In development for Microsoft Intune - July 2019


To assist in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition:

  • If we anticipate that you'll need to take action prior to a change, we’ll publish a complementary Office Message Center post.
  • When a feature is launched in production, either as a preview or generally available, the feature description will move off this page and onto the What's New page.
  • This page and the What's New page are updated periodically. Check back for additional updates.
  • Refer to the M365 roadmap for strategic deliverables and timelines.


These items reflect Microsoft’s current expectations about Intune capabilities coming in a future release. Dates and individual features may change. Not all items in development have a feature description on this page.


App management

Customized notifications for users and groups

You'll soon be able to send custom ad-hoc push notifications from the Company Portal application to users on iOS and Android devices you manage with Intune. These custom notifications are not tied to particular Intune features and can be used for any purpose you require, including general notifications you want to send to some or all your employees.

Configure app notification content for organization accounts

Intune app protection policies (APP) on Android and iOS devices will allow you to control app notification content for Org accounts. This feature will require support from applications and may not be available for all APP-enabled applications. For more about APP, see What are app protection policies?

Available Google Play app reporting for Android work profiles

For available app installs on Android work profile devices, you can view app installation status as well as the installed version of managed Google Play apps. For more information, see How to monitor app protection policies, Manage Android work profile devices with Intune and Managed Google Play app type.

Device configuration

Support for IKEv2 VPN profiles for iOS

You'll be able to create VPN profiles for the iOS native VPN client using the IKEv2 protocol. IKEv2 is a new connection type in Device configuration > Profiles > Create profile > iOS for platform > VPN for profile type > Settings.

These VPN profiles configure the native VPN client, so no VPN client apps are installed or pushed to managed devices. This feature requires that devices be enrolled in Intune (MDM enrollment).

To see the current VPN settings you can configure, go to Configure VPN settings on iOS devices in Microsoft Intune.

Applies to: iOS

Use "applicability rules" when creating Windows 10 device configuration profiles

You create Windows 10 device configuration profiles (Device configuration > Profiles > Create profile > Windows 10 for platform). You'll be able to create an applicability rule so the profile only applies to a specific edition or specific version. For example, you create a profile that enables some BitLocker settings. Once you add the profile, use an applicability rule so the profile only applies to devices running Windows 10 Enterprise.

Applies to:

  • Windows 10 and later

Manage FileVault for macOS

You’ll be able to use an Intune endpoint protection device configuration profile to manage FileVault key encryption for macOS devices. This includes escrowing, viewing, and rotating the encryption keys of your corporate devices. End users will be able to retrieve those keys through the Company Portal website.

Advanced settings for Windows Defender Firewall

As a public preview, you'll soon be able to use Intune to manage the custom firewall rules on clients for Windows Defender.

New configuration designer when creating an OEMConfig profile for Android Enterprise

In Intune, you can create a device configuration profile that uses an OEMConfig app (Device Configuration > Profiles > Create profile > Android enterprise for platform > OEMConfig for profile type). When you do this, a JSON editor opens with a template and values for you to change. This update includes a Configuration Designer with an improved user experience that shows details embedded in the app, including titles, descriptions, and more. The JSON editor is still available, and shows any changes you make in the Configuration Designer.

To see the current settings, go to Use and manage Android Enterprise devices with OEMConfig.

Applies to: Android Enterprise

Device management

Improve device location

You'll be able to zoom in to the exact coordinates of a device using the Locate device action. For more information about locating lost iOS devices, see Find lost iOS devices.

Configure automatic device clean-up time limit down to 30 days

You'll be able to set the automatic device clean-up time limit as short as 30 days (instead of the current limit of 90 days) after the last sign-in. To do so, go to Intune > Devices > Setup > Device Clean Up Rules.


Import and export security baselines

We’re adding the capability to export and import security baselines so you can take your customizations with you and share them between Intune environments.


These notices provide important information that can help you prepare for future Intune changes and features.

Update your Android Company Portal app to the latest version

Intune periodically releases updates to the Android Company Portal app. In November 2018 we released a Company Portal update, which included a back-end switch to prepare for Google’s change from their existing notification platform to Google’s Firebase Cloud Messaging (FCM). When Google retires their existing notification platform and moves to FCM, end users will need to have updated their Company Portal app to at least the November 2018 release to continue communicating with the Google Play store.

How does this affect me?

Our telemetry indicates you have devices with a Company Portal version earlier than 5.0.4269.0. If this version or later of the Company Portal app is not installed, IT pro-initiated device actions like wipe, reset password, available and required app installs, and certificate enrollment may not work as expected. If your devices are MDM enrolled in Intune, then you can see the Company Portal versions and users by going to Client apps – Discovered apps. Selecting earlier versions of the Company Portal will allow you to see which end users have devices that haven’t updated the Company Portal.

What do I need to do to prepare for this change?

Ask end users of Android devices that have not updated to update the Company Portal through Google Play. Notify your help desk in case a user has not kept auto-updating enabled for the Company Portal app. See the link in Additional Information for more on Google’s FCM platform and change.

Additional information

New Fullscreen experience coming to Intune

We’re rolling out updated create and edit UI experiences to Intune in the Azure portal. This new experience will simplify the existing workflows by using a wizard style format condensed within one blade. This update will do away with “blade sprawl” or any create and edit flows that require you to drill down into deep blade journeys. The create workflows will also be updated to include Assignments (except for App assignment).

How does this affect me?

The full screen experience will be rolled out to Intune both at and over the next few months. This update to the UI will not impact functionality of your existing policies and profiles, but you will see a slightly modified workflow. When you create new policies, for example, you will be able to set some assignments as part of this flow instead of doing so after creating the policy. See the blog post at Additional information for screenshots of what the new experience will look like in the console.

What can I do to prepare for this change?

You do not need to take any action but can consider updating your IT pro guidance if necessary. We’ll update our documentation as this experience rolls out to various blades in the Intune on Azure portal.

Additional information

Plan for Change: Intune moving to support iOS 11 and higher in September

In September, we expect iOS 13 to be released by Apple. Intune enrollment, the Company Portal, and the Managed Browser will move to support iOS 11 and higher shortly after the iOS 13 release.

How does this affect me?

Provided that O365 mobile apps are supported on iOS 11.0 and higher, this may not affect you; you’ve likely already upgraded your OS or devices. However, if you have any of the devices listed below, or decide to enroll any of the devices listed below, know that the devices below do not support an OS greater than iOS 10. These devices will need to be upgraded to a device that supports iOS 11 or higher:

  • iPhone 5
  • iPhone 5c
  • iPad (4th Generation)

Starting in July, MDM enrolled devices with iOS 10 and the Company Portal will receive a prompt to upgrade their OS or device. If you use Application Protection Policies (APP) you can also set the “Require minimum iOS operating system (Warning only)” access setting.

What do I need to do to prepare for this change?

Check your Intune reporting to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running iOS 10. Request that your end users upgrade their devices to a supported OS version before September.

Plan for Change: Support for version 8.1.1 and higher of Intune App SDK for iOS

Starting in September 2019, Intune will move to support iOS apps with Intune App SDK 8.1.1 and higher. Apps built with SDK versions less than 8.1.1 will no longer be supported. This change will go into effect with Apple’s release of iOS 13, which is expected around September, and has also been announced in MC181399.

How does this affect me?

With Intune App SDK or App Wrapping integration, you can protect corporate data from unapproved applications and users via data encryption. The Intune App SDK for iOS will use 256-bit encryption keys by default when encryption is enabled by Intune App Protection Policies (APP). After this change, any iOS apps on SDK versions prior to 8.1.1, which use 128-bit encryption keys, will no longer be able to share data with applications integrated with SDK 8.1.1 or using the 256-bit keys. All iOS apps will need to have an SDK version 8.1.1 or higher to allow protected data sharing.

What can I do to prepare for this change?

Check your Microsoft, third-party, and line-of-business (LOB) apps. You should ensure that all your applications protected with Intune APP are using SDK version 8.1.1 or later.

  • For LOB apps: You may need to republish your apps integrated with SDK version 8.1.1 or later. We recommend the latest SDK version. For information on how to prepare your LOB apps for App protection policies, see Prepare line-of-business apps for app protection policies.
  • For Microsoft/Third Party apps: Ensure that you are deploying the latest version of these apps to your users.

You should also update your documentation or developer guidance if applicable to include this change in support for the SDK.

Additional information

Plan for change: New Windows updates settings in Intune

Starting with the August release to the Intune service or 1908, we’re adding in new “Deadline settings” which you can configure instead of the “Allow user to restart (engaged restart)” settings. We plan to disable the engaged restart settings in the UI in 1909 or the September update and then completely remove them from the console towards the end of October.

How does this affect me?

If you manage Windows 10 devices in your environment:

  • With the August Intune update or 1908, you will see new deadline settings in the console in addition to the old engaged restart settings.
  • When both these old and new settings are configured, the deadline settings values will override the engaged restart setting values.
  • Deadline settings will replace the “Allow user to restart (engaged restart)” option in the console in the 1910 update.

What can I do to prepare for this change?

Start using the deadline settings in 1908 by configuring them with your desired values. Once you have that in place, you can set the engaged restart setting to “Not configured” to prepare for these being removed from the console in October.

Update your documentation and any automation scripts if needed.

We’ll keep you updated and post a reminder to the Message center before we remove the engaged restart settings.

See also

See What’s New in Microsoft Intune for details on recent developments.