Microsoft Graph API on October 31, 2021. If applicable, you should use the new setting, Developer settings.

Developer settings will be available for new and existing profiles in the September (2109) service release. By default, it's set as Not configured. If you choose to set this to Allow, users will be able to access developer settings. Developer settings might include the ability to enable debugging features and/or reboot the device in Safe boot mode.

Note

If Developer settings is set to Allow, it will override both the Safe boot and Debugging features settings.

How can you prepare?

Review the configuration settings for your Android Enterprise device restrictions. If you want users to have access to developer settings after Safe boot and Debugging features are removed, you'll need to set Developer settings to Allow. Otherwise, it will remain as Not configured, and users won't have access to any developer settings.

Plan for change: Announcing end of support for the existing Use Locations (network fence) feature in Intune

Intune is announcing end of support for the network fence feature for use only in devices enrolled through an Android device administrator. Google has reduced support for devices enrolled through a device administrator. Intune customers provided feedback that led to a re-envisioning of location-based fencing to better meet customer needs across multiple Android enrollment options.

How does this affect you or your users?

This change will affect you only if you currently use a location-based (network fence) compliance policy, on either your trial account or your paid account. In 90 days from the date of this feature end-of-support announcement (on or around October 7, 2021 unless otherwise updated), any network location-based compliance policies targeted to devices enrolled through an Android device administrator will no longer work to provide a network fence.

How can you prepare?

No action is needed at this time. Review our In Development page for advanced notice of upcoming new features. We'll follow up with more information about re-envisioned location-based services when that information is available.

Plan for change: Intune is moving to support iOS/iPadOS 13 and later

Apple has released iOS 15. Microsoft Intune, including Intune Company Portal and Intune app protection policies (APP, also known as mobile application management), now requires iOS/iPadOS 13 and later.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS/iPadOS 13).

Because Office 365 mobile apps are supported on iOS/iPadOS 13.0 and later, this change might not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 13 or iPadOS 13 (if applicable), see the following Apple documentation:

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management, go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status > App Protection report: iOS, Android.

To manage the supported OS version in your organization, you can use Microsoft Endpoint Manager controls for both mobile device management and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 10.15 and later with the release of macOS 12

Apple is expected to release macOS 12 Monterey in the fall of 2021. Shortly after the release, Microsoft Intune, the Company Portal app, and the Intune mobile device management agent will move to support macOS 10.15 (Catalina) and later.

How does this affect you or your users?

This change will affect you only if you currently manage, or plan to manage, macOS devices by using Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Catalina is compatible with these computers.

Note

Devices that are currently enrolled on macOS 10.13.x and 10.14 will remain enrolled after those versions are no longer supported. New devices will be unable to enroll if they're running macOS 10.14 or earlier.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 10.14 or earlier. Ask your users to upgrade their devices to a supported OS version before the release of macOS 12.

Upgrade to the Microsoft Intune Management Extension

We've released an upgrade to the Microsoft Intune Management Extension to improve handling of Transport Layer Security (TLS) errors on Windows 10 devices.

The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to this latest version. To check the version of the extension on a device, review the version for Microsoft Intune Management Extension in the program list under Apps & features.

For more information, see the information about security vulnerability CVE-2021-31980 in the Microsoft Security Response Center.

How does this affect you or your users?

No action is required. As soon as the client connects to the service, it automatically receives a message to upgrade.

Update to Endpoint Security antivirus Windows 10 profiles

We've made a minor change to improve the antivirus profile experience for Windows 10. There's no user effect, because this change affects only what you'll see in the UI.

How does this affect you or your users?

Previously, when you configured a Windows security profile for the Endpoint Security antivirus policy, you had two options for most settings: Yes and Not configured. Those settings now include Yes, Not configured, and a new option of No.

Previously configured settings that were set to Not configured remain as Not configured. When you create new profiles or edit an existing profile, you can now explicitly specify No.

In addition, the setting Hide the Virus and threat protection area in the Windows Security app has a child setting, Hide the Ransomware data recovery option in the Windows Security app. If the parent setting is set to Not configured and the child setting is set to Yes, both the parent and child settings will be set to Not configured. That change will take effect when you edit the profile.

How can you prepare?

No action is needed. However, you might want to notify your helpdesk about this change.

Plan for change: Intune is ending Company Portal support for unsupported versions of Windows

Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.

How does this affect you or your users?

Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change will affect you only if you're still managing unsupported Windows 10 versions.

Windows and Company Portal versions that this change affects include:

  • Windows 10 version 1507, Company Portal version 10.1.721.0
  • Windows 10 version 1511, Company Portal version 10.1.1731.0
  • Windows 10 version 1607, Company Portal version 10.3.5601.0
  • Windows 10 version 1703, Company Portal version 10.3.5601.0
  • Windows 10 version 1709, any Company Portal version

We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.

If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.

How can you prepare?

In the Microsoft Endpoint Manager admin center, use the discovered apps feature to find apps with these versions. On a user's device, the Company Portal version is shown on the Settings page of the Company Portal. Update to a supported Windows and Company Portal version.

See also

For details about recent developments, see What's new in Microsoft Intune.