What's new in Microsoft Intune
Learn what's new each week in Microsoft Intune.
You can also read:
- Important notices
- Past releases in the What's new archive
- Information about how Intune service updates are released
Note
Each monthly update can take up to three days to roll out and will be in the following order:
- Day 1: Asia Pacific (APAC)
- Day 2: Europe, Middle East, Africa (EMEA)
- Day 3: North America
- Day 4+: Intune for Government
Some features roll out over several weeks and might not be available to all customers in the first week.
For a list of upcoming Intune feature releases, see In development for Microsoft Intune.
For new information about Windows Autopilot solutions, see:
You can use RSS to be notified when this page is updated. For more information, see How to use the docs.
Week of February 5, 2025 (Service release 2501)
Microsoft Intune Suite
Use Microsoft Security Copilot with Endpoint Privilege Manager to help identify potential elevation risks
When your Azure Tenant is licensed for Microsoft Security Copilot, you can now use Security Copilot to help you investigate Endpoint Privilege Manager (EPM) file elevation requests from within the EPM support approved workflow.
With this capability, while reviewing the properties of a file elevation request, you'll now find the option to Analyze with Copilot. This option directs Security Copilot to use the file's hash in a prompt to Microsoft Defender Threat Intelligence to evaluate the file for potential indicators of compromise, so you can make a more informed decision to approve or deny that file elevation request. Some of the results that are returned to your current view in the admin center include:
- The file's reputation
- Information about the trust of the publisher
- The risk score for the user requesting the file elevation
- The risk score of the device from which the elevation was submitted
EPM is available as an Intune Suite add-on capability. To learn more about how you can currently use Copilot in Intune, see Microsoft Copilot in Intune.
To learn more about Microsoft Security Copilot, see Microsoft Security Copilot.
App management
Update to Apps workload experience in Intune
The Apps area in Intune, commonly known as the Apps workload, is updated to provide a more consistent UI and improved navigation structure so you can find the information you need faster. To find the Apps workload in Intune, navigate to the Microsoft Intune admin center and select Apps.
Device configuration
New settings available in the Windows settings catalog to Configure multiple display mode
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.
There are new settings in the Settings Catalog to Configure Multiple Display Mode for Windows 24H2. To see available settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.
The Configure Multiple Display Mode setting allows monitors to extend or clone the display by default, avoiding the need for manual setup. It streamlines the multi-monitor configuration process, ensuring a consistent and user-friendly experience.
Applies to:
- Windows
Device security
Updated security baseline for Microsoft Edge v128
You can now deploy the Intune security baseline for Microsoft Edge version 128. This update brings support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge.
View the default configuration of settings in the updated baseline.
For information about security baselines with Intune, see Use security baselines to configure Windows devices in Intune.
Applies to:
- Windows
Intune apps
Newly available protected app for Intune
The following protected app is now available for Microsoft Intune:
- MoveInSync by MoveInSync Technologies
For more information about protected apps, see Microsoft Intune protected apps.
Week of January 27, 2025
Device security
Security baselines for HoloLens 2
You can now deploy two distinct instances of the security baseline for HoloLens 2. These baselines represent Microsoft's best practice guidelines and experience from deploying and supporting HoloLens 2 devices to customers across various industries. The two baseline instances are:
Standard Security Baseline for HoloLens 2:
The standard security baseline for HoloLens 2 represents the recommendations for configuring security settings that are applicable to all types of customers irrespective of HoloLens 2 use case scenarios. View the default configuration of settings in the standard security baseline.
Advanced Security Baseline for HoloLens 2:
The advanced security baseline for HoloLens 2 represents the recommendations for configuring security settings for customers who have strict security controls in their environment and require stringent security policies to be applied to any device used in that environment. View the default configuration of settings in the advanced security baseline.
To learn more about security baselines with Intune, see Use security baselines to configure Windows devices in Intune.
Applies to:
- Windows
Week of January 20, 2025
Monitor and troubleshoot
Use Support Assistant to resolve issues
Support Assistant is now available in Intune. It leverages AI to enhance your help and support experience, ensuring more efficient issue resolution. Support Assistant is available in the Microsoft Intune admin center by selecting Troubleshoot + support > Help and Support, or by selecting the question mark near your profile pic. Currently, the Support Assistant is in preview. You can enable and disable Support Assistant by choosing to opt in and opt out at any time. For related information, see How to get support in the Microsoft Intune admin center.
Week of December 30, 2024
Device enrollment
Intune ends support for Android device administrator on devices with access to Google Mobile Services
As of December 31, 2024, Microsoft Intune no longer supports Android device administrator management on devices with access to Google Mobile Services (GMS). This change comes after Google deprecated Android device administrator management and ceased support. Intune support and help documentation remains for devices without access to GMS running Android 15 or earlier, and Microsoft Teams devices migrating to Android Open Source Project (AOSP) management. For more information about how this change impacts your tenant, see Intune ending support for Android device administrator on devices with GMS access in December 2024.
Week of December 16, 2024 (Service release 2412)
App management
Increased scale for Customization policies
You can now create up to 25 policies that customize the Company Portal and Intune app experience. The previous maximum number of Customization policies was 10. Navigate to the Intune admin center, and select Tenant administration > Customization.
For more information about customizing the Company Portal and Intune apps, see Customizing the user experience.
Device security
Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint
Note
Rollout of this feature is delayed and now expected to be available in mid-February.
You can now manage the Microsoft Defender for Endpoint CSP setting for tamper protection on unenrolled devices you manage as part of the Defender for Endpoint security settings management scenario.
With this support, tamper protection configurations from Windows Security Experience profiles for Antivirus policies now apply to all devices instead of only to those that are enrolled with Intune.
Device configuration
Ending support for administrative templates when creating a new configuration profile
Customers can no longer create a new Administrative Templates configuration profile through Devices > Configuration > Create > New policy > Windows 10 and later > Administrative Templates. A (retired) tag is shown next to Administrative Templates and the Create button is now greyed out. Other templates will continue to be supported.
However, customers can now use the Settings Catalog to create a new Administrative Templates configuration profile by navigating to Devices > Configuration > Create > New policy > Windows 10 and later > Settings Catalog.
There are no changes in the following UI experiences:
- Editing an existing Administrative template.
- Deleting an existing Administrative template.
- Adding, modifying, or deleting settings in an existing Administrative template.
- Imported Administrative templates (Preview) template, which is used for Custom ADMX.
For more information, see Use ADMX templates on Windows 10/11 devices in Microsoft Intune.
Applies to:
- Windows
Device management
More Wi-Fi configurations are now available for personally-owned work profile devices
Intune Wi-Fi configuration profiles for Android Enterprise personally-owned work profile devices now support configuration of pre-shared keys and proxy settings.
You can find these settings in the admin console in Devices > Manage devices > Configuration > Create > New Policy. Set Platform to Android Enterprise and then in the Personally-Owned Work Profile section, select Wi-Fi and then select the Create button.
In the Configuration settings tab, when you select Basic Wi-Fi type, several new options are available:
- Security type, with options for Open (no authentication), WEP-Pre-shared key, and WPA-Pre-shared key.
- Proxy settings, with the option to select Automatic and then specify the proxy server URL.
It was possible to configure these in the past with Custom Configuration policies, but going forward, we recommend setting these in the Wi-Fi Configuration profile, because Intune is ending support for Custom policies in April 2024.
For more information, see Wi-Fi settings for personally-owned work profile devices.
Applies to:
- Android Enterprise
Week of December 9, 2024
Tenant administration
Intune now supports Ubuntu 24.04 LTS for Linux management.
We're now supporting device management for Ubuntu 24.04 LTS. You can enroll and manage Linux devices running Ubuntu 24.04, and assign standard compliance policies, custom configuration scripts, and compliance scripts.
For more information, see the following in Intune documentation:
- Deployment guide: Manage Linux devices in Microsoft Intune
- Enrollment guide: Enroll Linux desktop devices in Microsoft Intune. To enroll Linux devices, ensure that they're running Ubuntu 20.04 LTS or higher.
Applies to:
- Linux Ubuntu Desktops
Week of December 2, 2024
Device enrollment
Change to enrollment behavior for iOS enrollment profile type
At Apple WWDC 2024, Apple ended support for profile-based Apple user enrollment. For more information, see Support has ended for profile-based user enrollment with Company Portal. As a result of this change, we updated the behavior that occurs when you select Determine based on user choice as the enrollment profile type for bring-your-own-device (BYOD) enrollments.
Now when users select I own this device during a BYOD enrollment, Microsoft Intune enrolls them via account-driven user enrollment, rather than profile-based user enrollment, and then secures only work-related apps. Less than one percent of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. There is no change for iOS users who select My company owns this device during a BYOD enrollment. Intune enrolls them via device enrollment with Intune Company Portal, and then secures their entire device.
If you currently allow users in BYOD scenarios to determine their enrollment profile type, you must take action to ensure account-driven user enrollment works by completing all prerequisites. For more information, see Set up account driven Apple user enrollment. If you don't give users the option to choose their enrollment profile type, there are no action items.
Device management
Device Inventory for Windows
Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.
You can now choose what you want to collect from your devices, using the catalog of properties and then view the collected properties in the Resource Explorer view.
For more information, see:
Applies to:
- Windows 10 and later (Corporate owned devices managed by Intune)
Week of November 18, 2024 (Service release 2411)
App management
Configuration values for specific managed applications on Intune enrolled iOS devices
Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values are automatically sent to managed applications on Intune enrolled iOS devices for the following apps:
- Microsoft Excel
- Microsoft Outlook
- Microsoft PowerPoint
- Microsoft Teams
- Microsoft Word
For more information, see Plan for Change: Specific app configuration values will be automatically sent to specific apps and Intune Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases.
Additional installation error reporting for LOB apps on AOSP devices
Additional details are now provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You can view installation error codes and detailed error messages for LOB apps in Intune.
For information about app installation error details, see Monitor app information and assignments with Microsoft Intune.
Applies to:
- Android Open Source Project (AOSP) devices
Microsoft Teams app protection on VisionOS devices (preview)
Microsoft Intune app protection policies (APP) are now supported on the Microsoft Teams app on VisionOS devices.
To learn how to target policies to VisionOS devices, see Managed app properties, which describes filters for managed app properties.
Applies to:
- Microsoft Teams for iOS on VisionOS devices
Week of October 28, 2024
Device security
Defender for Endpoint security settings support in government cloud environments (generally available)
Now generally available, customer tenants in the Government Community Cloud (GCC), US Government Community High (GCC High), and Department of Defense (DoD) environments can use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. Previously, support for Defender security settings was in public preview.
This capability is known as Defender for Endpoint security settings management.
Week of October 14, 2024 (Service release 2410)
App management
Updates to app configuration policies for Android Enterprise devices
App configuration policies for Android Enterprise devices now support overriding the following permissions:
- Access background location
- Bluetooth (connect)
For more information about app configuration policies for Android Enterprise devices, see Add app configuration policies for managed Android Enterprise devices.
Applies to:
- Android Enterprise devices
Device configuration
Windows Autopilot device preparation support in Intune operated by 21Vianet in China
Intune now supports Windows Autopilot device preparation policy for Intune operated by 21Vianet in China cloud. Customers with tenants located in China can now use Windows Autopilot device preparation with Intune to provision devices.
For information about this Autopilot support, see the following in the Autopilot documentation:
- Overview: Overview of Windows Autopilot device preparation
- Tutorial: Windows Autopilot device preparation scenarios
Device management
Minimum OS version for Android devices is Android 10 and later for user-based management methods
Beginning in October 2024, Android 10 and later is the minimum Android OS version that is supported for user-based management methods, which includes:
- Android Enterprise personally-owned work profile
- Android Enterprise corporate owned work profile
- Android Enterprise fully managed
- Android Open Source Project (AOSP) user-based
- Android device administrator
- App protection policies (APP)
- App configuration policies (ACP) for managed apps
For enrolled devices on unsupported OS versions (Android 9 and lower):
- Intune technical support isn't provided.
- Intune won't make changes to address bugs or issues.
- New and existing features aren't guaranteed to work.
While Intune doesn't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices aren't affected by this change.
Collection of additional device inventory details
Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature.
Applies to:
- Windows
Week of October 7, 2024
App management
New UI for Intune Company Portal app for Windows
The UI for the Intune Company Portal app for Windows is updated. Users now see an improved experience for their desktop app without changing the functionality they've used in the past. Specific UI improvements are focused on the Home, Devices, and Downloads & updates pages. The new design is more intuitive and highlights areas where users need to take action.
For more information, see New look for Intune Company Portal app for Windows. For end user details, see Install and share apps on your device.
Device security
New strong mapping requirements for SCEP certificates authenticating with KDC
The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that a Simple Certificate Enrollment Protocol (SCEP) certificate's subject alternative name (SAN) must have a security identifier (SID) extension that maps to the user or device SID in Active Directory. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working.
To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a URI attribute and the OnPremisesSecurityIdentifier variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID.
For more information and steps, see Update certificate connector: Strong mapping requirements for KB5014754.
Applies to:
- Windows 10/11, iOS/iPadOS, and macOS user certificates
- Windows 10/11 device certificates
This requirement isn't applicable to device certificates used with Microsoft Entra joined users or devices, because the SID attribute is an on-premises identifier.
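An added example (not Microsoft's code and not part of the original page) of auditing issued SCEP certificates for the strong mapping described above: it checks that each certificate's SAN URI carries a SID tag matching the account's on-premises SID. The tag prefix comes from Microsoft's KB5014754 guidance rather than this page, and the function names and inventory records are constructed for illustration.

```python
import re

# Assumption: tag-URI prefix as documented in Microsoft's KB5014754 guidance;
# this page only says Intune "appends a tag with the SID extension".
SID_TAG_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
# Textual SID form: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_PATTERN = re.compile(r"^S-1-\d+(?:-\d+)+$")


def extract_sid_tags(san_uris):
    """Return the value of every SID tag URI found in a list of SAN URIs."""
    values = []
    for uri in san_uris:
        candidate = uri.strip()
        if candidate.lower().startswith(SID_TAG_PREFIX):
            values.append(candidate[len(SID_TAG_PREFIX):])
    return values


def classify(san_uris, directory_sid):
    """Classify one certificate against the SID synced from on-premises AD.

    directory_sid is None for accounts with no on-premises SID; per the page,
    those certificates are issued without the SID.
    """
    tags = extract_sid_tags(san_uris)
    if not tags:
        return "no-sid-expected" if directory_sid is None else "missing-sid"
    if len(tags) > 1:
        return "multiple-sid-tags"
    sid = tags[0].upper()
    if not SID_PATTERN.match(sid):
        return "malformed-sid"
    if directory_sid is None:
        return "unexpected-sid"
    if sid != directory_sid.strip().upper():
        return "sid-mismatch"
    return "strong"


def audit(inventory):
    """Map each certificate subject to its strong-mapping status."""
    return {
        cert["subject"]: classify(cert["san_uris"], cert["directory_sid"])
        for cert in inventory
    }


def needs_reissue(inventory):
    """Subjects whose certificate should be reissued or investigated."""
    healthy = {"strong", "no-sid-expected"}
    return sorted(s for s, status in audit(inventory).items() if status not in healthy)


# Constructed sample data: subjects, SIDs and SAN values are made up.
_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
INVENTORY = [
    {   # SAN tag matches the directory SID
        "subject": "CN=alice",
        "san_uris": [SID_TAG_PREFIX + _DOMAIN + "-1105"],
        "directory_sid": _DOMAIN + "-1105",
    },
    {   # certificate issued before the profile was updated
        "subject": "CN=bob",
        "san_uris": [],
        "directory_sid": _DOMAIN + "-1106",
    },
    {   # SID in the certificate belongs to a different account
        "subject": "CN=carol",
        "san_uris": [SID_TAG_PREFIX + _DOMAIN + "-1105"],
        "directory_sid": _DOMAIN + "-1107",
    },
    {   # cloud-only account: no on-premises SID exists
        "subject": "CN=cloud-only",
        "san_uris": ["https://example.invalid/device/42"],
        "directory_sid": None,
    },
    {   # truncated value after the tag prefix
        "subject": "CN=dave",
        "san_uris": [SID_TAG_PREFIX + "S-1-5-"],
        "directory_sid": _DOMAIN + "-1108",
    },
]

if __name__ == "__main__":
    for subject, status in audit(INVENTORY).items():
        print(f"{subject:15} {status}")
    print("reissue:", ", ".join(needs_reissue(INVENTORY)))
```

In practice the SAN URI values would come from your certificate inventory or CA export, and the directory SID from the account's on-premises security identifier as synced to Microsoft Entra ID.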
Defender for Endpoint security settings support in government cloud environments (public preview)
In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on devices that are onboarded to Defender without enrolling those devices with Intune. This capability is known as Defender for Endpoint security settings management.
For more information about the Intune features supported in GCC High and DoD environments, see Intune US Government service description.
Week of September 30, 2024
Device security
Updates to PKCS certificate issuance process in Microsoft Intune Certificate Connector, version 6.2406.0.1001
We updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in KB5014754. As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID.
The SID update is available for user certificates across all platforms, and for device certificates specifically on Microsoft Entra hybrid joined Windows devices.
For more information, see:
Week of September 23, 2024 (Service release 2409)
App management
Working Time settings for app protection policies
Working time settings allow you to enforce policies that limit access to apps and mute message notifications received from apps during non-working time. The limit access setting is now available for the Microsoft Teams and Microsoft Edge apps. You can limit access by using App Protection Policies (APP) to block or warn end users from using the iOS/iPadOS or Android Teams and Microsoft Edge apps during non-working time by setting the Non-working time conditional launch setting. Also, you can create a non-working time policy to mute notifications from the Teams app to end users during non-working time.
For more information, see:
- Android app protection policy settings
- iOS app protection policy settings
- Quiet time policies for iOS/iPadOS and Android apps
Applies to:
- Android
- iOS/iPadOS
Streamlined app creation experience for apps from Enterprise App Catalog
We've streamlined the way apps from Enterprise App Catalog are added to Intune. We now provide a direct app link rather than duplicating the app binaries and metadata. App contents now download from a *.manage.microsoft.com subdomain. This update helps to improve the latency when adding an app to Intune. When you add an app from Enterprise App Catalog, it syncs immediately and is ready for additional action from within Intune.
Update Enterprise App Catalog apps
Enterprise App Management is enhanced to allow you to update an Enterprise App Catalog app. This capability guides you through a wizard that allows you to add a new application and use supersedence to update the previous application.
For more information, see Guided update supersedence for Enterprise App Management.
Device configuration
Samsung ended support for multiple Android device administrator (DA) settings
On Android device administrator managed (DA) devices, Samsung has deprecated many Samsung Knox APIs (opens Samsung's web site) configuration settings.
In Intune, this deprecation impacts the following device restrictions settings, compliance settings, and trusted certificate profiles:
- Device restriction settings for Android in Microsoft Intune
- View the Android device administrator compliance settings for Microsoft Intune compliance policies
- Create trusted certificate profiles in Microsoft Intune
In the Intune admin center, when you create or update a profile with these settings, the impacted settings are noted.
Though the functionality might continue to work, there's no guarantee that it will continue working for any or all Android DA versions supported by Intune. For more information on Samsung support for deprecated APIs, see What kind of support is offered after an API is deprecated? (opens Samsung's web site).
Instead, you can manage Android devices with Intune using one of the following Android Enterprise options:
- Set up enrollment of Android Enterprise personally owned work profile devices
- Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile
- Set up enrollment for Android Enterprise fully managed devices
- Set up Intune enrollment of Android Enterprise dedicated devices
- App protection policies overview
Applies to:
- Android device administrator (DA)
Device Firmware Configuration Interface (DFCI) supports VAIO devices
For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In Microsoft Intune admin center, select Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Templates > Device Firmware Configuration Interface for profile type.
Some VAIO devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.
For more information about DFCI profiles, see:
- Configure Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune
- Device Firmware Configuration Interface (DFCI) management with Windows Autopilot
Applies to:
- Windows 10
- Windows 11
New settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
iOS/iPadOS
Declarative Device Management (DDM) > Math Settings:
Calculator
- Basic Mode
- Math Notes Mode
- Scientific Mode
System Behavior
- Keyboard Suggestions
- Math Notes
Web Content Filter:
- Hide Deny List URLs
macOS
Declarative Device Management (DDM) > Math Settings:
Calculator
- Basic Mode
- Math Notes Mode
- Programmer Mode
- Scientific Mode
System Behavior
- Keyboard Suggestions
- Math Notes
System Configuration > System Extensions:
- Non Removable From UI System Extensions
- Non Removable System Extensions
Consent prompt update for remote log collection
End users might see a different consent experience for remote log collection after the Android APP SDK 10.4.0 and iOS APP SDK 19.6.0 updates. End users no longer see a common prompt from Intune and only see a prompt from the application, if it has one.
Adoption of this change is per-application and is subject to each application's release schedule.
Applies to:
- Android
- iOS/iPadOS
Device enrollment
New Setup Assistant screens available for configuration for ADE
New Setup Assistant screens are available to configure in the Microsoft Intune admin center. You can hide or show these screens during automated device enrollment (ADE).
For macOS:
- Wallpaper: Show or hide the macOS Sonoma wallpaper setup pane that appears after an upgrade on devices running macOS 14.1 and later.
- Lockdown mode: Show or hide the lockdown mode setup pane on devices running macOS 14.1 and later.
- Intelligence: Show or hide the Apple Intelligence setup pane on devices running macOS 15 and later.
For iOS/iPadOS:
- Emergency SOS: Show or hide the safety setup pane on devices running iOS/iPadOS 16 and later.
- Action button: Show or hide the setup pane for the action button on devices running iOS/iPadOS 17 and later.
- Intelligence: Show or hide the Apple Intelligence setup pane on devices running iOS/iPadOS 18 and later.
You can configure these screens in new and existing enrollment policies. For more information and additional resources, see:
- Set up Apple automated device enrollment for iOS/iPadOS
- Set up Apple automated device enrollment for Macs
Extended expiration date for corporate-owned, user-associated AOSP enrollment tokens
Now when you create an enrollment token for Android Open Source Project (AOSP) corporate-owned, user-associated devices, you can select an expiration date that's up to 65 years into the future, an improvement over the previous 90-day expiration date. You can also modify the expiration date of existing enrollment tokens for Android Open Source Project (AOSP) corporate-owned, user-associated devices.
Device security
New disk encryption template for Personal Data Encryption
You can now use the new Personal Data Encryption (PDE) template that is available through endpoint security disk encryption policy. This new template configures the Windows PDE configuration service provider (CSP), which was introduced in Windows 11 22H2. The PDE CSP is also available through the settings catalog.
PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
Applies to:
- Windows 11 version 22H2 or later
For more information about PDE, including prerequisites, related requirements, and recommendations, see the following articles in the Windows security documentation:
Intune Apps
Newly available protected app for Intune
The following protected app is now available for Microsoft Intune:
- Notate for Intune by Shafer Systems, LLC
For more information about protected apps, see Microsoft Intune protected apps.
Week of September 9, 2024
App management
Managed Home Screen user experience update
All Android devices automatically migrate to the updated Managed Home Screen (MHS) user experience. For more information, see Updates to the Managed Home Screen experience.
Device enrollment
Support has ended for Apple profile-based user enrollment with Company Portal
Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: profile-based enrollment and account-driven enrollment. Apple ended support for profile-based user enrollment, known in Intune as user enrollment with Company Portal. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for profile-based user enrollment with Company Portal. Users can no longer enroll devices targeted with this enrollment profile type. This change doesn't affect devices that are already enrolled with this profile type, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices.
There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected.
We recommend account-driven user enrollment as a replacement method for devices. For more information about your BYOD enrollment options in Intune, see:
- Account-driven user enrollment
- Web-based device enrollment
- Device enrollment with Company Portal (default enrollment method for BYOD scenarios)
For more information about the device enrollment types supported by Apple, see Intro to Apple device enrollment types in the Apple Platform Deployment guide.
Device management
Intune now supports iOS/iPadOS 16.x as the minimum version
Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.
For more information on this change, see Plan for change: Intune is moving to support iOS/iPadOS 16 and later.
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement for supported versus allowed iOS/iPadOS versions for user-less devices.
Applies to:
- iOS/iPadOS
Intune now supports macOS 13.x as the minimum version
With Apple's release of macOS 15 Sequoia, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 13 (Ventura) and later.
For more information on this change, see Plan for change: Intune is moving to support macOS 13 and later.
Note
macOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see Support statement.
Applies to:
- macOS
Week of August 19, 2024 (Service release 2408)
Microsoft Intune Suite
Easy creation of Endpoint Privilege Management elevation rules from support approval requests and reports
You can now create Endpoint Privilege Management (EPM) elevation rules directly from a support approved elevation request or from details found in the EPM Elevation report. With this new capability, you won’t need to manually identify specific file detection details for elevation rules. Instead, for files that appear in the Elevation report or a support approved elevation request, you can select that file to open its elevation detail pane, and then select the option to Create a rule with these file details.
When you use this option, you can then choose to add the new rule to one of your existing elevation policies, or create a new policy with only the new rule.
Applies to:
- Windows 10
- Windows 11
For information about this new capability, see Windows elevation rules policy in the Configure policies for Endpoint Privilege management article.
Introducing the Resource performance report for physical devices in Advanced Analytics
We're introducing the Resource performance report for Windows physical devices in Intune Advanced Analytics. The report is included as an Intune add-on under Microsoft Intune Suite.
The resource performance scores and insights for physical devices are intended to help IT admins make CPU/RAM asset management and purchase decisions that improve the user experience while balancing hardware costs.
For more information, see:
App management
Managed Home Screen for Android Enterprise Fully Managed devices
Managed Home Screen (MHS) is now supported on Android Enterprise Fully Managed devices. This capability offers organizations the ability to leverage MHS in scenarios where a device is associated with a single user.
For related information, see:
- Configure the Microsoft Managed Home Screen app for Android Enterprise
- Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune
- Configure permissions for the Managed Home Screen (MHS) on Android Enterprise devices using Microsoft Intune
Updates to the Discovered Apps report
The Discovered Apps report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we're including it as a column in the Discovered Apps report.
For more information, see Intune Discovered apps.
Improvements to Intune Management Extension logs
We have updated how log activities and events are made for Win32 apps and the Intune Management Extension (IME) logs. A new log file (AppWorkload.log) contains all logging information related to app deployment activities conducted by the IME. These improvements provide better troubleshooting and analysis of app management events on the client.
For more information, see Intune management extension logs.
Device configuration
New settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
There are new settings in the Apple Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
iOS/iPadOS
Declarative Device Management (DDM) > Safari Extension Settings:
- Managed Extensions
- Allowed Domains
- Denied Domains
- Private Browsing
- State
Declarative Device Management (DDM) > Software Update Settings:
Automatic Actions
- Download
- Install OS Updates
Deferrals
- Combined Period In Days
Notifications
Rapid Security Response
- Enable
- Enable Rollback
Recommended Cadence
Restrictions:
- Allow ESIM Outgoing Transfers
- Allow Genmoji
- Allow Image Playground
- Allow Image Wand
- Allow iPhone Mirroring
- Allow Personalized Handwriting Results
- Allow Video Conferencing Remote Control
- Allow Writing Tools
macOS
Authentication > Extensible Single Sign On (SSO):
- Platform SSO
- Authentication Grace Period
- FileVault Policy
- Non Platform SSO Accounts
- Offline Grace Period
- Unlock Policy
Authentication > Extensible Single Sign On Kerberos:
- Allow Password
- Allow SmartCard
- Identity Issuer Auto Select Filter
- Start In Smart Card Mode
Declarative Device Management (DDM) > Disk Management:
- External Storage
- Network Storage
Declarative Device Management (DDM) > Safari Extension Settings:
- Managed Extensions
- Allowed Domains
- Denied Domains
- Private Browsing
- State
Declarative Device Management (DDM) > Software Update Settings:
Allow Standard User OS Updates
Automatic Actions
- Download
- Install OS Updates
- Install Security Update
Deferrals
- Major Period In Days
- Minor Period In Days
- System Period In Days
Notifications
Rapid Security Response
- Enable
- Enable Rollback
Restrictions:
- Allow Genmoji
- Allow Image Playground
- Allow iPhone Mirroring
- Allow Writing Tools
System Policy > System Policy Control:
- Enable XProtect Malware Upload
Enhancements to multi administrative approval
Multi administrative approval adds the ability to limit application access policies to Windows applications, all non-Windows applications, or both. We're also adding a new access policy to the multi administrative approval feature to allow approvals for changes to multi administrative approval itself.
For more information, see Multi admin approval.
Device enrollment
Account-driven Apple User Enrollment now generally available for iOS/iPadOS 15+
Intune now supports account-driven Apple User Enrollment, the new and improved version of Apple User Enrollment, for devices running iOS/iPadOS 15 and later. This new enrollment method uses just-in-time registration, removing the Company Portal app for iOS as an enrollment requirement. Device users can initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience.
For more information, see Set up account driven Apple User Enrollment on Microsoft Learn.
Apple announced they are ending support for profile-based Apple User Enrollment. As a result, Microsoft Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account-driven Apple User Enrollment for similar functionality and an improved user experience.
Use corporate Microsoft Entra account to enable Android Enterprise management options in Intune
Managing Intune-enrolled devices with Android Enterprise management options previously required you to connect your Intune tenant to your managed Google Play account using an enterprise Gmail account. Now you can use a corporate Microsoft Entra account to establish the connection. This change is happening in new tenants, and doesn't affect tenants that have already established a connection.
For more information, see Connect Intune account to Managed Google Play account - Microsoft Intune | Microsoft Learn.
Device management
21Vianet support for Mobile Threat Defense connectors
Intune operated by 21Vianet now supports Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors are available.
Applies to:
- Android
- iOS/iPadOS
For more information, see:
New cpuArchitecture filter device property for app and policy assignments
When you assign an app, compliance policy, or configuration profile, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.
A new cpuArchitecture device filter property is available for Windows and macOS devices. With this property, you can filter app and policy assignments depending on the processor architecture.
For more information on filters and the device properties you can use, see:
- Use filters when assigning your apps, policies, and profiles in Microsoft Intune
- Filter properties
- Supported workloads
Applies to:
- Windows 10
- Windows 11
- macOS
Device security
Windows platform name change for endpoint security policies
When you create an endpoint security policy in Intune, you can select the Windows platform. For multiple templates in endpoint security, there are now only two options to choose for the Windows platform: Windows and Windows (ConfigMgr).
Specifically, the platform name changes are:
Original | New |
---|---|
Windows 10 and later | Windows |
Windows 10 and later (ConfigMgr) | Windows (ConfigMgr) |
Windows 10, Windows 11, and Windows Server | Windows |
Windows 10, Windows 11, and Windows Server (ConfigMgr) | Windows (ConfigMgr) |
These changes apply to the following policies:
- Antivirus
- Disk encryption
- Firewall
- Endpoint Privilege Management
- Endpoint detection and response
- Attack surface reduction
- Account protection
What you need to know
- This change is only in the user experience (UX) that admins see when they create a new policy. There is no effect on devices.
- The functionality is the same as with the previous platform names.
- There are no additional tasks or actions for existing policies.
For more information on endpoint security features in Intune, see Manage endpoint security in Microsoft Intune.
Applies to:
- Windows
Target Date Time setting for Apple software update enforcement schedules updates using the local time on devices
You can specify the time that OS updates are enforced on devices in their local time zone. For example, configuring an OS update to be enforced at 5pm schedules the update for 5pm in the device's local time zone. Previously, this setting used the time zone of the browser where the policy was configured.
This change only applies to new policies that are created in the August 2408 release and later. The Target Date Time setting is in the settings catalog at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update.
In a future release, the UTC text will be removed from the Target Date Time setting.
For more information on using the settings catalog to configure software updates, see Managed software updates with the settings catalog.
Applies to:
- iOS/iPadOS
- macOS
Intune Apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:
- Singletrack for Intune (iOS) by Singletrack
- 365Pay by 365 Retail Markets
- Island Browser for Intune (Android) by Island Technology, Inc.
- Recruitment.Exchange by Spire Innovations, Inc.
- Talent.Exchange by Spire Innovations, Inc.
For more information about protected apps, see Microsoft Intune protected apps.
Tenant administration
Organizational messages now in Microsoft 365 admin center
The organizational message feature has moved out of the Microsoft Intune admin center and into its new home in the Microsoft 365 admin center. All organizational messages you created in Microsoft Intune are now in the Microsoft 365 admin center, where you can continue to view and manage them. The new experience includes highly requested features such as the ability to author custom messages, and deliver messages on Microsoft 365 apps.
For more information, see:
- Introducing organizational messages (preview) in the Microsoft 365 admin center
- Organizational messages in the Microsoft 365 admin center
- Support tip: Organizational messages is moving to Microsoft 365 admin center - Microsoft Community Hub
Week of July 29, 2024
Microsoft Intune Suite
Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 are available for GCC High and DoD
We are excited to announce that the following capabilities from the Microsoft Intune Suite are now supported in U.S. Government Community Cloud (GCC) High and U.S. Department of Defense (DoD) environments.
Add-on capabilities:
- Endpoint Privilege Management
- Advanced Analytics - With this release, GCC High and DoD support for Advanced Endpoint Analytics doesn't include the Device query functionality.
Plan 2 capabilities:
- Microsoft Tunnel for Mobile Application Management
- Firmware-over-the-air update
- Specialty devices management
For more information, see:
- Use Microsoft Intune Suite add-on capabilities
- Microsoft Intune for US Government GCC service description
Device enrollment
ACME protocol support for iOS/iPadOS and macOS enrollment
As we prepare to support managed device attestation in Intune, we are starting a phased rollout of an infrastructure change for new enrollments that includes support for the Automated Certificate Management Environment (ACME) protocol. Now when new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. ACME provides better protection than SCEP against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. There is no change to the end user's enrollment experience, and no changes to the Microsoft Intune admin center. This change only impacts enrollment certificates and has no impact on any device configuration policies.
ACME is supported for Apple Device Enrollment, Apple Configurator enrollment, and Automated device enrollment (ADE) methods. Eligible OS versions include:
- iOS 16.0 or later
- iPadOS 16.1 or later
- macOS 13.1 or later
This capability is also supported in GCC High tenants.
What's new archive
For previous months, see the What's new archive.
Notices
These notices provide important information that can help you prepare for future Intune changes and features.
Plan for change: User alerts on iOS for when screen capture actions are blocked
In an upcoming version (20.3.0) of the Intune App SDK and Intune App Wrapping Tool for iOS, support is added to alert users when a screen capture action (including recording and mirroring) is detected in a managed app. The alert is only visible to users if you have configured an app protection policy (APP) to block screen capture.
How does this affect you or your users?
If APP has been configured to block screen capturing, users see an alert indicating that screen capture actions are blocked by their organization when they attempt to screenshot, screen record, or screen mirror.
For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions, screen capture is blocked if you've configured “Send Org data to other apps” to a value other than “All apps”. To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting “com.microsoft.intune.mam.screencapturecontrol” to Disabled.
How can you prepare?
Update your IT admin documentation and notify your helpdesk or users as needed. You can learn more about blocking screen capture in the blog: New block screen capture for iOS/iPadOS MAM protected apps
Move to new Microsoft Graph Beta API properties for Windows Autopilot self-deploying mode and pre-provisioning
In late February 2025, a select number of old Microsoft Graph Beta API windowsAutopilotDeploymentProfile properties used for Windows Autopilot self-deploying mode and pre-provisioning will be removed and stop working. The same data can be found using newer Graph API properties.
How does this affect you or your users?
If you have automation or scripts using the following Windows Autopilot properties, you must update to the new properties to prevent them from breaking.
Old | New |
---|---|
enableWhiteglove | preprovisioningAllowed |
extractHardwareHash | hardwareHashExtractionEnabled |
language | Locale |
outOfBoxExperienceSettings | outOfBoxExperienceSetting |
outOfBoxExperienceSettings.HidePrivacySettings | outOfBoxExperienceSetting.PrivacySettingsHidden |
outOfBoxExperienceSettings.HideEULA | outOfBoxExperienceSetting.EULAHidden |
outOfBoxExperienceSettings.SkipKeyboardSelectionPage | outOfBoxExperienceSettings.KeyboardSelectionPageSkipped |
outOfBoxExperienceSettings.HideEscapeLink | outOfBoxExperienceSettings.EscapeLinkHidden |
How can you prepare?
Update your automation or scripts to use the new Graph API properties to avoid deployment issues.
Additional information:
- windowsAutopilotDeploymentProfile resource type - Microsoft Graph Beta | Microsoft Learn
- azureADWindowsAutopilotDeploymentProfile resource type - Microsoft Graph Beta | Microsoft Learn
- outOfBoxExperienceSettings resource type - Microsoft Graph Beta | Microsoft Learn
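A scanner for the renames in the table above, added here as an example (it is not Microsoft's code): it reads script text and reports each line that still uses an old windowsAutopilotDeploymentProfile property, with the replacement from the table. The function names, the case-insensitive and bare-leaf matching, the special handling of `language`, and the sample PowerShell script are assumptions of this example.

```python
import re
from typing import NamedTuple

# Old -> new property names, copied verbatim from the table above
# (including the two rows whose new name keeps the plural prefix).
RENAMES = {
    "enableWhiteglove": "preprovisioningAllowed",
    "extractHardwareHash": "hardwareHashExtractionEnabled",
    "language": "Locale",
    "outOfBoxExperienceSettings": "outOfBoxExperienceSetting",
    "outOfBoxExperienceSettings.HidePrivacySettings": "outOfBoxExperienceSetting.PrivacySettingsHidden",
    "outOfBoxExperienceSettings.HideEULA": "outOfBoxExperienceSetting.EULAHidden",
    "outOfBoxExperienceSettings.SkipKeyboardSelectionPage": "outOfBoxExperienceSettings.KeyboardSelectionPageSkipped",
    "outOfBoxExperienceSettings.HideEscapeLink": "outOfBoxExperienceSettings.EscapeLinkHidden",
}

# Old names that are also ordinary words. They are reported only when used
# as a key ("language": / language =) or as a property (.language).
AMBIGUOUS = {"language"}


class Finding(NamedTuple):
    line: int
    old: str
    new: str


def _build_index(renames):
    """Map lower-cased segment tuples to (old, new).

    Scripts often build the nested object separately, so the leaf of each
    dotted entry (for example HideEULA) is indexed on its own as well.
    """
    index = {}
    for old, new in renames.items():
        segs = tuple(s.lower() for s in old.split("."))
        index[segs] = (old, new)
        if len(segs) > 1:
            index.setdefault(segs[-1:], (old.split(".")[-1], new.split(".")[-1]))
    return index


INDEX = _build_index(RENAMES)
MAX_LEN = max(len(k) for k in INDEX)
PATH_RE = re.compile(r"[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*")   # a.b.c identifier paths
KEY_SUFFIX_RE = re.compile(r"""\s*["']?\s*[:=]""")          # what follows a key


def scan(text):
    """Return a Finding for every use of an old property name in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PATH_RE.finditer(line):
            segs = m.group(0).split(".")
            i = 0
            while i < len(segs):
                # Longest match first, so a.b is reported once, not as a and b.
                for n in range(min(MAX_LEN, len(segs) - i), 0, -1):
                    key = tuple(s.lower() for s in segs[i:i + n])
                    hit = INDEX.get(key)
                    if hit is None:
                        continue
                    if n == 1 and key[0] in AMBIGUOUS:
                        is_property = i > 0
                        is_key = (i == len(segs) - 1
                                  and KEY_SUFFIX_RE.match(line, m.end()) is not None)
                        if not (is_property or is_key):
                            continue
                    findings.append(Finding(lineno, *hit))
                    i += n - 1
                    break
                i += 1
    return findings


# Constructed sample input: a PowerShell fragment that builds a Graph request body.
SAMPLE = '''\
# Constructed sample: create an Autopilot profile via Graph beta
# NOTE: language below is the OOBE display language
$body = @{
    "@odata.type" = "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile"
    displayName   = "Kiosk self-deploying"
    language      = "en-US"
    extractHardwareHash = $true
    enableWhiteGlove    = $false
    outOfBoxExperienceSettings = @{
        hidePrivacySettings = $true
        hideEULA            = $true
        deviceUsageType     = "shared"
    }
}
if ($existing.outOfBoxExperienceSettings.skipKeyboardSelectionPage) { Write-Host "skip" }
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.old} -> {f.new}")
```

A `language` value that appears only in a `$select=` query string is not in key or property position and is not reported, so review query strings by hand.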
Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis and writing tools in response to the new AI features in iOS/iPadOS 18.2.
How does this affect you or your users?
For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions, screen capture will be blocked if you've configured “Send Org data to other apps” to a value other than “All apps”. To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting “com.microsoft.intune.mam.screencapturecontrol” to Disabled.
How can you prepare?
Review your app protection policies and, if needed, create a Managed apps app configuration policy to allow screen capture by configuring the above setting (Apps > App configuration policies > Create > Managed apps > Step 3 ‘Settings’ under General configuration). For more information, review iOS app protection policy settings – Data protection and App configuration policies - Managed apps.
Take Action: Update to the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
To support the upcoming release of iOS/iPadOS 18.2, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. Important: If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:
- SDK for iOS: Update recommended prior to iOS 18.2 general availability - microsoftconnect/ms-intune-app-sdk-ios - Discussion #495
- Wrapper for iOS: Update recommended prior to iOS 18.2 general availability - microsoftconnect/intune-app-wrapping-tool-ios - Discussion #128
As a best practice, always update your iOS apps to the latest App SDK or App Wrapping Tool to ensure that your app continues to run smoothly.
How does this affect you or your users?
If you have applications using the Intune App SDK or Intune App Wrapping Tool, you'll need to update to the latest version to support iOS 18.2.
How can you prepare?
For apps running on iOS 18.2, you must update to the new version of the Intune App SDK for iOS:
- For apps built with Xcode 15 use v19.7.6 - Release 19.7.6 - microsoftconnect/ms-intune-app-sdk-ios - GitHub
- For apps built with Xcode 16 use v20.2.1 - Release 20.2.1 - microsoftconnect/ms-intune-app-sdk-ios - GitHub
For apps running on iOS 18.2, you must update to the new version of the Intune App Wrapping Tool for iOS:
- For apps built with Xcode 15 use v19.7.6 - Release 19.7.6 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub
- For apps built with Xcode 16 use v20.2.1 - Release 20.2.1 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub
Important
The listed SDK releases support blocking screen capture, Genmojis and writing tools in response to new AI features in iOS 18.2. For apps that have updated to these SDK versions, screen capture block is applied if you have configured Send Org data to other apps to a value other than All apps. See iOS/iPadOS app protection policy settings for more info. You can configure app configuration policy setting com.microsoft.intune.mam.screencapturecontrol = Disabled if you wish to allow screen capture for your iOS devices. See App configuration policies for Microsoft Intune for more info. Intune will be providing more granular controls for blocking specific AI features in the future. Follow What's new in Microsoft Intune to stay up to date.
Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.2. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to Apps > Monitor > App protection status, then review Platform version and iOS SDK version.
If you have questions, leave a comment on the applicable GitHub announcement. Additionally, if you haven't already, navigate to the applicable GitHub repository and subscribe to Releases and Discussions (Watch > Custom > select Releases, Discussions) to ensure you stay up-to-date with the latest SDK releases, updates, and other important announcements.
Plan for Change: Specific app configuration values will be automatically sent to specific apps
Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values will be automatically sent to managed applications on Intune enrolled iOS devices for the following apps: Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams and Microsoft Word. Intune will continue to expand this list to include additional managed apps.
How does this affect you or your users?
If these values aren't configured correctly for iOS devices, the policy might not be delivered to the app, or the wrong policy might be delivered. For more information, see Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases.
How can you prepare?
No additional action is needed.
Plan for Change: Implement strong mapping for SCEP and PKCS certificates
With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution Center (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows will enforce these changes on February 11, 2025.
To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
How does this affect you or your users?
These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:
- SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rolling out updated certificates to minimize disruptions to your users.
- PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.
For detailed steps and additional guidance, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
How can you prepare?
If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:
- (Recommended) Enable strong mapping by reviewing the steps described in the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
- Alternatively, if all certificates can't be renewed before February 11, 2025, with the SID included, enable Compatibility mode by adjusting the registry settings as described in KB5014754. Compatibility mode will remain valid until September 2025.
Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support
We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.
How does this affect you or your users?
If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.
How can you prepare?
If you choose to build apps targeting Android API 35, you'll need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you’ve wrapped your app and are targeting API 35 you'll need to use the new version of the App wrapper (v1.0.4549.6).
Note
As a reminder, while apps must update to the latest SDK if targeting Android 15, apps don't need to update the SDK to run on Android 15.
You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.
Here are the public repositories:
Take Action: Enable multifactor authentication for your tenant before October 15, 2024
Starting on or after October 15, 2024, to further increase security, Microsoft will require admins to use multifactor authentication (MFA) when signing in to the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. To take advantage of the extra layer of protection MFA offers, we recommend enabling MFA as soon as possible. To learn more, review Planning for mandatory multifactor authentication for Azure and admin portals.
Note
This requirement also applies to any services accessed through the Intune admin center, such as Windows 365 Cloud PC.
How does this affect you or your users?
MFA must be enabled for your tenant to ensure admins are able to sign in to the Azure portal, Microsoft Entra admin center, and Intune admin center after this change.
How can you prepare?
- If you haven't already, set up MFA before October 15, 2024, to ensure your admins can access the Azure portal, Microsoft Entra admin center, and Intune admin center.
- If you're unable to set up MFA before this date, you can apply to postpone the enforcement date.
- If MFA hasn't been set up before the enforcement starts, admins will be prompted to register for MFA before they can access the Azure portal, Microsoft Entra admin center, or Intune admin center on their next sign-in.
For more information, refer to: Planning for mandatory multifactor authentication for Azure and admin portals.
Plan for Change: Intune is moving to support iOS/iPadOS 16 and later
Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 16/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.
How does this affect you or your users?
If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).
Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.
To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 16/iPadOS 16 while the allowed OS version will change to iOS 13/iPadOS 13 and later. See this statement about ADE Userless support for more information.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.
To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.
Plan for change: Intune is moving to support macOS 13 and higher later this year
Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices.
How does this affect you or your users?
This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Ventura is compatible with these computers.
Note
Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they're running macOS 12.x or below.
How can you prepare?
Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.
Intune moving to support Android 10 and later for user-based management methods in October 2024
In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:
- Android Enterprise personally owned work profile
- Android Enterprise corporate owned work profile
- Android Enterprise fully managed
- Android Open Source Project (AOSP) user-based
- Android device administrator
- App protection policies (APP)
- App configuration policies (ACP) for managed apps
Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.
Note
Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.
How does this affect you or your users?
For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:
- Intune technical support won't be provided.
- Intune won't make changes to address bugs or issues.
- New and existing features aren't guaranteed to work.
While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
How can you prepare?
Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:
- Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
- Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
- Set enrollment restrictions to prevent enrollment on devices running older versions.
For more information, review: Manage operating system versions with Microsoft Intune.
Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment
Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally, for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
Note
For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration. For more information, review: Set up just in time registration in Microsoft Intune.
How does this affect you or your users?
This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method. Existing profiles aren't impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
How can you prepare?
Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.
Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance
We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform that Jamf Pro’s Conditional Access feature is built on will no longer be supported after January 31, 2025.
Note that customers in some environments can't be transitioned initially. For more details and updates, read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.
How does this affect you or your users?
If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.
After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.
How can you prepare?
If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.
Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024
Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.
How does this affect you or your users?
After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:
- Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
- Intune technical support will no longer support these devices.
How can you prepare?
Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.
Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.
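The following is an added example, not Microsoft's code: it triages a device list export against the two Android notices above (Android 10 minimum for user-based management, and the end of device administrator support). The CSV column names, the sample rows, and every OS label other than "Android (device administrator)" are assumptions constructed for illustration; adjust them to match your own export.

```python
import csv
import io

MIN_ANDROID_MAJOR = 10  # support statement above: Android 10 and later
DEVICE_ADMIN = "Android (device administrator)"  # OS filter value named on this page
# Assumed labels for the userless methods the notice exempts (constructed).
USERLESS = {"Android (dedicated)", "Android (AOSP userless)"}

# Constructed sample export; column names are assumptions, not a documented schema.
SAMPLE_CSV = """Device name,OS,OS version,Primary user UPN
pixel-01,Android (fully managed),14,ana@contoso.example
tab-07,Android (personally-owned work profile),9,ben@contoso.example
kiosk-03,Android (dedicated),8.1.0,
legacy-02,Android (device administrator),11,cy@contoso.example
legacy-05,Android (device administrator),7.1.2,dee@contoso.example
scan-09,Android (corporate-owned work profile),,eli@contoso.example
mac-11,macOS,13.6,fay@contoso.example
"""

def major_version(text):
    """Return the leading major version as an int, or None if it can't be parsed."""
    head = text.strip().split(".", 1)[0]
    return int(head) if head.isdigit() else None

def triage(csv_text):
    """Map each affected device name to the list of reasons it needs action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        os_label = row["OS"].strip()
        if not os_label.startswith("Android"):
            continue  # only the Android notices are modelled here
        reasons = []
        if os_label == DEVICE_ADMIN:
            # The export can't show GMS access, so every such device is listed.
            reasons.append("migrate off device administrator")
        if os_label not in USERLESS:
            major = major_version(row["OS version"])
            if major is None:
                reasons.append("OS version unknown, verify manually")
            elif major < MIN_ANDROID_MAJOR:
                reasons.append("below Android 10 for user-based management")
        if reasons:
            findings[row["Device name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_CSV).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Devices with a blank or malformed version are reported rather than silently passed, so they can be checked by hand before a minimum OS version policy is enforced.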