In development for Microsoft Intune - September 2019

To assist in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition:

  • If we anticipate that you'll need to take action before a change, we’ll publish a complementary Office Message Center post.
  • When a feature is launched in production, either as a preview or generally available, the feature description will move off this page and onto the What's New page.
  • This page and the What's New page are updated periodically. Check back for additional updates.
  • Refer to the M365 roadmap for strategic deliverables and timelines.


These items reflect Microsoft’s current expectations about Intune capabilities coming in a future release. Dates and individual features may change. Not all items in development have a feature description on this page.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:

App management

Managed Google Play private LOB apps

Intune will allow IT admins to publish private Android LOB apps to Managed Google Play via an iframe embedded in the Intune console. Currently, IT admins need to publish LOB apps directly to Google's Play publishing console, which requires many steps and is very time consuming. This new feature allows for easy publishing of LOB apps with a minimal set of steps without needing to leave the Intune console. Any of the Android Enterprise management scenarios that use Managed Google Play can take advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune, select Client apps > Apps > Add. Then, select Managed Google Play from the App type list. For more information about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices with Intune.

Company Portal app installation status messages

The Company Portal app will show additional app installation status messages to end users. The following conditions will apply to new Win32 dependency features:

  • App failed to install. Dependencies defined by the admin were not met.
  • App installed successfully but requires a restart.
  • App is in the process of installing, but requires a restart to continue.

Managed Google Play iframe support

Intune will provide support for adding and managing web links directly in the Intune console, via the Managed Google Play iframe. This lets IT admins submit a URL and icon graphic, and then deploy those links to devices just like regular Android apps. Any of the Android Enterprise management scenarios that use Managed Google Play can take advantage of this feature (work profile, dedicated, fully managed, and non-enrolled devices). From Intune, select Client apps > Apps > Add. Then, select Managed Google Play from the App type list. For more information about Managed Google Play apps, see Add Managed Google Play apps to Android Enterprise devices with Intune.

macOS support for VPP apps

macOS apps you have purchased using Apple Business Manager will be displayed in the console when Apple VPP tokens are synced in Intune. You can assign, revoke and reassign device and user-based licenses for groups using the console. Microsoft Intune helps you manage VPP apps purchased for use at your company by:

macOS support for web apps

You'll be able to install Web apps, which allow you to add a shortcut to a URL on the web, to the Dock using the macOS Company Portal. End-users can access the Install action from the app details page for a web app in the macOS Company Portal. For more information about the Web link app type, see Add apps to Microsoft Intune.

Assign Microsoft Edge beta for macOS

You'll be able to add and assign the latest version of Microsoft Edge beta to Intune for macOS devices. From Intune, select Client apps > Apps > Add app > Microsoft Edge - macOS. Then, assign Microsoft Edge beta to the intended groups. Microsoft AutoUpdate (MAU) keeps Microsoft Edge up-to-date. For more information about Microsoft Edge, see Manage web access by using Microsoft Edge with Microsoft Intune.

Read and write Graph API operations for Intune apps

Applications will be able to call the Intune Graph API with both read and write operations using app identity without user credentials. For more information about accessing the Microsoft Graph API for Intune, see Working with Intune in Microsoft Graph.

Configure app notification content for organization accounts

Intune app protection policies (APP) on Android and iOS devices will allow you to control app notification content for Org accounts. This feature will require support from applications and may not be available for all APP enabled applications. For more about APP, see What are app protection policies?.

Available Google Play app reporting for Android work profiles

For available app installs on Android work profile devices, you can view app installation status and the installed version of managed Google Play apps. For more information, see How to monitor app protection policies, Manage Android work profile devices with Intune and Managed Google Play app type.

Device configuration

Device features, device restrictions, and extension profiles for iOS and macOS settings are shown by enrollment type

In Intune, you create profiles for iOS and macOS devices (Device configuration > Profiles > Create profile > iOS or macOS for platform > Device features, Device restrictions, or Extensions for profile type). Currently, the available settings in these profiles are listed.

In a future update, the available settings in the Intune portal will be categorized by the enrollment type that they apply to:

  • iOS

    • All enrollment types
    • Device enrollment and automated device enrollment
    • Automated device enrollment
  • macOS

    • All enrollment types
    • Device enrollment
    • User approved and automated device enrollment
    • Automated device enrollment

Applies to:

New voice control settings for supervised iOS devices running in kiosk mode

In Intune, you can create policies to run supervised iOS devices as a kiosk, or dedicated device (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > Kiosk (supervised only)).

In a future update, there will be new settings you can control:

  • Voice control: Enables Voice Control on the device while in kiosk mode.
  • Modification of voice control: Allow users to change the Voice Control setting on the device while in kiosk mode.

To see the current settings, go to iOS Kiosk (supervised only) settings.

Applies to:

  • iOS 13.0 and later

Use single sign-on for apps and websites on your iOS and macOS devices

In a future update, there will be some new single sign-on settings for iOS and macOS devices (Device configuration > Profiles > Create profile > iOS or macOS for platform > Device features for profile type).

Use these settings to configure a single sign-on experience, especially for apps and websites that use Kerberos authentication. You can choose between a generic credential single sign-on app extension, and Apple's built-in Kerberos extension.

To see the current device features you can configure, go to iOS device features and macOS device features.

Applies to:

  • iOS 13.0 and newer
  • macOS 10.15 and newer

Associate domains to apps on macOS 10.15+ devices

On macOS devices, you can configure different features, and push these features to your devices using a policy (Device configuration > Profiles > Create profile > macOS for platform > Device features for profile type). In a future update, you'll be able to associate domains to your apps. This feature helps share credentials with websites related to your app, and can be used with Apple’s single sign-on extension, universal links, and password autofill.

To see the current features you can configure, go to macOS device feature settings in Intune.

Applies to:

  • macOS 10.15 and newer

Use "itunes" and "apps" in the iTunes App store URL when showing or hiding apps on iOS supervised devices

In Intune, you can create policies to show or hide apps on your supervised iOS devices (Device configuration > Profiles > Create profile > iOS for platform > Device restrictions for profile type > Show or hide apps (supervised only)). ​ You can enter the iTunes App store URL, such as In a future update, you'll be able to use both apps and itunes in the URL, such as:​ ​

  •​ ​ For more information on these settings, see Show or hide apps (supervised only).

Applies to:

  • iOS

Support for IKEv2 VPN profiles for iOS

You'll be able to create VPN profiles for the iOS native VPN client using the IKEv2 protocol. IKEv2 is a new connection type in Device configuration > Profiles > Create profile > iOS for platform > VPN for profile type > Settings.

These VPN profiles configure the native VPN client. So, no VPN client apps are installed or pushed to managed devices. This feature requires devices be enrolled in Intune (MDM enrollment).

To see the current VPN settings you can configure, go to Configure VPN settings on iOS devices in Microsoft Intune.

Applies to: iOS

Device enrollment

New tenants will default away from Android device administrator management

Android's device administrator capabilities have been superseded by Android Enterprise. Therefore, we recommend using Android Enterprise for new enrollments instead. In a future update, new tenants will need to complete the following prerequisite steps in Android enrollment to use device administrator management: Go to Intune > Device enrollment > Android enrollment > Personal and corporate-owned devices with device administration privileges > Use device administrator to manage devices.

Existing tenants will experience no change in their environments.

For more information about Android device administrator in Intune, see Android device administrator enrollment.

For iOS devices, customize the enrollment process privacy screen of the Company Portal

Using markdown, you'll be able to customize the Company Portal's privacy screen that end users see during iOS enrollment. Specifically, you'll be able to customize the list of things that your organization can't see or do on the device.

Device management

Deploy Software Updates to macOS devices

You'll be able to deploy Software Updates to groups of macOS devices. This feature includes critical, firmware, configuration file, and other updates. You'll be able to send updates on the next device check-in or select a weekly schedule to deploy updates in or out of time windows that you set. This helps when you want to update devices outside standard work hours or when your help desk is fully staffed. You'll also get a detailed report of all macOS devices with updates deployed. You can drill into the report on a per-device basis to see the statuses of particular updates.

Send custom notifications to a device

You'll be able to send custom notifications to specific devices that have the Company Portal or Intune app installed. To do so, go to Intune > Devices > All devices > choose a device > More > Send custom notification.

Updates to Android Enterprise Fully Managed features

We'll be adding the following support for Android Fully Managed devices:

  • SCEP certificates for fully managed Android will be available for cert authentication on devices managed as Device Owner. SCEP certificates are already supported on Work Profile devices. With SCEP certificates for Device Owner, you will be able to:
    • create SCEP profile under DO section of Android Enterprise
    • link SCEP certificates to DO Wi-Fi profile for authentication
    • link SCEP certificates to DO VPN profiles for authentication
    • link SCEP certificates to DO Email profiles for authentication (via AppConfig)
  • System apps will be supported on Android Enterprise devices. In Intune, you will add an Android Enterprise system app by selecting Client apps > Apps > Add. In the App type list, select Android Enterprise system app. For more information about adding apps to Intune, see Add apps to Microsoft Intune.
  • In Device compliance > Android Enterprise > Device Owner, you'll be able to create a compliance policy that sets the Google SafetyNet attestation level.
  • On Android Enterprise fully managed devices, the mobile threat defense providers will be supported. In Device compliance > Android Enterprise > Device Owner, you can choose an acceptable threat level. Android Enterprise settings to mark devices as compliant or not compliant using Intune lists the current settings.

Applies to:

  • Android Enterprise fully managed devices

Monitor and troubleshoot

Updated support experience

As part of continuing improvements, we’ll be updating the in-console support experience for Intune. We’ll be improving the in-console search and feedback for common issues, and streamlining the workflow to contact support.


Tamper Protection for Windows Defender Antivirus

We'll be adding Tamper Protection to the settings that Intune can manage for Windows Defender Antivirus. You'll be able to use a device configuration profile for Windows 10 endpoint protection to turn Tamper Protection on or off. For more information about Tamper Protection, see Prevent security settings changes with tamper protection in the Windows documentation.


These notices provide important information that can help you prepare for future Intune changes and features.

Decreasing support for Android device administrator

Android device administrator (sometimes referred to “legacy” Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is now available with Android Enterprise (released with Android 5.0). In an effort to move to modern, richer, and more secure device management, Google is decreasing device administrator support in new Android releases.

How does this affect me?

Because of these changes by Google, Intune users will be impacted in the following ways:

  • Intune will only be able to provide support for device administrator-managed Android devices running Android 10 and later (also known as Android Q) through Summer 2020. This date is when the next major version of Android is expected to release.
  • Device administrator-managed devices that are running Android 10 or later after summer 2020 will no longer be able to be entirely managed.   
  • Device administrator-managed Android devices that remain on Android versions below Android 10 will not be impacted and can continue to be entirely managed with device administrator.
  • For all Android 10 and later devices, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This impacts the following Intune features after a device updates to Android 10 or later:
    • Network access control for VPN will no longer work.
    • Identifying devices as corporate-owned with IMEI or serial number will not automatically mark devices as corporate-owned.
    • IMEI and serial number will no longer be visible to IT admins in the Intune.


      This only impacts device administrator-managed devices on Android 10 and later, and does not affect devices being managed as Android Enterprise.

What do I need to do to prepare for this change?

To avoid the reduction in functionality coming in Summer 2020, we recommend the following:

  • Don’t onboard new devices into device administrator management.
  • If a device is expected to receive an update to Android 10, migrate it off of device administrator management to Android Enterprise management and/or App Protection Policies.

Additional information

Update your Android Company Portal app to the latest version

Intune periodically releases updates to the Android Company Portal App. In November 2018 we released a company portal update, which included a back-end switch to prepare for Google’s change from their existing notification platform to Google’s Firebase Cloud Messaging (FCM). When Google retires their existing notification platform and moves to FCM, end users will need to have updated their company portal app to at least November 2018 release to continue communicating with the Google play store.

How does this affect me?

Our telemetry indicates you have devices with a Company Portal version earlier than 5.0.4269.0. If this version or later of the company portal app is not installed, IT pro initiated device actions like wipe, reset password, available and required app installs, and certificate enrollment may not work as expected. If your devices are MDM enrolled in Intune, then you can see the company portal versions and users by going to Client apps – Discovered apps. Selecting earlier versions of the Company Portal will allow you to see what end users have the devices that haven’t updated the company portal.

What do I need to do to prepare for this change?

Ask end users of Android devices that have not updated to update the company portal through Google play. Notify your help desk in case a user has not kept auto-updating of the company portal app. See the link in Additional Information for more on Google’s FCM platform and change.

Additional information

New Fullscreen experience coming to Intune

We’re rolling out updated create and edit UI experiences to Intune in the Azure portal. This new experience will simplify the existing workflows by using a wizard style format condensed within one blade. This update will do away with “blade sprawl” or any create and edit flows that require you to drill down into deep blade journeys. The create workflows will also be updated to include Assignments (except for App assignment).

How does this affect me?

The full screen experience will be rolled out to Intune both at and over the next few months. This update to the UI will not impact functionality of your existing policies and profiles, but you will see a slightly modified workflow. When you create new policies, for example, you will be able to set some assignments as part of this flow instead of doing so after creating the policy. See the blog post at Additional information for screenshots of what the new experience will look like in the console.

What can I do to prepare for this change?

You do not need to take any action but can consider updating your IT pro guidance if necessary. We’ll update our documentation as this experience rolls out to various blades in the Intune on Azure portal.

Additional information

Plan for Change: Intune moving to support iOS 11 and higher in September

In September, we expect iOS 13 to be released by Apple. Intune enrollment, the Company Portal, and the Managed Browser will move to support iOS 11 and higher shortly after the iOS 13 release.

How does this affect me?

Provided that O365 mobile apps are supported on iOS 11.0 and higher, this may not affect you; you’ve likely already upgraded your OS or devices. However, if you have any of the devices listed below, or decide to enroll any of the devices listed below, know that the devices below do not support an OS greater than iOS 10. These devices will need to be upgraded to a device that supports iOS 11 or higher:

  • iPhone 5
  • iPhone 5c
  • iPad (4th Generation)

If you use Application Protection Policies (APP), you can also set the “Require minimum iOS operating system (Warning only)” access setting.

What do I need to do to prepare for this change?

Check your Intune reporting to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running iOS 10. Request that your end users upgrade their devices to a supported OS version before September.

Plan for Change: Support for version 8.1.1 and higher of Intune App SDK for iOS

Starting in September 2019, Intune will move to support iOS apps with Intune App SDK 8.1.1 and higher. Apps built with SDK versions less than 8.1.1 will no longer be supported. This change will go into effect with Apple’s release of iOS 13, which is expected to come around September and also been announced in MC181399.

How does this affect me?

With Intune App SDK or App Wrapping integration, you can protect corporate data from unapproved applications and users via data encryption. The Intune App SDK for iOS will use 256-bit encryption keys by default when encryption is enabled by Intune App Protection Policies (APP). After this change, any iOS apps on SDK versions prior to 8.1.1, which use 128-bit encryption keys, will no longer be able to share data with applications integrated with SDK 8.1.1 or using the 256-bit keys. All iOS apps will need to have an SDK version 8.1.1 or higher to allow protected data sharing.

What can I do to prepare for this change?

Check your Microsoft, third-party, and line-of-business (LOB) apps. Make sure all that all your applications protected with Intune APP are using SDK version 8.1.1 or later.

  • For LOB apps: You may need to republish your apps integrated with SDK version 8.1.1 or later. We recommend the latest SDK version. For information on how to prepare your LOB apps for App protection policies, see Prepare line-of-business apps for app protection policies.
  • For Microsoft/Third Party apps: Ensure that you are deploying the latest version of these apps to your users.

You should also update your documentation or developer guidance if applicable to include this change in support for the SDK.

Additional information

Plan for change: New Windows updates settings in Intune

Starting with the August release to the Intune service or 1908, we’re adding in new “Deadline settings”, which you can configure instead of the “Allow user to restart (engaged restart)” settings. We plan to disable the engaged restart settings in the UI in 1909 or the September update and then completely remove them from the console towards the end of October.

How does this affect me?

If you manage Windows 10 devices in your environment:

  • With the August Intune update or 1908, you will see new deadline settings in the console in addition to the old engaged restart settings.
  • When both these old and new settings are configured, the deadline settings values will override the engaged restart setting values.
  • Deadline settings will replace the “Allow user to restart (engaged restart) option in the console in the 1910 update.

What can I do to prepare for this change?

Start using the deadline settings in 1908 by configuring them with your desired values. Once you have that in place, you can set the engaged restart setting to “Not configured” to prepare for these settings being removed from the console in October.

Update your documentation and any automation scripts if needed.

We’ll keep you updated and post a reminder to the Message center before we remove the engaged restart settings.

Plan for change: Intune App SDK and app protection policies for Android moving to support Android 5.0 and higher in October

Intune will be moving to support Android 5.x (Lollipop) and higher in October. Update any wrapped apps with the latest Intune App SDK and update your devices.

How does this affect me?

If you’re not using or plan to use either the SDK or APP for Android, this change won’t affect you. If you are using the Intune App SDK, be sure to update to the latest version and also update your devices to Android 5.x and higher. If you don’t update, apps will not receive updates, and the quality of their experience will diminish over time.

Below find a list of common devices enrolled in Intune that run Android version 4.x. If you have one of these devices, take the appropriate steps to make sure that this device will support Android version 5.0 or higher or that it will be replaced with a device that supports Android version 5.0 or higher. This list is not exhaustive of all devices that may need to be evaluated:

  • Samsung SM-T561
  • Samsung SM-T365
  • Samsung GT-I9195
  • Samsung SM-G800F
  • Samsung SM-G357FZ
  • Motorola XT1080
  • Samsung GT-I9305
  • Samsung SM-T231

What do I need to do to prepare for this change?

Wrap your apps with the latest Intune App SDK. You may also set the “Require minimum OS version (Warning only)” conditional launch setting to notify end-users on personal devices to upgrade.

See also

See What’s New in Microsoft Intune for details on recent developments.