In development for Microsoft Intune

To help in your readiness and planning, this article lists Intune UI updates and features that are in development but not yet released. Also:

• If we anticipate that you'll need to take action before a change, we'll publish a complementary post in the Office message center.
• When a feature enters production, whether it's in preview or generally available, the feature description will move from this article to What's new.
• Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

This article and the What's new article are updated periodically. Check back for more updates.

Note

This article reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This article doesn't describe all features in development. It was last updated on the date shown under the title.

You can use RSS to be notified when this article is updated. For more information, see How to use the docs.

Microsoft Intune Suite

Endpoint Privilege Manager support for Arm64

You'll soon be able to use Endpoint Protection Manager (EPM) file elevations on devices that run on Arm64 architecture.

Applies to:

• Windows

Use Copilot with Endpoint Privilege Manager to help identify potential elevation risks

We’re adding support for Copilot to help you investigate Endpoint Privilege Manager (EPM) elevation details. Copilot will help you evaluate information from you EPM elevation requests to identify potential indicators of compromise by using information from Microsoft Defender.

EPM is available as an Intune Suite add-on-capability. To learn more about how you can use Copilot in Intune, see Microsoft Copilot in Intune.

Endpoint Privilege Manager elevation rule support for file arguments and parameters

Soon, the file elevation rules for Endpoint Privilege Manager (EPM) will support use of arguments or parameters that you want to allow. Arguments and parameters that aren't explicitly allowed will be blocked from use. This capability helps to improve control of the context for file elevations.

EPM is available as an Intune Suite add-on-capability.

App management

Apple VPP using new API v2.0

Apple recently updated how apps and books are managed through the Apple volume purchase program (VPP). Apple has updated their related API to version 2.0 and deprecated version 1.0. To support the Apple updates, Microsoft Intune will soon use the new API, which is faster and more scalable than the previous version.

Applies to:

• iOS/iPadOS
• macOS

Update to Apps workload experience in Intune

The Apps workload in Intune will be updated to provide a more consistent UI and improved navigation structure so you can find the information you need faster. To find the App workload in Intune, navigate to Microsoft Intune admin center and select Apps.

Add Enterprise App Catalog apps to ESP blocking apps list

Enterprise App Catalog apps will be supported with Windows Autopilot. Microsoft Intune Enterprise App Management enables IT admins to easily manage applications from the Enterprise App Catalog. Using Windows Autopilot, you'll be able to select blocking apps from the Enterprise App Catalog in the Enrollment Status Page (ESP) and the Device Preparation Page (DPP) profiles. This allows you to update apps more easily without needing to update those profiles with the latest versions.

For related information, see Set up the Enrollment Status Page, Overview of Windows Autopilot device preparation, and Add an Enterprise App Catalog app to Microsoft Intune.

Applies to:

• Windows

Added protection for iOS/iPadOS app widgets

To protect organizational data for MAM managed accounts and apps, Intune app protection policies now provide the capability to block data sync from policy managed app data to app widgets. App widgets can be added to end-user's iOS/iPadOS device lock screen, which can expose data contained by these widgets, such as meeting titles, top sites, and recent notes. In Intune, you'll be able to set the app protection policy setting Sync policy managed app data with app widgets to Block for iOS/iPadOS apps. This setting will be available as part of the Data Protection settings in app protection policies. This new setting will be an app protection feature similar to the Sync policy managed app data with native app or add-ins setting.

Applies to:

• iOS/iPadOS

Device configuration

Android settings in the Settings Catalog

The settings catalog will soon support Android Enterprise and AOSP.

Currently, to configure Android settings, you use the built-in templates. The settings from these templates are also available in the settings catalog. More settings will continue to be added.

In the Intune admin center, when you create a device configuration profile, you select the Profile Type (Devices > Manage devices > Configuration > Create > New policy > select your Platform > Profile Type). All the profile types are moved to Profile Type > Templates.

This change:

• Will be a UI change with no impact on your existing policies. Your existing policies won't changing. You will still be able to create, edit, and assign these policies the same way.
• Will be the same UI experience as iOS/iPadOS, macOS, and Windows templates.

To get started with settings catalog, go to Use the settings catalog to configure settings on your devices.

Applies to:

• Android Enterprise
• AOSP

The Settings Catalog lists all the settings you can configure in a device policy

The Settings Catalog lists all the settings you can configure in a device policy, and all in one place.

There will soon be new settings in the Settings Catalog to Configure Multiple Display Mode for Windows 24H2. To see available settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.

The Configure Multiple Display Mode setting allows monitors to extend or clone the display by default, facilitating the need for manual setup. It streamlines the multi-monitor configuration process, ensuring a consistent and user-friendly experience.

Applies to:

• Windows

Low privileged account for Intune Connector for Active Directory for Hybrid join Autopilot flows

We're updating the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will no longer be available for download but will continue to work until deprecation.

For more information, see Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot.

Device management

Remote actions with multiple administrative approval (MAA)

Intune access policies help protect against a compromised administrative account by requiring that a second administrative account is used to approve a change before the change is applied. This capability is known as multiple administrative approval (MAA). The remote actions Retire, Wipe and Delete will support MAA. Onboarding Remote device actions to MAA, will help mitigate the risk of unauthorized or compromised remote actions being taken on device(s) by a single administrative account thereby enhancing the overall security posture of the environment.

For more information on multiple administrative approval, see Use multiple administrative approvals in Intune.

Remote Help supports Azure Virtual Desktop muti-session

Currently, Remote Help supports Azure Virtual Desktop (AVD) sessions with one user on one virtual machine (VM). Going forward, Remote Help will enable support for multi-session AVD with several users on a single virtual machine.

For more information, see:

• Remote Help
• Using Azure Virtual Desktop multi-session with Microsoft Intune

Introducing platform level targeting of Device Cleanup rule

We're adding a feature that will allow a customer to:

• Configure one device cleanup rule per platform (Windows, iOS/macOS,iPadOS, Android, Linux)
• Configure a different RBAC permission and assign the permission to different RBAC roles

Platform level targeting of the Device Cleanup rule will help administrators to remove stale and inactive devices from their tenant based on the active days rule specified by the admin. Scoped and targeted Device cleanup rules add an intermediate stage where an admin will be able to target removing stale devices by having a rule configured at the platform or OS level. 

For more information, see device cleanup rules.

Copilot assistant for device query

You'll soon be able to use Copilot to generate a KQL query to help you get data from across multiple devices in Intune. This capability will be available in the Microsoft Intune admin center by selecting Devices > Device query > Query with Copilot.

Device security

Updated security baseline for Microsoft Edge v128

We’re working on an update to add an Intune security baseline for Microsoft Edge v128. This update will bring support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge.

For information about security baselines with Intune, see Use security baselines to configure Windows devices in Intune.

Applies to:

• Windows

Updated security baseline for Windows version 24H2

We're working on an update to add an Intune security baseline for Windows version 24H2. The new baseline version will use the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles.

Use of Intune security baselines can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft.

As with all baselines, the default baseline will represent the recommended configurations for each setting, which you can modify to meet the requirements of your organization.

Applies to:

• Windows

Security baselines for HoloLens 2 in public preview

We’re working to release a public preview of two security baselines for HoloLens 2. These baselines represent Microsoft’s best practice guidelines and experience from deploying and supporting HoloLens 2 devices to customers across various industries. The baselines include:

• Standard Security Baseline for HoloLens 2: The standard security baseline for HoloLens 2 represents the recommendations for configuring security settings that are applicable to all types of customers irrespective of HoloLens 2 use case scenarios.

• Advanced Security Baseline for HoloLens 2: The advanced security baseline for HoloLens 2 represents the recommendations for configuring security settings for the customers who have strict security controls of their environment and require stringent security policies to be applied to any device used in their environment.

To learn more about security baselines with Intune, see Use security baselines to configure Windows devices in Intune.

Linux support for Endpoint detection and response exclusion settings

We're adding a new Endpoint Security template under Endpoint detection and response (EDR) for the Linux platform, that will be supported through the Microsoft Defender for Endpoint security settings management scenario.

The template will support settings related to global exclusion settings. Applicable to antivirus and EDR engines on the client, the settings can configure exclusions to stop associated real time protection EDR alerts for the excluded items. Exclusions can be defined by the file path, folder, or process explicitly defined by the admin in the policy.

Applies to:

• Linux

New Microsoft Tunnel readiness check for auditd package

We're updating the Microsoft Tunnel readiness tool to detect if the auditd package for Linux System Auditing (LSA) is installed on your Linux Server. When this check is in place, the mst-readiness tool will raise a warning if the audit package isn't installed. Auditing isn't a required prerequisite for the Linux Server, but recommended.

For more information on auditd and how to install it on your Microsoft Tunnel server, see Linux system auditing.

Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint

You'll be able to use the endpoint security policy for Device control (Attack surface reduction policy) from the Microsoft Intune with the devices you manage through the Microsoft Defender for Endpoint security settings management capability.

• Device control policies are part of endpoint security Attack surface reduction policy.

Applies to the following when you use the Windows 10, Windows 11, and Windows Server platform:

• Windows 10
• Windows 11

When this change takes effect, devices that are assigned this policy while managed by Defender for Endpoint but not enrolled with Intune, will now apply the settings from the policy. Check your policy to make sure only the devices you intend to receive this policy will get it.

Monitor and troubleshoot

Device Query for Multiple Devices

We're adding Device query for multiple devices. This feature allows you to gain comprehensive insights about your entire fleet of devices using Kusto Query Language (KQL) to query across collected inventory data for your devices.

Device query for multiple devices will be supported for devices running Windows 10 or later. This feature will be included as part of Advanced Analytics.

Applies to:

• Windows

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Plan for Change: Blocking screen capture in the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS

We recently released updated versions of the Intune App SDK and the Intune App Wrapping Tool. Included in these releases (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) is the support for blocking screen capture, Genmojis and writing tools in response to the new AI features in iOS/iPadOS 18.2.

How does this affect you or your users?

For apps that have updated to the latest Intune App SDK or Intune App Wrapping Tool versions screen capture will be blocked if you've configured “Send Org data to other apps” to a value other than “All apps”. To allow screen capture for your iOS/iPadOS devices, configure the Managed apps app configuration policy setting “com.microsoft.intune.mam.screencapturecontrol" to Disabled.

How can you prepare?

Review your app protection policies and if needed, create a Managed apps app configuration policy to allow screen capture by configuring the above setting (Apps > App configuration policies > Create > Managed apps > Step 3 ‘Settings’ under General configuration). For more information review, iOS app protection policy settings – Data protection and App configuration policies - Managed apps.

Take Action: Update to the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS

To support the upcoming release of iOS/iPadOS 18.2, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. Important: If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:

• SDK for iOS: Update recommended prior to iOS 18.2 general availability - microsoftconnect/ms-intune-app-sdk-ios - Discussion #495
• Wrapper for iOS: Update recommended prior to iOS 18.2 general availability - microsoftconnect/intune-app-wrapping-tool-ios - Discussion #128

As a best practice, always update your iOS apps to the latest App SDK or App Wrapping Tool to ensure that your app continues to run smoothly.

How does this affect you or your users?

If you have applications using the Intune App SDK or Intune App Wrapping Tool, you will need to update to the latest version to support iOS 18.2.

How can you prepare?

For apps running on iOS 18.2, you must update to the new version of the Intune App SDK for iOS:

• For apps built with XCode 15 use v19.7.6 - Release 19.7.6 - microsoftconnect/ms-intune-app-sdk-ios - GitHub
• For apps built with XCode 16 use v20.2.1 - Release 20.2.1 - microsoftconnect/ms-intune-app-sdk-ios - GitHub

For apps running on iOS 18.2, you must update to the new version of the Intune App Wrapping Tool for iOS:

• For apps built with XCode 15 use v19.7.6 - Release 19.7.6 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub
• For apps built with XCode 16 use v20.2.1 - Release 20.2.1 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub

Important

The listed SDK releases support blocking screen capture, Genmojis and writing tools in response to new AI features in iOS 18.2. For apps that have updated to these SDK versions, screen capture block is applied if you have configured Send Org data to other apps to a value other than All apps. See iOS/iPadOS app protection policy settings for more info. You can configure app configuration policy setting com.microsoft.intune.mam.screencapturecontrol = Disabled if you wish to allow screen capture for your iOS devices. See App configuration policies for Microsoft Intune for more info. Intune will be providing more granular controls for blocking specific AI features in the future. Follow What's new in Microsoft Intune to stay up to date.

Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.2. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to Apps > Monitor > App protection status, then review Platform version and iOS SDK version.

If you have questions, leave a comment on the applicable GitHub announcement. Additionally, if you haven't already, navigate to the applicable GitHub repository and subscribe to Releases and Discussions (Watch > Custom > select Releases, Discussions) to ensure you stay up-to-date with the latest SDK releases, updates, and other important announcements.

Plan for Change: Specific app configuration values will be automatically sent to specific apps

Starting with Intune's September (2409) service release, the IntuneMAMUPN, IntuneMAMOID, and IntuneMAMDeviceID app configuration values will be automatically sent to managed applications on Intune enrolled iOS devices for the following apps: Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Teams and Microsoft Word. Intune will continue to expand this list to include additional managed apps.

How does this affect you or your users?

If these values aren't configured correctly for iOS devices, there is a possibility of either the policy not getting delivered to the app or the wrong policy is delivered. For more information, see Support tip: Intune MAM users on iOS/iPadOS userless devices may be blocked in rare cases.

How can you prepare?

No additional action is needed.

Plan for Change: Implement strong mapping for SCEP and PKCS certificates

With the May 10, 2022, Windows update (KB5014754), changes were made to the Active Directory Kerberos Key Distribution (KDC) behavior in Windows Server 2008 and later versions to mitigate elevation of privilege vulnerabilities associated with certificate spoofing. Windows will enforce these changes on February 11, 2025.

To prepare for this change, Intune has released the ability to include the security identifier to strongly map SCEP and PKCS certificates. For more information, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates

How does this affect you or your users?

These changes will impact SCEP and PKCS certificates delivered by Intune for Microsoft Entra hybrid joined users or devices. If a certificate can't be strongly mapped, authentication will be denied. To enable strong mapping:

• SCEP certificates: Add the security identifier to your SCEP profile. We strongly recommend testing with a small group of devices and then slowly rollout updated certificates to minimize disruptions to your users.
• PKCS certificates: Update to the latest version of the Certificate Connector, change the registry key to enable the security identifier, and then restart the connector service. Important: Before you modify the registry key, review how to change the registry key and how to back up and restore the registry.

For detailed steps and additional guidance, review the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates

How can you prepare?

If you use SCEP or PKCS certificates for Microsoft Entra Hybrid joined users or devices, you'll need to take action before February 11, 2025 to either:

• (Recommended) Enable strong mapping by reviewing the steps described in the blog: Support tip: Implementing strong mapping in Microsoft Intune certificates
• Alternatively, if all certificates cannot be renewed before February 11, 2025, with the SID included, enable Compatibility mode by adjusting the registry settings as described in KB5014754. Compatibility mode will remain valid until September 2025.

Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support

We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.

How does this affect you or your users?

If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.

How can you prepare?

If you choose to build apps targeting Android API 35, you'll need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you’ve wrapped your app and are targeting API 35 you'll need to use the new version of the App wrapper (v1.0.4549.6).

Note

As a reminder, while apps must update to the latest SDK if targeting Android 15, apps do not need to update the SDK to simply run on Android 15.

You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.

Here are the public repositories:

• Intune App SDK for Android
• Intune App Wrapping Tool for Android

Take Action: Enable multifactor authentication for your tenant before October 15, 2024

Starting on or after October 15, 2024, to further increase security, Microsoft will require admins to use multi-factor authentication (MFA) when signing into the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. To take advantage of the extra layer of protection MFA offers, we recommend enabling MFA as soon as possible. To learn more, review Planning for mandatory multifactor authentication for Azure and admin portals.

Note

This requirement also applies to any services accessed through the Intune admin center, such as Windows 365 Cloud PC.

How does this affect you or your users?

MFA must be enabled for your tenant to ensure admins are able to sign-in to the Azure portal, Microsoft Entra admin center and Intune admin center after this change.

How can you prepare?

• If you haven't already, set up MFA before October 15, 2024, to ensure your admins can access the Azure portal, Microsoft Entra admin center, and Intune admin center.
• If you're unable to set up MFA before this date, you can apply to postpone the enforcement date.
• If MFA hasn't been set up before the enforcement starts, admins will be prompted to register for MFA before they can access the Azure portal, Microsoft Entra admin center, or Intune admin center on their next sign-in.

For more information, refer to: Planning for mandatory multifactor authentication for Azure and admin portals.

Plan for Change: Intune is moving to support iOS/iPadOS 16 and later

Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS 16/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release.

How does this affect you or your users?

If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).

Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.

To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:

• Supported iPhone models
• Supported iPad models

Note

Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. The minimum supported OS version will change to iOS 16/iPadOS 16 while the allowed OS version will change to iOS 13/iPadOS 13 and later. See this statement about ADE Userless support for more information.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to Devices > All devices and filter by OS. For devices with app protection policies, go to Apps > Monitor > App protection status and use the Platform and Platform version columns to filter.

To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see Manage operating system versions with Intune.

Plan for change: Intune is moving to support macOS 13 and higher later this year

Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices.

How does this affect you or your users?

This change only affects you if you currently manage, or plan to manage, macOS devices with Intune. This change might not affect you because your users have likely already upgraded their macOS devices. For a list of supported devices, see macOS Ventura is compatible with these computers.

Note

Devices that are currently enrolled on macOS 12.x or below will continue to remain enrolled even when those versions are no longer supported. New devices will be unable to enroll if they are running macOS 12.x or below.

How can you prepare?

Check your Intune reporting to see what devices or users might be affected. Go to Devices > All devices and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.

Intune moving to support Android 10 and later for user-based management methods in October 2024

In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:

• Android Enterprise personally owned work profile
• Android Enterprise corporate owned work profile
• Android Enterprise fully managed
• Android Open Source Project (AOSP) user-based
• Android device administrator
• App protection policies (APP)
• App configuration policies (ACP) for managed apps

Moving forward, we'll end support for one or two versions annually in October until we only support the latest four major versions of Android. You can learn more about this change by reading the blog: Intune moving to support Android 10 and later for user-based management methods in October 2024.

Note

Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices won't be impacted by this change.

How does this affect you or your users?

For user-based management methods (as listed above), Android devices running Android 9 or earlier won't be supported. For devices on unsupported Android OS versions:

• Intune technical support won't be provided.
• Intune won't make changes to address bugs or issues.
• New and existing features aren't guaranteed to work.

While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.

How can you prepare?

Notify your helpdesk, if applicable, about this updated support statement. The following admin options are available to help warn or block users:

• Configure a conditional launch setting for APP with a minimum OS version requirement to warn and/or block users.
• Use a device compliance policy and set the action for noncompliance to send a message to users before marking them as noncompliant.
• Set enrollment restrictions to prevent enrollment on devices running older versions.

For more information, review: Manage operating system versions with Microsoft Intune.

Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment

Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

Note

For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: Set up just in time registration in Microsoft Intune.

How does this affect you or your users?

This is an update to the user interface when creating new iOS/iPadOS enrollment profiles to display “Web based device enrollment” as the default method, existing profiles are not impacted. For new tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.

How can you prepare?

Update your documentation and user guidance as needed. If you currently use device enrollment with Company Portal, we recommend moving to web based device enrollment and deploying the SSO extension policy to enable JIT registration.

Additional information:

• Set up just in time registration in Microsoft Intune
• Set up web based device enrollment for iOS

Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance

We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after January 31, 2025.

Note that customers in some environments cannot be transitioned initially, for more details and updates read the blog: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

How does this affect you or your users?

If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation.

After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.

How can you prepare?

If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance.

Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024

Google has deprecated Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning December 31, 2024. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: Microsoft Intune ending support for Android device administrator on devices with GMS access.

How does this affect you or your users?

After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:

1. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
2. Intune technical support will no longer support these devices.

How can you prepare?

Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to Devices > All devices and filter the OS column to Android (device administrator) to see the list of devices.

Read the blog, Microsoft Intune ending support for Android device administrator on devices with GMS access, for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.

See also

For details about recent developments, see What's new in Microsoft Intune.