What's new in Microsoft Intune

Learn what’s new each week in Microsoft Intune. You can also find upcoming changes, important notices, and information about past releases. Some features may roll out over several weeks and might not be available to all customers in the first week.

Note

For information on new functionality in hybrid mobile device management (MDM), check out the hybrid What’s New page.

Week of November 5, 2018

Support for iOS 12 OAuth in iOS email profiles

Intune's iOS email profiles support iOS 12 Open Authorization (OAuth). To see this feature, create a new profile (Device Configuration > Profiles > Create profile > iOS for platform > Email for profile type), or update an existing iOS email profile. If you enable OAuth in a profile that's already deployed to users, then users are prompted to reauthenticate, and download their email again.

iOS email profiles has more information on using OAuth in an email profile.

Autopilot support for hybrid Azure Active Directory joined devices (Preview)

You can now set up hybrid Azure Active Directory joined devices by using Autopilot. Devices must be joined to your organization's network to use the hybrid Autopilot feature. For more information, see Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot. This feature is rolling out across the user base over the next few days. Therefore, you might not be able to follow these steps until it rolls out to your account.

App Protection Policy (APP) settings for web data

APP policy settings for web content on both Android and iOS devices have been updated to better handle both http and https web links, as well as data transfer via iOS Universal Links and Android App Links.

Week of October 29, 2018

App management

Require non-biometric PIN after a specified timeout

By requiring a non-biometric PIN after an admin-specified timeout, Intune provides improved security for Mobile Application Management (MAM) enabled apps by restricting the use of biometric identification for access to corporate data. The settings affect users who rely on Touch ID (iOS), Face ID (iOS), Android Biometric, or other future biometric authentication methods to access their APP/MAM-enabled applications. These settings enable Intune admins to have more granular control over user access, eliminating cases where a device with multiple fingerprints or other biometric access methods can reveal corporate data to an incorrect user. In the Azure portal, open Microsoft Intune. Select Client apps > App protection policies > Add a policy > Settings. Locate the Access section for specific settings. For information about access settings, see iOS settings and Android settings.

Intune APP data transfer settings on iOS MDM enrolled devices

You can separate the control of Intune APP data transfer settings on iOS MDM enrolled devices from specifying the enrolled user's identity, also known as the User Principal Name (UPN). Admins not using the IntuneMAMUPN will not observe a behavior change. When this functionality is available, admins using the IntuneMAMUPN to control data transfer behavior on enrolled devices should review the new settings and update their APP settings as needed.

Windows 10 Win32 apps

You can configure your Win32 apps to be installed in user context for individual users, versus installing the app for all users of the device.

Windows Win32 apps and PowerShell scripts

End users are no longer required to be logged in on the device to install Win32 apps or execute PowerShell scripts.

Troubleshooting client app installation

You can troubleshoot the installation success of client apps by reviewing the column labeled App install in the Troubleshoot blade. To view the Troubleshoot blade, in the Intune portal, select Troubleshoot under Help and support.

Device configuration

Network access control support on iOS VPN clients

With this update, there's a new setting to enable Network Access Control (NAC) when your create a VPN configuration profile for Cisco AnyConnect, F5 Access, and Citrix SSO for iOS. This setting allows the NAC ID of the device to be included in the VPN profile. Currently, there aren't any VPN clients or NAC partner solutions that support this new NAC ID, but we will keep you informed through our support blog post when they do.

To use NAC, you'll need to:

  1. Opt in to allow Intune to include device IDs in VPN profiles
  2. Update your NAC provider software/firmware, using guidance directly from your NAC provider

For information on this setting within an iOS VPN profile, see Add VPN settings on iOS devices in Microsoft Intune. For more information on network access control, see Network access control (NAC) integration with Intune.

Applies to: iOS

Remove an email profile from a device, even when there's only one email profile

Previously, you couldn't remove an email profile from a device if it's the only email profile. With this update, this behavior changes. Now, you can remove an email profile, even if it's the only email profile on the device. See Add email settings to devices using Intune for details.

PowerShell scripts and AAD

PowerShell scripts in Intune can be targeted to AAD device security groups.

New "Required password type" default setting for Android, Android enterprise

When you create a new compliance policy (Intune > Device compliance > Policies > Create policy > Android or Android enterprise for Platform > System Security), the default value for Required password type changes:

From: Device default To: At least numeric

Applies to: Android, Android Enterprise

To see these settings, go to Android and Android Enterprise.

Use a pre-shared key in a Windows 10 Wi-Fi profile

With this update, you can use a pre-shared key (PSK) with the WPA/WPA2-Personal security protocol to authenticate a Wi-Fi configuration profile for Windows 10. You can also specify the cost configuration for a metered network for devices on Windows 10 October 2018 update.

Currently, you must import a Wi-Fi profile, or create a custom profile to use a pre-shared key. Wi-Fi settings for Windows 10 lists the current settings.

Remove PKCS and SCEP certificates from your devices

In some scenarios, PKCS and SCEP certificates remained on devices, even when removing a policy from a group, deleting a configuration or compliance deployment, or an admin updating an existing SCEP or PKCS profile. This update changes the behavior. There are some scenarios where PKCS and SCEP certificates are removed from devices, and some scenarios where these certificates remain on the device. See Remove SCEP and PKCS certificates in Microsoft Intune for these scenarios.

Use Gatekeeper on macOS devices for compliance

This update includes the macOS Gatekeeper to evaluate devices for compliance. To set the Gatekeeper property, Add a device compliance policy for macOS devices.

Device enrollment

Enrollment abandonment report

A new report that provides details on abandoned enrollments is available under Device enrollment > Monitor. For more information, see Company portal abandonment report.

Assign Autopilot profiles to the All devices virtual group

You'll be able to assign Autopilot profiles to the All devices virtual group. To do so, choose Device enrollment > Windows enrollment > Deployment Profiles > choose a profile > Assignments > under Assign to choose All devices. For more information about Autopilot profiles, see Enroll Windows devices by using Windows Autopilot.

New Azure Active Directory terms of use feature

Azure Active Directory has a terms of use feature that you can use instead of existing Intune terms and conditions. The Azure AD terms of use feature provides more flexibility on which terms to show and when to show them, better localization support, more control in how terms are rendered and improved reporting. The Azure AD terms of use feature does require Azure Active Directory Premium P1 which is also part of the Enterprise Mobility + Security E3 suite. To learn more, see the Manage your company's terms and conditions for user access article.

Android Device Owner mode support

For Samsung Knox Mobile Enrollment, Intune now supports enrolling devices to the Android Device Owner mode of management. Users on WiFi or cellular networks can enroll with just a few taps when they turn on their devices for the first time. For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.

Device management

Group Windows Autopilot-enrolled devices by correlator ID

Intune now supports grouping Windows devices by a correlator ID when enrolled using Autopilot for existing devices through Configuration Manager. The correlator ID is a parameter of the Autopilot configuration file. Intune will automatically set the Azure AD device attribute enrollmentProfileName to equal "OfflineAutopilotprofile-". This allows arbitrary Azure AD dynamic groups to be created based off correlator ID via the enrollmentprofileName attribute for offline Autopilot enrollments. For more information, see Windows Autopilot for existing devices.

Intune app protection policies

Intune app protection policies allow you to configure various data protection settings for Intune protected apps, such as Microsoft Outlook and Microsoft Word. We’ve change the look and feel of these settings for both iOS and Android to make it easier to find individual settings. There are three categories of policy settings:

  • Data relocation - This group includes the data loss prevention (DLP) controls, like cut, copy, paste, and save-as restrictions. These settings determine how users interact with data in the apps.
  • Access requirements - This group contains the per-app PIN options that determine how the end user accesses the apps in a work context.
  • Conditional launch - This group holds settings like the minimum OS settings, jailbreak and rooted device detection, and offline grace periods.

The functionality of the settings doesn’t change, but it will be easier to find them when you work in the policy authoring flow.

New Intune device subscription SKU !--3312071-->

To help lower the cost of managing devices in enterprises, a new device-based subscription SKU is now available. This Intune device SKU is licensed per device on a monthly basis. Price varies by the licensing program. It's available in Direct Channel, Enterprise Agreement (EA), Microsoft Products and Services Program (MPSA), and Open and Cloud Solution Provider (CSP).

Intune apps

Intune will support a maximum package size of 8 GB for LOB apps

Intune increased the maximum package size to 8 GB for Line-of-business (LOB) apps. For more information, see Add apps to Microsoft Intune.

Add custom brand image for Company Portal app

As the Microsoft Intune admin, you can upload a custom brand image which will be displayed as a background image on the user's profile page in the iOS Company Portal app. For more information about configuring the Company Portal app, see How to configure the Microsoft Intune Company Portal app.

Intune will maintain the Office localized language when updating Office on end users machines

When Intune installs Office on your end user's machines, end users automatically get the same language packs that they had with previous .MSI Office installations. For more information, see Assign Office 365 apps to Windows 10 devices with Microsoft Intune.

Monitor and troubleshoot

New Intune Support Experience in the Microsoft 365 Device Management portal

We are rolling out a new Help and Support experience for Intune in the Microsoft 365 Device Management portal. The new experience lets you describe your problem in your own words and receive troubleshooting insight and web-based remediation content. These solutions are offered via a rule-based machine learning algorithm, driven by user inquiries.

In addition to issue-specific guidance, you can also use the new case creation workflow to open a support case by email or phone.

For customers who are part of the rollout, this new experience replaces the current Help and Support experience of a static set of pre-selected options that are based on the area of the console you are in when you open Help and Support.

This new Help and Support experience is being rolled out to some but not all tenants and is available in the Device Management portal. Participants for this new experience are randomly selected from the available Intune tenants. New tenants will be added as we expand the rollout.

For more information, see New Help and Support experience in How to get support for Microsoft Intune.

PowerShell module for Intune – Preview available

A new PowerShell module, which provides support for the Intune API through Microsoft Graph, is now available for preview on GitHub. For details about how to use this module, see the README in that location.

Week of October 15, 2018

PIN prompt when you change fingerprints or face ID on an iOS device

Users are now prompted for a PIN after making biometric changes on their iOS device. This includes changes to registered fingerprints or face ID. The timing of the prompt depends on how the configuration of the Recheck access requirements after (minutes) timeout. When no PIN is set, the user is prompted to set one.

This feature is only available for iOS, and requires the participation of applications that integrate the Intune APP SDK for iOS, version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be enforced on the targeted applications. This integration happens on a rolling basis and is dependent on the specific application teams. Some apps that participate include WXP, Outlook, Managed Browser, and Yammer.

Week of October 1, 2018

App management

Access to key profile properties using the company portal app

End users can now access key account properties and actions, such as password reset, from the Company portal app.

3rd-party keyboards can be blocked by APP settings on iOS

On iOS devices, Intune admins can block the use of 3rd-party keyboards when accessing organization data in policy protected apps. When the Application Protection Policy (APP) is set to block 3rd-party keyboards, the device user receives a message the first time they interact with corporate data when using a 3rd-party keyboard. All options, other than the native keyboard, are blocked and device users will not see them. Device users will only see the dialog message once.

User account access of Intune apps on managed Android and iOS devices

As the Microsoft Intune admin, you can control which user accounts are added to Microsoft Office applications on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices.

Outlook iOS and Android app configuration policy

You can now create an Outlook iOS and Android app configuration policy for iOS and Android for on-premises users that leverage Basic authentication with the ActiveSync protocol. Additional configuration settings will be added as they are enabled for the Outlook for iOS and Android.

Office 365 Pro Plus language packs

As the Intune admin, you will be able to deploy additional languages for Office 365 Pro Plus apps managed through Intune. The list of available languages includes the Type of language pack (core, partial, and proofing). In the Azure portal, select Microsoft Intune > Client apps > Apps > Add. In the App type list of the Add app blade, select Windows 10 under Office 365 Suite. Select Languages in the App Suite Settings blade.

Windows line-of-business (LOB) apps file extensions

The file extensions for Windows LOB apps will now include .msi, .appx, .appxbundle, .msix and .msixbundle. You can add an app in Microsoft Intune by selecting Client apps > Apps > Add. The Add app pane is displayed which allows you to select the App type. For Windows LOB apps, select Line-of-business app as the app type, select the App package file, and then enter an installation file with the appropriate extension.

Windows 10 app deployment using Intune

Building upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps, administrators can use Intune to deploy most of their organization’s existing applications to end users on Windows 10 devices. ​Administrators can add, install, and uninstall applications for Windows 10 users in a variety of formats, such as MSIs, Setup.exe, or MSP. Intune will evaluate requirement rules before downloading and installing, notifying end users of the status or reboot requirements using the Windows 10 Action Center. This functionality will effectively unblock organizations interested in shifting this workload to Intune and the cloud. This feature is currently in public preview and we expect to add significant new capabilities to the feature over the next few months.

End user device and app content menu

End users can now use the context menu on device and apps to trigger common actions like renaming a device or checking compliance.

Windows Company Portal keyboard shortcuts

End users will now be able to trigger app and device actions in the Windows Company Portal using keyboard shortcuts (accelerators).

Device configuration

Create DNS suffixes in VPN configuration profiles on devices running Windows 10

When you create a VPN device configuration profile (Device configuration > Profiles > Create profile > Windows 10 and later platform > VPN profile type), you enter some DNS settings. With this update, you can also enter multiple DNS suffixes in Intune. When using DNS suffixes, you can search for a network resource using its short name, instead of the fully qualified domain name (FQDN). This update also lets you change the order of the DNS suffixes in Intune. Windows 10 VPN settings lists the current DNS settings. Applies to: Windows 10 devices

Support for always-on VPN for Android enterprise work profiles

In this update, you can use Always-on VPN connections on Android enterprise devices with managed work profiles. Always-on VPN connections stay connected, or immediately reconnect when the user unlocks their device, when the device restarts, or when the wireless network changes. You can also put the connection in "lockdown" mode, which blocks all network traffic until the VPN connection is active. You can enable Always-on VPN in Device configuration > Profiles > Create profile > Android enterprise for platform > Device restrictions > Connectivity settings.

Issue SCEP certificates to user-less devices

Currently, certificates are issued to users. With this update, SCEP certificates can be issued to devices, including user-less devices such as kiosks (Device configuration > Profiles > Create profile > Windows 10 and later for platform > SCEP certificate for profile). Other updates include:

  • The Subject property in an SCEP profile is now a custom textbox and can include new variables.

  • The Subject alternative name (SAN) property in an SCEP profile is now a table format and can include new variables. In the table, an admin can add an attribute and fill out the value in a custom textbox. The SAN will support the following attributes:

    • DNS
    • Email address
    • UPN

    These new variables can be added with static text in a custom value textbox. For example, the DNS attribute can be added as DNS = {{AzureADDeviceId}}.domain.com.

    Note

    Curly brackets, semicolons, and pipe symbols “ { } ; | ” will not work in the static text of the SAN. Curly brackets must only enclose one of the new device certificate variables to be accepted for either Subject or Subject alternative name.

New device certificate variables:

"{{AAD_Device_ID}}",
"{{Device_Serial}}",
"{{Device_IMEI}}",
"{{SerialNumber}}",
"{{IMEINumber}}",
"{{AzureADDeviceId​}}",
"{{WiFiMacAddress}}",
"{{IMEI}}",
"{{DeviceName}}",
"{{FullyQualifiedDomainName}}",
"{{MEID}}",

Note

  • {{FullyQualifiedDomainName}} only works for Windows and domain-joined devices.
  • When specifying device properties such as IMEI, Serial Number, and Fully Qualified Domain Name in the subject or SAN for a device certificate, be aware that these properties could be spoofed by a person with access to the device.

Create a SCEP certificate profile lists the current variables when creating an SCEP configuration profile.

Applies to: Windows 10 and later and iOS, supported for Wi-Fi

Remotely lock uncompliant devices

When a device is not compliant, you can create an action on the compliance policy that locks the device remotely. In Intune > Device compliance, create a new policy, or select an existing policy > Properties. Select Actions for noncompliance > Add, and choose to remotely lock the device. Supported on:

  • Android
  • iOS
  • macOS
  • Windows 10 Mobile
  • Windows Phone 8.1 and later

Windows 10 and later Kiosk profile improvements in the Azure portal

This update includes the following improvements to the Windows 10 Kiosk device configuration profile (Device configuration > Profiles > Create profile > Windows 10 and later for platform > Kiosk preview for profile type):

  • Currently, you can create multiple kiosk profiles on the same device. With this update, Intune will support only one kiosk profile per device. If you still need multiple kiosk profiles on a single device, you can use a Custom URI.
  • In a Multi-app kiosk profile, you can select the application tile size and order for the Start menu layout in the application grid. If you prefer more customization, you can continue to upload an XML file.
  • The Kiosk Browser settings are moving into the Kiosk settings. Currently, the Kiosk web browser settings have their own category in the Azure portal. Applies to: Windows 10 and later

Device enrollment

Apply Autopilot profile to enrolled Win 10 devices not already registered for Autopilot

You can apply Autopilot profiles to enrolled Win 10 devices that have not already been registered for Autopilot. In the Autopilot profile, choose the Convert all targeted devices to Autopilot option to automatically register non-Autopilot devices with the Autopilot deployment service. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Autopilot will provision it.

Create and assign multiple Enrollment Status Page profiles to Azure AD groups

You can now create and assign multiple Enrollment Status Page profiles to Azure ADD groups.

Migration from Device Enrollment Program to Apple Business Manager in Intune

Apple Business Manager (ABM) works in Intune and you can upgrade your account from Device Enrollment Program (DEP) to ABM. The process in Intune is the same. To upgrade your Apple account from DEP to ABM, go to https://support.apple.com/en-us/HT208817.

Alert and enrollment status tabs on the Device enrollment overview page

Alerts and enrollment failures now appear on separate tabs on the Device enrollment overview page.

Device management

Restricts apps, and block access to company resources on Android devices

In Device compliance > Policies > Create policy > Android > System Security, there is a new setting under the Device Security section, named Restricted apps. The Restricted apps setting uses a compliance policy to block access to company resources if certain apps are installed on the device. The device is considered non-compliant until the restricted apps are removed from the device. Applies to:

  • Android

Week of September 24, 2018

Microsoft 365 Device Management administration center

One of the promises of Microsoft 365 is simplified administration, and over the years we’ve integrated the back-end Microsoft 365 services to deliver end-to-end scenarios such as Intune and Azure AD conditional access. The new Microsoft 365 administration center is the place to consolidate, simplify, and integrate the admin experience. The specialist workspace for Device Management provides easy access to all of the device and app management information and tasks that your organization needs. We expect this to become the primary cloud workspace for enterprise end user computing teams.

Support for more third-party certification authorities (CA)

By using the Simple Certificate Enrollment Protocol (SCEP), you can now issue new certificates and renew certificates on mobile devices using Windows, iOS, Android, and macOS.

Intune moves to support iOS 10 and later

Intune enrollment, the Company Portal, and the managed browser now only support iOS devices running iOS 10 and later. To check for devices or users that are affected in your organization, go to Intune in the Azure portal > Devices > All devices. Filter by OS and then click Columns to surface OS version details. Ask these users to upgrade their devices to a supported OS version.

If you have any of the devices listed below, or want to enroll any of the devices listed below, be aware that they only support iOS 9 and earlier. To continue to access the Intune Company Portal, you must upgrade these devices to devices that support iOS 10 or later:

  • iPhone 4S
  • iPod Touch
  • iPad 2
  • iPad (3rd Generation)
  • iPad Mini (1st Generation)

Week of September 17, 2018

App management

Remove duplication of app protection status tiles

The User status for iOS and the User status for Android tiles were present in both the Client Apps - Overview page, as well as the Client Apps - App protection status page. The status tiles have been removed from the Client Apps - Overview page to avoid duplication.

Week of August 27, 2018

App management

Packet tunnel support for iOS per-app VPN profiles for custom and Pulse Secure connection types

When using iOS per-app VPN profiles, you can choose to use app-layer tunneling (app-proxy) or packet-level tunneling (packet-tunnel). These options are available with the following connection types:

  • Custom VPN
  • Pulse Secure If you are not sure which value to use, consult your VPN provider's documentation.

Delay when iOS software updates are shown on the device

In Intune > Software Updates > Update policies for iOS, you can configure the days and times when you don't want devices to install any updates. In a future update, you'll be able to delay when a software update is visibly shown on the device, from 1-90 days. Configure iOS update policies in Microsoft Intune lists the current settings.

Office 365 ProPlus version

When assigning the Office 365 ProPlus apps to Windows 10 devices using Intune, you will be able to select the version of Office. In the Azure portal, select Microsoft Intune > Apps > Add App. Then, select Office 365 ProPlus Suite (Windows 10) from the Type dropdown list. Select App Suite Settings to display the associated blade. Set the Update Channel to a value, such as Monthly. Optionally, remove other version of Office (msi) from end user devices by selecting Yes. Select Specific to install a specific version of Office for the selected channel on end user devices. At this point, you can select the Specific version of Office to use. The available versions will change over time. Therefore, when creating a new deployment, the versions available may be newer and not have certain older versions available. Current deployments will continue to deploy the older version, but the version list will be continually updated per channel. For more information, see Overview of update channels for Office 365 ProPlus.

Support for Register DNS setting for Windows 10 VPN

With this update, you can configure Windows 10 VPN profiles to dynamically register the IP addresses assigned to the VPN interface with the internal DNS, without needing to use custom profiles. For information about the current VPN profile settings available, see Windows 10 VPN settings.

The macOS Company Portal installer now includes the version number in the installer file name

iOS automatic app updates

Automatic app updates work for both device and user licensed apps for iOS Version 11.0 and above.

Device configuration

Windows Hello will target users and devices

When you create a Windows Hello for Business policy, it applies to all users within the organization (tenant-wide). With this update, the policy can also be applied to specific users or specific devices using a device configuration policy (Device Configuration > Profiles > Create profile > Identity Protection > Windows Hello for Business). In Intune in the Azure portal, the Windows Hello configuration and settings now exists in both Device enrollment and Device configuration. Device enrollment targets the entire organization (tenant-wide), and supports Windows AutoPilot (OOBE). Device configuration targets devices and users using a policy that's applied during check-in. This feature applies to:

  • Windows 10 and later
  • Windows Holographic for Business

Zscaler is an available connection for VPN profiles on iOS

When you create an iOS VPN device configuration profile (Device configuration > Profiles > Create profile > iOS platform > VPN profile type), there are several connection types, including Cisco, Citrix, and more. This update adds Zscaler as a connection type. VPN settings for devices running iOS lists the available connection types.

FIPS mode for Enterprise Wi-Fi profiles for Windows 10

You can now enable Federal Information Processing Standards (FIPS) mode for Enterprise Wi-Fi profiles for Windows 10 in the Intune Azure portal. Be sure FIPS mode is enabled on your Wi-Fi infrastructure if you enable it in your Wi-Fi profiles. Wi-Fi settings for Windows 10 and later devices in Intune shows you how to create a Wi-Fi profile.

Control S-mode on Windows 10 and later devices - public preview

With this feature update, you can create a device configuration profile that switches a Windows 10 device out of S-mode, or prevent users from switching the device out of S-mode. This feature is in Intune > Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch. Introducing Windows 10 in S mode provides more information on S mode. Applies to: the most recent Windows Insider build (while in preview).

Windows Defender ATP configuration package automatically added to configuration profile

When using Advanced Threat Protection and onboarding devices in Intune, you previously had to download a configuration package, and add it to your configuration profile. With this update, Intune automatically gets the package from Windows Defender Security Center, and adds it to your profile. Applies to Windows 10 and later.

Require users to connect during device setup

You can now set device profiles to require that the device connects to a network before proceeding past the Network page during Windows 10 setup. While this feature is in preview, a Windows Insider build 1809 or later is required to use this setting. Applies to: the most recent Windows Insider build (while in preview).

Restricts apps, and block access to company resources on iOS and Android Enterprise devices

In Device compliance > Policies > Create policy > iOS > System Security, there is a new Restricted applications setting. This new setting uses a compliance policy to block access to company resources if certain apps are installed on the device. The device is considered non-compliant until the restricted apps are removed from the device. Applies to: iOS

Modern VPN support updates for iOS

This update adds support the following iOS VPN clients:

  • F5 Access (version 3.0.1 and higher)
  • Citrix SSO
  • Palo Alto Networks GlobalProtect version 5.0 and higher Also in this update:
  • Existing F5 Access connection type is renamed to F5 Access Legacy for iOS.
  • Existing Palo Alto Networks GlobalProtect connection type is renamed to Palo Alto Networks GlobalProtect (legacy) for iOS. Existing profiles with these connection types continue to work with their respective legacy VPN client. If you're using Cisco Legacy AnyConnect, F5 Access Legacy, Citrix VPN, or Palo Alto Networks GlobalProtect version 4.1 and earlier with iOS, you should move to the new apps. Do this as soon as possible to ensure that VPN access is available for iOS devices as they update to iOS 12. For more information about iOS 12 and VPN profiles, see the Microsoft Intune Support Team Blog.

Export Azure classic portal compliance policies to recreate these policies in the Intune Azure portal

Compliance policies created in the Azure classic portal will be deprecated. You can review and delete any existing compliance policies, however you can't update them. If you need to migrate any compliance policies to the current Intune Azure portal, you can export the policies as a comma-separated file (.csv file). Then, use the details in the file to recreate these policies in the Intune Azure portal.

Important

When the Azure classic portal retires, you will no longer be able to access or view your compliance policies. Therefore, be sure to export your policies and recreate them in the Azure portal before the Azure classic portal retires.

Better Mobile - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Better Mobile, a Mobile Threat Defense solution that integrates with Microsoft Intune.

Device enrollment

Lock the Company Portal in single app mode until user sign-in

You now have the option to run the Company Portal in Single App mode if you authenticate a user through the Company Portal instead of Setup Assistant during DEP enrollment. This option locks the device immediately after Setup Assistant completes so that a user must sign in to access the device. This process makes sure that the device completes onboarding and is not orphaned in a state without any user tied.

Assign a user and friendly name to an Autopilot device

You can now assign a user to a single Autopilot device. Admins will also be able to give friendly names to greet the user when setting up their device with Autopilot. Applies to: the most recent Windows Insider build (while in preview).

Use VPP device licenses to pre-provision the Company Portal during DEP enrollment

You can now use Volume Purchase Program (VPP) device licenses to pre-provision the Company Portal during Device Enrollment Program (DEP) enrollments. To do so, when you create or edit an enrollment profile, specify the VPP token that you want to use to install the Company Portal. Make sure that your token doesn't expire and that you have enough licenses for the Company Portal app. In cases where the token expires or runs out of licenses, Intune will push the App Store Company Portal instead (this will prompt for an Apple ID).

Confirmation required to delete VPP token that is being used for Company Portal pre-provisioning

A confirmation is now required to delete a Volume Purchase Program (VPP) token if it is being used to pre-provision the Company Portal during DEP enrollment.

Block Windows personal device enrollments

You can block Windows personal devices from enrolling with mobile device management in Intune. Devices enrolled with Intune PC agent can't be blocked with this feature. This feature is rolling out over the next couple weeks so you might not see it immediately in the user interface.

Specify machine name patterns in an Autopilot profile

You can specify a computer name template to generate and set the computer name during Autopilot enrollment. Applies to: the most recent Windows Insider build (while in preview).

For Windows Autopilot profiles, hide the change account options on the company sign-in page and domain error page

There are new Windows Autopilot profile options for admins to hide the change account options on the company sign-in and domain error pages. Hiding these options requires Company Branding to be configured in Azure Active Directory. Applies to: the most recent Windows Insider build (while in preview).

Device management

Delete Jamf devices

You can delete JAMF-managed devices by going to Devices > choose the Jamf device > Delete.

Change terminology to "retire" and "wipe"

To be consistent with the Graph API, the Intune user interface and documentation has changed the following terms:

  • Remove company data will be changed to "retire"
  • Factory reset will be changed to wipe

Confirmation dialog if admin tries to delete MDM Push Certificate

If anyone tries to delete an Apple MDM Push certificate, a confirmation dialog box displays the number of related iOS and macOS devices. If the certificate is deleted, these devices will need to be re-enrolled.

Additional security settings for Windows installer

You can allow users to control app installs. If enabled, installations that may otherwise be stopped due to a security violation would be permitted to continue.​ You can direct the Windows installer to use elevated permissions when it installs any program on a system.​ Additionally, you can enabled Windows Information Protection (WIP) items to be indexed and the metadata about them stored in an unencrypted location. When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. The functionality for these options are disabled by default.

New user experience update for the Company Portal website

We’ve added new features, based on feedback from customers, to the Company Portal website. You'll experience a significant improvement in existing functionality and usability from your devices. Areas of the site–such as device details, feedback and support, and device overview–have received a new, modern, responsive design. You'll also see:

  • Streamlined workflows across all device platforms
  • Improved device identification and enrollment flows
  • More helpful error messages
  • Friendlier language, less tech jargon
  • Ability to share direct links to apps
  • Improved performance for large app catalogs
  • Increased accessibility for all users

The Intune Company Portal website documentation has been updated to reflect these changes. To view an example of the app enhancements, see UI updates for Intune end-user apps.

Monitor and troubleshoot

Enhanced jailbreak detection in compliance reporting

The enhanced jailbreak detection setting states now appears in all compliance reporting in the admin console.

Role-based access control

Scope tags for policies

You can create scope tags to limit access to Intune resources. Add a scope tag to a role assignment and then add the scope tag to a configuration profile. The role will only have access to resources with configuration profiles that have matching scope tags (or no scope tag).

Week of August 14, 2018

macOS support for Apple Device Enrollment Program

Intune now supports enrolling macOS devices into the Apple Device Enrollment Program (DEP). For more information, see Automatically enroll macOS devices with Apple's Device Enrollment Program.

Week of July 23, 2018

App management

Line-of-business (LOB) app support for macOS

Microsoft Intune allows macOS LOB apps to be deployed as Required or Available with enrollment. End users can get apps deployed as Available using the Company Portal for macOS or the Company Portal website.

iOS built-in app support for kiosk mode

In addition to Store Apps and Managed Apps, you can now select a Built-In App (such as Safari) that runs in kiosk mode on an iOS device.

Edit your Office 365 Pro Plus app deployments

As the Microsoft Intune admin, you have greater ability to edit your Office 365 Pro Plus app deployments. Additionally, you no longer have to delete your deployments to change any of the suite’s properties. In the Azure portal, select Microsoft Intune > Client apps > Apps. From the list of apps, select your Office 365 Pro Plus Suite.

Updated Intune App SDK for Android is now available

An updated version of the Intune App SDK for Android is available to support the Android P release. If you are an app developer and use the Intune SDK for Android, you must install the updated version of the Intune app SDK to ensure that Intune functionality within your Android apps continue to work as expected on Android P devices. This version of the Intune App SDK provides a built-in plugin that performs the SDK updates. You do not need to rewrite any existing code that’s integrated. For details, see Intune SDK for Android. If you are using the old badging style for Intune, we recommend that you use the briefcase icon. For branding details, see this GitHub repository.

Device configuration

Use S/MIME to encrypt and sign a user's multiple devices

This update includes S/MIME email encryption using a new imported certificate profile (Device configuration > Profiles > Create profile > select the platform > PKCS imported certificate profile type). In Intune, you can import certificates in PFX format. Intune can then deliver those same certificates to multiple devices enrolled by a single user. This also includes:

  • The native iOS email profile supports enabling S/MIME encryption using imported certificates in PFX format.
  • The native mail app on Windows Phone 10 devices automatically use the S/MIME certificate.
  • The private certificates can be delivered across multiple platforms. But, not all email apps support S/MIME.
  • On other platforms, you may need to manually configure the mail app to enable S/MIME.
  • Email apps that support S/MIME encryption may handle retrieving certificates for S/MIME email encryption in a way that an MDM cannot support, such as reading from their publisher's certificate store.

Supported on: Windows, Windows Phone 10, macOS, iOS, Android

Create device compliance policy using Firewall settings on macOS devices

When you create a new macOS compliance policy (Device compliance > Policies > Create policy > Platform: macOS > System security), there are some new Firewall settings available:

  • Firewall: Configure how incoming connections are handled in your environment.
  • Incoming connections: Block all incoming connections except those required for basic internet services, such as DHCP, Bonjour, and IPSec. This setting also blocks all sharing services.
  • Stealth Mode: Enable stealth mode to prevent the device from responding to probing requests. The device continues to answer incoming requests for authorized apps.

Applies to: macOS 10.12 and later

New Wi-Fi device configuration profile for Windows 10 and later

Currently, you can import and export Wi-Fi profiles using XML files. With this update, you can create a Wi-Fi device configuration profile directly in Intune, just like some other platforms.

To create the profile, open Device configuration > Profiles > Create Profile > Windows 10 and later > Wi-Fi.

Applies to Windows 10 and later.

Kiosk - obsolete is grayed out, and can't be changed

The Kiosk feature (Device configuration > Profiles > Create profile > Windows 10 and later > Device restrictions) is obsolete, and replaced with Kiosk settings for Windows 10 and later. With this update, the Kiosk - Obsolete feature is grayed out, and the user interface can't be changed or updated.

To enable kiosk mode, see Kiosk settings for Windows 10 and later.

Applies to Windows 10 and later, Windows Holographic for Business

APIs to use 3rd party certification authorities

In this update, there is a Java API that enables third-party certificate authorities to integrate with Intune and SCEP. Then, users can add the SCEP certificate to a profile, and apply it to devices using MDM.

Currently, Intune supports SCEP requests using Active Directory Certificate Services.

Toggle to show or not show the End Session button on a Kiosk browser

You can now configure whether or not Kiosk browsers show the End Session button. You can see the control at Device configuration > Kiosk (preview) > Kiosk Web Browser. If turned on, when a user clicks the button, the app prompts for confirmation to end the session. When confirmed, the browser clears all browsing data and navigates back to the default URL.

Create an eSIM cellular configuration profile

In Device configuration, you can create an eSIM cellular profile. You can import a file that contains cellular activation codes provided by your mobile operator. You can then deploy these profiles to your eSIM LTE enabled Windows 10 devices, such as the Surface Pro LTE and other eSIM capable devices.

Check to see if your devices support eSIM profiles.

Applies to Windows 10 and later.

Device enrollment

Automatically mark Android devices enrolled by using Samsung Knox Mobile Enrollment as "corporate".

By default, Android devices enrolled using Samsung Knox Mobile Enrollment are now marked as corporate under Device Ownership. You don't need to manually identify corporate devices using IMEI or serial numbers prior to enrolling using Knox Mobile Enrollment.

Device management

Bulk delete devices on devices blade

You can now delete multiple devices at a time on the Devices blade. Choose Devices > All devices > select the devices you want to delete > Delete. For devices that can't be deleted, an alert will be displayed.

Week of July 16, 2018

More opportunities to sync in the Company portal app for Windows

The Company Portal app for Windows now lets you initiate a sync directly from the Windows taskbar and Start menu. This feature is especially useful if your only task is to sync devices and get access to corporate resources. To access the new feature, right-click the Company portal icon that's pinned to your taskbar or Start menu. In the menu options (also referred to as a jump list), select Sync this device. The Company Portal will open to the Settings page and initiate your sync. For a look at the new functionality see What's new in the UI.

New browsing experiences in the Company portal app for Windows

Now when browsing or searching for apps in the Company Portal app for Windows, you can toggle between the existing Tiles view and the newly added Details view. The new view lists application details such as name, publisher, publication date and installation status.

The Apps page's Installed view lets you see details about completed and in-progress app installations. To see what the new view looks like, see What's new in the UI.

Improved Company Portal app experience for device enrollment managers

When a device enrollment manager (DEM) signs in to the Company Portal app for Windows, the app will now only list the DEM's current, running device. This improvement will reduce timeouts that previously occurred when the app tried to show all DEM-enrolled devices.

Week of July 9, 2018

App management

Block app access based on unapproved device vendors and models

The Intune IT admin can enforce a specified list of Android manufacturers, and/or iOS models through Intune App Protection Policies. The IT admin can provide a semicolon separated list of manufacturers for Android policies and device models for iOS policies. Intune App Protection Policies are for Android and iOS only. There are two separate actions that can be performed on this specified list:

  • A block from app access on devices that are not specified.
  • Or, a selective wipe of corporate data on devices that are not specified.

The user will be unable to access the targeted application if the requirements through the policy are not met. Based on settings, the user may either be blocked, or selectively wiped of their corporate data within the app. On iOS devices, this feature requires the participation of applications (such as WXP, Outlook, Managed Browser, Yammer) to integrate the Intune APP SDK for this feature to be enforced with the targeted applications. This integration happens on a rolling basis and is dependent on the specific application teams. On Android, this feature requires the latest Company Portal.

On end-user devices, the Intune client will take action based on a simple matching of the strings specified in the Intune blade for Application Protection Policies. This depends entirely on the value that the device reports. As such, the IT administrator is encouraged to ensure that the intended behavior is accurate. This can be accomplished by testing this setting based on a variety of device manufacturers and models targeted to a small user group. In Microsoft Intune, select Client apps > App protection policies to view and add app protection policies. For more information about app protection policies, see What are app protection policies and Selectively wipe data using app protection policy access actions in Intune.

Access to macOS Company Portal pre-release build

Using Microsoft AutoUpdate, you can sign up to receive builds early by joining the Insider program. Signing up will enable you to use the updated Company Portal before it’s available to your end users. For more information, see the Microsoft Intune blog.

Week of July 2, 2018

App management

Monitor iOS app configuration status per device

As the Microsoft Intune admin, you can monitor iOS app configuration status for each managed device. From Microsoft Intune in the Azure portal, select Devices > All devices. From the list of managed devices, select a specific device to display a blade for the device. On the device blade, select App configuration.

Access actions for app protection policies

You can configure app protection policies to explicitly wipe, block, or warn non-compliant devices. The wipe action removes your company’s corporate data from a device. If a wipe occurs, the device's user is notified of both the reason for the wipe and remediation steps. For some settings, like minimum OS version, you will be able to apply multiple actions, such as block and wipe. Note that these actions are triggered when the app is launched.

Selective wipe of organization's app data

Administrators can now configure a selective wipe of the organization's data as a new action when the conditions of Application Protection Policies (APP) Access settings are not met. This feature helps administrators automatically protect and remove sensitive organization data from applications based on pre-configured criteria.

Revoking an iOS app purchased through VPP

As the Microsoft Intune admin, you can revoke all the licenses for a selected iOS app purchased through the volume-purchase program (VPP). You can notify users when a user licensed app is no longer assigned to them. Revoking an app license will not uninstall the related VPP app from the device. To uninstall a VPP app, you must change the assignment action to Uninstall. The reclaimed license count will be reflected in Licensed Apps node in the App workload of Intune. For more information related to iOS VPP apps, see How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.

Updates to out-of-compliance messages in Company Portal app

We revised the messages that device users see when a device is out-of-compliance. Messages retain their original meanings but have been updated with friendlier language and less technical jargon. We also refreshed links to documentation and remediation steps to keep them up-to-date. The following before and after text is one example of the improvements in messaging you'll see:

  • Before: This device hasn’t contacted the Intune service in the specified time period required by your IT admin. To resolve this issue, please open the company portal app on your device and click on the Check Compliance button.
  • After: Your device has not checked in with your organization in a while. To reestablish a connection, open the Company Portal app on your device and tap Check Settings for your device.

Revoke iOS VPP app license

As the admin, you can reclaim an iOS VPP app license assigned to a user or device. Uninstalling an iOS VPP app will also allow you to reclaim the app license. Before uninstalling the app, the user or the device needs to be removed from the group to which the app is targeted. Removing the user or the device from the group avoids a reinstall of the app. Once these steps are complete, you can choose to assign the app license to another user or device. For more information about iOS VPP app licenses, see Manage iOS volume-purchased apps in Microsoft Intune.

Device configuration

Select device categories by using the Access Work or School settings

If you've enabled device group mapping, users on Windows 10 will now be prompted to select a device category after enrolling through the Connect button in Settings > Accounts > Access work or school.

Use sAMAccountName as the account username for email profiles

You can use the on-premises sAMAccountName as the account username for email profiles for Android, iOS, and Windows 10. You can also get the domain from the domain or ntdomain attribute in Azure Active Directory (Azure AD). Or, enter a custom static domain.

To use this feature, you must sync the sAMAccountName attribute from your on-premises Active Directory environment to Azure AD.

Applies to Android, iOS, Windows 10 and later

See device configuration profiles in conflict

In Device Configuration, a list of the existing profiles is shown. With this update, a new column is added that provides details on profiles that have a conflict. You can select a conflicting row to see the setting and profile that has the conflict.

More on manage configuration profiles.

New status for devices in device compliance

In Device compliance > Policies > select a policy > Overview, the following new states are added:

  • succeeded
  • error
  • conflict
  • pending
  • not-applicable An image that shows the device count of a different platform is also shown. For example, if you're looking at an iOS profile, the new tile shows the count of non-iOS devices that are also assigned to this profile. See Device compliance policies.

Device compliance supports 3rd party anti-virus solutions

When you create a device compliance policy (Device compliance > Policies > Create policy > Platform: Windows 10 and later > Settings > System Security), there are new Device Security options:

  • Antivirus: When set to Require, you can check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Windows Defender.
  • AntiSpyware: When set to Require, you can check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Windows Defender.

Applies to: Windows 10 and later

Device enrollment

Devices without profiles column in the list of enrollment program tokens

In the enrollment program tokens list, there is a new column showing the number of devices without a profile assigned. This helps admins assign profiles to these devices before handing them out to users. To see the new column, go to Device enrollment > Apple enrollment > Enrollment program tokens.

Device management

Google name changes for Android for Work and Play for Work

Intune has updated "Android for Work" terminology to reflect Google branding changes. The terms "Android for Work" and "Play for Work" are no longer be used. Different terminology is used depending on the context:

  • "Android enterprise" refers to the overall modern Android management stack.
  • "Work profile" or "Profile Owner" refers to BYOD devices managed with work profiles.
  • "Managed Google Play" refers to the Google app store.

Rules for removing devices

New rules are available that let you automatically remove devices that haven't checked in for a number of days that you set. To see the new rule, go to the Intune pane, select Devices, and select Device cleanup rules.

Corporate-owned, single use support for Android devices

Intune now supports highly-managed, locked-down, kiosk-style Android devices. This allows admins to further lock down the usage of a device to a single app or small set of apps, and prevents users from enabling other apps or performing other actions on the device. To set up Android kiosk, go to Intune > Device enrollment > Android enrollment > Kiosk and task device enrollments. For more information, see Set up enrollment of Android enterprise kiosk devices.

Per-row review of duplicate corporate device identifiers uploaded

When uploading corporate IDs, Intune now provides a list of any duplicates and gives you the option to replace or keep the existing information. The report will appear if there are duplicates after you choose Device enrollment > Corporate Device Identifiers > Add Identifiers.

Manually add corporate device identifiers

You can now manually add corporate device IDs. Choose Device enrollment > Corporate Device Identifiers > Add.

Week of June 25, 2018

Pradeo - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Pradeo, a Mobile Threat Defense solution that integrates with Microsoft Intune.

Week of June 18, 2018

Microsoft Edge mobile support for Intune app protection policies

The Microsoft Edge browser for mobile devices now supports app protection policies defined in Intune.

Week of June 11, 2018

Use FIPS mode with the NDES Certificate connector

When you install the NDES Certificate connector on a computer with Federal Information Processing Standard (FIPS) mode enabled, issuing and revoking certificates didn't work as expected. With this update, support for FIPS is included with the NDES Certificate connector.

This update also includes:

  • The NDES Certificate connector requires .NET 4.5 Framework, which is automatically included with Windows Server 2016 and Windows Server 2012 R2. Previously, .NET 3.5 Framework was the minimum required version.
  • TLS 1.2 support is included with the NDES Certificate connector. So if the server with NDES Certificate connector installed supports TLS 1.2, then TLS 1.2 is used. If the server doesn't support TLS 1.2, then TLS 1.1 is used. Currently, TLS 1.1 is used for authentication between the devices and server.

For more information, see Configure and use SCEP certificates and Configure and use PKCS certificates.

Week of June 4, 2018

App management

Retrieve the associated app user model ID (AUMID) for Microsoft Store for Business apps in kiosk mode

Intune can now retrieve the app user model ids (AUMIDs) for Microsoft Store for Business (WSfB) apps to provide improved configuration of the kiosk profile.

For more information about Microsoft Store for Business apps, see Manage apps from Microsoft Store for Business.

New Company Portal branding page

The Company Portal branding page has a new layout, messages, and tooltips.

Device configuration

Support for Palo Alto Networks GlobalProtect VPN profiles

With this update, you can choose Palo Alto Networks GlobalProtect as a VPN connection type for VPN profiles in Intune (Device configuration > Profiles > Create profile > Profile type > VPN). In this release, the following platforms are supported:

  • iOS
  • Windows 10

Additions to Local Device Security Options settings

You can now configure additional Local Device Security Options settings for Windows 10 devices. Additional settings are available in the areas of Microsoft Network Client, Microsoft Network Server, Network access and security, and Interactive logon. Find these settings in the Endpoint Protection category when you create a Windows 10 device configuration policy.

Enable kiosk mode on Windows 10 devices

On Windows 10 devices, you can create a configuration profile and enable kiosk mode (Device Configuration > Profiles > Create profile > Windows 10 > Device Restrictions > Kiosk). In this update, the Kiosk (preview) setting is renamed to Kiosk (obsolete). Kiosk (obsolete) is no longer recommended for use, but will continue to function until the July update. Kiosk (obsolete) is replaced by the new Kiosk profile type (Create profile > Windows 10 > Kiosk (preview)), which will contain the settings to configure Kiosks on Windows 10 RS4 and later.

Applies to Windows 10 and later.

Device profile graphical user chart is back

While improving the numeric counts shown on the device profile graphical chart (Device configuration > Profiles > select an existing profile > Overview), the graphical user chart was temporarily removed.

With this update, the graphical user chart is back, and shown in the Azure portal.

Device enrollment

Support for Windows Autopilot enrollment without user authentication

Intune now supports Windows Autopilot enrollment without user authentication. This is a new option in the Windows Autopilot deployment profile "Autopilot Deployment mode" set to "Self-Deploying". The device must be running Windows 10 Insider Preview Build 17672 or later and possess a TPM 2.0 chip to successfully complete this type of enrollment. Since no user authentication is required, you should only assign this option to devices that you have physical control over.

New language/region setting when configuring OOBE for Autopilot

A new configuration setting is available to set the language and region for Autopilot profiles during the Out of Box Experience. To see the new setting, choose Device enrollment > Windows enrollment > Deployment profiles > Create profile > Deployment mode = Self-deploying > Defaults configured.

New setting for configuring device keyboard

A new setting will be available to configure the keyboard for Autopilot profiles during the Out of Box Experience. To see the new setting, choose Device enrollment > Windows enrollment > Deployment profiles > Create profile > Deployment mode = Self-deploying > Defaults configured.

Autopilot profiles moving to group targeting

AutoPilot deployment profiles can be assigned to Azure AD groups containing AutoPilot devices.

Device management

Set compliance by device location

In some situations, you may want to restrict access to corporate resources to a specific location, defined by a network connection. You can now create a compliance policy (Device compliance > Locations) based on the IP address of the device. If the device moves outside the IP range, then the device cannot access corporate resources.

Applies to: Android devices 6.0 and higher, with the updated Company Portal app

Prevent consumer apps and experiences on Windows 10 Enterprise RS4 Autopilot devices

You will be able to prevent the installation of consumer apps and experiences on your Windows 10 Enterprise RS4 AutoPilot devices. To see this feature, go to Intune > Device configuration > Profiles > Create profile > Platform = Windows 10 or later > Profile type = Device restrictions > Configure > Windows Spotlight > Consumer features.

Uninstall the latest from Windows 10 software updates

Should you discover a breaking issue on your Windows 10 machines, you can choose to uninstall (rollback) the latest feature update or the latest quality update. Uninstalling a feature or quality update is only available for the servicing channel the device is on. Uninstalling will trigger a policy to restore the previous update on your Windows 10 machines. For feature updates specifically, you can limit the time from 2-60 days that an uninstall of the latest version can be applied. To set software update uninstall options, select Software updates from the Microsoft Intune blade within the Azure portal. Then, select Windows 10 Update Rings from the Software updates blade. You can then choose the Uninstall option from the Overview section.

Search all devices for IMEI and serial number

You can now search for IMEI and serial numbers on the All devices blade (email, UPN, device name, and management name are still available). In Intune, choose Devices > All devices > enter your search in the search box.

Management name field will be editable

You can now edit the management name field on a device’s Properties blade. To edit this field, choose Devices > All devices > choose the device > Properties. You can use the management name field to uniquely identify a device.

New All devices filter: Device category

You can now filter the All devices list by device category. To do so, choose Devices > All devices > Filter > Device category.

Use TeamViewer to screen share iOS and MacOS devices

Administrators can now connect to TeamViewer, and start a screen sharing session with iOS and macOS devices. iPhone, iPad, and macOS users can share their screens live with any other desktop or mobile device.

Multiple Exchange Connector support

You're no longer limited to one Microsoft Intune Exchange Connector per tenant. Intune now supports multiple Exchange Connectors so that you can set up Intune conditional access with multiple on-premises Exchange organizations.

With an Intune on-premises Exchange connector, you can manage device access to your on-premises Exchange mailboxes based on whether a device is enrolled in Intune and complies with Intune device compliance policies. To set up a connector, you download the Intune on-premises Exchange connector from the Azure portal and install it on a server in your Exchange organization. On the Microsoft Intune dashboard, choose On-premises access, and then under Setup, choose Exchange ActiveSync connector. Download the Exchange on-premises connector and install it on a server in your Exchange organization. Now that you're no longer limited to one Exchange connector per tenant, if you have additional Exchange organizations, you can follow this same process to download and install a connector for each additional Exchange organization.

New device hardware detail: CCID

The Chip Card Interface Device (CCID) information is now included for each device. To see it, choose Devices > All devices > choose a device > Hardware> check under Network details>

Assign all users and all devices as scope groups

You can now assign all users, all devices, and all users and all devices in scope groups. To do this, choose Intune roles > All roles > Policy and profile manager > Assignments > choose an assignment > Scope (groups).

UDID information now included for iOS and macOS devices

To see the Unique Device Identifier (UDID) for iOS and macOS devices, go to Devices > All devices > choose a device > Hardware. UDID is only available for corporate devices (as set under Devices > All devices > choose a device > Properties > Device ownership).

Intune apps

Improved troubleshooting for app installation

On Microsoft Intune MDM-managed devices, sometimes app installations can fail. When these app installs fail, it can be challenging to understand the failure reason or troubleshoot the issue. We're shipping a Public Preview of our App Troubleshooting features. You will notice a new node under each individual device called Managed Apps. This lists the apps that have been delivered via Intune MDM. Inside the node, you'll see a list of app install states. If you select an individual app, you'll see the troubleshooting view for that specific app. In the troubleshooting view, you'll see the end-to-end lifecycle of the app, such as when the app was created, modified, targeted, and delivered to a device. Additionally, if the app install was not successful, you'll be presented with the error code and a helpful message about the cause of the error.

Intune app protection policies and Microsoft Edge

The Microsoft Edge browser for mobile devices (iOS and Android) now supports Microsoft Intune app protection policies. Users of iOS and Android devices who sign in with their corporate Azure AD accounts in the Edge application will be protected by Intune. On iOS devices, the Require managed browser for web content policy will allow users to open links in Microsoft Edge when it is managed.

Week of May 14, 2018

App management

Require installation of policies, apps, certificate and network profiles

Admins can block end users from accessing the Windows 10 RS4 desktop until Intune installs policies, apps, and certificate and network profiles during the provisioning of AutoPilot devices. For more info, see Set up an enrollment status page.

Configuring your app protection policies

In the Azure portal, instead of going to the Intune App Protection service blade, you now just go to Intune. There is now only one location for app protection policies within Intune. Note that all of your app protection policies are on the Mobile app blade in Intune under App protection policies. This integration helps to simplify your cloud management administration. Remember, all app protection policies are already in Intune and you can modify any of your previously configured policies. Intune App Policy Protection (APP) and Conditional Access (CA) policies are now under Conditional access, which can be found under the Manage section in the Microsoft Intune blade or under the Security section in the Azure Active Directory blade. For more information about modifying conditional access policies, see Conditional access in Azure Active Directory. For additional information, see What are app protection policies?

Week of May 7, 2018

App management

Samsung Knox mobile enrollment support

When using Intune with Samsung Knox Mobile Enrollment (KME), you can enroll large numbers of company-owned Android devices. Users on WiFi or cellular networks can enroll with just a few taps when they turn on their devices for the first time. When using the Knox Deployment App, devices can be enrolled using Bluetooth or NFC. For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.

Requesting help in the Company Portal for Windows 10

The Company Portal for Windows 10 will now send app logs directly to Microsoft when the user initiates the workflow to get help with an issue. This will make it easier to troubleshoot and resolve issues that are raised to Microsoft.

Week of April 23, 2018

App management

Passcode support for MAM PIN on Android

Intune admins can set an application launch requirement to enforce a passcode instead of a numeric MAM PIN. If configured, the user is required to set and use a passcode when prompted before getting access to MAM-enlightened applications. A passcode is defined as a numeric PIN with at least one special character or upper/lowercase alphabet. Intune supports passcode in a similar way to the existing numeric PIN... being able to set a minimum length, allowing repeat characters and sequences through the admin console. This feature requires the latest version of Company Portal on Android. This feature is already available for iOS.

Line-of-business (LOB) app support for macOS

Microsoft Intune will provide the capability to install macOS LOB apps from the Azure portal. You will be able to add a macOS LOB app to Intune after it has been pre-processed by the tool available in GitHub. In the Azure portal, choose Client apps from the Intune blade. On the Client apps blade, choose Apps > Add. On the Add App blade, select Line-of-business app.

Built-in All Users and All Devices Group for Android Enterprise work profile app assignment

You can leverage the built-in All Users and All Devices groups for Android Enterprise work profile app assignment. For more information, see Include and exclude app assignments in Microsoft Intune.

Intune will reinstall required apps that are uninstalled by users

If an end user uninstalls a required app, Intune automatically reinstalls the app within 24 hours rather than waiting for the 7-day re-evaluation cycle.

Device configuration

Device profile chart and status list show all devices in a group

When you configure a device profile (Device configuration > Profiles), you choose the device profile, such as iOS. You assign this profile to a group that includes iOS devices and non-iOS devices. The graphical chart count shows that the profile is applied to the iOS and the non-iOS devices (Device configuration > Profiles > select an existing profile > Overview). When you select the graphical chart in the Overview tab, the Device status lists all the devices in the group, instead of only the iOS devices.

With this update, the graphical chart (Device configuration > Profiles > select an existing profile > Overview) only shows the count for the specific device profile. For example, if the configuration device profile applies to iOS devices, the chart only lists the count of the iOS devices. Selecting the graphical chart, and opening the Device status only lists the iOS devices.

While this update is being made, the graphical user chart is temporarily removed.

Always On VPN for Windows 10

Currently, Always On can be used on Windows 10 devices by using a custom virtual private network (VPN) profile created using OMA-URI.

With this update, admins can enable Always On for Windows 10 VPN profiles directly in Intune in the Azure portal. Always On VPN profiles will automatically connect when:

  • Users sign into their devices
  • The network on the device changes
  • The screen on the device turns back on after being turned off

New printer settings for education profiles

For education profiles, new settings are available under the Printers category: Printers, Default printer, Add new printers.

Show caller ID in personal profile - Android Enterprise work profile

When using a personal profile on a device, end users may not see the caller ID details from a work contact.

With this update, there is a new setting in Android Enterprise > Device restrictions > Work profile settings:

  • Display work contact caller-id in personal profile

When enabled (not configured), the work contact caller details are displayed in the personal profile. When blocked, the work contact caller number is not displayed in the personal profile.

Applies to: Android work profile devices on Android OS v6.0 and newer

New Windows Defender Credential Guard settings added to endpoint protection settings

With this update, Windows Defender Credential Guard (Device configuration > Profiles > Endpoint protection) includes the following settings:

  • Windows Defender Credential Guard: Turns on Credential Guard with virtualization-based security. Enabling this feature helps protect credentials at the next reboot when Platform Security Level with Secure Boot and Virtualization Based Security are both enabled. Options include:
    • Disabled: If Credential Guard was previously turned on with the Enabled without lock" option​, then it turns off Credential Guard remotely.

    • Enabled with UEFI lock: Ensures that Credential Guard cannot be disabled using a registry key or using Group Policy. To disable Credential Guard after using this setting, you must set the Group Policy to "Disabled". Then, remove the security functionality from each computer, with a physically present user. These steps clear the configuration persisted in UEFI. As long as the UEFI configuration persists, Credential Guard is enabled.​

    • Enabled without lock: Allows Credential Guard to be disabled remotely using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).

The following dependent technologies are automatically enabled when configuring Credential Guard:

  • Enable Virtualization-based Security (VBS): Turns on virtualization-based security (VBS) at next reboot. Virtualization-based security uses the Windows Hypervisor to provide support for security services, and requires Secure Boot.
  • Secure Boot with Direct Memory Access (DMA): Turns on VBS with Secure Boot and direct memory access. DMA protection require hardware support, and is only enabled on properly configured devices.

Use a custom subject name on SCEP certificate

You can use the OnPremisesSamAccountName the common name in a custom subject on an SCEP certificate profile. For example, you can use CN={OnPremisesSamAccountName}).

Block camera and screen captures on Android Enterprise work profiles

Two new properties are available to block when you configure device restrictions for Android devices:

  • Camera: Blocks access to all cameras on the device
  • Screen capture: Blocks the screen capture, and also prevents the content from being shown on display devices that don't have a secure video output

Applies to Android Enterprise work profiles.

Device enrollment

New enrollment steps for users on devices with macOS High Sierra 10.13.2+

macOS high Sierra 10.13.2 introduced the concept of "User Approved" MDM enrollment. Approved enrollments allow Intune to manage some security-sensitive settings. For more information, see Apple's support documentation here: https://support.apple.com/HT208019.

Devices enrolled using the macOS Company Portal are considered "Not User Approved" unless the end user opens System Preferences and manually provides approval. To this end, the macOS Company Portal now directs users on macOS 10.13.2 and above to go and manually approve their enrollment at the end of the enrollment process. The Intune admin console will report on if an enrolled device is user approved.

Device management

Advanced Threat Protection (ATP) and Intune are fully integrated

Advanced Threat Protection (ATP) shows the risk level of Windows 10 devices. In Windows Defender Security Center (ATP portal), you can create a connection to Microsoft Intune. Once created, an Intune compliance policy is used to determine an acceptable threat level. If the threat level is exceeded, an Azure Active Directory (AD) conditional access policy can then block access to different apps within your organization.

This feature allows ATP to scan files, detect threats, and report any risk on your Windows 10 devices.

See Enable ATP with conditional access in Intune.

Support for user-less devices

Intune supports the ability to evaluate compliance on a user-less device, such as the Microsoft Surface Hub. Compliance policy can target specific devices. So compliance (and noncompliance) can be determined for devices that don't have an associated user.

Delete Autopilot devices

Intune admins can delete Autopilot devices.

Improved device deletion experience

You're no longer be required to remove company data or factory reset a device before deleting a device from Intune.

To see the new experience, sign in to Intune and select Devices > All devices > the name of the device > Delete.

If you still want the wipe/retire confirmation, you can use the standard device lifecycle route by issuing a Remove company data and Factory Reset prior to Delete.

Play sounds on iOS when in Lost mode

When supervised iOS devices are in Mobile Device Management (MDM) Lost mode, you can play a sound (Devices > All devices > select an iOS device > Overview > More). The sound continues to play until the device is removed from Lost mode, or a user disables sound on the device. Applies to iOS devices 9.3 and newer.

Block or allow web results in searches made on an Intune device

Admins can now block web results from searches made on a device.

Improved error messaging for Apple MDM Push Certificate upload failure

The error message explains that the same Apple ID must be used when renewing an existing MDM certificate.

Test the Company Portal for macOS on virtual machines

We've published guidance to help IT admins test the Company Portal app for macOS on virtual machines in Parallels Desktop and VMware Fusion. Find out more in enroll virtual macOS machines for testing.

User interface

Improved device tiles in the Windows 10 Company Portal

The tiles have been updated to be more accessible to low-vision users and to perform better for screen reading tools.

Send diagnostic reports in Company Portal app for macOS

The Company Portal app for macOS devices was updated to improve how users report Intune-related errors. From the Company Portal app, your employees can:

  • Upload diagnostic reports directly to the Microsoft developer team.
  • Email an incident ID to your company's IT support team.

For more information see Send errors for macOS.

Intune adapts to Fluent Design System in the Company Portal app for Windows 10

The Intune Company Portal app for Windows 10 has been updated with the Fluent Design System's navigation view. Along the side of the app, you'll notice a static, vertical list of all top-level pages. Click any link to quickly view and switch between pages. This is the first of several updates you'll see as part of our ongoing effort to create a more adaptive, empathetic, and familiar experience in Intune. To see the updated look, go to What's new in the app UI.

Week of April 16, 2018

Use Cisco AnyConnect client for iOS

When you create a new VPN profile for iOS, there are now two options: Cisco AnyConnect and Cisco Legacy AnyConnect. Cisco AnyConnect profiles support 4.0.7x and newer versions. Existing iOS Cisco AnyConnect VPN profiles are labeled Cisco Legacy AnyConnect, and continue to work with Cisco AnyConnect 4.0.5x and older versions, as they do today.

Note

This change only applies to iOS. There continues to be only one Cisco AnyConnect option for Android, Android Enterprise work profiles, and macOS platforms.

Jamf-enrolled macOS devices can now register with Intune

Versions 1.3 and 1.4 of the macOS company portal did not successfully register Jamf devices with Intune. Version 1.4.2 of the macOS portal fixes this issue.

Week of April 9, 2018

Updated help experience in Company Portal app for Android

We've updated the help experience in the Company Portal app for Android to align with best practices for the Android platform. Now when users encounter a problem in the app, they can tap Menu > Help and:

  • Upload diagnostic logs to Microsoft.
  • Send an email that describes the problem and incident ID to a company support person.

To check out the updated help experience go to Send logs using email and Send errors to Microsoft.

New enrollment failure trend chart and failure reasons table

On the Enrollment Overview page, you can view the trend of enrollment failures and the top five causes of failures. By clicking on the chart or table, you can drill into details to find troubleshooting advice and remediation suggestions.

Update where to configure your app protection policies

In the Azure portal within the Microsoft Intune service, we’re going to temporarily redirect you from the Intune App Protection service blade to the Mobile app blade. Note that all of your app protection policies are already on the Mobile app blade in Intune under app configuration. Instead of going to Intune App Protection, you’ll just go to Intune. In April 2018, we will stop the redirection and fully remove the Intune App Protection service blade, so that there's only one location for app protection policies within Intune.

How does this affect me? This change will affect both Intune standalone customers and hybrid (Intune with Configuration Manager) customers. This integration will help simplify your cloud management administration.

What do I need to do to prepare for this change? Please tag Intune as a favorite instead of the Intune App Protection service blade and ensure you’re familiar with the App protection policy workflow in the Mobile app blade within Intune. We’ll redirect for a short period of time and then remove the App Protection blade. Remember, all app protection policies are already in Intune and you can modify any of your conditional access policies. For more information about modifying conditional access policies, see Conditional access in Azure Active Directory. For additional information, see What are app protection policies?

Week of April 2, 2018

Intune apps

User experience update for the Company Portal app for iOS

We've released a major user experience update to the Company Portal app for iOS. The update features a complete visual redesign that includes a modernized look and feel. We've maintained the functionality of the app, but increased its usability and accessibility.

You'll also see:

  • Support for iPhone X.
  • Faster app launch and loading responses, to save users time.
  • Additional progress bars to provide users with the most up-to-date status information.
  • Improvements to the way users upload logs, so if something goes wrong, it's easier to report.

To see the updated look, go to What's new in the app UI.

Protect on-premises Exchange data using Intune APP and CA

You can now use Intune App Policy Protection (APP) and Conditional Access (CA) to protect access to on-premises Exchange data with Outlook Mobile. To add or modify an app protection policy within the Azure portal, select Microsoft Intune > Client apps > App protection policies. Before using this feature, make sure you meet the Outlook for iOS and Android requirements.

Notices

Plan for change: Performance updates to Intune for Education

We’re adding some updates to Intune for Education to increase speed and reliability when you assign settings to your users or devices. As part of this change, towards the end of November, we’ll be moving your policies or settings assignments to new groups.

How does this affect me?

As an Intune for Education customer, you have two dynamic Azure Active Directory (Azure AD) groups: “All Users” and “All Devices”. With these updates, these “All Users” and “All devices” Azure AD groups will not be visible in the Intune for Education console. They will, however, still be visible in the Intune on Azure console and will be renamed as “All Users (Obsolete, do not use)” and “All Devices (Obsolete, do not use)”.

When the updates roll out, you will no longer need to use Azure AD groups to assign apps and settings in Intune. Instead, we will move your Settings assignments to new groups in the Intune for Education console that we’ll create for you that will still show up as “All Users” and “All Devices” as before. These changes are in the backend, so you will not notice anything different in the Intune for Education console. There is no impact anticipated to your end users or enrolled devices.

What do I need to do to prepare for this change?

You do not need to do anything while we move your policy assignments. If you currently assign policies in the Intune for Education console, continue doing so.

If you currently assign policies to the Azure AD groups mentioned above in Intune on Azure, start assigning these to the All Users and All Devices group in the Intune for Education console instead. When you see the Azure AD groups renamed as obsolete in the console, stop assigning policies in Azure AD. If you are not currently using the renamed groups for any other purpose, you should delete them.

Plan for Change: Intune will move to support macOS 10.12 and higher in December

Apple has just released macOS 10.14. Subsequently, Intune will move to support macOS 10.12 and higher in December 2018.

How does this affect me?

Starting in December, end users on devices with macOS 10.11 and prior won’t be able to use the Company Portal to enroll into Intune. They will need to upgrade their device to macOS 10.12 or higher and upgrade the Company Portal app to the latest version to continue to receive support and new features.

macOS versions 10.12 and higher are currently supported on:

  • MacBook (late 2009 or newer).
  • iMac (late 2009 or newer)
  • MacBook Air (late 2010 or newer).
  • MacBook Pro (late 2010 or newer).
  • Mac Mini (late 2010 or newer).
  • Mac Pro (late 2010 or newer).

After December, end users who have devices other than the ones listed above will not be able to access the latest version of the Company Portal app for macOS. Existing enrolled devices running unsupported versions below macOS 10.12 will continue to be managed and listed in the Intune Admin Console.

What do I need to do to prepare for this change?

  • Request your end users to upgrade their devices to a supported OS version before December 2018.
  • Check your Intune reporting in the Intune on Azure console, to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running macOS 10.11.
  • If you are using hybrid mobile device management (MDM), go to Assets and Compliance > Devices in the Configuration Manager console, right-click the columns to add the Operating System and Client Version columns, and sort by OS. Note that hybrid MDM is now deprecated, and you should move to Intune on Azure as soon as possible.

Additional Information

For more information, see Enroll your macOS device in Intune with the Company Portal app.

Plan for Change: New Intune support experience for Premier customers

As a Microsoft Premier customer, you can currently use the Microsoft Premier Online (MPO) portal (premier.microsoft.com) and Intune on Azure (portal.azure.com) to create support requests for Intune. Starting on December 3, 2018, to continue enhancing the Premier support experience, you will be able to create support requests only in Intune on Azure.

How does this affect me?

After December 3, you will be not be able to create support requests in MPO. When you try to do this, you’ll see a prompt that you will not be able to dismiss, to be redirected to Intune on Azure. Here, you can create a support request which will be routed to Intune-dedicated Microsoft Support, to diagnose and resolve your issue in a timely manner. Support requests created in the MPO portal cannot be viewed in the Azure portal, so you should stop creating support requests in MPO.

If you use hybrid mobile device management (hybrid MDM) or use co-management, you can continue to use MPO to create support requests for ConfigMgr but use the Azure portal to create support requests for Intune. As a reminder, hybrid MDM is deprecated, and you should plan to move to Intune on Azure as soon as possible. For more information, see Move from Hybrid Mobile Device Management to Intune on Azure.

Note that only users with Global Administrator, Intune Service Administrator, and Service Support Administrator roles can create support tickets in the Azure portal.

What can I do to prepare for this change?

  • Stop using MPO and use Intune on Azure to create and manage all your Intune support requests.
  • Notify your helpdesk and update documentation if necessary.
  • If you have users without Global administrator or Intune Service Administrator roles currently creating support requests in MPO, assign them the Service Support Administrator role in Azure Active Directory, so they can continue to create support tickets in the Azure portal.
  • Click on Additional Information for more information and helpful links.

Additional Information

For more information, see the Microsoft Intune support team blog post.

Take action: Please update your Android device restriction or compliance policy password settings in Intune

Intune will be removing the available password type “device default” for Android 4.4 and higher devices. Due to differences in Android platforms and device defaults, that policy is often treated as optional by the device. To clear up confusion on when this setting is enforced on Android, we’ll remove this setting from the UI in an upcoming release.

How does this affect me?

  • If your intent is to require a password on the devices, we recommend instead of using “device default” you edit your Android platform profile(s) to clearly articulate the required password type.
  • If your intent is to let your end user to decide on whether to create a password, select the “Not configured” button. When we remove this setting from the UI, if the setting is still set, you will be prompted to choose a value other than “Device default” on your next edit of the profile. What do I need to do to prepare for this change? Review the password settings in your Android and Android enterprise device restriction and compliance policies. These are listed under System security for Compliance policies and under either Device password or Work profile settings for Device restrictions. Additional information has a link to more details and screenshots for where these settings are configured.

Additional information

https://aka.ms/PasswordSettings

Plan for Change: Change Password at Next Auth added to Intune

In the September service release, Intune plans to integrate Apple’s newly-released Change Password at Next Auth setting for devices running macOS versions 10.13 and newer. Before this setting, MDM providers can't verify that the device passcode was changed to be compliant. Intune’s configuration and compliance policies only validate that the next time a device password is changed, that it's marked as compliant. When this new Apple feature is added, your macOS users will receive a request to update their password, even if their password is compliant.

How does this affect me?

This impacts environments with a macOS device policy using Intune or a hybrid MDM. Now that Apple has this Change Password at New Auth setting, Intune can force users to update their password when a password policy is pushed. If you block company resources until the device is marked compliant, then your end users may be blocked from accessing company resources, such as email or SharePoint sites, until they reset their password. In the future, all updates to configuration and compliance password policies force targeted users to update their passwords.

What do I need to do to prepare for this change?

Let your helpdesk know. If you don't want to enforce this macOS device policy, we recommend you un-assign or delete your existing macOS policy. Customer research suggests most customers aren't affected by this change. Most end users update their password after receiving a request to enroll with a password, or reset their password to remain compliant.

Plan for Change: Intune moving to TLS 1.2

Starting on October 31, 2018, Intune will support Transport Layer Security (TLS) protocol version 1.2 to provide best-in-class encryption, to ensure our service is more secure by default, and to align with other Microsoft services such as Microsoft Office 365. Office communicated this change in MC128929.

The Company Portal will also move to support TLS 1.2 on October 31, 2018.

How does this affect me?

As of October 31, 2018, Intune will no longer support TLS protocol versions 1.0 or 1.1. All client-server and browser-server combinations should use TLS version 1.2 to ensure connection without issues to Intune. Note that this change will impact end-user devices that are no longer supported by Intune but are still receiving policy through Intune, and that cannot use TLS version 1.2. This includes devices such as those running Android 4.3 and earlier. For a list of affected devices and browsers, see Additional Information below.

After October 31, 2018, if you experience an issue related to the use of an old TLS version, you will be required to update to TLS 1.2 or to a device that supports TLS 1.2 as part of the resolution.

What do I need to do to prepare for this change?

We recommend that you proactively remove TLS 1.0 and 1.1 dependencies in your environments and disable TLS 1.0 and 1.1 at the operating system level where possible. Begin planning your migration to TLS 1.2 today. Check the support blog post below for the list of devices that are not supported by Intune today but might still be receiving policy, and that will not be able to communicate using TLS version 1.2. You might need to notify those end users that they’ll lose access to corporate resources.

Additional Information: Intune moving to TLS 1.2 for encryption

Plan for Change: Use Intune on Azure now for your MDM management

Over a year ago, we announced public preview of Intune on Azure and followed up six months ago with general availability of the new admin experience for Intune. Starting on August 31, 2018, we will turn off mobile device management (MDM) in the classic Silverlight console for those customers using Intune standalone. Instead, you can use Intune on Azure for your MDM needs. If you're still using the classic console for MDM, please stop and familiarize yourself with Intune on Azure. We do not expect any end user impact with this change. Classic PC management will remain in Silverlight. You can learn more about this change and how it affects you here.

Apple to require updates for Application Transport Security

Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS Company Portal apps. We'll keep our Intune support blog with details.

See also