What's new in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Learn what’s new each week in Microsoft Intune. You can also find out about upcoming changes, important notices about the service, and information about past releases.

Note

Many of these features will eventually be supported for hybrid deployments with Configuration Manager. For more information about new hybrid features, check out our hybrid What’s New page.

Week of October 2, 2017

Intune apps

Improvements to device setup workflow in Company Portal

We've improved the device setup workflow in the Company Portal app for Android. The language is more user-friendly and specific to your company, and we've combined screens where possible. You can see these on the what's new in app UI page.

Improved guidance around the request for access to contacts on Android devices

The Company Portal app for Android often requires the end user to accept the Contacts permission. If an end user declines this access, they will now see an in-app notification that alerts them to grant it for conditional access.

Secure startup remediation for Android

End users with Android devices will be able to tap the non-compliance reason in the Company Portal app. When possible, this will take them directly to the correct location in the settings app to fix the issue.

Additional push notifications for end users on the Company Portal app for Android Oreo

End users will see additional notifications to indicate to them when the Company Portal app for Android Oreo is performing background tasks, such as retrieving policies from the Intune service. This increases transparency for end users about when the Company Portal is performing administrative tasks on their device. This is part of the overall optimization of the Company Portal UI for the Company Portal app for Android Oreo.

There are further optimizations for new UI elements that are enabled in Android Oreo. End users will see additional notifications that will indicate to them when Company Portal is performing background tasks such as retrieving policy from the Intune service. This increases transparency for end users about when Company Portal is performing administrative tasks on the device.

New behaviors for the Company Portal app for Android with work profiles

When you enroll an Android for Work device with a work profile, it's the Company Portal app in the work profile that performs management tasks on the device.

Unless you are using a MAM-enabled app in the personal profile, the Company Portal app for Android no longer serves any use. To improve the work profile experience, Intune will automatically hide the personal Company Portal app after a successful work profile enrollment.

The Company Portal app for Android can be enabled at any time in the personal profile by browsing for Company Portal in the Play Store and tapping Enable.

Company Portal for Windows 8.1 and Windows Phone 8.1 moving to sustaining mode

Beginning in October 2017, the Company Portal apps for Windows 8.1 and Windows Phone 8.1 will move to sustaining mode. This means that the apps and existing scenarios, such as enrollment and compliance, will continue to be supported for these platforms. These apps will continue to be available for download through existing release channels, such as the Microsoft Store.

Once in sustaining mode, these apps will only will receive critical security updates. There will be no additional updates or features released for these apps. For new features, we recommend that you update devices to Windows 10 or Windows 10 Mobile.

Device enrollment

Block unsupported Samsung Knox device enrollment

The Company Portal app only attempts to enroll supported Samsung Knox devices. To avoid KNOX activation errors that prevent MDM enrollment, device enrollment is only attempted if the device appears in the list of devices published by Samsung. Samsung devices can have model numbers that support KNOX while others that don't. Verify Knox compatibility with your device reseller before purchase and deployment. You can find the full list of verified devices in the Android and Samsung KNOX Standard policy settings.

End of support for Android 4.3 and lower

Managed apps and the Company Portal app for Android will require Android 4.4 and higher to access company resources. By December, all enrolled devices will be force retired in December, resulting in loss of access to company resources. If you are using app protection policies without MDM, apps will not receive updates, and the quality of their experience will diminish over time.

Inform end users what device information can be seen on enrolled devices

We are adding Ownership Type to the Device Details screen on all Company Portal apps. This will allow users to find out more about privacy directly from the What information can your company see? article. This will be rolling out across all Company Portal apps in the near future. We announced this for iOS in September.

Week of September 25, 2017

Device enrollment

Intune supports iOS 11

Intune supports iOS 11. This was previously announced on the Intune Support blog.

End of support for iOS 8.0

Managed apps and the Company Portal app for iOS will require iOS 9.0 and higher to access company resources. Devices that aren't updated before this September will no longer be able to access the Company Portal or those apps.

Intune apps

Refresh action added to the Company Portal app for Windows 10

The Company Portal app for Windows 10 allows users to refresh the data in the app by either pulling to refresh or, on desktops, pressing F5.

Week of September 11, 2017

Device enrollment

Inform end users what device information can be seen for iOS

We have added Ownership Type to the Device Details screen on the Company Portal app for iOS. This will allow users to find out more about privacy directly from this page from the Intune end user docs. They will also be able to locate this information on the About screen.

Allow end users to access the Company Portal app for Android without enrollment

End users will soon not have to enroll their device to access the Company Portal app for Android. End users at organizations that are using App Protection Policies will no longer receive prompts to enroll their device when they open the Company Portal app. End users will also be able to install apps from the Company Portal without enrolling the device.

Easier-to-understand phrasing for the Company Portal app for Android

The enrollment process for the Company Portal app for Android has been simplified with new text to make it easier for end users to enroll. If you have custom enrollment documentation, you will want to update it to reflect the new screens. You can find sample images on our UI updates for Intune end user apps page.

Windows 10 Company Portal app added to Windows Information Protection allow policy

The Windows 10 Company Portal app has been updated to support Windows Information Protection (WIP). The app can be added to the WIP allow policy. With this change, the app no longer has to be added to the Exempt list.

Week of August 21, 2017

Device enrollment

Improvements to device overview

Improvements to the device overview now display enrolled devices but excludes devices managed by Exchange ActiveSync. Exchange ActiveSync devices do not have the same management options as enrolled devices. To view the number of enrolled devices and number of enrolled devices by platform in Intune in the Azure portal, go Devices > Overview.

Device management

Improvements to device inventory collected by Intune

In this release, we’ve made the following improvements to the inventory information collected by devices you manage:

  • For Android devices, you can now add a column to device inventory that shows the latest patch level for each device. Add the Security patch level column to your device list to see this.
  • When you filter the device view, you can now filter devices by their enrollment date. For example, you could display only devices that were enrolled after a date you specify.
  • We’ve made improvements to the filter used by the Last Check-in Date item.
  • In the device list, you can now display the phone number of corporate owned devices. Additionally, you can use the filter pane to search for devices by phone number.

For more details about device inventory, see How to view Intune device inventory.

Conditional access support for macOS devices

You can now set a conditional access policy that requires Mac devices to be enrolled into Intune and compliant with its device compliance policies. For example, users can download the Intune Company Portal app for macOS and enroll their Mac devices into Intune. Intune evaluate whether the Mac device is compliant or not with requirements like PIN, encryption, OS version, and System Integrity.

Company Portal app for macOS is in public preview

The Company Portal app for macOS is now available as part of the public preview for conditional access in Enterprise Mobility + Security. This release supports macOS 10.11 and above. Get it at https://aka.ms/macOScompanyportal.

New device restriction settings for Windows 10

In this release, we’ve added new settings for the Windows 10 device restriction profile in the following categories:

  • Windows Defender SmartScreen
  • App store

Updates to the Windows 10 endpoint protection device profile for BitLocker settings

In this release, we’ve made the following improvements to how BitLocker settings work in a Windows 10 endpoint protection device profile:

Under Bitlocker OS drive settings, for the setting BitLocker with non-compatible TPM chip, when you select Block, previously, this would cause BitLocker to actually be allowed. We have now fixed this to block BitLocker when it is selected. Under Bitlocker OS drive settings, for the setting Certificate-based data recovery agent, you can now explicitly block the certificate-based data recovery agent. By default, however, the agent is allowed. Under BitLocker fixed data-drive settings, for the setting Data recovery agent, you can now explicitly block the data recovery agent. For more information, see Endpoint protection settings for Windows 10 and later.

App management

New signed-in experience for Android Company Portal users and App Protection Policy users

End users can now browse apps, manage devices, and view IT contact information using the Android Company Portal app without enrolling their Android devices. In addition, if an end user already uses an app protected by Intune App Protection Policies and launches the Android Company Portal, the end user no longer receive a prompt to enroll the device.

New setting in the Android Company Portal app to toggle battery optimization

The Settings page in the Company Portal app for Android has a new setting that easily lets users turn off battery optimization for Company Portal and Microsoft Authenticator apps. The app name shown in the setting will vary depending on which app manages the work account. We recommend that users turn battery optimization off for better performance of work apps that sync email and data.

Multi-identity support for OneNote for iOS

End users can now use different accounts (work and personal) with Microsoft OneNote for iOS. App protection policies can be applied to corporate data in work notebooks without affecting their personal notebooks. For example, a policy can allow a user to find information in work notebooks, but will prevent the user from copying and pasting and corporate data from the work notebook to a personal notebook.

New settings to allow and block apps on Samsung KNOX Standard devices

In this release, we are adding new device restriction settings that let you specify the following app lists:

  • Apps that users are allowed to install
  • Apps that users are blocked from running
  • Apps that are hidden from the user on the device

You can specify the app by URL, package name or from the list of apps you manage.

IT admins can now set app-based conditional policies via the new conditional access policy UI in the Azure AD workload. The app-based conditional access that is in the Intune App Protection section in the Azure portal will remain there for the time being and will be enforced side-by-side. There’s also a convenience link to the new conditional access policy UI in the Intune workload.

Notices

IP addresses for Intune updated

An updated list of DNS names and IP addresses is available for firewall proxy settings.

Use Azure Active Directory for conditional access

Conditional access is available in the Azure Active Directory section of the Azure portal and provides a more powerful and flexible framework for setting policies for cloud apps like Office 365 Exchange Online and SharePoint Online. Use the Conditional access in Azure Active Directory blade to configure policies instead of the Intune console. Existing policies in the Intune console need to be re-created in the Azure portal. For more information, see Create Azure AD conditional access policies.

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only accessible from links in the Intune classic portal. Intune accounts created before January 2017 require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the Azure portal.

Administration roles being replaced in Azure portal

The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only) used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to reassign your admins to these new administration roles. For more information about RBAC and the new roles, see Role-based access control for Microsoft Intune.

What's coming

iOS 11 Mail app will support OAuth

Conditional access with Intune supports more secure authentication on iOS devices with OAuth. To support this, there will now be a different flow on the Company Portal app for iOS to allow for more secure authentication. When end users try to sign in to a new Exchange account in the Mail app, they will see a web view prompt. Upon enrollment in Intune, users will see a prompt to allow the native Mail app to access a certificate. Most end users will not see any more quarantined emails. Existing mail accounts will continue to use basic authentication protocol, so these users will still have quarantine emails delivered to them. This sign in experience for end users is similar to the one on Office mobile apps.

UI updates to the Company Portal website

Updates to Featured Apps
We've added a dedicated page to the site where users can browse apps that you've chosen to feature, and made some UI tweaks to the Featured section on the homepage. You can see what these changes look like on the what's new in app UI page.

Platform Support Reminder: Windows Phone 8.1 mainstream support ended July 11, 2017

On July 11, 2017, the Windows Phone 8.1 platform reached end of mainstream support. Windows 8.1 PC support is not impacted.

There is no immediate impact to any Windows Phone 8.1 device that is managed by the Intune service. Devices that are enrolled will continue to work and all policies, configurations, and apps will continue to work as expected. Note that there are no improvements targeted for the Windows Phone 8.1 platform within the Intune Service, and for the Windows Phone 8.1 Company Portal app.

We recommend that you upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile at your earliest opportunity.

Changes in support for the Intune iOS Company Portal app

Coming soon, there will be a new version of the Microsoft Intune Company Portal app for iOS that will support only devices running iOS 9.0 or later. The version of the Company Portal that supports iOS 8 will still be available for a very short period of time. However, note that if you also use MAM-enabled iOS apps we support iOS 9.0 and later, so you'll want to ensure your end users update to the latest OS.

How does this affect me?

We are letting you know this in advance, even though we don't have specific dates, so you have time to plan. Ensure your users are updated to iOS 9+ and when the Company Portal app releases, request that your end users update their Company Portal app.

What do I need to do to prepare for this change?

Encourage your users to update to iOS 9.0 or later to take full advantage of new Intune features. Encourage users to install the new version of the Company Portal and take advantage of the new features it will offer.

Go to the Intune in the Azure portal and view Devices > All Devices and filter by iOS version to see any current devices with operating systems earlier than iOS 9.

Apple to require updates for Application Transport Security

Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS Company Portal apps.

We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email CompanyPortalBeta@microsoft.com with your first name, last name, email address, and company name. Review our Intune support blog for more details.

See also