In development for Microsoft Intune - December 2019

To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:

  • If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.
  • When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.
  • This page and the What's new page are updated periodically. Check back for additional updates.
  • Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.


This page reflects our current expectations about Intune capabilities in a future release. Dates and individual features might change. This page doesn't describe all features in development.

RSS feed: Find out when this page is updated by copying and pasting the following URL into your feed reader:

App management

iOS user-licensed VPP apps

For User Enrollment iOS devices, end-users will no longer be presented with device-licensed VPP applications deployed as available. However, end-users will continue to see all user-licensed VPP apps within the Company Portal. For more information about VPP apps, see How to manage iOS and macOS apps purchased through Apple Volume Purchase Program with Microsoft Intune.

Retrieve personal recovery key from MEM encrypted macOS devices

End-users will be able to retrieve their personal recovery key (FileVault key) using the iOS Company Portal app. The device that has the personal recovery key must be enrolled with Intune and encrypted with FileVault through Intune. Using the iOS Company Portal app, an end-user can open the Safari web view and retrieve their personal recovery key. In Intune, select Devices > the encrypted and enrolled macOS device > Get recovery key. For more information about FileVault, see FileVault encryption for macOS.

Microsoft app icons update

The icons used for Microsoft apps in the app targeting pane for App protection policies and App configuration policies will be updated.

S/MIME support for Microsoft Outlook Mobile

Intune will support delivering S/MIME signing and encryption certificates that can be used with Outlook Mobile on iOS and Android. For related information, see email settings for iOS devices and e-mail settings for Android devices.

Custom settings support for macOS applications

Intune will support custom settings, allowing you to add specific keys and values to an existing preferences property list (.plist) file to configure macOS apps and the device. Not all apps support managed preferences, and in some cases only specific settings can be managed. The settings are deployed via the device channel only. You should only upload property list files or .xml files that target device channel settings.

Display notifications for the Company Portal app on Windows

We'll update the Company Portal app on Windows devices to display toast notifications to users, even when the application is closed. The update will show notifications for available apps only when the installation status is completed or failed. The Company Portal app won't show notifications for required applications.

Display installation status messages for the Company Portal app

The Company Portal app will show additional app installation status messages to end users. The following conditions will apply to new Win32 dependency features:

  • App failed to install. Dependencies defined by the admin were not met.

Configure app notification content for organization accounts

Intune APP on Android and iOS devices will allow you to control app notification content for organization accounts. This feature will require support from applications and might not be available for all APP-enabled applications. For more information about APP, see What are app protection policies?

Device configuration

Block users from configuring certificate credentials in the managed keystore on Android Enterprise device owner devices

On Android Enterprise device owner devices, there'll be a new setting to block users from configuring their certificate credentials in the managed keystore (Device configuration > Profiles > Create profile > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile type > Users + Accounts).

To see the current settings, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise device owner, including dedicated and fully managed devices

Wired network device configuration profiles for macOS devices

On macOS devices, a future update will include a new device configuration profile that configures wired networks (Device configuration > Profiles > Create profile > macOS for platform > Wired Network for profile type). Use this feature to create 802.1x profiles to manage wired networks, and deploy these wired networks to your macOS devices.

Applies to:

  • macOS

Add automatic proxy settings to Wi-Fi profiles for Android Enterprise work profiles

On Android Enterprise Work Profile devices, you can create Wi-Fi profiles. When you choose the Wi-Fi Enterprise type, you can also enter the Extensible Authentication Protocol (EAP) type used on your Wi-Fi network.

In a future update, when you choose the Enterprise type, you'll be able to enter automatic proxy settings, including a proxy server URL, such as

To see the current Wi-Fi settings you can configure, go to Add Wi-Fi settings for devices running Android Enterprise and Android kiosk in Microsoft Intune.

Applies to:

  • Android Enterprise work profile

Enable network access control (NAC) with Cisco AnyConnect VPN on iOS devices

On iOS devices, you can create a VPN profile, and use different connection types, including Cisco AnyConnect (Device configuration > Profiles > Create profile > iOS for platform > VPN for profile type > Cisco AnyConnect for connection type).

In a future update, you'll be able to enable network access control (NAC) with Cisco AnyConnect. To use this feature:

  1. At Cisco Identity Services Engine Administrator Guide, use the steps in Configuring Microsoft Intune as an MDM Server to configure the Cisco Identity Services Engine (ISE) in Azure.
  2. In the Intune device configuration profile, select the Enable Network Access Control (NAC) setting.

To see all the available VPN settings, go to Configure VPN settings on iOS devices.

Applies to:

  • iOS

Updated single sign-on experience for apps and websites on your iOS, iPadOS, and macOS devices

Intune is adding more single sign-on settings for iOS, iPadOS, and macOS devices. Currently, you can configure credential SSO app extensions and Apple's built-in Kerberos extension in Intune. In a future update, you'll be able to configure redirect SSO app extensions written by your organization or by your identity provider.

Use these settings to configure a seamless single sign-on experience for apps and websites that use modern authentication methods, such as OAuth and SAML2.

To see the SSO app extension settings you can configure, go to SSO on iOS and SSO on macOS.

Applies to:

  • iOS/iPadOS
  • macOS

Require use of approved keyboards on Android

You'll be able to specify a list of approved keyboards for use in managed Android apps. From the managed app, the user will be prompted to switch to one of the approved keyboards already installed on their device or, if needed, they will be directed to the Google Play Store to download and set-up one of the approved keyboards. The user will only be able to edit text fields in a managed app if their active keyboard is one of the approved keyboards.

Use PKCS certificates with Wi-Fi profiles on Windows 10 and later devices

Currently, you can authenticate Windows Wi-Fi profiles with SCEP certificates (Device configuration > Profiles > Create profile > Windows 10 and later for platform > Wi-Fi for profile type > Enterprise > EAP type). You'll be able use PKCS certificates with your Windows Wi-Fi profiles. This feature allows users to authenticate Wi-Fi profiles using new or existing PKCS certificate profiles in your tenant.

For more information on Wi-Fi profiles, see Add Wi-Fi settings for Windows 10 and later devices in Intune.

Applies to:

  • Windows 10 and later

New ExchangeActiveSync settings when creating an Email device configuration profile on iOS devices

On iOS/iPadOS devices, you can configure email connectivity in a device configuration profile (Device configuration > Profiles > Create profile > iOS/iPadOS for platform > Email for profile type).

There will be new ExchangeActiveSync settings available, including:

  • Choose the services to sync (or block syncing), such as email, calendar, and contacts.
  • Allow (or block) users to change the sync settings for these services on their devices.

To see the current settings, go to Email profile settings for iOS devices in Intune.

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer

Prevent users from adding personal Google accounts to Android Enterprise device owner and dedicated devices

You'll be able to prevent users from creating personal Google accounts on Android Enterprise device owner and dedicated devices (Device configuration > Profiles > Create profile > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile type > Users and Accounts settings).

To see the current settings you can configure, go to Android Enterprise device settings to allow or restrict features using Intune.

Applies to:

  • Android Enterprise device owner
  • Android Enterprise dedicated devices

Server-side logging for Siri commands setting is removed in iOS device restrictions profile

On iOS devices, you can create a device restrictions profiles that configures server-side logging for Siri commands (Device configuration > Profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type > Built-in apps). The Server-side logging for Siri commands setting will be removed.

This setting will be removed from the Intune admin console. This setting has no effect on the device even though existing policies that have this setting configured will continue to show the setting. If you want to remove the setting from existing policies, go to the policy, make a minor edit, save it, and the policy will be updated.

To see the settings you can configure, see iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

  • iOS

Monitoring and troubleshooting

Centralized audit logs

A new centralized audit log experience will collect audit logs for all categories into one page. You'l be able to filter the logs to get the data you're looking for. To see the audit logs, go to Tenant administration > Audit logs. For more information, see Upcoming change to Audit logs in Intune.


Use PKCS certificate profiles to provision devices with certificates

You’ll be able to use a PKCS certificate profile to issue certificates to devices, expanding on our current support for user-based certificates. Device-based certificates will be supported the Android, iOS, and Windows platforms, and can be used for Wi-Fi and VPN profiles.


These notices provide important information that can help you prepare for future Intune changes and features.

Updated support statement for 'Adobe Acrobat Reader for Intune' mobile app

We shared in MC188653 at the end of August, that the Adobe Acrobat Reader for Intune mobile app was reaching end-of-life on December 1, 2019 and that Adobe was planning on supporting Intune’s app protection policies within their main Acrobat Reader app. Since then, we received customer feedback that we needed to provide more time to continue allowing IT admins to target, and end users to begin using Adobe Acrobat Reader for Intune. Given the high usage of Adobe Acrobat Reader for Intune on end user devices and its importance in enterprise scenarios, we want to make sure any experience meets your organization's app protection needs.

While we still recommend targeting the general Acrobat Reader mobile app in your policies since the Acrobat Reader mobile app supports App Protection Policies and has integrated the Intune SDK, the Adobe Acrobat Reader for Intune app will continue to be supported until March 31, 2020.

How does this affect me?

You are receiving this message because our reporting indicates one or more policies in your organization are targeting the Adobe Acrobat Reader for Intune application and/or you may have received our previous EOL communication.

What do I need to do to prepare for this change?

Let your end users and helpdesk know of this change. You can use the Company Portal's support information functionality to establish a channel for Intune-related questions.

Additional Information

End Support for Windows Phone 8.1

Microsoft mainstream support for Windows Phone 8.1 ended in July 2017, and extended support ended in June 2019. The Company Portal app for Windows Phone 8.1 has been in sustain mode since October 2017. Microsoft Intune will now end support on February 20, 2020 for Windows Phone 8.1.

How does this affect me?

After February 20, 2020 these devices won't receive any security updates, and you won't be able to enroll any new devices. Existing Windows Phone 8.1 devices will stay enrolled (policy, apps, reporting) but note any troubleshooting of an existing enrollment won't be supported after this date, as many components, such as third party certificates, have already ended support for the platform. Intune will stop compatibility testing with Intune and Windows Phone 8.1.

What do I need to do to prepare for this change?

You can check your Intune reporting to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running Windows Phone 8.1. Request that your end users upgrade their devices to a supported OS version.

Update your Intune Outlook App protection policies (APP)

You may need to take action if you received MC195618 In your Message Center. As shared in Microsoft 365 roadmap feature IDs: 56325 and 56326, Intune and Outlook for iOS and Android are rolling out support for limiting sensitive data in mail notifications and calendar reminders. As a result of these improvements, Outlook for iOS and Android will be removing support for several data protection app configuration keys you are currently leveraging to manage notifications.

How does this affect me?

While the new features have not shipped, when they do, the following app configuration keys will no longer function in Outlook for iOS and Android:


What do I need to do to prepare for this change?

We recommend you configure the Intune App Protection Policy data protection setting “Org data notifications” with a value of “Block Org Data” in preparation for this new feature. Beginning on December 16, 2019, Outlook for iOS and Android will honor the “Org data notifications” data protection setting and no longer support the aforementioned keys. Configuring this new setting will ensure sensitive data isn't leaked when the above configuration keys are no longer supported. Additionally, Outlook is providing additional granularity when the data protection setting “Org data notifications” is set to “Block Org Data” with an additional app configuration setting, “Calendar notifications”. The combination of the App Protection Policy setting and this app configuration setting limits sensitive information in mail notifications, while exposing sensitive information in calendar notifications, so that users can get to their meetings by glancing quickly at the notification or notification center.

Additional information

For more information on APP settings and Outlook’s settings, see:

Intune Plan for Change: Windows 10, version 1703 Company Portal moving out of Support

Windows 10, version 1703 (also known as Windows 10, RS2) has moved out of service on October 8, 2019 for enterprise and EDU editions. Intune will end support for the corresponding Company Portal app for RS2/RS1 starting on December 26, 2019.

How does this affect me?

Moving forward, you won't see new features in the specific version of the Company Portal app, although we will continue to support this version of the Company Portal app through December 26, 2019, including providing any security updates to the Company Portal app as needed. However, since Windows 10, version 1703 won't receive any security updates once it moves out of servicing, we highly recommend you update your Windows devices to a more recent Windows version and make sure you’re on the latest Company Portal app so you continue to get new features and additional functionality.

What do I need to do to prepare for this change?

The steps you take depends on how your environment is configured. In general though, you should identify the devices that have the older version of the OS and/or the Company Portal on their device, and update. To set your Windows 10 update rings, log into Intune -> Software updates – Windows 10 update rings. The latest version of the Company Portal is version 10.3.5601.0. Please direct your users to acquire it from the Microsoft Store to stay up to date with future releases. You can also use Intune to install the latest on your Windows devices through the Microsoft Store for Business.

Additional information

Manually add the Windows 10 Company Portal app by using Microsoft Intune

Take Action: Use Microsoft Edge for your Protected Intune Browser Experience

As we have been sharing over the past year, Microsoft Edge mobile supports the same set of management features as the Managed Browser, while providing a much-improved end user experience. To make way for the robust experiences provided in Microsoft Edge, we will be retiring the Intune Managed Browser. Starting on January, 27, 2020, Intune will no longer support the Intune Managed Browser.

How does this affect me?

Starting on February 1, 2020, the Intune Managed Browser will no longer be available in the Google Play Store or the iOS App Store. At this point, you will still be able to target new app protection policies to the Intune Managed Browser, though new users won't be able to download the Intune Managed Browser app. In addition, on iOS, new web clips that are pushed down to MDM-enrolled device will open in Microsoft Edge instead of the Intune Managed Browser.

On March, 31 2020, the Intune Managed Browser will be removed from the Azure console. This means you will no longer be able to create new policies for the Intune Managed Browser. If you have existing Intune Managed Browser policies in place, they won't be affected. The Intune Managed Browser will show up in the console as an LOB app with no icon, and existing policies will show as targeted to the app still. At this point, we will also remove the option to redirect web content to the Intune Managed Browser within the Data Protection section of App protection policies.

What do I need to do to prepare for this change?

To ensure a smooth transition from the Intune Managed Browser to Microsoft Edge, we recommend you take the following steps proactively:

  1. Target Microsoft Edge for iOS and Android with app protection policy (also referred to as MAM) and app config settings. You can reuse your Intune Managed Browser policies for Microsoft Edge by targeting those existing policies to Microsoft Edge as well.
  2. Ensure all MAM-protected apps in your environment have the app protection policy setting "Restrict web content transfer with other apps" set to "Policy managed browsers".
  3. Target all the MAM-protected with the managed app configuration setting "" set to true. Starting next month with the release of 1911, you will be able to accomplish steps 2 and 3 simply by configuring the setting "Restrict web content transfer with other apps" to have "Microsoft Edge" selected in the Data Protection section of your app protection policies.

Support for web clips on iOS and Android is coming. When this support is released, you will need to retarget pre-existing web clips to ensure they open in in Microsoft Edge instead of the Managed Browser.

Additional information

Please visit our docs on using Microsoft Edge with app protection policies for more info, or view our support blog post.

Plan for Change: Updated experience when enrolling Android Enterprise dedicated devices in Intune

With the November or 1911 release to Intune, we’re adding support for SCEP device certificate deployment to Android Enterprise dedicated devices to enable certificate-based access to Wi-Fi profiles. This change also involves some minor changes the flow when enrolling Android Enterprise dedicated devices.

How does this affect me?

If you manage Android Enterprise dedicated devices in your environment, you will start to see some changes roll out in November.

  • For new Android Enterprise dedicated device enrollments: End users will see a different set of steps on devices during enrollment. Enrollment will still start the way it does today (with QR, NFC, Zero-touch, or device identifier) but after the November service release, there will be a mandatory app install step.
  • For existing Android devices enrolled as dedicated devices: Intune will start to automatically install the Microsoft Intune app on devices starting in early November. You don't need to take any action. The app will automatically download and install on devices.

What can I do to prepare for this change?

You should plan to update your end user guidance and let your helpdesk know of this change. Click Additional Information for more details and screenshots. We’ll update our What’s New page when this change starts to roll out.

Additional information

End of support for legacy PC management

Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as Mobile Device Management (MDM) devices to keep them managed by Intune.

Learn more

Decreasing support for Android device administrator

Android device administrator (sometimes referred to "legacy" Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is now available with Android Enterprise (released with Android 5.0). In an effort to move to modern, richer, and more secure device management, Google is decreasing device administrator support in new Android releases.

How does this affect me?

Because of these changes by Google, Intune users will be impacted in the following ways:

  • Intune will only be able to provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices that are running Android 10 or later after this time won't be able to be entirely managed. In particular, impacted devices won’t receive new password requirements.
    • Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you more time to plan the transition off device admin management.   
  • Device administrator-managed Android devices that remain on Android versions below Android 10 won't be impacted and can continue to be entirely managed with device administrator.
  • For all devices running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device updates to Android 10 or later:
    • Network access control for VPN will no longer work.
    • Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned.
    • The IMEI and serial number will no longer be visible to IT admins in Intune.


      This only impacts device administrator-managed devices on Android 10 and later and does not affect devices being managed as Android Enterprise.

What do I need to do to prepare for this change?

To avoid the reduction in functionality coming in Q3 CY2020, we recommend the following:

  • Don't onboard new devices into device administrator management.
  • If a device is expected to receive an update to Android 10, migrate it off of device administrator management to Android Enterprise management and/or app protection policies.

Additional information

Plan for change: Intune App SDK and app protection policies for Android moving to support Android 5.0 and higher in an upcoming release

Intune will be moving to support Android 5.x (Lollipop) and higher in an upcoming release. Update any wrapped apps with the latest Intune App SDK and update your devices.

How does this affect me?

If you're not using or plan to use either the SDK or APP for Android, this change won't affect you. If you are using the Intune App SDK, be sure to update to the latest version and also update your devices to Android 5.x and higher. If you don't update, apps won't receive updates, and the quality of their experience will diminish over time.

Below find a list of common devices enrolled in Intune that run Android version 4.x. If you have one of these devices, take the appropriate steps to make sure that this device will support Android version 5.0 or higher or that it will be replaced with a device that supports Android version 5.0 or higher. This list isn't exhaustive of all devices that may need to be evaluated:

  • Samsung SM-T561
  • Samsung SM-T365
  • Samsung GT-I9195
  • Samsung SM-G800F
  • Samsung SM-G357FZ
  • Motorola XT1080
  • Samsung GT-I9305
  • Samsung SM-T231

What do I need to do to prepare for this change?

Wrap your apps with the latest Intune App SDK. You may also set the "Require minimum OS version (Warning only)" conditional launch setting to notify end users on personal devices to upgrade.

Intune plan for change: Nearing end of support for Windows 7

As we messaged in MC148476, posted last September 2018, and again in MC176794 back in March 2019, Windows 7 reaches its end of extended support on January 14, 2020. At that time, Intune will retire support for devices running Windows 7 so we can focus our investment on supporting newer technologies and providing great new end-user experiences. After that date, technical assistance and automatic updates that help protect your Windows 7 PC will no longer be available through Intune. Microsoft strongly recommends that you move to Windows 10 before January 2020 to avoid a scenario where you need service or support that is no longer available. Read more about the Windows support lifecycle here.

How does this affect me?

You are receiving this message because you are currently managing Windows 7 PCs using the legacy Intune PC software agent. Because less than a year remains before the end of Windows 7 extended support, we strongly encourage your organization to begin upgrading to Windows 10 as soon as possible.

PC management capabilities are built directly into the Windows 10 operating system, and you no longer need to install a client agent such as the Intune software client for Windows 7. Starting with Windows 8.1, Microsoft uses the Mobile Device Management (MDM) architecture to provision, configure, update, and manage Windows PCs. When you have set up Intune, you can simplify Windows enrollment by enrolling Windows 10 PCs into Intune through the MDM channel. We recommend that you use this "agentless" MDM management solution to manage your Windows 10 PCs.

What do I need to do to prepare for this change?

We encourage your organization to immediately consider this action plan:

  • Plan and upgrade the Windows 7 fleet to Windows 10 before January 14, 2020.
  • Explore Windows 10 deployment support to learn more about how to upgrade your existing fleet of Windows 7 PCs to Windows 10.
  • Review the Desktop App Assure offer through FastTrack, which will assist with the Microsoft application compatibility promise.
  • Transition existing legacy Intune software client managed devices to the Microsoft-recommended solution to manage Windows 10 using MDM management. Enroll all new Windows 10 PCs using MDM management for Intune in the Azure portal.

See the blog post here for more information.

See also

For details about recent developments, see What's new in Microsoft Intune.