You can protect access and data on organization-owned and users' personal devices.
Intune also has compliance and reporting features that support the Zero Trust security
model.
Tip
To get Intune, go to Licenses available for Microsoft Intune and Intune 30-day trial.
For more information on what it means to be cloud-native, go to Learn more
about cloud-native endpoints.
You can manage users and devices, including devices owned by your organization
and personally owned devices. Microsoft Intune supports Android, Android Open
Source Project (AOSP), iOS/iPadOS, macOS, and Windows client devices. With
Intune, you can use these devices to securely access organization resources with
policies you create.
Note
Intune simplifies app management with a built-in app experience, including app
deployment, updates, and removal. You can connect to and distribute apps from
your private app stores, enable Microsoft 365 apps, deploy Win32 apps, create app
protection policies, and manage access to apps and their data.
For more information, go to Manage apps using Microsoft Intune.
Employees and students can use the self-service features in the Company Portal
app to reset a PIN/password, install apps, join groups, and more. You can
customize the Company Portal app to help reduce support calls.
For more information, go to Configure the Intune Company Portal apps, Company
Portal website, and Intune app.
This admin center uses Microsoft Graph REST APIs to programmatically access the
Intune service. Every action in the admin center is a Microsoft Graph call. If you’re
not familiar with Graph, and want to learn more, go to Graph integrates with
Microsoft Intune.
With Windows Autopilot, you can provision new devices and send these devices
directly to users from an OEM or device provider. For existing devices, you can
reimage these devices to use Windows Autopilot and deploy the latest Windows
version.
Endpoint analytics for visibility and reporting on end user experiences, including
device performance and reliability
You can use Endpoint analytics to help identify policies or hardware issues that
slow down devices. It also provides guidance that can help you proactively
improve end user experiences and reduce help desk tickets.
Microsoft 365 for end user productivity: Office apps, including Outlook, Teams,
SharePoint, OneDrive, and more
Using Intune, you can deploy Microsoft 365 apps to users and devices in your
organization. You can also deploy these apps when users sign in for the first time.
Windows Autopatch for automatic patching of Windows, Microsoft 365 apps for
enterprise, Microsoft Edge, and Microsoft Teams
Windows Autopatch is a cloud based service. It keeps software current, gives users
the latest productivity tools, minimizes on-premises infrastructure, and helps free
up your IT admins to focus on other projects. Windows Autopatch uses Microsoft
Intune to manage patching for Intune-enrolled devices or devices using co-management
(Intune + Configuration Manager).
Managed Google Play: When you connect to your Managed Google Play account,
admins can access your organization's private store for Android apps, and deploy
these apps to your devices.
For more information, go to Add Managed Google Play apps to Android Enterprise
devices with Intune.
Apple tokens and certificates: When they're added, your iOS/iPadOS and macOS
devices can enroll in Intune and receive policies from Intune. Admins can access
your volume purchased iOS/iPad and macOS app licenses, and deploy these apps
to your devices.
For more information, go to:
Get an Apple MDM push certificate
Automatically enroll iOS/iPadOS devices by using Apple's Automated Device
Enrollment
Manage iOS and macOS apps purchased through Apple Business Manager with
Microsoft Intune
TeamViewer: When you connect to your TeamViewer account, you can use
TeamViewer to remotely assist devices.
For more platform-specific requirements to enroll third party partner devices in Intune,
go to:
In Intune, you create policies that configure features & settings and provide security &
protection. The devices are fully managed by your organization, including the user
identities that sign in, the apps that are installed, and the data that's accessed.
When devices enroll, you can deploy your policies during the enrollment process. When
enrollment completes, the device is ready to use.
For personal devices in bring-your-own-device (BYOD) scenarios, you can use Intune for
mobile application management (MAM). MAM is user centric, so the app data is
protected regardless of the device used to access this data. There's a focus on apps,
including securely accessing apps and protecting data within the apps.
You can also use MDM and MAM together. If your devices are enrolled and there are
apps that need extra security, then you can also use MAM app protection policies.
For organization-owned devices, you want full control over the devices, especially
security. When devices enroll, they receive your security rules and settings.
Create and deploy policies that configure security settings, set password
requirements, deploy certificates, and more.
Use mobile threat defense services to scan devices, detect threats, and remediate
threats.
View data and reports that measure compliance with your security settings and
rules.
Use conditional access to only allow managed and compliant devices access to
organization resources, apps, and data.
Remove organization data if a device is lost or stolen.
For personal devices, users might not want their IT admins to have full control. To
support a hybrid work environment, give users options. For example, users enroll their
devices if they want full access to your organization's resources. Or, if these users only
want access to Outlook or Microsoft Teams, then use app protection policies that
require multi-factor authentication (MFA).
Use mobile threat defense services to protect app data by scanning devices,
detecting threats, and assessing risk.
Prevent organization data from being copied and pasted into personal apps.
Use app protection policies on apps and on unmanaged devices enrolled in a third
party or partner MDM.
Use conditional access to restrict the apps that can access organization email and
files.
Remove organization data within apps.
Simplify access
Intune helps organizations support employees who can work from anywhere. There are
features you can configure that allow users to connect to an organization, wherever they
might be.
This section includes some common features that you can configure in Intune.
Windows Hello for Business replaces passwords with a PIN or biometrics, such as
fingerprint or facial recognition. This biometric information is stored locally on the device
and is never sent to external devices or servers.
Using common VPN connection partners, including Check Point, Cisco, Microsoft
Tunnel, NetMotion, Pulse Secure, and more, you can create a VPN policy with your
network settings. When the policy is ready, you deploy this policy to your users and
devices that need to connect to your network remotely.
In the VPN policy, you can use certificates to authenticate the VPN connection. When
you use certificates, your end users don't need to enter usernames and passwords.
In the Wi-Fi policy, you can use certificates to authenticate the Wi-Fi connection. When
you use certificates, your end users don't need to enter usernames and passwords.
When the policy is ready, you deploy this policy to your on-premises users and devices
that need to connect to your on-premises network.
Specifically:
On Windows devices, SSO is automatically built in and used to sign in to apps and
websites that use Azure AD for authentication, including Microsoft 365 apps. You
can also enable SSO on VPN and Wi-Fi policies.
On iOS/iPadOS and macOS devices, you can use the Microsoft Enterprise SSO
plug-in to automatically sign in to apps and websites that use Azure Active
Directory (AD) for authentication, including Microsoft 365 apps.
On Android devices, you can use the Microsoft Authentication Library (MSAL) to
enable SSO to Android apps.
Next steps
Manage identities using Microsoft Intune
Manage devices using Microsoft Intune
Manage apps using Microsoft Intune
Manage user and group identities in Microsoft Intune
Article • 04/03/2023
Microsoft Intune can do all these tasks, and more. Intune is a cloud-based service that
can manage user identities through policy, including security and authentication
policies. For more information on Intune and its benefits, go to What is Microsoft
Intune?.
From a service perspective, Intune uses Azure Active Directory (AD) for identity storage
and permissions. Using the Microsoft Intune admin center, you can manage these tasks
in a central location designed for endpoint management.
This article discusses concepts and features you should consider when managing your
identities.
In on-premises environments, user accounts and groups are created and managed in
on-premises Active Directory. You can update these users and groups using any domain
controller in the domain.
The Intune admin center includes a central location to manage users and groups. The
admin center is web-based and can be accessed from any device that has an internet
connection. Admins just need to sign into the admin center with their Intune
administrator account.
An important decision is to determine how to get the user accounts and groups into
Intune. Your options:
If you currently use Microsoft 365 and have your users and groups in the
Microsoft 365 admin center, then these users and groups are also available in the
Intune admin center.
Azure AD and Intune use a "tenant", which is your organization, such as Contoso or
Microsoft. If you have multiple tenants, sign into the Intune admin center in the
same Microsoft 365 tenant as your existing users and groups. Your users and
groups will automatically be shown and available.
If you currently use on-premises Active Directory, then you can use Azure AD
Connect to synchronize your on-premises AD accounts to Azure AD. When these
accounts are in Azure AD, then they're also available in the Intune admin center.
You can also import existing users and groups from a CSV file into the Intune
admin center, or create the users and groups from scratch. When adding groups,
you can add users and devices to these groups to organize them by location,
department, hardware, and more.
By default, Intune automatically creates the All users and All devices groups. When your
users and groups are available to Intune, then you can assign your policies to these
users and groups.
Move from machine accounts
When a Windows endpoint, like a Windows 10/11 device, joins an on-premises Active
Directory (AD) domain, a computer account is automatically created. The
computer/machine account can be used to authenticate on-premises programs,
services, and apps.
These machine accounts are local to the on-premises environment and can't be used on
devices that are joined to Azure AD. In this situation, you need to switch to user-based
authentication to authenticate to on-premises programs, services, and apps.
For more information and guidance, go to Known issues and limitations with cloud-native
endpoints.
Since Intune uses Azure AD, you also have access to the built-in Azure AD roles, such as
Global Administrator and Intune Service Administrator.
Each role has its own create, read, update or delete permissions as needed. You can also
create custom roles if your admins need a specific permission. When you add or create
your administrator-type of users and groups, you can assign these accounts to the
different roles. The Intune admin center has this information in a central location and
can be easily updated.
For more information, go to Role-based access control (RBAC) with Microsoft Intune
Any policies assigned or deployed to the user identity go with the user to all of their
devices. When a user is associated with the device, they can access their email accounts,
their files, their apps, and more.
When you don't associate a user with a device, then the device is considered user-less.
This scenario is common for kiosk devices dedicated to a specific task and devices that
are shared by multiple users.
In Intune, you can create policies for both scenarios on Android, iOS/iPadOS, macOS,
and Windows. When getting ready to manage these devices, be sure you know the
intended purpose of the device. This information helps in the decision making process
when devices are being enrolled.
For more specific information, go to the enrollment guides for your platforms:
Intune is cloud-based. Policies created in Intune include settings that control device
features, security rules, and more. These policies are assigned to your users and groups.
There isn't a traditional hierarchy like LSDOU (local, site, domain, organizational unit).
Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS
devices
Common questions and answers with device policies and profiles in Microsoft
Intune
Windows Hello for Business replaces username and password sign-in and is part
of a password-less strategy.
Passwords are entered on a device and then transmitted over the network to the
server. They can be intercepted and used by anyone and anywhere. A server
breach can reveal stored credentials.
With Windows Hello for Business, users sign in and authenticate with a PIN or
biometric, such as facial and fingerprint recognition. This information is stored
locally on the device and isn't sent to external devices or servers.
When Windows Hello for Business is deployed to your environment, you can use
Intune to create Windows Hello for Business policies for your devices. These
policies can configure PIN settings, allow biometric authentication, use security
keys, and more.
Multi-factor authentication (MFA) is a feature available with Azure AD. For users
to successfully authenticate, at least two different verification methods are
required. When MFA is deployed to your environment, you can also require MFA
when devices are enrolling into Intune.
Zero Trust verifies all endpoints, including devices and apps. The idea is to help
keep organization data in the organization, and prevent data leaks from accidental
or malicious intent. It includes different feature areas, including Windows Hello for
Business, using MFA, and more.
Next steps
Manage devices
Manage apps
Manage your devices and control device features in Microsoft Intune
Article • 04/19/2023
Enter Microsoft Intune. Intune is a cloud-based service that can control devices through
policy, including security policies. For more information on Intune and its benefits, go to
What is Microsoft Intune?.
The goal of any organization that's managing devices is to secure devices and the data
they access. This task includes organization owned devices and personally owned
devices that access your organization resources.
From a service perspective, Intune uses Azure Active Directory (AD) for device storage
and permissions. Using the Microsoft Intune admin center, you can manage device tasks
and policies in a central location designed for endpoint management.
This article discusses concepts and features you should consider when managing your
devices.
You can require personal devices to be enrolled in your organization's device management
services. On these personal devices, your admins can deploy policies, set rules, configure
device features, and more. Or, you can use app protection policies that focus on
protecting app data, such as Outlook, Teams, and SharePoint. You can also use a
combination of device enrollment and app protection policies.
Organization-owned devices should be fully managed by your organization and receive
policies that enforce rules and protect data.
There are some things you should know. For example, if existing devices are managed
by another MDM provider, they may need to be factory reset. If the devices are using an
older OS version, they may not be supported.
If your organization is investing in new devices, then it's recommended to start with a
cloud approach using Intune.
You can create compliance policies that block simple passwords, require a firewall, set
the minimum OS version, and more. You can use these policies and built-in reporting to
see noncompliant devices and see the noncompliant settings on these devices. This
information gives you an idea of the overall health of the devices accessing your
organization resources.
Conditional Access is a feature of Azure AD. With Conditional Access, you can enforce
compliance. For example, if a device doesn't meet your compliance rules, then you can
block access to organization resources, including Outlook, SharePoint, Teams, and more.
Conditional Access helps your organization secure your data and protect your devices.
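As an added example (not Intune's own code or API), the following Python model shows how the compliance rules named above produce a noncompliant-settings report and feed a "require compliant device" Conditional Access decision; the policy values, device records and resource names are all constructed for the example.

```python
"""
Illustrative model of how a device compliance policy feeds Conditional Access.
Added example for this page; it is not Intune's own code or API. The policy,
device records and resource names are constructed.
"""
from dataclasses import dataclass, field

# Constructed compliance policy, mirroring the rules named in the text:
# block simple passwords, require a firewall, set the minimum OS version.
POLICY = {
    "block_simple_passwords": True,
    "require_firewall": True,
    "minimum_os_version": "10.0.19045",  # assumed value for the example
}

# Constructed device inventory (what each device reports back to the service).
SAMPLE_DEVICES = [
    {"name": "LAPTOP-01", "os_version": "10.0.22621",
     "firewall_enabled": True, "blocks_simple_passwords": True},
    {"name": "LAPTOP-02", "os_version": "10.0.19044",
     "firewall_enabled": False, "blocks_simple_passwords": True},
    {"name": "DESKTOP-03", "os_version": "10.0.19045",
     "firewall_enabled": True, "blocks_simple_passwords": False},
]


def parse_version(version: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically,
    not as strings (string comparison would rank '10.0.9999' above '10.0.19045')."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class ComplianceResult:
    device: str
    noncompliant_settings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # A device is compliant only when every rule in the policy is satisfied.
        return not self.noncompliant_settings


def evaluate_compliance(device: dict, policy: dict) -> ComplianceResult:
    """Check one device against the policy and record every failing setting."""
    result = ComplianceResult(device=device["name"])
    minimum = policy.get("minimum_os_version")
    if minimum and parse_version(device["os_version"]) < parse_version(minimum):
        result.noncompliant_settings.append(
            f"os_version {device['os_version']} is below minimum {minimum}")
    if policy.get("require_firewall") and not device["firewall_enabled"]:
        result.noncompliant_settings.append("firewall is disabled")
    if policy.get("block_simple_passwords") and not device["blocks_simple_passwords"]:
        result.noncompliant_settings.append("simple passwords are not blocked")
    return result


def noncompliance_report(devices: list, policy: dict) -> dict:
    """The reporting view the text describes: each noncompliant device mapped to
    the settings that failed, so an admin sees what to fix rather than a bare flag."""
    report = {}
    for device in devices:
        result = evaluate_compliance(device, policy)
        if not result.compliant:
            report[result.device] = result.noncompliant_settings
    return report


def conditional_access(device: dict, policy: dict, resource: str) -> str:
    """Grant or block access to a resource from the device's compliance state.
    The 'require compliant device' grant control is modelled as a plain rule."""
    result = evaluate_compliance(device, policy)
    if result.compliant:
        return f"grant: {result.device} may access {resource}"
    return (f"block: {result.device} denied {resource} "
            f"({len(result.noncompliant_settings)} noncompliant settings)")


if __name__ == "__main__":
    for name, settings in noncompliance_report(SAMPLE_DEVICES, POLICY).items():
        print(name, "->", "; ".join(settings))
    for sample in SAMPLE_DEVICES:
        print(conditional_access(sample, POLICY, "SharePoint"))
```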
For many organizations, it's common to create device groups. Device groups are Azure
AD groups that only include devices. They don't include user identities.
When you have device groups, you create policies that focus on the device experience
or task, like running a single app or scanning bar codes. You can also create policies that
include settings that you want to always be on the device, regardless of who's using the
device.
You can group devices by OS platform, by function, by location, and anything else you
prefer.
Device groups can also include devices that are shared with many users or aren't
associated with a specific user. These dedicated or kiosk devices are typically used by
front line workers and can also be managed by Intune.
When the groups are ready, you can assign your policies to these device groups.
Integrate with Mobile Threat Defense (MTD) partners to help protect organization
owned devices and personally owned devices. These MTD services scan the devices
and can help remediate vulnerabilities.
For more specific information, go to Mobile Threat Defense integration with Intune
If you're not sure where to start, then look at Security Baselines and the built-in
guided scenarios.
Manage software updates, encrypt hard disks, configure built-in firewalls, and
more using built-in policy settings. You can also use Windows Autopatch for
automatic patching of Windows, including Windows quality updates and Windows
feature updates.
Manage devices remotely using the Intune admin center. You can remotely lock,
restart, locate a lost device, restore a device to its factory settings, and more. These
tasks are helpful if a device is lost or stolen, or if you're remotely troubleshooting a
device.
Next steps
Manage identities in Intune
Manage apps
Manage your apps and app data in Microsoft Intune
Article • 05/15/2023
Managing and protecting apps and their data is a significant part of any endpoint
management strategy and solution. In most environments, users can install public retail
apps and possibly access organization data from these apps. Many organizations also
have their own private apps and line-of-business apps that need to be deployed and
managed, and they need to make sure this app data stays within the organization.
App management can be challenging, and Intune can help. Microsoft Intune is a
cloud-based service that can manage many app types. Using Intune, admins can deploy,
configure, protect, and update apps that access your organization resources. For more
information on Intune and its benefits, go to What is Microsoft Intune?.
Microsoft Intune supports Android, iOS/iPadOS, macOS and Windows client devices. So,
you can use Intune's app management features across your many devices.
From a service perspective, Intune uses Azure Active Directory (AD) for identity
management. To use some apps, these Azure AD user identities must have licenses
assigned to them. The Microsoft Intune admin center can also help you manage
licensing.
This article discusses concepts and features you should consider when managing and
securing apps.
Deploy apps your organization uses
Organizations use many different types of apps, including store apps, line-of-business
(LOB) apps, web apps, and more. You can add apps to Intune and then use its app policy
management to deploy these apps to your devices.
The app features in the Intune admin center make it easier to deploy these different
kinds of apps. Intune supports Android, iOS/iPadOS, macOS, and Windows client
devices:
For Android devices, the Intune admin center automatically connects to the public
Play Store and gives you the ability to search for apps. You can also sync with your
Managed Google Play account to access your Android Enterprise apps, including
private apps.
If you use Google Mobile Services (GMS) (opens Android's web site), you can
purchase licenses to GMS, which typically happens when you purchase Android
devices. GMS gives users access to the public Play Store and its public apps.
If your organization doesn't use Google Mobile Services (GMS) (opens Android's
web site), then Intune can also manage devices using the Android Open Source
Project (AOSP) platform.
For iOS/iPadOS devices, the Intune admin center automatically connects to the
public App Store and gives you the ability to search for apps. You can also sync
with your Apple Business Manager or Apple School Manager account to access
your volume-licensed apps. When you sync, the apps you purchase (your licensed
apps) are automatically shown in the admin center.
For macOS devices, the Intune admin center has built-in features that include apps
commonly deployed to macOS, including Microsoft Edge and Microsoft 365 apps.
You can also sync with your Apple Business Manager or Apple School Manager
account to access your volume-licensed apps. When you sync, the apps you
purchase (your licensed apps) are automatically shown in the admin center.
For Windows devices, the Intune admin center automatically connects to the
public Microsoft Store and gives you the ability to search for apps. You can also
sync with your Microsoft Store for Business account to access your volume-licensed
apps. When you sync, the apps you purchase (your licensed apps) are
automatically shown in the admin center.
Note
Microsoft Store for Business is being retired. Starting with Windows 11, you
have a new option for your private volume-licensed apps. For more
information, go to Private app repository in Windows 11 and Update to
Microsoft Intune integration with the Microsoft Store on Windows.
App configuration policies give you these features. You can create app configuration
policies that automatically configure apps. Depending on your policy settings, users
might not need to enter any configuration information when they open the app.
For example, in an app configuration policy, you can enter the app language, add your
organization's logo, block apps from using personal accounts, and more.
Your app configuration policies can be deployed at any time. If you want to configure
apps before users open them the first time, then you can include the app configuration
policy when users enroll their devices. During enrollment, your app configuration
policies are automatically deployed and the apps include your configuration settings.
You can use Intune to create, configure, and deploy app protection policies to your
users and your devices, including personally owned devices and devices managed by
another MDM provider. Typically, organization owned devices are managed by your
organization. If there are apps on these managed devices that require extra security,
then you can also use app protection policies on these devices.
App protection policies also help separate personal data from organization data. For
example, you can create policies that block copy-and-paste between apps, require a PIN
when opening an app, block backups to personal cloud services, and more.
You can also use Windows Autopatch for automatic patching of Microsoft 365 Apps for
enterprise, Microsoft Edge, and Microsoft Teams.
If users install apps themselves, including from a public app store, then these apps
need to be updated manually. In this situation, you can use app protection policies to
enforce a minimum app version, and even wipe organization data on devices that don't
meet your standards.
Next steps
Manage identities
Manage devices
Frequently asked questions about application management and app protection
Zero Trust with Microsoft Intune
Article • 04/03/2023
Zero Trust is a security strategy for designing and implementing the following set of
security principles:
Verify explicitly: Always authenticate and authorize based on all available data points.
Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access
(JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption
and use analytics to get visibility, drive threat detection, and improve defenses.
How Intune supports each principle:
Verify explicitly: Intune allows you to configure policies for apps, security settings,
device configuration, compliance, Azure Active Directory (AD) Conditional Access, and
more. These policies become part of the authentication and authorization process of
accessing resources.
Use least privilege access: Intune simplifies app management with a built-in app
experience, including app deployment, updates, and removal. You can connect to and
distribute apps from your private app stores, enable Microsoft 365 apps, deploy Win32
apps, create app protection policies, and manage access to apps and their data.
With Endpoint Privilege Management (EPM), your user base can run with least
privilege, and allow users to still run tasks allowed by your organization.
Assume breach: Intune integrates with mobile threat defense services, including
Microsoft Defender for Endpoint and third party partner services. With these services,
you can create policies for endpoint protection that respond to threats, do real-time
risk analysis, and automate remediation.
Next steps
Learn more about Zero Trust and how to build an enterprise-scale strategy and
architecture with the Zero Trust Guidance Center.
For device-centric concepts and deployment objectives, see Secure endpoints with Zero
Trust
For Intune in Microsoft 365, see Manage devices with Intune Overview.
Learn more about other Microsoft 365 capabilities that contribute to a strong Zero Trust
strategy and architecture with Zero Trust deployment plan with Microsoft 365.
High-level architecture for Microsoft Intune
Article • 05/04/2023
This reference architecture shows options for integrating Microsoft Intune in your Azure
environment with Azure Active Directory.
Service information for Microsoft Intune release updates
Article • 02/22/2023
New feature releases for Intune typically have a six to eight week cadence, from
planning to release. This cadence is called a sprint. Intune releases use a YYMM naming
convention. For example, 2301 is the January 2023 release.
This article provides information about the frequency of the Microsoft Intune service
updates, the release cadence, and how to check your tenant release version.
An internal environment called Self Host is the first environment to receive the release.
Self Host is used only by the Intune engineering teams. After Self Host, the service
release is deployed to the Microsoft tenant that manages many devices. Once it's
validated that there are no key issues with the service release, the release begins
deploying to customer environments in a phased approach. Once all tenants are
successfully updated, the Microsoft Intune admin center is updated. This phased
approach helps identify issues before they affect the service or our customers.
Updating the Company Portal app is a different process. Microsoft is subject to the
release requirements and processes of the Apple App Store, Google Play, and
sometimes mobile carriers. It isn’t always possible to align the Intune release updates
with updates to the Company Portal app. For more information on the Company Portal
app updates, go to UI updates for Intune end-user apps.
What's new in Intune: Learn what’s new in a Microsoft Intune release. When a
feature is released, some information about that feature is added to this article. It
also includes an overview of the current release, any notices, information about
earlier releases, and other information.
Content is published at the end of the current sprint, which is when the UI updates
start deploying to the Microsoft Intune admin center.
In development for Microsoft Intune: Learn more about what features are in
development for Microsoft Intune. This article is updated regularly with upcoming
features and changes.
Microsoft 365 message center: When the service update finishes deploying, you'll
see a message posted in the Message center. Or, you can view the same messages
in the Message Center at portal.office.com. Service APIs pull only the Microsoft
Intune messages from Microsoft 365 into the Microsoft Intune admin center.
Microsoft Intune tenant status: This message center is a centralized hub where
you can view current information and communications about the Intune service
and your tenant status.
Staying up to date on Intune new features, service changes, and service health
Tips and tricks for managing Intune
The following resources can help you understand privacy and personal data in Intune:
Next steps
Get started with Microsoft Intune
Planning guide to move to Microsoft Intune
What does device management mean?
Article • 06/07/2023
As organizations support remote and hybrid workforces, it's more important than ever
to have a solid device management strategy. Organizations must protect and secure
their resources and data on any device.
This article describes the features and benefits of device management, and how it can
help organizations, including Microsoft 365 small & medium business, and enterprise. It
also describes the different approaches to device management, including mobile device
management (MDM) and mobile application management (MAM), and how Microsoft
Intune can help.
The toolset to manage devices, including the ability to deploy and update
software, configure settings, enforce policies, and monitor with data and reports
The ability to administer and manage virtual and physical devices, regardless of
their physical location
Maintain a network of devices running common operating systems, including
Windows, macOS, iOS/iPadOS, and Android
Automate policy management and deployment for apps, device features, security,
and compliance
Optimize device features for business use
Provide a single point of management for devices, including the ability to manage
devices from a central console
Secure and protect data on devices, including safeguards and measures to prevent
unauthorized access
With device management solutions, organizations can make sure that only authorized
people and devices get access to proprietary information. Similarly, device users can feel
at ease accessing work data from their phone, because they know their device meets
their organization's security requirements.
As an organization, you might ask: What should we use to protect our resources?
With Intune, you can manage multiple devices per person, and the different platforms
that run on each device, including Android, iOS/iPadOS, Linux, macOS, and Windows.
Intune separates policies and settings by device platform. So it's easy to manage and
view devices of a specific platform.
What is co-management
Configuration Manager tenant attach
Users "enroll" their devices, and use certificates to communicate with Intune. As an IT
administrator, you push apps on devices, restrict devices to a specific operating system,
block personal devices, and more. If a device is ever lost or stolen, you can also remove
all data from the device.
Users can use their personal devices to access organizational resources. When users
open an app, such as Outlook or SharePoint, they can be prompted to authenticate. If a
device is ever lost or stolen, you can remove all organization data from the Intune
managed applications.
What is Intune?
Microsoft Intune planning guide
Next steps
Microsoft Intune planning guide
Manage user and group identities in Microsoft Intune
Manage your devices and control device features in Microsoft Intune
Manage your apps and app data in Microsoft Intune
What's new in Microsoft Intune
Article • 08/30/2023
Important notices
Past releases in the What's new archive
Information about how Intune service updates are released
Note
Each monthly update may take up to three days to roll out and will be in the
following order:
Some features may roll out over several weeks and might not be available to all
customers in the first week.
For a list of upcoming Intune feature releases, see In development for Microsoft
Intune. For new information about Autopilot, see Windows Autopilot What's new.
You can use RSS to be notified when this page is updated. For more information, see
How to use the docs.
Device configuration
Windows and Android support for 4096-bit key size for SCEP and
PFX certificate profiles
Intune SCEP certificate profiles and PKCS certificate profiles for Windows and Android
devices now support a Key size (bits) of 4096. This key size is available for new profiles
and existing profiles you choose to edit.
SCEP profiles have always included the Key size (bits) setting and now support
4096 as an available configuration option.
PKCS profiles don’t include the Key size (bits) setting directly. Instead, an admin
must modify the certificate template on the Certification Authority to set the
Minimum key size to 4096.
If you use a third-party Certificate Authority (CA), you might need to contact your
vendor for assistance with implementing the 4096-bit key size.
When updating or deploying new certificate profiles to take advantage of this new key
size, we recommend use of a staggered deployment approach to help avoid creating
excessive demand for new certificates across a large number of devices at the same
time.
4096-bit key storage is supported only in the Software Key Storage Provider (KSP).
The following do not support storing keys of this size:
The hardware TPM (Trusted Platform Module). As a workaround, configure the profile
to use the Software KSP for key storage.
Windows Hello for Business. There is no workaround at this time.
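Before raising a SCEP or PKCS profile to 4096 bits it helps to know which certificates on a device currently keep their key in the TPM, because those are the profiles that must be moved to the Software KSP first. The following PowerShell is an added example, not code from the Intune documentation; it reads the key storage provider through the .NET certificate APIs. The store paths are assumptions you may need to change for your environment.

```powershell
# Added example, not from the Intune documentation: report the RSA key size and the key
# storage provider for every certificate with a private key in the machine and user
# personal stores. Keys that report the Microsoft Platform Crypto Provider live in the TPM,
# so a profile that issued them must be switched to the Software KSP before its key size
# is raised to 4096. Store paths are assumptions you may need to change.

function Get-CertKeyStorageReport {
    [CmdletBinding()]
    param(
        [string[]] $StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )

    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            if (-not $cert.HasPrivateKey) { continue }

            $provider = 'unknown'
            $keySize  = $null
            try {
                # GetRSAPrivateKey returns an RSACng for CNG keys (Software or Platform KSP) and an
                # RSACryptoServiceProvider for legacy CSP keys; read the provider name from whichever came back.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) { continue }   # not an RSA key (for example ECC); skip it
                $keySize = $rsa.KeySize
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider = $rsa.Key.Provider.Provider
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                }
            } catch {
                # The key exists but can't be opened from this context (for example a user key read
                # from a SYSTEM session); record the reason rather than aborting the whole report.
                $provider = "unreadable: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeySize    = $keySize
                Provider   = $provider
                TpmBacked  = ($provider -like '*Platform Crypto Provider*')
            }
        }
    }
}

# Certificates still in the TPM are the ones to address before moving their profile to 4096 bits.
Get-CertKeyStorageReport | Sort-Object TpmBacked -Descending |
    Format-Table Store, Subject, KeySize, Provider, TpmBacked -AutoSize
```

Run it in the same context the certificate was issued to (a user session for user certificates, SYSTEM for device certificates), otherwise the key shows as unreadable rather than reporting its provider.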
Tenant administration
Access policies for multiple Administrator Approval are out of public preview and are
now generally available. With these policies you can protect a resource, like App
deployments, by requiring any change to the deployment be approved by one of a
group of users who are approvers for the resource, before that change is applied.
For more information, see Use Access policies to require multiple administrative
approval.
App management
Managed Home Screen end-users prompted to grant exact alarm
permission
Managed Home Screen uses the exact alarm permission to do the following actions:
Automatically sign users out after a set time of inactivity on the device
Launch a screen saver after a set period of inactivity
Automatically relaunch MHS after a certain period of time when a user exits kiosk
mode
For devices running Android 14 and higher, by default, the exact alarm permission will
be denied. To make sure critical user functionality is not impacted, end-users will be
prompted to grant exact alarm permission upon first launch of Managed Home Screen.
For more information, see Configure the Microsoft Managed Home Screen app for
Android Enterprise and Android's developer documentation .
In Intune, end users can pin web apps to the dock on your macOS devices (Apps >
macOS > Add > macOS web clip). For related information about the settings you can
configure, see Add web apps to Microsoft Intune.
Applies to:
macOS
Win32 app configurable installation time
In Intune, you can set a configurable installation time to deploy Win32 apps. This time is
expressed in minutes. If the app takes longer to install than the set installation time, the
system will fail the app install. Max timeout value is 1440 minutes (1 day). For more
information about Win32 apps, see Win32 app management in Microsoft Intune.
Device configuration
Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze
your on-premises group policy objects (GPOs) for their migration to Intune policy
settings.
For more information about Group Policy analytics, go to Analyze your on-premises
GPOs using Group Policy analytics in Microsoft Intune.
Applies to:
Windows 11
Windows 10
There are new settings in the Settings Catalog. To see these settings, in the Microsoft
Intune admin center, go to Devices > Configuration profiles > Create profile >
iOS/iPadOS or macOS > Settings catalog for profile type.
Autologin Password
Autologin Username
Process's arguments
Process path
Process's Signing Identifier
Process's Team Identifier
Process exclusions
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
Device enrollment
Just-in-time registration and compliance remediation for
iOS/iPadOS Setup Assistant with modern authentication now
generally available
Just in time registration and compliance remediation for Setup Assistant with modern
authentication are now out of preview and generally available. With just in time (JIT)
registration, the device user doesn't need to use the Company Portal app for Azure
Active Directory registration and compliance checking. JIT registration and compliance
remediation is embedded into the user's provisioning experience, so they can view their
compliance status and take action within the work app they're trying to access.
Additionally, this establishes single sign-on across the device. For more information
about how to set up JIT registration, see Set up Just in Time Registration.
iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication
iOS/iPadOS 13+ devices enrolling without user affinity
iOS/iPadOS 13+ devices enrolling with Azure AD shared mode
This setting is applied once during the out-of-box automated device enrollment
experience in Setup Assistant. The device user doesn't experience it again unless they
re-enroll their device. Awaiting final configuration is enabled by default for new
enrollment profiles. For information about how to enable awaiting final configuration,
see Create an Apple enrollment profile.
Device management
We've updated how our Android apps handle notification permissions to align with
recent changes made by Google to the Android platform. As a result of Google changes,
notification permissions are granted to apps as follows:
You and your device users can expect to see the following changes now that our apps
target API 33:
Company Portal used for work profile management: Users see a notification
permission prompt in the personal instance of the Company Portal when they first
open it. Users don't see a notification permission prompt in the work profile
instance of Company Portal because notification permissions are automatically
permitted for Company Portal in the work profile. Users can silence app
notifications in the Settings app.
Company Portal used for device administrator management: Users see a
notification permission prompt when they first open the Company Portal app.
Users can adjust app notification settings in the Settings app.
Microsoft Intune app: No changes to existing behavior. Users don't see a prompt
because notifications are automatically permitted for the Microsoft Intune app.
Users can adjust some app notification settings in the Settings app.
Microsoft Intune app for AOSP: No changes to existing behavior. Users don't see
a prompt because notifications are automatically permitted for the Microsoft
Intune app. Users can't adjust app notification settings in the Settings app.
Device security
The profile Defender Update controls for Intune Endpoint security Antivirus policy,
which manages update settings for Microsoft Defender, is now generally available. This
profile is available for the Windows 10, Windows 11, and Windows Server platform. While
in public preview, this profile was available for the Windows 10 and later platform.
The profile includes settings for the rollout release channel by which devices and users
receive Defender Updates that are related to daily security intelligence updates, monthly
platform updates, and monthly engine updates.
This profile includes the following settings, which are all directly taken from Defender
CSP - Windows Client Management.
These settings are also available from the settings catalog for the Windows 10 and later
profile.
You’ll find the report in the Report node for EPM in the Intune admin center . Navigate
to Endpoint security > Endpoint Privilege Management and then select the Reports
tab.
Antivirus engine – The following settings are new in this category:
User interface preferences – A new category that includes the following settings:
Control sign-in to consumer version - Specify whether users can sign into the
consumer version of Microsoft Defender.
Show / hide status menu icon – Specify whether the status menu icon (shown in
the top-right corner of the screen) is hidden or not.
User initiated feedback – Specify whether users can submit feedback to Microsoft
by going to Help > Send Feedback.
New profiles that you create include the original settings as well as the new settings.
Your existing profiles automatically update to include the new settings, with each new
setting set to Not configured until you choose to edit that profile to change it.
For more information about how to set preferences for Microsoft Defender for Endpoint
on macOS in enterprise organizations, see Set preferences for Microsoft Defender for
Endpoint on macOS.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
Log file:
%temp%\CloudDesktop*.log
Device cohorts are identified in devices associated with a high or medium severity
anomaly. Devices are correlated into groups based on one or more factors they have in
common like an app version, driver update, OS version, device model. A correlation
group will contain a detailed view with key information about the common factors
between all affected devices in that group. You can also view a breakdown of devices
currently affected by the anomaly and 'at risk' devices, those that haven't yet shown
symptoms of the anomaly.
For more information about these changes, see the Intune Support Team blog at
https://aka.ms/Intune/device_compl_report .
App management
Use the Turn off the Store application setting to disable end user
access to Store apps, and allow managed Intune Store apps
In Intune, you can use the new Store app type to deploy Store apps to your devices.
Now, you can use the Turn off the Store application policy to disable end users' direct
access to Store apps. When it's disabled, end users can still access and install Store apps
from the Windows Company Portal app and through Intune app management. If you
want to allow random store app installs outside of Intune, then don't configure this
policy.
The previous Only display the private store within the Microsoft Store app policy
doesn't prevent end users from directly accessing the store using the Windows Package
Manager winget APIs. So, if your goal is to block random unmanaged Store application
installs on client devices, then it's recommended to use the Turn off the Store
application policy. Don't use the Only display the private store within the Microsoft
Store app policy.
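To confirm which of the two Store policies a device actually received, and whether the winget path the text warns about is still open, the following PowerShell can be run on a managed Windows client. It is an added example, not code from the Intune documentation. The registry locations are an assumption about how the ADMX-backed policies are written and should be checked against your tenant's policy report.

```powershell
# Added example, not from the Intune documentation: read the Microsoft Store policy state
# on a client and say what it means for unmanaged installs.
# Assumed registry mapping of the ADMX-backed policies (verify against your own policy report):
#   Turn off the Store application                           -> RemoveWindowsStore = 1
#   Only display the private store within the Microsoft Store -> RequirePrivateStoreOnly = 1
# both under HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore

function Get-StorePolicyState {
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $turnOffStore = ($null -ne $values -and $values.RemoveWindowsStore -eq 1)
    $privateOnly  = ($null -ne $values -and $values.RequirePrivateStoreOnly -eq 1)

    # winget exposes the Store as a source named 'msstore'. If that source is still listed,
    # the private-store-only setting alone does not stop an end user from installing from it.
    $msstoreListed = $false
    if (Get-Command winget -ErrorAction SilentlyContinue) {
        $msstoreListed = [bool]((winget source list 2>$null) -match '^\s*msstore\s')
    }

    if ($turnOffStore) {
        $assessment = 'Direct Store access is turned off; Store apps install only through Company Portal or Intune app management.'
    } elseif ($privateOnly) {
        $assessment = 'Private store only: the Store UI is restricted, but the winget msstore source can still install unmanaged apps.'
    } else {
        $assessment = 'No Store restriction policy is applied; users can install any Store app.'
    }

    [pscustomobject]@{
        TurnOffStoreApplication = $turnOffStore
        PrivateStoreOnly        = $privateOnly
        WingetMsstoreSource     = $msstoreListed
        Assessment              = $assessment
    }
}

Get-StorePolicyState | Format-List
```

Run it elevated so the machine policy hive is readable; a result with PrivateStoreOnly set and WingetMsstoreSource true is exactly the gap the text describes.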
Introducing a new RBAC Permission for creating a custom role in Intune, under the
resource Android for work. The permission Update Enrollment Profile allows the admin
to manage or change both AOSP and Android Enterprise Device Owner enrollment
profiles that are used to enroll devices.
Device security
This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.
App management
App management
To learn more about changes to the admin and user experience, go to Support Tip:
Intune moving to support new Google Play Android Management API .
Applies to:
Android Enterprise
You can now upload and deploy unmanaged PKG-type applications to managed macOS
devices using the Intune MDM agent for macOS devices. This feature enables you to
deploy custom PKG installers, such as unsigned apps and component packages. You can
add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS
app (PKG) for app type.
For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To
deploy managed PKG-type app, you can continue to add macOS line-of-business (LOB)
apps to Microsoft Intune. For more information about the Intune MDM agent for macOS
devices, see Microsoft Intune management agent for macOS.
Applies to:
macOS
New settings available for the iOS/iPadOS web clip app type
In Intune, you can pin web apps to your iOS/iPadOS devices (Apps > iOS/iPadOS > Add
> iOS/iPadOS web clip). When you add web clips, there are new settings available:
Full screen: If configured to Yes, launches the web clip as a full-screen web app
without a browser. Additionally, there's no URL or search bar, and no bookmarks.
Ignore manifest scope: If configured to Yes, a full screen web clip can navigate to
an external web site without showing Safari UI. Otherwise, Safari UI appears when
navigating away from the web clip's URL. This setting has no effect when Full
screen is set to No. Available in iOS 14 and later.
Precomposed: If configured to Yes, prevents Apple's application launcher
(SpringBoard) from adding "shine" to the icon.
Target application bundle identifier: Enter the application bundle identifier that
specifies the application that opens the URL. Available in iOS 14 and later.
iOS/iPadOS
The Run this script using the logged on credentials setting defaults to Yes.
Previously, the default was No.
The Enforce script signature check setting defaults to Yes. Previously, the default
was No.
This behavior applies to new scripts you add, not existing scripts.
For more information about using Windows PowerShell scripts in Intune, go to Use
PowerShell scripts on Windows 10/11 devices in Intune.
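With Enforce script signature check now defaulting to Yes, a new script that is not signed by a publisher the device trusts will not run. The following PowerShell is an added example, not code from the Intune documentation: it signs a script with a code-signing certificate from the user's personal store and then verifies it the way the signature check does. The timestamp server and script path are placeholders.

```powershell
# Added example, not from the Intune documentation: sign a script and verify its Authenticode
# signature before uploading it to Intune with 'Enforce script signature check' set to Yes.
# Assumptions: a code-signing certificate chaining to a root the target devices trust is in
# Cert:\CurrentUser\My, and the timestamp server URL below is reachable (placeholder value).

function Set-ScriptSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $TimestampServer = 'http://timestamp.digicert.com'   # assumption: any RFC 3161 TSA works
    )
    # Pick the longest-lived valid code-signing certificate in the user's store.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

    # SHA-256 hash plus a timestamp so the signature stays valid after the certificate expires;
    # the full chain is embedded so the client can build it without extra downloads.
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer -IncludeChain All
}

function Test-ScriptSignature {
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Only 'Valid' passes. A signature whose chain ends in an untrusted root typically reports
    # UnknownError, and any edit made after signing reports HashMismatch; both fail the check.
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Valid  = ($sig.Status -eq 'Valid')
    }
}

# Usage (path is a placeholder):
# Set-ScriptSignature -Path .\Remediate-Config.ps1
# Test-ScriptSignature -Path .\Remediate-Config.ps1
```

Verify on a representative managed device rather than only on the signing workstation: the status depends on the trust store of the machine doing the check, not on the machine that signed.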
Device configuration
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center , you can see these settings at Devices > Configuration profiles > Create
profile > macOS > Settings catalog for profile type.
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
The initial release of the CR service included support for using only the Intune device ID
with the intent to eliminate the need to manage internal identifiers like serial numbers
and MAC addresses. With this update, organizations that prefer to use MAC addresses
over certificate authentication may continue to do so while implementing the CR service.
While this update adds MAC address support to the CR service, our recommendation is
to use certificate-based authentication with the Intune device ID included in the
certificate.
For information about the CR service as a replacement for the Intune Network Access
Control (NAC) service, see the Intune blog at
https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-
intune-service-for-network-access-control/ba-p/2544696 .
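The recommendation above depends on the device certificate carrying the Intune device ID. The following PowerShell is an added example, not code from the Intune documentation: it extracts that ID from the certificate's Subject Alternative Name so you can confirm a device presents the identifier the CR service will look up. It assumes the SCEP or PKCS profile added a URI SAN of the form IntuneDeviceId://<GUID>; that prefix is an assumption here, so adjust the pattern to match the SAN format your profile uses.

```powershell
# Added example, not from the Intune documentation: find the Intune device ID embedded in
# a device certificate's Subject Alternative Name.
# Assumption: the certificate profile populated a URI SAN as IntuneDeviceId://<GUID>
# (using the {{DeviceId}} variable). Change the regex if your profile uses another format.

function Get-IntuneDeviceIdFromCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }

    # Format($true) renders one SAN entry per line, e.g. "URL=IntuneDeviceId://<guid>".
    $text = $san.Format($true)
    $m = [regex]::Match($text, 'IntuneDeviceId://([0-9a-fA-F-]{36})')
    if ($m.Success) { return [guid]$m.Groups[1].Value }
    return $null
}

# List every machine certificate that carries an Intune device ID, with its expiry, so a
# RADIUS or NAC lookup failure can be matched to a missing or expired certificate.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $id = Get-IntuneDeviceIdFromCert -Certificate $_
    if ($id) {
        [pscustomobject]@{
            Subject        = $_.Subject
            IntuneDeviceId = $id
            NotAfter       = $_.NotAfter
            Thumbprint     = $_.Thumbprint
        }
    }
} | Format-Table -AutoSize
```

If nothing is returned, the profile is not placing the ID in the SAN and the CR lookup will fall back to whatever identifier your network gear sends, which is the MAC-address path the text advises against relying on.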
Navigate to Endpoint security > Security baselines. While creating and editing a
workflow these insights are available for all settings with light bulbs.
Device security
With Child process behavior, your rules can manage the elevation context for any child
processes created by the managed process. Options include:
Allow all child processes created by the managed process to always run as
elevated.
Allow a child process to run as elevated only when it matches the rule that
manages its parent process.
Deny all child processes from running in an elevated context, in which case they
run as standard users.
Endpoint Privilege Management is available as an Intune add-on. For more information,
see Use Intune Suite add-on capabilities.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
Both reports are new instances of existing reports, and deliver improvements over the
older versions, including:
Eventually, the older report versions that are still available in the admin center at Devices
> Monitor will be retired.
App management
Updates to app configuration policy reporting
As part of our continuing efforts to improve the Intune reporting infrastructure, there
have been several user interface (UI) changes for app configuration policy reporting. The
UI has been updated with the following changes:
There is no longer a User status tile or a Not applicable device tile on the
Overview section of the App configuration policies workload.
There is no longer a User install status report on the Monitor section of the App
configuration policies workload.
The Device install status report under the Monitor section of the App
configuration policies workload no longer shows the Pending state in the Status
column.
You can find app configuration policy reporting in the Microsoft Intune admin center by
selecting Apps > App configuration policies.
Device management
Zebra will be releasing support for Android 13 on their devices. You can read more at
Migrating to Android 13 (opens Zebra's web site).
1. App installations don't happen silently. Instead, users get a notification from
the Company Portal app (if they allow notifications) that asks for permission
to allow the app installation. If a user doesn't accept the app installation
when prompted, then the app doesn't install. Users will have a persistent
notification in the notification drawer until they allow the installation.
In an update coming later in July, these issues will be resolved and the behavior
will return to how it was before.
You will soon be able to use Intune's Zebra LifeGuard Over-the-Air integration to
update Android Enterprise dedicated and fully managed devices to Android 13. For
more information, go to Zebra LifeGuard Over-the-Air Integration with Microsoft
Intune.
OEMConfig for Zebra devices on Android 13 requires using Zebra's new Zebra
OEMConfig Powered by MX OEMConfig app (opens the Google Play store). This
new app can also be used on Zebra devices running Android 11, but not earlier
versions.
For more information on this app, go to the New Zebra OEMConfig app for
Android 11 and later blog post.
The Legacy Zebra OEMConfig app (opens the Google Play store) can only be
used on Zebra devices running Android 11 and earlier.
For more general information about Intune Android 13 support, go to the Day Zero
support for Android 13 with Microsoft Intune blog post.
Device security
Now, you can opt-in to a public preview from within the Microsoft 365 Defender portal
to gain access to several enhancements for this scenario:
Intune's endpoint security policies become visible in and can be managed from
within the Microsoft 365 Defender portal. This enables security admins to remain in
the Defender portal to manage Defender and the Intune endpoint security policies
for Defender security settings management.
For Windows devices, the Windows Security Experience profile is now supported
with security settings management.
Intune creates a synthetic registration in Azure AD for devices that can't fully
register with Azure AD. Synthetic registrations are device objects created in Azure
AD that enable devices to receive and report back on Intune policies for security
settings management. In addition, should a device with a synthetic registration
become fully registered, the synthetic registration is removed from Azure AD in
deference to the full registration.
If you don't opt in to the Defender for Endpoint public preview, the previous behaviors
remain in place. In this case, while you can view the Antivirus profiles for Linux, you
can't deploy them, as they're supported only for devices managed by Defender. Similarly,
the macOS profile, which is currently available for devices enrolled with Intune, can't be
deployed to devices managed by Defender.
Applies to:
Linux
macOS
Windows
Device configuration
DeviceName
Manufacturer
Model
DeviceCategory
oSVersion
IsRooted
DeviceOwnership
EnrollmentProfileName
For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.
Applies to:
Android
A new device action that is in public preview allows you to run a remediation on-
demand on a single Windows device. The Run remediation device action allows you to
resolve issues without having to wait for a remediation to run on its assigned schedule.
You will also be able to view the status of remediations under Remediations in the
Monitor section of a device.
The Run remediation device action is rolling out and may take a few weeks to reach all
customers.
Remediations
Device management
With Automatic approval, each new recommended driver that's published by the
driver manufacturer and added to the policy is automatically approved for
deployment to applicable devices. Policies set for automatic approvals can be
configured with a deferral period before the automatically approved updates are
installed on devices. This deferral gives you time to review the driver and to pause
its deployment if necessary.
With manual approval, all new driver updates are automatically added to the
policy, but an admin must explicitly approve each update before Windows Update
deploys it to a device. When you manually approve an update, you choose the
date when Windows Update will begin to deploy it to your devices.
To help you manage driver updates, you can review a policy and decline an update you
don't want to install, indefinitely pause any approved update, and reapprove a paused
update to restart its deployment.
This release also includes driver update reports that provide a success summary, per-
device update status for each approved driver, and error and troubleshooting
information. You can also select an individual driver update and view details about it
across all the policies that include that driver version.
To learn about using Windows Driver update policies, see Manage policy for Windows
Driver updates with Microsoft Intune.
Applies to:
Windows 10
Windows 11
App management
For more information, see Preview: App protection policy settings for Windows.
Device configuration
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center , you can see these settings at Devices > Configuration profiles > Create
profile > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Authentication Method
Denied Bundle Identifiers
Registration Token
Output path
Username
Password
UseKeyChain
Applies to:
macOS
Networking > Network Usage Rules:
SIM Rules
Applies to:
iOS/iPadOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS)
settings. In Microsoft Intune admin center , select Devices > Configuration profiles >
Create profile > Windows 10 and later for platform > Templates > Device Firmware
Configuration Interface for profile type.
Some Asus devices running Windows 10/11 are enabled for DFCI. Contact your device
vendor or device manufacturer for eligible devices.
Applies to:
Windows 10
Windows 11
In Intune, you could manage telecom expenses using Saaswedo's Datalert telecom
expense management. This feature is removed from Intune. This removal includes:
For more information from Saaswedo, go to The datalert service is unavailable (opens
Saaswedo's web site).
Applies to:
Android
iOS/iPadOS
Navigate to Endpoint security > Security baselines. When you create and edit the
workflow, these insights are available for you in the form of a light bulb.
Device management
As a public preview, you can use a new endpoint security policy category, Application
Control. Endpoint security Application Control policy includes:
To get started with using this new policy type, see Manage approved apps for Windows
devices with Application Control policy and Managed Installers for Microsoft Intune
Applies to:
Windows 10
Windows 11
In Remote Help, you can now take advantage of the in-session connection mode switch
feature. This feature can help effortlessly transition between full control and view-only
modes, granting flexibility and convenience.
Applies to:
Windows 10/11
Device security
Intune's Endpoint Privilege Management (EPM) reports now support exporting the full
reporting payload to a CSV file. With this change, you can now export all events from an
elevation report in Intune.
The Endpoint Privilege Management option to Run with elevated access is now available
as a top-level right-click option on Windows 11 devices. Before this change, standard
users had to select Show more options to see the Run with elevated access prompt on
Windows 11 devices.
Windows 11
Intune apps
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
You can find the troubleshooting pane in Microsoft Intune admin center by selecting
Troubleshooting + support > Troubleshoot.
The Troubleshooting + support pane in the Intune admin center has been updated by
consolidating the Roles and Scopes report into a single report. This report now includes
all relevant role and scope data from both Intune and Azure Active Directory, providing
a more streamlined and efficient experience. For related information, see Use the
troubleshooting dashboard to help users at your company.
Device management
New Devices from HTC and Pico supported on Microsoft Intune for
Android Open Source Devices
Microsoft Intune for Android open source project devices (AOSP) now supports the
following devices:
Applies to:
Android (AOSP)
App management
Device configuration
There's a new Zebra OEMConfig Powered by MX OEMConfig app that aligns more
closely to Google's standards. This app supports Android Enterprise 11.0 and newer
devices.
The older Legacy Zebra OEMConfig app continues to support devices with Android 11
and earlier.
In your Managed Google Play, there are two versions of Zebra OEMConfig app. Be sure
to select the correct app that applies to your Android device versions.
For more information on OEMConfig and Intune, go to Use and manage Android
Enterprise devices with OEMConfig in Microsoft Intune.
Device management
To support the Security Management for Microsoft Defender for Endpoint (MDE security
configuration) scenario, Intune now differentiates Windows devices in Azure Active
Directory as either Windows Server for devices that run Windows Server, or as Windows
for devices that run Windows 10 or Windows 11.
With this change, you can improve policy targeting for MDE security configuration. For
example, you can use dynamic groups that consist of only Windows Server devices, or
only Windows client devices (Windows 10/11).
For more information about this change, see the Intune Customer Success blog
Windows Server devices now recognized as a new OS in Microsoft Intune, Azure AD, and
Defender for Endpoint .
Tenant administration
App management
Based on customer feedback, we're updating the Intune agent for macOS (version
2305.019) to extend the maximum script run time to 60 minutes. Previously, the Intune
agent for macOS only allowed shell scripts to run for up to 15 minutes before reporting
the script as a failure. The Intune agent for macOS 2206.014 and higher supports the 60-
minute timeout.
Assignment filters support MAM app protection policies and app configuration policies.
When you create a new filter, you can fine tune MAM policy targeting using the
following properties:
Important
All new and edited app protection policies that use Device Type targeting are
replaced with assignment filters.
For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.
Update to MAM reporting in Intune
MAM reporting has been simplified and overhauled, and now uses Intune's newest
reporting infrastructure. Benefits of this include improved data accuracy and
instantaneous updating. You can find these streamlined MAM reports in the Microsoft
Intune admin center by selecting Apps > Monitor. All MAM data available to you is
contained within the new App protection status report and App configuration status
report.
The global quiet time settings allow you to create policies to schedule quiet time for
your end users. These settings automatically mute Microsoft Outlook email and Teams
notifications on iOS/iPadOS and Android platforms. These policies can be used to limit
end user notifications received after work hours. For more information, see Quiet time
notification policies.
Device configuration
Introducing enhanced chat with Remote Help. With the new and enhanced chat you can
maintain a continuous thread of all messages. This chat provides support for special
characters and other languages including Chinese and Arabic.
Applies to:
Windows 10/11
For Remote Help, in addition to existing session reports, administrators can now
reference audit logs for sessions created in Intune. This feature lets administrators
look back at past events when troubleshooting and analyzing log activity.
Applies to:
Windows 10
Windows 11
The settings catalog includes hundreds of settings that you can configure and deploy to
your devices.
In the settings catalog, you can turn on/off Personal data encryption (PDE). PDE is a
security feature introduced in Windows 11 version 22H2 that provides more encryption
features for Windows.
PDE is different than BitLocker. PDE encrypts individual files and content, instead of
whole volumes and disks. You can use PDE with other encryption methods, such as
BitLocker.
Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS
devices
Common Tasks you can complete using the Settings Catalog in Intune
Windows 11
Visual Studio settings are included in the Settings Catalog and Administrative Templates
(ADMX). Previously, to configure Visual Studio settings on Windows devices, you
imported them with ADMX import.
Applies to:
Windows 10
Windows 11
Group policy analytics supports scope tags
In Group Policy analytics, you import your on-premises GPO. The tool analyzes your
GPOs and shows the settings that can (and can't) be used in Intune.
When you import your GPO XML file in Intune, you can select an existing scope tag. If
you don't select a scope tag, then the Default scope tag is automatically selected.
Previously, when you imported a GPO, the scope tags assigned to you were
automatically applied to the GPO.
Only admins within that scope tag can see the imported policies. Admins not in that
scope tag can't see the imported policies.
Also, admins within their scope tag can migrate the imported policies that they have
permissions to see. To migrate an imported GPO into a Settings Catalog policy, a scope
tag must be associated with the imported GPO. If a scope tag isn't associated, then it
can't migrate to a Settings Catalog policy. If no scope tag is selected, then a default
scope tag is automatically applied.
For more information on scope tags and Group Policy analytics, go to:
Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune
Create a Settings Catalog policy using your imported GPOs
Use role-based access control (RBAC) and scope tags for distributed IT
Now available in public preview, Microsoft Intune supports integration with Zebra
Lifeguard Over-the-Air service, which allows you to deliver OS updates and security
patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can
select the firmware version you want to deploy, set a schedule, and stagger update
downloads and installs. You can also set minimum battery, charging status, and network
conditions requirements for when the update can happen.
Available for Android Enterprise Dedicated and Fully Managed Zebra devices that are
running Android 8 or later, and requires an account with Zebra.
Google domain allow-list: Restricts users to adding only certain Google account
domains in the work profile. You can import a list of allowed domains or add them
in the admin center using the contoso.com format. When left blank, by default, the
OS might allow adding all Google domains in the work profile.
For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.
Proactive remediations are now Remediations and are available from Devices >
Remediations. You can still find Remediations in both the new location and the existing
Reports > Endpoint Analytics location until the next Intune service update.
Remediations are currently not available in the new Devices experience preview.
Applies to:
Windows 10
Windows 11
This setting is coming in a future release, possibly the 2308 Intune release.
You can create a device configuration profile that deploys a VPN connection to devices
(Devices > Configuration profiles > Create profile > Windows 10 and later for platform
> Templates > VPN for profile type).
In this VPN connection, you can use the Apps and Traffic rules settings to create
network traffic rules.
There's a new Direction setting you can configure. Use this setting to allow Inbound and
Outbound traffic from the VPN connection:
For more information on the VPN settings you can configure, including the network
traffic rule settings, go to Windows device settings to add VPN connections using
Intune.
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
This new key allows you to control the wipe fallback behavior on Macs that have Apple
Silicon or the T2 Security Chip. To find this setting, navigate to Devices > macOS >
[Select a device] > Overview > Wipe in the Device action area.
Applies to:
macOS
Device enrollment
Intune supports account driven user enrollment, a new and improved variation of Apple
User Enrollment for iOS/iPadOS 15+ devices. Now available for public preview, the new
option utilizes just-in-time registration, which eliminates the need for the Company
Portal app during enrollment. Device users can initiate enrollment directly in the Settings
app, resulting in a shorter and more efficient onboarding experience. You can continue
to target iOS/iPadOS devices using the existing profile-based user enrollment method
that uses Company Portal. Devices running iOS/iPadOS, version 14.8.1 and earlier remain
unaffected by this update and can continue to use the existing method. For more
information, see Set up account driven Apple User Enrollment.
Device security
The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.
The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to
your Office Apps that meet the security recommendations of the Office and security
teams at Microsoft. As with all baselines, the default baseline represents the
recommended configurations. You can modify the default baseline to meet the
requirements of your organization.
Applies to:
Windows 10
Windows 11
We've released a new version of the Intune security baseline for Microsoft Edge, version
112. In addition to releasing this new version for Microsoft Edge, the new baseline uses
an updated template experience that uses the unified settings platform seen in the
Intune settings catalog. You can view the list of settings in the new baseline at Microsoft
Edge baseline settings (version 112 and higher).
The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.
Now that the new baseline version is available, all new profiles you create for Microsoft
Edge use the new baseline format and version. While the new version becomes the
default baseline version, you can continue to use the profiles you've previously created
for older versions of Microsoft Edge. But, you can't create new profiles for those older
versions of Microsoft Edge.
Applies to:
Windows 10
Windows 11
Intune apps
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
Device configuration
Some Dynabook devices running Windows 10/11 are enabled for DFCI. Contact your
device vendor or device manufacturer for eligible devices.
Applies to:
Windows 10
Windows 11
eSIM bulk activation for Windows PCs via download server is now available on the Settings Catalog
You can now perform at-scale configuration of Windows eSIM PCs using the Settings
Catalog. A download server (SM-DP+) is configured using a configuration profile.
Once the devices receive the configuration, they automatically download the eSIM
profile. For more information, go to eSIM configuration of a download server.
Applies to:
Windows 11
eSIM capable devices
App management
It's now also possible to delete Microsoft Store for Business apps from the Apps pane in
the Microsoft Intune admin center so that you can clean up your environment as you
move to the new Microsoft Store app type.
For related information, see Plan for Change: Ending support for Microsoft Store for
Business and Education apps for upcoming dates when Microsoft Store for Business
apps won't deploy and Microsoft Store for Business apps are removed.
Device configuration
Administrators can now utilize conditional access capability when setting up policies and
conditions for Remote Help. For example, you can require multi-factor authentication or
installed security updates, or lock access to Remote Help to a specific region or set of IP addresses.
Conditional access
Remote Help
Device security
For more information about these settings, see the Defender CSP. The new settings
are also available through the Intune Settings Catalog.
This setting now appears with the Deprecated tag. If this deprecated setting was
previously applied on a device, the setting value is updated to NotApplicable and
has no effect on the device. If this setting is configured on a device, there's no
effect on the device.
Applies to:
Windows 10
Windows 11
App management
This new setting appears in the Microsoft Intune admin center when you modify the
properties of an app. For an existing app, you can select Apps > iOS/iPadOS or macOS
> select the app > Properties > Assignment Edit. If no group assignment has been set,
select Add group to add a group. Modify either the setting under VPN, Uninstall on
device removal, or Install as removable. Then, select Prevent iCloud app backup. The
Prevent iCloud app backup setting is used to prevent backup of app data for the
application. Set it to No to allow the app to be backed up by iCloud.
For more information, see Changes to applications' backup and restore behavior on
iOS/iPadOS and macOS devices and Assign apps to groups with Microsoft Intune.
You can control the automatic update behavior for Apple VPP at the per-app
assignment level using the Prevent automatic updates setting. This setting is available
in Microsoft Intune admin center by selecting Apps > iOS/iPadOS or macOS > Select
a volume purchase program app > Properties > Assignments > Select an Azure AD
group > App settings.
Applies to:
iOS/iPadOS
macOS
Device configuration
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.
Privacy > Privacy Preferences Policy Control > Services > Listen Event or Screen
Capture:
Allowed
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
For more information about configuring the Microsoft Enterprise SSO plug-in for Apple
devices in Intune, go to Microsoft Enterprise SSO plug-in in Microsoft Intune.
Applies to:
iOS/iPadOS
macOS
You can now use the Disable Activation Lock device action in Intune to bypass
Activation Lock on Mac devices without requiring the current username or password.
This new action is available in Devices > macOS > select one of your listed devices >
Disable Activation Lock.
More information on managing Activation Lock is available at Bypass iOS/iPadOS
Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad,
and iPod touch - Apple Support.
For more information, go to Use the troubleshooting portal to help users at your
company.
Existing custom roles for managing Organizational Messages must be modified to add
this permission for users to modify this setting.
For more information about role-based access control (RBAC), see RBAC with
Microsoft Intune.
For more information about the prerequisites for organizational messages, see
Organizational messages prerequisites.
Device management
Endpoint security firewall rules support for ICMP type
You can now use the IcmpTypesAndCodes setting to configure inbound and outbound
rules for Internet Control Message Protocol (ICMP) as part of a firewall rule. This setting
is available in the Microsoft Defender Firewall rules profile for the Windows 10, Windows
11, and Windows Server platform.
Windows LAPS is a Windows feature that allows you to manage and back up the
password of a local administrator account on your Azure Active Directory-joined or
Windows Server Active Directory-joined devices.
To manage LAPS, Intune configures the Windows LAPS configuration service provider
(CSP) that is built in to Windows devices. It takes precedence over other sources of
Windows LAPS configurations, like GPOs or the Microsoft Legacy LAPS tool. Some of the
capabilities you can use when Intune manages Windows LAPS include:
Define password requirements like complexity and length that apply to the local
administrator accounts on a device.
Configure devices to rotate their local admin account passwords on a schedule.
And, back up the account and password in your Azure Active Directory or on-premises
Active Directory.
Use an Intune device action from the admin center to manually rotate the
password for an account on your own schedule.
View account details from within the Intune admin center, like the account name
and password. This information can help you recover devices that are otherwise
inaccessible.
Use Intune reports to monitor your LAPS policies, and when devices last rotated
passwords manually or by schedule.
Applies to:
Windows 10
Windows 11
New settings available for macOS software update policies
macOS software update policies now include the following settings to help manage
when updates install on a device. These settings are available when the All other updates
update type is configured to Install later:
Max User Deferrals: When the All other updates update type is configured to
Install later, this setting allows you to specify the maximum number of times a user
can postpone a minor OS update before it's installed. The system prompts the user
once a day. Available for devices running macOS 12 and later.
Priority: When the All other updates update type is configured to Install later, this
setting allows you to specify values of Low or High for the scheduling priority for
downloading and preparing minor OS updates. Available for devices running
macOS 12.3 and later.
For more information, see Use Microsoft Intune policies to manage macOS software
updates.
Applies to:
macOS
You can now manage hardware specific information on your HP or Surface devices from
our partner portals page.
The HP link takes you to HP Connect where you can update, configure, and secure the
BIOS on your HP devices. The Microsoft Surface link takes you to the Surface
Management Portal where you can get insights into device compliance, support activity,
and warranty coverage.
To access the Partner portals page, you must enable the Devices pane preview and then
navigate to Devices > Partner Portals.
The following Microsoft Intune reports for Windows Update compatibility are out of
preview and now generally available:
Windows feature update device readiness report - This report provides per-
device information about compatibility risks that are associated with an upgrade or
update to a chosen version of Windows.
These reports can help you plan an upgrade from Windows 10 to 11, or for installing the
latest Windows feature update.
Device security
With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. To do so, you configure policies
for automatic and user-confirmed workflows that elevate the run-time permissions for
apps or processes you select. You then assign these policies to users or devices that
have end users running without Administrator privileges. After the device receives a
policy, EPM brokers the elevation on behalf of the user, allowing them to elevate
approved applications without needing full administrator privileges. EPM also includes
built-in insights and reporting.
Now that EPM is out of preview, it requires another license to use. You can choose
between a stand-alone license that adds only EPM, or license EPM as part of the
Microsoft Intune Suite. For more information, see Use Intune Suite add-on capabilities.
While Endpoint Privilege Management is now generally available, the reports for EPM
will transition to a feature in preview, and will receive some more enhancements before
being removed from preview.
With this capability, you can scope your firewall rules to an application or a group of
applications and rely on your WDAC policies to define those applications. By using tags
to link to and rely on WDAC policies, your Firewall Rules policy won't need to rely on the
firewall rules option of an absolute file path, or use of a variable file path that can
reduce security of the rule.
Use of this capability requires you to have WDAC policies in place that include AppId
tags that you can then specify in your Intune Microsoft Defender Firewall Rules.
For more information, see the following articles in the Windows Defender Application
Control documentation:
Applies to:
Windows 10/11
We have released a new experience for creating App and Browser Isolation profiles for
endpoint security Attack Surface Reduction policy. The experience for editing your
previously created App and Browser Isolation policies remains the same, and you can
continue to use them. This update applies only to the new App and Browser Isolation
policies you create for the Windows 10 and later platform.
This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.
Additionally, the new profile includes the following changes for the settings it includes:
Clipboard file type – This setting is added to the updated profile and determines
the type of content that can be copied from the host to Application Guard
environment and vice versa. You can view the CSP for this new setting at
Settings/ClipboardFileType in the WindowsDefenderApplicationGuard CSP
documentation.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
This permission is also added to the Organizational Messages Manager built-in role.
Existing custom roles for managing Organizational Messages must be modified to add
this permission for users to modify this setting.
For more information about role-based access control (RBAC), see RBAC with
Microsoft Intune.
For more information about the prerequisites for organizational messages, see
Organizational messages prerequisites.
Tenant administration
Use audit logs to track and monitor organizational message events in Microsoft Intune.
To access the logs, sign in to the Microsoft Intune admin center and go to Tenant
administration > Audit logs. For more information, see Audit logs for Intune activities.
Device configuration
Configure user scope policies using Settings catalog and assign to groups of
users.
Configure user certificates and assign to users.
Configure PowerShell scripts to install in the user context and assign to users.
Applies to:
Windows 10
Virtual machines created in Azure Public and Azure Government clouds
Device configuration
On Android Enterprise personally owned devices with a work profile, you can configure
settings that restrict device features and settings. Currently, there's an Add and remove
accounts setting. This setting prevents accounts from being added in the work profile,
including preventing Google accounts.
This setting changed. You can now add Google accounts. The Add and remove
accounts setting options are:
Block all accounts types: Prevents users from manually adding or removing
accounts in the work profile. For example, when you deploy the Gmail app into the
work profile, you can prevent users from adding or removing accounts in this work
profile.
Allow all accounts types: Allows all accounts, including Google accounts. These
Google accounts are blocked from installing apps from the Managed Google Play
Store.
Allow all accounts types, except Google accounts (default): Intune doesn't change
or update this setting. By default, the OS might allow adding accounts in the work
profile.
For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.
App management
You can now update apps of type macOS apps (DMG) deployed using Intune. To edit a
DMG app that's already created in Intune, upload the app update with the same bundle
identifier as the original DMG app. For related information, see Add a macOS DMG app
to Microsoft Intune.
App management
Windows 10 21H2
Windows 10 22H2
Windows 11 21H2
Windows 11 22H2
You can view and manage VPP apps with only the Mobile apps permission assigned.
Previously, the Managed apps permission was required to view and manage VPP apps.
This change doesn't apply to Intune for Education tenants who still need to assign the
Managed apps permission. More information about permissions in Intune is available at
Custom role permissions.
Device configuration
Enforcement level
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
In Intune, you can add existing Bash scripts to configure Linux devices (Devices > Linux
> Configuration Scripts).
When you create this script policy, you can set the context that the script runs in (user or
root), how frequently the script runs, and how many times execution should retry.
For more information on this feature, go to Use custom Bash scripts to configure Linux
devices in Microsoft Intune.
Device enrollment
Create and manage multiple enrollment profiles and tokens for Android Enterprise fully
managed devices. With this new functionality, you can now use the
EnrollmentProfileName dynamic device property to automatically assign enrollment
profiles to fully managed devices. The enrollment token that came with your tenant
remains in a default profile. For more information, see Set up Intune enrollment of
Android Enterprise fully managed devices.
Intune now supports a frontline worker experience for iPhones and iPads using Apple
automated device enrollment. You can now enroll devices that are enabled in Azure AD
shared mode via zero-touch. For more information about how to configure automated
device enrollment for shared device mode, see Set up enrollment for devices in Azure
AD shared device mode.
Applies to:
iOS/iPadOS
Device management
You can now configure settings in endpoint security Firewall policy that configure
firewall logging options. These settings can be found in the Microsoft Defender Firewall
profile template for the Windows 10 and later platform, and are available for the
Domain, Private, and Public profiles in that template.
Following are the new settings, all found in the Firewall configuration service provider
(CSP):
Windows 10
Windows 11
The Interface Types setting in endpoint security Firewall policy now includes the option
for Mobile Broadband. Interface Types is available in the Microsoft Defender Firewall
Rules profile for all platforms that support Windows. For information about the use of
this setting and option, see Firewall configuration service provider (CSP).
Applies to:
Windows 10
Windows 11
We've added a pair of network list manager settings to endpoint security Firewall policy.
To help determine when an Azure AD device is or isn't on your on-premises domain
subnets, you can use the network list manager settings. This information can help
firewall rules apply correctly.
The following settings are found in a new category named Network List Manager, that's
available in the Microsoft Defender Firewall profile template for the Windows 10,
Windows 11, and Windows Server platform:
Applies to:
Windows 10
Windows 11
For more information about the updated UI, see Try new Devices experience in
Microsoft Intune.
Device security
As a public preview, you can now use Microsoft Intune Endpoint Privilege Management.
With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. Endpoint Privilege
Management can be configured in the Intune admin center at Endpoint security >
Endpoint Privilege Management.
With the public preview, you can configure policies for automatic and user-confirmed
workflows that elevate the run-time permissions for apps or processes you select. You
then assign these policies to users or devices that have end users running without
Administrator privileges. Once policy is received, Endpoint Privilege Management will
broker the elevation on behalf of the user, allowing them to elevate approved
applications without needing full administrator privileges. The preview also includes
built-in insights and reporting for Endpoint Privilege Management.
To learn how to activate the public preview and use Endpoint Privilege Management
policies, start with Use Endpoint Privilege Management with Microsoft Intune. Endpoint
Privilege Management is part of the Intune Suite offering, and free to try while it
remains in public preview.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
Registry keys:
HKLM\SOFTWARE\Microsoft\EPMAgent
Commands:
%windir%\system32\pnputil.exe /enum-drivers
Log files:
%ProgramFiles%\Microsoft EPM Agent\Logs\*.*
%windir%\system32\config\systemprofile\AppData\Local\mdm\*.log
Pending: The message hasn't been scheduled yet and is currently in progress.
Failed: The message failed to schedule due to a service error.
For information about reporting details, see View reporting details for organizational
messages.
Device management
Meta Quest 2 and Quest Pro are now in Open Beta (US only) on Microsoft Intune for Android Open Source Devices
Microsoft Intune for Android open source project devices (AOSP) has welcomed Meta
Quest 2 and Quest Pro into Open Beta for the US market.
Applies to:
Android (AOSP)
App management
App management
Device management
The Microsoft Intune admin center has a new URL: https://intune.microsoft.com. The
previously used URL, https://endpoint.microsoft.com, continues to work but will
redirect to the new URL in late 2023. We recommend taking the following actions to
avoid issues with Intune access and automated scripts:
Tenant administration
You can add your frequently used queries to a Favorites folder in CMPivot. CMPivot
allows you to quickly assess the state of a device managed by Configuration Manager
via Tenant Attach and take action. The functionality is similar to one already present in
the Configuration Manager console. This addition helps you keep all your most used
queries in one place. You can also add tags to your queries to help search and find
queries. The queries saved in the Configuration Manager console aren't automatically
added to your Favorites folder. You need to create new queries and add them to this
folder. For more information about CMPivot, see Tenant attach: CMPivot usage
overview.
Device enrollment
The Enrollment Status Page (ESP) now supports the new Microsoft store applications
during Windows Autopilot. This update enables better support for the new Microsoft
Store experience and should be rolling out to all tenants starting with Intune 2303. For
related information, see Set up the Enrollment Status Page.
Device configuration
In the Microsoft Intune admin center, you need to turn the feature on using Device
Restrictions in Device Configuration for Android Enterprise.
Select Allow on the Locate device toggle for fully managed and corporate owned work
profile devices and select applicable groups. Locate device is available when you select
Devices, and then select All devices. From the list of devices you manage, select a
supported device, and choose the Locate device remote action.
Intune add-ons
Microsoft Intune Suite adds mission-critical advanced endpoint management and
security capabilities to Microsoft Intune.
You can find add-ons to Intune in the Microsoft Intune admin center under Tenant
administration > Intune add-ons.
In public preview, you can view a list of ServiceNow incidents associated with the user
you've selected in the Intune Troubleshooting workspace. This new feature is available
under Troubleshooting + Support > select a user > ServiceNow Incidents. The list of
incidents shown have a direct link back to the source incident and show key information
from the incident. All incidents listed link the "Caller" identified in the incident with the
user selected for Troubleshooting.
For more information, go to Use the troubleshooting portal to help users at your
company.
Device security
Previously, Tunnel for MAM for Android and iOS was in public preview and free for use.
With this release as generally available, this solution now requires an add-on license for
its use.
Applies to:
Android
iOS
Tenant administration
Notices
These notices provide important information that can help you prepare for future Intune
changes and features.
If you're managing iOS/iPadOS devices, you might have devices that won't be able to
upgrade to the minimum supported version (iOS/iPadOS 15).
Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this
change might not affect you. You've likely already upgraded your OS or devices.
To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following
Apple documentation:
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. The
minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed
OS version will change to iOS 12/iPadOS 12 and later. See this statement about
ADE Userless support for more information.
To manage the supported OS version in your organization, you can use Microsoft Intune
controls for both MDM and APP. For more information, see Manage operating system
versions with Intune.
Note
Devices that are currently enrolled on macOS 11.x or earlier will continue to remain
enrolled even when those versions are no longer supported. New devices will be
unable to enroll if they are running macOS 11.x or earlier.
1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services.
Microsoft Store for Business and Education apps won't be able to sync with Intune
and the connector page will be removed from the Intune admin center.
2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for
Business and Education apps on devices. Downloaded applications remain on the
device with limited support. Users may still be able to access the app from their
device, but the app won't be managed. Existing synced Intune app objects remain
to allow admins to view the apps that had been synced and their assignments.
Additionally, you won't be able to sync apps via the Microsoft Graph API
syncMicrosoftStoreForBusinessApps, and related API properties will display stale
data.
3. On September 15, 2023, Microsoft Store for Business and Education apps will be
removed from the Intune admin center. Apps on the device remain until
intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will
no longer be available about a month later.
Note that the retirement of Microsoft Store for Business and Education was announced
in 2021. When the Microsoft Store for Business and Education portals are retired,
admins will no longer be able to manage the list of Microsoft Store for Business and
Education apps that are synced or download offline content from the Microsoft Store for
Business and Education portals.
Related information
Additional information
Download, install, and configure the latest certificate connector. For more information,
see Install the Certificate Connector for Microsoft Intune.
To check which version of the certificate connector you are using, follow these steps:
1. On a Windows Server running the Intune Certificate Connector, launch "Add or
Remove programs".
2. A list of installed programs and applications will be displayed.
3. Look for an entry related to the Microsoft Intune Certificate Connector. There will
be a "Version" associated with the connector. Note that names for older
connectors may vary.
Note
Microsoft Teams devices are not impacted by this announcement and will
continue to be supported regardless of their Android OS version.
Notify your helpdesk, if applicable, of this upcoming change in support. You can identify
how many devices are currently running Android 7.x or below by navigating to Devices
> All devices > Filter. Then filter by OS and sort by OS version. There are two admin
options to help inform your users or block enrollment.
Here's how you can block devices running on versions earlier than Android 8.0:
Create an app protection policy and configure conditional launch with a min OS
version requirement that blocks users from app access.
Utilize a device compliance policy for Android device administrator or Android
Enterprise to make devices running Android 7.x or earlier noncompliant.
Set enrollment restrictions that prevent devices running Android 7.x or earlier from
enrolling.
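The admin center filter above gives the count interactively; the following is an added example (not from the Intune documentation) that does the same count from the Microsoft Graph PowerShell SDK's Get-MgDeviceManagementManagedDevice output. The device records at the bottom are constructed stand-ins for a live query, and the version parsing handles the short forms Android reports (such as "9" with no minor version) so they are not silently skipped.

```powershell
# Added example (not Microsoft's code): count enrolled Android devices below a
# minimum OS version. Assumes the Microsoft.Graph module is installed and that a
# session exists via: Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

function ConvertTo-ComparableVersion {
    param([string] $OsVersion)
    # Android reports "7.1.2", "8.0.0", "9" or "13"; [version] needs at least
    # major.minor, so keep only the leading digits/dots and pad a bare major.
    $clean = ($OsVersion -split '[^\d.]')[0]
    if ($clean -notmatch '\.') { $clean = "${clean}.0" }
    try { return [version] $clean } catch { return $null }
}

function Get-DevicesBelowMinimumOs {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [string]  $Platform  = 'Android',
        [version] $MinimumOs = [version] '8.0'
    )
    $Devices |
        Where-Object { $_.OperatingSystem -eq $Platform } |
        Where-Object {
            $v = ConvertTo-ComparableVersion $_.OsVersion
            # Unparseable versions are dropped here; review them separately.
            ($null -ne $v) -and ($v -lt $MinimumOs)
        } |
        Select-Object DeviceName, OsVersion, UserPrincipalName, LastSyncDateTime
}

# Live query (requires the Connect-MgGraph session noted above):
#   $devices = Get-MgDeviceManagementManagedDevice -All
# Constructed sample records shaped like that cmdlet's output:
$devices = @(
    [pscustomobject]@{ DeviceName='and-01'; OperatingSystem='Android'; OsVersion='7.1.2'; UserPrincipalName='user1@contoso.example'; LastSyncDateTime=(Get-Date) }
    [pscustomobject]@{ DeviceName='and-02'; OperatingSystem='Android'; OsVersion='8.0.0'; UserPrincipalName='user2@contoso.example'; LastSyncDateTime=(Get-Date) }
    [pscustomobject]@{ DeviceName='and-03'; OperatingSystem='Android'; OsVersion='9';     UserPrincipalName='user3@contoso.example'; LastSyncDateTime=(Get-Date) }
    [pscustomobject]@{ DeviceName='and-04'; OperatingSystem='Android'; OsVersion='7.0';   UserPrincipalName='user4@contoso.example'; LastSyncDateTime=(Get-Date) }
    [pscustomobject]@{ DeviceName='ios-01'; OperatingSystem='iOS';     OsVersion='12.5';  UserPrincipalName='user5@contoso.example'; LastSyncDateTime=(Get-Date) }
)

$below = Get-DevicesBelowMinimumOs -Devices $devices -MinimumOs ([version] '8.0')
"{0} Android device(s) below 8.0" -f @($below).Count   # 2 for the sample data
$below | Format-Table -AutoSize
```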
Note
Intune app protection policies are supported on devices running Android 9.0 and
later. See MC282986 for more details.
Based on your feedback, we've updated our support statement. We're doing our best to
keep your organization secure and protect your users and devices, while aligning with
Microsoft app lifecycles.
Note
APP policies will continue to be applied to devices running Android 6.x to Android 8.x.
But if you have problems with an Office app and APP, support will request that you
update to a supported Office version for troubleshooting. To continue to receive
support for APP, update your devices to Android version 9 (Pie) or later, or replace them
with a device on Android version 9.0 or later before October 1, 2021.
The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune
automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to
this latest version. To check the version of the extension on a device, review the version
for Microsoft Intune Management Extension in the program list under Apps &
features.
For more information, see the information about security vulnerability CVE-2021-31980
in the Microsoft Security Response Center.
Previously configured settings that were set to Not configured remain as Not
configured. When you create new profiles or edit an existing profile, you can now
explicitly specify No.
In addition, the setting Hide the Virus and threat protection area in the Windows
Security app has a child setting, Hide the Ransomware data recovery option in the
Windows Security app. If the parent setting is set to Not configured and the child
setting is set to Yes, both the parent and child settings are set to Not configured. That
change takes effect when you edit the profile.
Because Microsoft no longer supports these operating systems, this change might not
affect you. You've likely already upgraded your OS or devices. This change only affects
you if you're still managing unsupported Windows 10 versions.
Windows and Company Portal versions that this change affects include:
Windows 10 version 1507, Company Portal version 10.1.721.0
Windows 10 version 1511, Company Portal version 10.1.1731.0
Windows 10 version 1607, Company Portal version 10.3.5601.0
Windows 10 version 1703, Company Portal version 10.3.5601.0
Windows 10 version 1709, any Company Portal version
We won't uninstall these Company Portal versions, but we will remove them from the
Microsoft Store and stop testing our service releases with them.
If you continue to use an unsupported version of Windows 10, your users won't get the
latest security updates, new features, bug fixes, latency improvements, accessibility
improvements, and performance investments. You won't be able to co-manage users by
using System Center Configuration Manager and Intune.
Learn about the most recent updates to the Microsoft Intune apps. We regularly add to
and improve the Intune Company Portal app and website. If you're an Intune
administrator or support person, this article provides the information you need to:
If you're an employee or student, be sure to check out the screenshots and links to the
Company Portal help documentation. For more information about how to use the
Company Portal app, see the Company Portal user help documentation.
On the Devices screen, users will no longer see a red exclamation point next to
non-enrolled devices.
On the Device Details screen, users will no longer see a red exclamation point next
to the enrollment message. Instead, they will see the info (i) icon.
When they swipe right, they'll learn how to get more work apps from the Google Play
Store.
Finally, on the Help page > Frequently Asked Questions section, there's a new link to a
Microsoft technical article about how to find work profile apps.
Week of September 28, 2020
This user experience is improved. The listed settings are expanded by default to show
the description, and show the Resolve button, when applicable. Previously, the issues
were collapsed by default. This new default behavior reduces the number of clicks, so
users can resolve issues more quickly.
The following screens show the updated checklist for Android work profile enrollment:
The following screens show the updated checklist for Android device administrator
enrollment:
Updated and improved the layout to include bottom navigation for the most
important actions.
Added the display of actionable notifications in the app for the user, such as the
need to update their device settings.
Added the display of custom push notifications, aligning the app with the support
recently added in the Company Portal app for iOS and Android. For more
information, see Send custom notifications in Intune.
View and manage the devices they've enrolled through the Intune Company Portal
or Microsoft Intune app.
Contact their organization for support.
Send their feedback to Microsoft.
View terms and conditions, if set by their organization.
Allow Safari to open the Company Portal website and download the management
profile before returning to the Company Portal app.
Open the Settings app to install the management profile on their device.
Return to the Company Portal app to complete enrollment.
For updated enrollment steps and screens, see Enroll iOS device in Intune.
The Apps page's Installed view lets you see details about completed and in-progress
app installations.
Note
We use the company name you have set in the Azure Portal in Microsoft Intune >
Client Apps > Company Portal branding > Company name. If you have not set
this value, we will use the tenant name set in Azure Active Directory > Properties
> Name. If you have not set a company name in Company Portal branding and
don't want your tenant name to be displayed, we recommend that you set the
company name in the Company Portal branding tab. If you don't want this string to
show in the header in Company Portal, you can deselect the checkbox to "Show
company name next to logo."
We're still fine-tuning the way relevance is tracked, so please let us know how it's
working using the "Feedback" link at the bottom of the Company Portal website.
iOS users will also receive this change, as the Company Portal website is also used as
part of the Company Portal app for iOS/iPadOS. The Company Portal apps for Android
and Windows will receive similar updates in the coming months.
August 2017
Modern experience
July 2017
Apps details pages will display new information for
Android devices
The apps details page of the Company Portal app for Android will now display the app
categories that the IT admin has defined for that app.
Below you can see the previous sign-in experience, the new sign-in experience with
credentials, and the new sign-in experience from another device.
The user will tap on the Access Company Content button instead of beginning to enroll
the device.
The user then is taken to the Company Portal website to authorize the app for use on
their device, where the Company Portal website verifies their credentials.
The device can still be enrolled into full management by tapping on the action menu.
Improvements to app syncing with Windows 10 Creators
Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app
install requests for devices with Windows 10 Creators Update (version 1709). This will
reduce the issue of app installs stalling during the "Pending Sync" state. In addition,
users will be able to manually initiate a sync from within the app.
New guided experience for Windows 10 Company Portal
The Company Portal app for Windows 10 will include a guided Intune walkthrough
experience for devices that have not been identified or enrolled. The new experience
provides step-by-step instructions that guide the user through registering into Azure
Active Directory (required for Conditional Access features) and MDM enrollment
(required for device management features). The guided experience will be accessible
from the Company Portal home page. Users can continue to use the app if they do not
complete registration and enrollment, but will experience limited functionality.
This update is only visible on devices running Windows 10 Anniversary Update (build
1607) or higher.
New menu action to easily remove Company Portal
Based on user feedback, the Company Portal app for Android has added a new menu
action to initiate the removal of Company Portal from your device. This action removes
the device from Intune management so that the app can be removed from the device by
the user.
Improvements to the app tiles in the Company Portal app
for iOS
We updated the design of the app tiles on the homepage to reflect the branding color
you set for the Company Portal.
Account picker now available for the Company Portal app
for iOS
If users have used their work or school account to sign in to other Microsoft apps on
their iOS device, then they may see our new account picker when signing into the
Company Portal for the first time.
April 2017
The Company Portal is also receiving updated icons for the Android, iOS, and Windows
versions of the app to improve consistency with other apps in EM+S. These icons will be
gradually released across platforms from April to late May.
February 2017
New user experience for the Company Portal app for
Android
Beginning in March, the Company Portal app for Android will follow material design
guidelines to create a more modern look and feel. This improved user experience
includes:
Colors: tab headers can be colored according to your custom color palette.
Interface: Featured Apps and All Apps buttons have been updated in the Apps
tab. The Search button is now a floating action button.
Navigation: All Apps shows a tabbed view of Featured, All and Categories for
easier navigation. Contact IT has been streamlined for improved readability.
January 2017
Note
The images below may be previews, and the announced product may differ from
the presented versions.
See also
Microsoft Intune Blog
Cloud Platform roadmap
What's new in Intune
In development for Microsoft Intune
Article • 08/28/2023
To help in your readiness and planning, this article lists Intune UI updates and features
that are in development but not yet released. Also:
If we anticipate that you'll need to take action before a change, we'll publish a
complementary post in the Office message center.
When a feature enters production, whether it's in preview or generally available,
the feature description will move from this article to What's new.
Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.
This article and the What's new article are updated periodically. Check back for more
updates.
Note
You can use RSS to be notified when this article is updated. For more information, see
How to use the docs.
App management
ICCID
IMEI
MEID
Phone number
These fields will default to using labels returned by the device, such as: Primary,
Secondary, CTSubscriptionSlotOne, and CTSubscriptionSlotTwo. These returned labels
may be displayed in the language of the local device that is reporting its inventory to
Intune.
Applies to:
iOS/iPadOS
Device configuration
In the Windows Settings Catalog, you can configure Config Refresh. This feature lets you
set a cadence for Windows devices to reapply previously received policy settings,
without requiring devices to check in to Intune.
For more information on the Settings Catalog, go to Use the settings catalog to
configure settings on Windows, iOS/iPadOS and macOS devices.
Applies to:
The settings within the Managed Settings command are available in the Settings
Catalog. In the Microsoft Intune admin center, you can see these settings at Devices >
Configuration profiles > Create profile > iOS/iPadOS > Settings catalog for profile
type.
Enabled: If true, enable sharing app analytics with app developers. If false, disable
sharing app analytics.
Applies to:
Shared iPad
Time Zone: The Internet Assigned Numbers Authority (IANA) time zone database
name.
Applies to:
iOS/iPadOS
Enabled: If true, enable the Bluetooth setting. If false, disable the Bluetooth setting.
Applies to:
iOS/iPadOS
macOS
For more information on these settings, go to Apple's developer website. For more
information about configuring Settings Catalog profiles in Intune, go to Create a policy
using settings catalog.
There is a new setting in the Settings Catalog. To see this setting, in the Microsoft Intune
admin center, go to Devices > Configuration profiles > Create profile > macOS >
Settings catalog for profile type.
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
Device enrollment
Device management
Applies to:
Safari 16.4+
macOS 11 Big Sur
Support for Application Control policy and Managed installers was originally released in
preview in June 2023 as part of the Intune 2306 service release. Application Control
policies in Intune are an implementation of Windows Defender Application Control (WDAC).
For more information on this change, go to Plan for change: Intune is moving to support
iOS/iPadOS 15 and later.
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. For
more information, go to Support statement for supported versus allowed
iOS/iPadOS versions for user-less devices.
Applies to:
iOS/iPadOS
Device security
The Linux EDR template will include the following settings for the Device tags category
from Defender for Endpoint:
Group tag – The GROUP tag tags the device with the specified value. The tag is
reflected in the admin center on the device page and can be used for filtering and
grouping devices.
Value of tag - Only one value per tag can be set. The Type of a tag is unique and
shouldn’t be repeated in the same profile.
You can learn more about Defender for Endpoint settings that are available for Linux in
Set preferences for Microsoft Defender for Endpoint on Linux in the Defender
documentation.
The macOS EDR template will include the following settings for the Device tags category
from Defender for Endpoint:
Type of tag – The GROUP tag tags the device with the specified value. The tag is
reflected in the admin center on the device page and can be used for filtering and
grouping devices.
Value of tag - Only one value per tag can be set. The Type of a tag is unique and
shouldn’t be repeated in the same profile.
You can learn more about Defender for Endpoint settings that are available for macOS in
Set preferences for Microsoft Defender for Endpoint on macOS in the Defender
documentation.
Notices
These notices provide important information that can help you prepare for future Intune
changes and features.
Plan for change: Intune is moving to support iOS/iPadOS
15 and later
Later this year, we expect iOS 17 to be released by Apple. Microsoft Intune, including
the Intune Company Portal and Intune app protection policies (APP, also known as
MAM), will require iOS 15/iPadOS 15 and higher shortly after iOS 17’s release.
Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this
change might not affect you. You've likely already upgraded your OS or devices.
To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following
Apple documentation:
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. The
minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed
OS version will change to iOS 12/iPadOS 12 and later. See this statement about
ADE Userless support for more information.
Check your Intune reporting to see what devices or users might be affected. For devices
with mobile device management (MDM), go to Devices > All devices and filter by OS.
For devices with app protection policies, go to Apps > Monitor > App protection status
and use the Platform and Platform version columns to filter. Note that there's a current
known issue where several columns are missing from the App protection status report.
We expect a fix soon.
To manage the supported OS version in your organization, you can use Microsoft Intune
controls for both MDM and APP. For more information, see Manage operating system
versions with Intune.
Plan for change: Intune is moving to support macOS 12
and higher later this year
Later this year, we expect macOS 14 Sonoma to be released by Apple. Microsoft Intune,
the Company Portal app and the Intune mobile device management agent will be
moving to support macOS 12 and later. Since the Company Portal app for iOS and
macOS are a unified app, this change will occur shortly after the release of iOS/iPadOS
17.
Note
Devices that are currently enrolled on macOS 11.x or earlier will continue to remain
enrolled even when those versions are no longer supported. New devices will be
unable to enroll if they are running macOS 11.x or earlier.
Related information
Additional information
Manage operating system versions with Intune
Notify your helpdesk, if applicable, about this updated support statement. You also have
two admin options to warn users:
Create an app protection policy and configure conditional launch with a min OS
version requirement that warns users.
Utilize a device compliance policy for Android device administrator or Android
Enterprise and set the action for noncompliance to send an email or push
notification to users before marking them noncompliant.
See also
For details about recent developments, see What's new in Microsoft Intune.
What's new in Microsoft Intune
Article • 08/30/2023
Important notices
Past releases in the What's new archive
Information about how Intune service updates are released
Note
Each monthly update may take up to three days to roll out and will be in the
following order:
Some features may roll out over several weeks and might not be available to all
customers in the first week.
For a list of upcoming Intune feature releases, see In development for Microsoft
Intune. For new information about Autopilot, see Windows Autopilot What's new.
You can use RSS to be notified when this page is updated. For more information, see
How to use the docs.
Device configuration
Windows and Android support for 4096-bit key size for SCEP and
PFX certificate profiles
Intune SCEP certificate profiles and PKCS certificate profiles for Windows and Android
devices now support a Key size (bits) of 4096. This key size is available for new profiles
and existing profiles you choose to edit.
SCEP profiles have always included the Key size (bits) setting and now support
4096 as an available configuration option.
PKCS profiles don’t include the Key size (bits) setting directly. Instead, an admin
must modify the certificate template on the Certification Authority to set the
Minimum key size to 4096.
If you use a third-party Certificate Authority (CA), you might need to contact your
vendor for assistance with implementing the 4096-bit key size.
When updating or deploying new certificate profiles to take advantage of this new key
size, we recommend use of a staggered deployment approach to help avoid creating
excessive demand for new certificates across a large number of devices at the same
time.
4096-bit key storage is supported only in the Software Key Storage Provider (KSP).
The following do not support storing keys of this size:
The hardware TPM (Trusted Platform Module). As a workaround you can use the
Software KSP for key storage.
Windows Hello for Business. There is no workaround at this time.
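Because a 4096-bit key is only usable in the Software KSP, it is worth confirming on a device where a deployed certificate's private key actually landed and at what size. The following is an added example (not Microsoft's code) that walks the local machine personal store and reports each RSA certificate's key size and key storage provider; it assumes PowerShell on Windows with the .NET CNG classes available.

```powershell
# Added example (not from the Intune docs): report key size and storage provider
# for RSA certificates in a store, so a 4096-bit key outside the Software KSP, or a
# request that fell back to a smaller key, is visible. Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows.

function Get-CertKeyStorageReport {
    param(
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert     = $_
        $keySize  = $null
        $provider = 'n/a (no RSA private key accessible)'

        # Public key size; GetRSAPublicKey returns $null for non-RSA certificates.
        $rsaPub = $ext::GetRSAPublicKey($cert)
        if ($rsaPub) { $keySize = $rsaPub.KeySize }

        if ($cert.HasPrivateKey) {
            try {
                $rsaPriv = $ext::GetRSAPrivateKey($cert)
                if ($rsaPriv -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the provider name distinguishes the Software KSP
                    # from the Platform (TPM) provider.
                    $provider = $rsaPriv.Key.Provider.Provider
                } elseif ($rsaPriv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key.
                    $provider = $rsaPriv.CspKeyContainerInfo.ProviderName
                }
            } catch {
                # Typically access denied on a key owned by another security context.
                $provider = 'n/a (private key not readable: ' + $_.Exception.Message + ')'
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeySize    = $keySize
            Provider   = $provider
            # Per the note above, a 4096-bit key cannot be TPM-backed; a 4096-bit
            # row with TpmBacked = $true would indicate an unexpected configuration.
            TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
}

Get-CertKeyStorageReport |
    Where-Object { $_.KeySize } |
    Sort-Object KeySize -Descending |
    Format-Table Subject, KeySize, Provider, TpmBacked, NotAfter -AutoSize
```

Run it elevated to read machine-store keys; pass -StorePath 'Cert:\CurrentUser\My' for user certificates delivered by a user-targeted profile.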
Tenant administration
Access policies for multiple Administrator Approval are out of public preview and are
now generally available. With these policies you can protect a resource, like App
deployments, by requiring any change to the deployment be approved by one of a
group of users who are approvers for the resource, before that change is applied.
For more information, see Use Access policies to require multiple administrative
approval.
App management
Managed Home Screen end-users prompted to grant exact alarm
permission
Managed Home Screen uses the exact alarm permission to do the following actions:
Automatically sign users out after a set time of inactivity on the device
Launch a screen saver after a set period of inactivity
Automatically relaunch MHS after a certain period of time when a user exits kiosk
mode
For devices running Android 14 and higher, by default, the exact alarm permission will
be denied. To make sure critical user functionality is not impacted, end-users will be
prompted to grant exact alarm permission upon first launch of Managed Home Screen.
For more information, see Configure the Microsoft Managed Home Screen app for
Android Enterprise and Android's developer documentation.
In Intune, end users can pin web apps to the dock on your macOS devices (Apps >
macOS > Add > macOS web clip). For related information about the settings you can
configure, see Add web apps to Microsoft Intune.
Applies to:
macOS
Win32 app configurable installation time
In Intune, you can set a configurable installation time to deploy Win32 apps. This time is
expressed in minutes. If the app takes longer to install than the set installation time, the
system will fail the app install. Max timeout value is 1440 minutes (1 day). For more
information about Win32 apps, see Win32 app management in Microsoft Intune.
Device configuration
Applies to:
Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze
your on-premises group policy objects (GPOs) for their migration to Intune policy
settings.
For more information about Group Policy analytics, go to Analyze your on-premises
GPOs using Group Policy analytics in Microsoft Intune.
Applies to:
Windows 11
Windows 10
There are new settings in the Settings Catalog. To see these settings, in the Microsoft
Intune admin center, go to Devices > Configuration profiles > Create profile >
iOS/iPadOS or macOS > Settings catalog for profile type.
Applies to:
Autologin Password
Autologin Username
Restrictions:
Applies to:
Restrictions:
Applies to:
Process's arguments
Process path
Process's Signing Identifier
Process's Team Identifier
Process exclusions
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
Device enrollment
Just-in-time registration and compliance remediation for
iOS/iPadOS Setup Assistant with modern authentication now
generally available
Just in time registration and compliance remediation for Setup Assistant with modern
authentication are now out of preview and generally available. With just in time (JIT)
registration, the device user doesn't need to use the Company Portal app for Azure
Active Directory registration and compliance checking. JIT registration and compliance
remediation is embedded into the user's provisioning experience, so they can view their
compliance status and take action within the work app they're trying to access.
Additionally, this establishes single sign-on across the device. For more information
about how to set up JIT registration, see Set up Just in Time Registration.
iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication
iOS/iPadOS 13+ devices enrolling without user affinity
iOS/iPadOS 13+ devices enrolling with Azure AD shared mode
This setting is applied once during the out-of-box automated device enrollment
experience in Setup Assistant. The device user doesn't experience it again unless they
re-enroll their device. Awaiting final configuration is enabled by default for new
enrollment profiles. For information about how to enable awaiting final configuration,
see Create an Apple enrollment profile.
Device management
We've updated how our Android apps handle notification permissions to align with
recent changes made by Google to the Android platform. As a result of Google changes,
notification permissions are granted to apps as follows:
You and your device users can expect to see the following changes now that our apps
target API 33:
Company Portal used for work profile management: Users see a notification
permission prompt in the personal instance of the Company Portal when they first
open it. Users don't see a notification permission prompt in the work profile
instance of Company Portal because notification permissions are automatically
permitted for Company Portal in the work profile. Users can silence app
notifications in the Settings app.
Company Portal used for device administrator management: Users see a
notification permission prompt when they first open the Company Portal app.
Users can adjust app notification settings in the Settings app.
Microsoft Intune app: No changes to existing behavior. Users don't see a prompt
because notifications are automatically permitted for the Microsoft Intune app.
Users can adjust some app notification settings in the Settings app.
Microsoft Intune app for AOSP: No changes to existing behavior. Users don't see
a prompt because notifications are automatically permitted for the Microsoft
Intune app. Users can't adjust app notification settings in the Settings app.
Device security
The profile Defender Update controls for Intune Endpoint security Antivirus policy,
which manages update settings for Microsoft Defender, is now generally available. This
profile is available for the Windows 10, Windows 11, and Windows Server platform. While
in public preview, this profile was available for the Windows 10 and later platform.
The profile includes settings for the rollout release channel by which devices and users
receive Defender Updates that are related to daily security intelligence updates, monthly
platform updates, and monthly engine updates.
This profile includes the following settings, which are all directly taken from Defender
CSP - Windows Client Management.
These settings are also available from the settings catalog for the Windows 10 and later
profile.
You’ll find the report in the Report node for EPM in the Intune admin center. Navigate
to Endpoint security > Endpoint Privilege Management and then select the Reports
tab.
Antivirus engine – The following settings are new in this category:
User interface preferences – A new category that includes the following settings:
Control sign-in to consumer version - Specify whether users can sign into the
consumer version of Microsoft Defender.
Show / hide status menu icon – Specify whether the status menu icon (shown in
the top-right corner of the screen) is hidden or not.
User initiated feedback – Specify whether users can submit feedback to Microsoft
by going to Help > Send Feedback.
New profiles that you create include the original settings as well as the new settings.
Your existing profiles automatically update to include the new settings, with each new
setting set to Not configured until you choose to edit that profile to change it.
For more information about how to set preferences for Microsoft Defender for Endpoint
on macOS in enterprise organizations, see Set preferences for Microsoft Defender for
Endpoint on macOS.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
Log file:
%temp%\CloudDesktop*.log
Device cohorts are identified among the devices associated with a high or medium severity
anomaly. Devices are correlated into groups based on one or more factors they have in
common, such as an app version, driver update, OS version, or device model. A correlation
group contains a detailed view with key information about the common factors
shared by all affected devices in that group. You can also view a breakdown of devices
currently affected by the anomaly and of 'at risk' devices, those that haven't yet shown
symptoms of the anomaly.
For more information about these changes, see the Intune Support Team blog at
https://aka.ms/Intune/device_compl_report.
App management
Use the Turn off the Store application setting to disable end user
access to Store apps, and allow managed Intune Store apps
In Intune, you can use the new Store app type to deploy Store apps to your devices.
Now, you can use the Turn off the Store application policy to disable end users' direct
access to Store apps. When it's disabled, end users can still access and install Store apps
from the Windows Company Portal app and through Intune app management. If you
want to allow random store app installs outside of Intune, then don't configure this
policy.
The previous Only display the private store within the Microsoft Store app policy
doesn't prevent end users from directly accessing the store using the Windows Package
Manager winget APIs. So, if your goal is to block random unmanaged Store application
installs on client devices, then it's recommended to use the Turn off the Store
application policy. Don't use the Only display the private store within the Microsoft
Store app policy.
Applies to:
Introducing a new RBAC Permission for creating a custom role in Intune, under the
resource Android for work. The permission Update Enrollment Profile allows the admin
to manage or change both AOSP and Android Enterprise Device Owner enrollment
profiles that are used to enroll devices.
Device security
This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.
App management
To learn more about changes to the admin and user experience, go to Support Tip:
Intune moving to support new Google Play Android Management API .
Applies to:
Android Enterprise
You can now upload and deploy unmanaged PKG-type applications to managed macOS
devices using the Intune MDM agent for macOS devices. This feature enables you to
deploy custom PKG installers, such as unsigned apps and component packages. You can
add a PKG app in the Intune admin center by selecting Apps > macOS > Add > macOS
app (PKG) for app type.
For more information, see Add an unmanaged macOS PKG app to Microsoft Intune. To
deploy managed PKG-type app, you can continue to add macOS line-of-business (LOB)
apps to Microsoft Intune. For more information about the Intune MDM agent for macOS
devices, see Microsoft Intune management agent for macOS.
Applies to:
macOS
New settings available for the iOS/iPadOS web clip app type
In Intune, you can pin web apps to your iOS/iPadOS devices (Apps > iOS/iPadOS > Add
> iOS/iPadOS web clip). When you add web clips, there are new settings available:
Full screen: If configured to Yes, launches the web clip as a full-screen web app
without a browser. Additionally, there's no URL or search bar, and no bookmarks.
Ignore manifest scope: If configured to Yes, a full screen web clip can navigate to
an external web site without showing Safari UI. Otherwise, Safari UI appears when
navigating away from the web clip's URL. This setting has no effect when Full
screen is set to No. Available in iOS 14 and later.
Precomposed: If configured to Yes, prevents Apple's application launcher
(SpringBoard) from adding "shine" to the icon.
Target application bundle identifier: Enter the application bundle identifier that
specifies the application that opens the URL. Available in iOS 14 and later.
iOS/iPadOS
The Run this script using the logged on credentials setting defaults to Yes.
Previously, the default was No.
The Enforce script signature check setting defaults to Yes. Previously, the default
was No.
This behavior applies to new scripts you add, not existing scripts.
For more information about using Windows PowerShell scripts in Intune, go to Use
PowerShell scripts on Windows 10/11 devices in Intune.
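With Enforce script signature check now defaulting to Yes, a script you upload must carry an Authenticode signature that chains to a publisher the device trusts, and any edit after signing invalidates it. The following PowerShell is an added example, not code from the Intune documentation: it signs a script with a code-signing certificate from the current user's personal store and then verifies the result the same way the device will. The script path and the timestamp server are placeholders you should replace; the code-signing certificate (or its chain) is assumed to already be trusted on the target devices, for example through a certificate profile.

```powershell
# Added example, not from the Intune documentation: sign a PowerShell script so
# it passes the Enforce script signature check, then verify the signature locally
# before uploading the script to Intune.
# Assumes a code-signing certificate with a private key in Cert:\CurrentUser\My
# that your devices trust. $ScriptPath and $TimestampServer are placeholders.

function Invoke-IntuneScriptSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ScriptPath,
        # Any RFC 3161 timestamp authority you trust; placeholder value.
        [string]$TimestampServer = 'http://timestamp.example.invalid'
    )

    # Pick the longest-lived valid certificate that has the Code Signing EKU and a private key.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw 'No valid code-signing certificate with a private key found in Cert:\CurrentUser\My.'
    }

    # Sign the file. The timestamp keeps the signature valid after the certificate expires,
    # and including the chain helps devices that only hold the root build trust.
    $signed = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer -IncludeChain All
    if ($signed.Status -ne 'Valid') {
        throw "Signing failed: $($signed.Status) - $($signed.StatusMessage)"
    }

    # Re-read the signature exactly as the device-side check will evaluate it:
    # 'Valid' means the file is unchanged since signing and the chain is trusted here;
    # 'HashMismatch' means the file was edited after signing; 'UnknownError' usually
    # means the signer is not trusted on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    [PSCustomObject]@{
        File       = $ScriptPath
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Timestamp  = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (placeholder path): sign, then confirm Status is Valid before uploading.
Invoke-IntuneScriptSigning -ScriptPath 'C:\IntuneScripts\Example-Remediation.ps1'
```

Keep in mind the other new default: with Run this script using the logged on credentials set to Yes, the signed script executes in the user's context, so it must not assume local administrator rights.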
Applies to:
Device configuration
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS > Settings catalog for profile type.
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
The initial release of the CR service included support for using only the Intune device ID
with the intent to eliminate the need to manage internal identifiers like serial numbers
and MAC addresses. With this update, organizations that prefer to use MAC addresses
over certificate authentication may continue to do so while implementing the CR service.
While this update adds MAC address support to the CR service, our recommendation is
to use certificate-based authentication with the Intune device ID included in the
certificate.
For information about the CR service as a replacement for the Intune Network Access
Control (NAC) service, see the Intune blog at
https://techcommunity.microsoft.com/t5/intune-customer-success/new-microsoft-intune-service-for-network-access-control/ba-p/2544696.
Navigate to Endpoint security > Security baselines. While creating and editing a
workflow these insights are available for all settings with light bulbs.
Device security
With Child process behavior, your rules can manage the elevation context for any child
processes created by the managed process. Options include:
Allowing all child processes created by the managed process to always run as
elevated.
Allow a child process to run as elevated only when it matches the rule that
manages its parent process.
Deny all child processes from running in an elevated context, in which case they
run as standard users.
Endpoint Privilege Management is available as an Intune add-on. For more information,
see Use Intune Suite add-on capabilities.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
Both reports are new instances of existing reports, and deliver improvements over the
older versions, including:
Eventually, the older report versions that are still available in the admin center at Devices
> Monitor will be retired.
App management
Updates to app configuration policy reporting
As part of our continuing efforts to improve the Intune reporting infrastructure, there
have been several user interface (UI) changes for app configuration policy reporting. The
UI has been updated with the following changes:
There is no longer a User status tile or a Not applicable device tile on the
Overview section of the App configuration policies workload.
There is no longer a User install status report on the Monitor section of the App
configuration policies workload.
The Device install status report under the Monitor section of the App
configuration policies workload no longer shows the Pending state in the Status
column.
You can find configure policy reporting in Microsoft Intune admin center by selecting
Apps > App configuration policies.
Device management
Zebra will be releasing support for Android 13 on their devices. You can read more at
Migrating to Android 13 (opens Zebra's web site).
1. App installations don't happen silently. Instead, users get a notification from
the Company Portal app (if they allow notifications) that asks for permission
to allow the app installation. If a user doesn't accept the app installation
when prompted, then the app doesn't install. Users will have a persistent
notification in the notification drawer until they allow the installation.
In an update coming later in July, these issues will be resolved and the behavior
will return to how it was before.
You will soon be able to use Intune's Zebra LifeGuard Over-the-Air integration to
update Android Enterprise dedicated and fully managed devices to Android 13. For
more information, go to Zebra LifeGuard Over-the-Air Integration with Microsoft
Intune.
OEMConfig for Zebra devices on Android 13 requires using Zebra's new Zebra
OEMConfig Powered by MX OEMConfig app (opens the Google Play store). This
new app can also be used on Zebra devices running Android 11, but not earlier
versions.
For more information on this app, go to the New Zebra OEMConfig app for
Android 11 and later blog post.
The Legacy Zebra OEMConfig app (opens the Google Play store) can only be
used on Zebra devices running Android 11 and earlier.
For more general information about Intune Android 13 support, go to the Day Zero
support for Android 13 with Microsoft Intune blog post.
Device security
Now, you can opt-in to a public preview from within the Microsoft 365 Defender portal
to gain access to several enhancements for this scenario:
Intune's endpoint security policies become visible in and can be managed from
within the Microsoft 365 Defender portal. This enables security admins to remain in
the Defender portal to manage Defender and the Intune endpoint security policies
for Defender security settings management.
For Windows devices, the Windows Security Experience profile is now supported
with security settings management.
Intune creates a synthetic registration in Azure AD for devices that can't fully
register with Azure AD. Synthetic registrations are device objects created in Azure
AD that enable devices to receive and report back on Intune policies for security
settings management. In addition, should a device with a synthetic registration
become fully registered, the synthetic registration is removed from Azure AD in
deference to the full registration.
If you don't opt in to the Defender for Endpoint Public Preview, the previous behaviors
remain in place. In this case, while you can view the Antivirus profiles for Linux, you can't
deploy them because they're supported only for devices managed by Defender. Similarly, the macOS
profile that is currently available for devices enrolled with Intune can't be deployed to
devices managed by Defender.
Applies to:
Linux
macOS
Windows
Device configuration
DeviceName
Manufacturer
Model
DeviceCategory
oSVersion
IsRooted
DeviceOwnership
EnrollmentProfileName
For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.
Applies to:
Android
A new device action that is in public preview allows you to run a remediation on-
demand on a single Windows device. The Run remediation device action allows you to
resolve issues without having to wait for a remediation to run on its assigned schedule.
You will also be able to view the status of remediations under Remediations in the
Monitor section of a device.
The Run remediation device action is rolling out and may take a few weeks to reach all
customers.
Remediations
Device management
With Automatic approval, each new recommended driver that's published by the
driver manufacturer and added to the policy is automatically approved for
deployment to applicable devices. Policies set for automatic approvals can be
configured with a deferral period before the automatically approved updates are
installed on devices. This deferral gives you time to review the driver and to pause
its deployment if necessary.
With manual approval, all new driver updates are automatically added to the
policy, but an admin must explicitly approve each update before Windows Update
deploys it to a device. When you manually approve an update, you choose the
date when Windows Update will begin to deploy it to your devices.
To help you manage driver updates, you can review a policy and decline an update you
don't want to install, indefinitely pause any approved update, and reapprove a paused
update to restart its deployment.
This release also includes driver update reports that provide a success summary, per-
device update status for each approved driver, and error and troubleshooting
information. You can also select an individual driver update and view details about it
across all the policies that include that driver version.
To learn about using Windows Driver update policies, see Manage policy for Windows
Driver updates with Microsoft Intune.
Applies to:
Windows 10
Windows 11
App management
For more information, see Preview: App protection policy settings for Windows.
Device configuration
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > iOS/iPadOS or macOS for platform > Settings catalog for profile type.
Authentication Method
Denied Bundle Identifiers
Registration Token
Output path
Username
Password
UseKeyChain
Applies to:
macOS
Networking > Network Usage Rules:
SIM Rules
Applies to:
iOS/iPadOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS)
settings. In Microsoft Intune admin center , select Devices > Configuration profiles >
Create profile > Windows 10 and later for platform > Templates > Device Firmware
Configuration Interface for profile type.
Some Asus devices running Windows 10/11 are enabled for DFCI. Contact your device
vendor or device manufacturer for eligible devices.
Applies to:
Windows 10
Windows 11
In Intune, you could manage telecom expenses using Saaswedo's Datalert telecom
expense management. This feature is removed from Intune. This removal includes:
For more information from Saaswedo, go to The datalert service is unavailable (opens
Saaswedo's web site).
Applies to:
Android
iOS/iPadOS
Navigate to Endpoint security > Security baselines. When you create and edit the
workflow, these insights are available for you in the form of a light bulb.
Device management
As a public preview, you can use a new endpoint security policy category, Application
Control. Endpoint security Application Control policy includes:
To get started with using this new policy type, see Manage approved apps for Windows
devices with Application Control policy and Managed Installers for Microsoft Intune
Applies to:
Windows 10
Windows 11
In Remote Help, you can now take advantage of the in-session connection mode switch
feature. This feature can help effortlessly transition between full control and view-only
modes, granting flexibility and convenience.
Applies to:
Windows 10/11
Device security
Intune's Endpoint Privilege Management (EPM) reports now support exporting the full
reporting payload to a CSV file. With this change, you can now export all events from an
elevation report in Intune.
The Endpoint Privilege Management option to Run with elevated access is now available
as a top-level right-click option on Windows 11 devices. Previous to this change,
standard users were required to select Show more options to view the Run with elevated
access prompt on Windows 11 devices.
Windows 11
Intune apps
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
You can find the troubleshooting pane in Microsoft Intune admin center by selecting
Troubleshooting + support > Troubleshoot.
The Troubleshooting + support pane in the Intune admin center has been updated by
consolidating the Roles and Scopes report into a single report. This report now includes
all relevant role and scope data from both Intune and Azure Active Directory, providing
a more streamlined and efficient experience. For related information, see Use the
troubleshooting dashboard to help users at your company.
Device management
New Devices from HTC and Pico supported on Microsoft Intune for
Android Open Source Devices
Microsoft Intune for Android open source project devices (AOSP) now supports the
following devices:
Applies to:
Android (AOSP)
App management
Device configuration
There's a new Zebra OEMConfig Powered by MX OEMConfig app that aligns more
closely to Google's standards. This app supports Android Enterprise 11.0 and newer
devices.
The older Legacy Zebra OEMConfig app continues to support devices with Android 11
and earlier.
In your Managed Google Play, there are two versions of Zebra OEMConfig app. Be sure
to select the correct app that applies to your Android device versions.
For more information on OEMConfig and Intune, go to Use and manage Android
Enterprise devices with OEMConfig in Microsoft Intune.
Applies to:
Device management
To support the Security Management for Microsoft Defender for Endpoint (MDE security
configuration) scenario, Intune now differentiates Windows devices in Azure Active
Directory as either Windows Server for devices that run Windows Server, or as Windows
for devices that run Windows 10 or Windows 11.
With this change, you can improve policy targeting for MDE security configuration. For
example, you can use dynamic groups that consist of only Windows Server devices, or
only Windows client devices (Windows 10/11).
For more information about this change, see the Intune Customer Success blog
Windows Server devices now recognized as a new OS in Microsoft Intune, Azure AD, and
Defender for Endpoint .
Tenant administration
App management
Based on customer feedback, we're updating the Intune agent for macOS (version
2305.019) to extend the maximum script run time to 60 minutes. Previously, the Intune
agent for macOS only allowed shell scripts to run for up to 15 minutes before reporting
the script as a failure. The Intune agent for macOS 2206.014 and higher supports the 60-
minute timeout.
Assignment filters support MAM app protection policies and app configuration policies.
When you create a new filter, you can fine-tune MAM policy targeting using the
following properties:
Important
All new and edited app protection policies that use Device Type targeting are
replaced with assignment filters.
For more information on filters, go to Use filters when assigning your apps, policies, and
profiles in Microsoft Intune.
Update to MAM reporting in Intune
MAM reporting has been simplified and overhauled, and now uses Intune's newest
reporting infrastructure. Benefits of this include improved data accuracy and
instantaneous updating. You can find these streamlined MAM reports in the Microsoft
Intune admin center by selecting Apps > Monitor. All MAM data available to you is
contained within the new App protection status report and App configuration status
report.
The global quiet time settings allow you to create policies to schedule quiet time for
your end users. These settings automatically mute Microsoft Outlook email and Teams
notifications on iOS/iPadOS and Android platforms. These policies can be used to limit
end user notifications received after work hours. For more information, see Quiet time
notification policies.
Device configuration
Introducing enhanced chat with Remote Help. With the new and enhanced chat you can
maintain a continuous thread of all messages. This chat provides support for special
characters and other languages including Chinese and Arabic.
Applies to:
Windows 10/11
For Remote Help, in addition to existing session reports, administrators can now
reference audit logs for sessions created in Intune. This feature enables administrators to
reference past events for troubleshooting and analyzing log activities.
Applies to:
Windows 10
Windows 11
The settings catalog includes hundreds of settings that you can configure and deploy to
your devices.
In the settings catalog, you can turn on/off Personal data encryption (PDE). PDE is a
security feature introduced in Windows 11 version 22H2 that provides more encryption
features for Windows.
PDE is different from BitLocker. PDE encrypts individual files and content, instead of
whole volumes and disks. You can use PDE together with other encryption methods, such as
BitLocker.
Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS
devices
Common Tasks you can complete using the Settings Catalog in Intune
Windows 11
Visual Studio settings are included in the Settings Catalog and Administrative Templates
(ADMX). Previously, to configure Visual Studio settings on Windows devices, you
imported them with ADMX import.
Applies to:
Windows 10
Windows 11
Group policy analytics supports scope tags
In Group Policy analytics, you import your on-premises GPO. The tool analyzes your
GPOs and shows the settings that can (and can't) be used in Intune.
When you import your GPO XML file in Intune, you can select an existing scope tag. If
you don't select a scope tag, then the Default scope tag is automatically selected.
Previously, when you imported a GPO, the scope tags assigned to you were
automatically applied to the GPO.
Only admins within that scope tag can see the imported policies. Admins not in that
scope tag can't see the imported policies.
Also, admins within their scope tag can migrate the imported policies that they have
permissions to see. To migrate an imported GPO into a Settings Catalog policy, a scope
tag must be associated with the imported GPO. If a scope tag isn't associated, then it
can't migrate to a Settings Catalog policy. If no scope tag is selected, then a default
scope tag is automatically applied.
For more information on scope tags and Group Policy analytics, go to:
Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune
Create a Settings Catalog policy using your imported GPOs
Use role-based access control (RBAC) and scope tags for distributed IT
Now available in public preview, Microsoft Intune supports integration with Zebra
Lifeguard Over-the-Air service, which allows you to deliver OS updates and security
patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can
select the firmware version you want to deploy, set a schedule, and stagger update
downloads and installs. You can also set minimum battery, charging status, and network
conditions requirements for when the update can happen.
Available for Android Enterprise Dedicated and Fully Managed Zebra devices that are
running Android 8 or later, and requires an account with Zebra.
Google domain allow-list: Restricts users to add only certain Google account
domains in the work profile. You can import a list of allowed domains or add them
in the admin center using the contoso.com format. When left blank, by default, the
OS might allow adding all Google domains in the work profile.
For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.
Applies to:
Proactive remediations are now Remediations and are available from Devices >
Remediations. You can still find Remediations in both the new location and the existing
Reports > Endpoint Analytics location until the next Intune service update.
Remediations are currently not available in the new Devices experience preview.
Applies to:
Windows 10
Windows 11
Applies to:
Windows 10
Windows 11
This setting is coming in a future release, possibly the 2308 Intune release.
You can create a device configuration profile that deploys a VPN connection to devices
(Devices > Configuration profiles > Create profile > Windows 10 and later for platform
> Templates > VPN for profile type).
In this VPN connection, you can use the Apps and Traffic rules settings to create
network traffic rules.
There's a new Direction setting you can configure. Use this setting to allow Inbound and
Outbound traffic from the VPN connection:
For more information on the VPN settings you can configure, including the network
traffic rule settings, go to Windows device settings to add VPN connections using
Intune.
Applies to:
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
This new key allows you to control the wipe fallback behavior on Macs that have Apple
Silicon or the T2 Security Chip. To find this setting, navigate to Devices > macOS >
[Select a device] > Overview > Wipe in the Device action area.
Applies to:
macOS
Device enrollment
Intune supports account driven user enrollment, a new and improved variation of Apple
User Enrollment for iOS/iPadOS 15+ devices. Now available for public preview, the new
option utilizes just-in-time registration, which eliminates the need for the Company
Portal app during enrollment. Device users can initiate enrollment directly in the Settings
app, resulting in a shorter and more efficient onboarding experience. You can continue
to target iOS/iPadOS devices using the existing profile-based user enrollment method
that uses Company Portal. Devices running iOS/iPadOS, version 14.8.1 and earlier remain
unaffected by this update and can continue to use the existing method. For more
information, see Set up account driven Apple User Enrollment.
Device security
The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.
The Microsoft 365 Office Apps baseline can help you rapidly deploy configurations to
your Office Apps that meet the security recommendations of the Office and security
teams at Microsoft. As with all baselines, the default baseline represents the
recommended configurations. You can modify the default baseline to meet the
requirements of your organization.
Applies to:
Windows 10
Windows 11
We've released a new version of the Intune security baseline for Microsoft Edge, version
112. In addition to releasing this new version for Microsoft Edge, the new baseline uses
an updated template experience that uses the unified settings platform seen in the
Intune settings catalog. You can view the list of settings in the new baseline at Microsoft
Edge baseline settings (version 112 and higher).
The new Intune security baseline format aligns the presentation of settings that are
available to the settings found in the Intune settings catalog. This alignment helps
resolve past issues for setting names and implementations for settings that could create
conflicts. The new format also improves the reporting experience for baselines in the
Intune admin center.
Now that the new baseline version is available, all new profiles you create for Microsoft
Edge use the new baseline format and version. While the new version becomes the
default baseline version, you can continue to use the profiles you've previously created
for older versions of Microsoft Edge. But, you can't create new profiles for those older
versions of Microsoft Edge.
Applies to:
Windows 10
Windows 11
Intune apps
The following protected apps are now available for Microsoft Intune:
For more information about protected apps, see Microsoft Intune protected apps.
Device configuration
Some Dynabook devices running Windows 10/11 are enabled for DFCI. Contact your
device vendor or device manufacturer for eligible devices.
Applies to:
Windows 10
Windows 11
eSIM bulk activation for Windows PCs via download server is now
available on the Settings Catalog
You can now perform at-scale configuration of Windows eSIM PCs using the Settings
Catalog. A download server (SM-DP+) is configured using a configuration profile.
Once the devices receive the configuration, they automatically download the eSIM
profile. For more information, go to eSIM configuration of a download server.
Applies to:
Windows 11
eSIM capable devices
App management
It's now also possible to delete Microsoft Store for Business apps from the Apps pane in
the Microsoft Intune admin center so that you can clean up your environment as you
move to the new Microsoft Store app type.
For related information, see Plan for Change: Ending support for Microsoft Store for
Business and Education apps for upcoming dates when Microsoft Store for Business
apps won't deploy and Microsoft Store for Business apps are removed.
Device configuration
Administrators can now utilize conditional access capability when setting up policies and
conditions for Remote Help. For example, multi-factor authentication, installing security
updates, and locking access to Remote Help for a specific region or IP addresses.
Conditional access
Remote Help
Device security
For more information about these settings, see the Defender CSP. The new settings
are also available through the Intune Settings Catalog.
This setting now appears with the Deprecated tag. If this deprecated setting was
previously applied on a device, the setting value is updated to NotApplicable and
has no effect on the device. If this setting is configured on a device, there's no
effect on the device.
Applies to:
Windows 10
Windows 11
App management
This new setting appears in the Microsoft Intune admin center when you modify the
properties of an app. For an existing app, select Apps > iOS/iPadOS or macOS
> select the app > Properties > Assignment Edit. If no group assignment has been set,
select Add group to add a group. Modify either the setting under VPN, Uninstall on
device removal, or Install as removable. Then, select Prevent iCloud app backup. The
Prevent iCloud app backup setting prevents iCloud from backing up the app's data.
Set it to No to allow the app to be backed up by iCloud.
For more information, see Changes to applications' backup and restore behavior on
iOS/iPadOS and macOS devices and Assign apps to groups with Microsoft Intune.
You can control the automatic update behavior for Apple VPP at the per-app
assignment level using the Prevent automatic updates setting. This setting is available
in Microsoft Intune admin center by selecting Apps > iOS/iPadOS or macOS > Select
a volume purchase program app > Properties > Assignments > Select an Azure AD
group > App settings.
Applies to:
iOS/iPadOS
macOS
Device configuration
The Settings Catalog lists all the settings you can configure in a device policy, and all in
one place.
A new setting is available in the Settings Catalog. In the Microsoft Intune admin
center, you can see these settings at Devices > Configuration profiles > Create
profile > macOS for platform > Settings catalog for profile type.
Privacy > Privacy Preferences Policy Control > Services > Listen Event or Screen
Capture:
Allowed
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
For more information about configuring the Microsoft Enterprise SSO plug-in for Apple
devices in Intune, go to Microsoft Enterprise SSO plug-in in Microsoft Intune.
Applies to:
iOS/iPadOS
macOS
You can now use the Disable Activation Lock device action in Intune to bypass
Activation Lock on macOS devices without requiring the current username or password.
This new action is available in Devices > macOS > select one of your listed devices >
Disable Activation Lock.
More information on managing Activation Lock is available at Bypass iOS/iPadOS
Activation Lock with Intune or on Apple's website at Activation Lock for iPhone, iPad,
and iPod touch - Apple Support.
Applies to:
macOS
Device management
Endpoint security firewall rules support for ICMP type
You can now use the IcmpTypesAndCodes setting to configure inbound and outbound
rules for Internet Control Message Protocol (ICMP) as part of a firewall rule. This setting
is available in the Microsoft Defender Firewall rules profile for the Windows 10, Windows
11, and Windows Server platform.
Applies to:
Windows 10
Windows 11
Windows Server
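As an added example (not part of the Intune documentation), the following PowerShell lets you sanity-check an IcmpTypesAndCodes value before you put it in a Firewall rules profile, and then confirm on a synced device that the rule Intune delivered carries the ICMP type and code you intended. Two assumptions are not stated on this page: that the CSP value is a comma-separated list of type:code pairs where the code may be `*`, and that the rule display name used at the end is whatever you chose in the Intune profile.

```powershell
# Added example, not from the Intune documentation: validate an IcmpTypesAndCodes
# value and verify the resulting rule on a device.
# Assumptions: the CSP value is a comma-separated list of <type>:<code> entries where
# <code> may be '*' (format not spelled out on this page); rule display names match
# what was configured in the Intune profile.

function Test-IcmpTypesAndCodes {
    param([Parameter(Mandatory)][string]$Value)
    $problems = @()
    foreach ($entry in ($Value -split ',')) {
        $entry = $entry.Trim()
        if ($entry -notmatch '^(\d{1,3}):(\d{1,3}|\*)$') {
            $problems += "'$entry' is not in <type>:<code> form"
            continue
        }
        # -notmatch populates $Matches when the pattern did match
        if ([int]$Matches[1] -gt 255) { $problems += "'$entry': ICMP type exceeds 255" }
        if ($Matches[2] -ne '*' -and [int]$Matches[2] -gt 255) { $problems += "'$entry': ICMP code exceeds 255" }
    }
    [pscustomobject]@{ Value = $Value; IsValid = ($problems.Count -eq 0); Problems = $problems }
}

function Get-IcmpRuleOnDevice {
    param([Parameter(Mandatory)][string]$DisplayName)
    # ActiveStore returns the rules actually in force, whichever store (local, GPO, MDM) supplied them
    Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Enabled   = $_.Enabled
                Direction = $_.Direction
                Action    = $_.Action
                Profile   = $_.Profile
                Protocol  = $filter.Protocol   # ICMPv4 or ICMPv6 for an ICMP rule
                IcmpType  = $filter.IcmpType   # shown as type or type:code, e.g. 8 or 3:4
            }
        }
}

# Echo request (type 8, any code) plus destination-unreachable/fragmentation-needed (3:4);
# keeping 3:4 allowed inbound is what lets path MTU discovery keep working.
Test-IcmpTypesAndCodes -Value '8:*,3:4'
Test-IcmpTypesAndCodes -Value '8,300:1'   # rejected: missing code, type out of range

# After the device has synced, compare what arrived with what you meant to deploy
Get-IcmpRuleOnDevice -DisplayName 'Allow inbound ICMPv4 echo and PMTUD'
```

Run the last call on the device after a sync; if nothing comes back, the profile has not been applied yet or the display name differs from the one in the profile.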
Windows LAPS is a Windows feature that lets you manage and back up the password of a
local administrator account on your Azure Active Directory-joined or Windows Server
Active Directory-joined devices.
To manage LAPS, Intune configures the Windows LAPS configuration service provider
(CSP) that is built in to Windows devices. The CSP takes precedence over other sources of
Windows LAPS configuration, such as GPOs or the legacy Microsoft LAPS tool. Some of the
capabilities you can use when Intune manages Windows LAPS include:
Define password requirements like complexity and length that apply to the local
administrator accounts on a device.
Configure devices to rotate their local admin account passwords on a schedule.
And, back up the account and password in your Azure Active Directory or on-
premises Active Directory.
Use an Intune device action from the admin center to manually rotate the
password for an account on your own schedule.
View account details from within the Intune admin center, like the account name
and password. This information can help you recover devices that are otherwise
inaccessible.
Use Intune reports to monitor your LAPS policies, and when devices last rotated
passwords manually or by schedule.
Applies to:
Windows 10
Windows 11
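As an added example (not from the Intune documentation), the following PowerShell can be run elevated on a managed device to confirm that the Intune-delivered CSP policy is the LAPS policy in effect, to force a policy cycle instead of waiting for the schedule, and to read the outcome from the LAPS event log. The registry locations, their precedence order, the meaning of the BackupDirectory values and the event log name are assumptions taken from general Windows LAPS knowledge rather than facts stated on this page.

```powershell
# Added example, not from the Intune documentation: show which LAPS policy source a
# device is actually using, force processing, and read the result.
# Assumptions (not on this page): Windows LAPS reads the registry paths below in the
# precedence order listed; BackupDirectory 1 = Azure AD, 2 = on-premises AD; the LAPS
# PowerShell module and the Microsoft-Windows-LAPS/Operational log exist on this build.

function Get-LapsEffectivePolicy {
    $sources = [ordered]@{
        'Intune (CSP)' = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
        'Group Policy' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS'
        'Local config' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
        'Legacy LAPS'  = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    }
    foreach ($name in $sources.Keys) {
        $path = $sources[$name]
        if (-not (Test-Path $path)) { continue }
        $p = Get-ItemProperty -Path $path
        $backup = switch ($p.BackupDirectory) {
            1       { 'Azure AD' }
            2       { 'Active Directory' }
            default { 'Disabled/unset' }
        }
        # The table is in precedence order, so the first key found is the one in effect
        return [pscustomobject]@{
            Source               = $name
            RegistryPath         = $path
            BackupDirectory      = $backup
            AdministratorAccount = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator)' }
            PasswordLength       = $p.PasswordLength
            PasswordAgeDays      = $p.PasswordAgeDays
            PasswordComplexity   = $p.PasswordComplexity
        }
    }
    return $null
}

$policy = Get-LapsEffectivePolicy
if ($null -eq $policy) {
    Write-Warning 'No Windows LAPS policy is applied to this device.'
    return
}
$policy | Format-List
if ($policy.Source -ne 'Intune (CSP)') {
    Write-Warning "LAPS is driven by '$($policy.Source)'; the Intune policy has not arrived or is not assigned to this device."
}
if ($policy.BackupDirectory -eq 'Disabled/unset') {
    Write-Warning 'BackupDirectory is disabled or unset, so Windows LAPS is not managing the account password.'
}

# Apply the policy now rather than waiting for the next scheduled cycle, then show the
# newest operational events (rotation and backup success or failure).
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

The precedence check is the part worth keeping: a device that still has a legacy LAPS or GPO configuration will silently keep honouring the Intune policy only once it has actually arrived, and until then the older source is what rotates and backs up the password.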
New settings available for macOS software update policies
macOS software update policies now include the following settings to help manage
when updates install on a device. These settings are available when the All other updates
update type is configured to Install later:
Max User Deferrals: When the All other updates update type is configured to
Install later, this setting allows you to specify the maximum number of times a user
can postpone a minor OS update before it's installed. The system prompts the user
once a day. Available for devices running macOS 12 and later.
Priority: When the All other updates update type is configured to Install later, this
setting allows you to specify values of Low or High for the scheduling priority for
downloading and preparing minor OS updates. Available for devices running
macOS 12.3 and later.
For more information, see Use Microsoft Intune policies to manage macOS software
updates.
Applies to:
macOS
You can now manage hardware-specific information on your HP or Surface devices from
our partner portals page.
The HP link takes you to HP Connect where you can update, configure, and secure the
BIOS on your HP devices. The Microsoft Surface link takes you to the Surface
Management Portal where you can get insights into device compliance, support activity,
and warranty coverage.
To access the Partner portals page, you must enable the Devices pane preview and then
navigate to Devices > Partner Portals.
The following Microsoft Intune reports for Windows Update compatibility are out of
preview and now generally available:
Windows feature update device readiness report - This report provides per-
device information about compatibility risks that are associated with an upgrade or
update to a chosen version of Windows.
These reports can help you plan an upgrade from Windows 10 to 11, or for installing the
latest Windows feature update.
Device security
With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. To do so, you configure policies
for automatic and user-confirmed workflows that elevate the run-time permissions for
apps or processes you select. You then assign these policies to users or devices that
have end users running without Administrator privileges. After the device receives a
policy, EPM brokers the elevation on behalf of the user, allowing them to elevate
approved applications without needing full administrator privileges. EPM also includes
built-in insights and reporting.
Now that EPM is out of preview, it requires an additional license. You can choose
between a stand-alone license that adds only EPM, or license EPM as part of the
Microsoft Intune Suite. For more information, see Use Intune Suite add-on capabilities.
While Endpoint Privilege Management is now generally available, its reports move to
preview status and will receive further enhancements before they leave preview.
With this capability, you can scope your firewall rules to an application or a group of
applications and rely on your WDAC policies to define which binaries those are. Because
the rule references a WDAC AppId tag, your Firewall Rules policy no longer needs an
absolute file path, or a variable file path, either of which can weaken the rule: a
path-based rule matches whatever binary happens to sit at that path, whereas a tag matches
only code that your WDAC policy has identified.
Using this capability requires WDAC policies that include AppId tags, which you then
specify in your Intune Microsoft Defender Firewall Rules policy.
For more information, see the following articles in the Windows Defender Application
Control documentation:
Applies to:
Windows 10/11
We have released a new experience for creating App and Browser Isolation profiles for
endpoint security Attack Surface Reduction policy. The experience for editing your
previously created App and Browser Isolation policies remains the same, and you can
continue to use them. This update applies only to the new App and Browser Isolation
policies you create for the Windows 10 and later platform.
This update is part of the continuing rollout of new profiles for endpoint security
policies, which began in April 2022.
Additionally, the new profile includes the following changes for the settings it includes:
Clipboard file type – This setting is added to the updated profile and determines
the type of content that can be copied from the host to Application Guard
environment and vice versa. You can view the CSP for this new setting at
Settings/ClipboardFileType in the WindowsDefenderApplicationGuard CSP
documentation.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
This permission is also added to the Organizational Messages Manager built-in role.
Existing custom roles for managing Organizational Messages must be modified to add
this permission for users to modify this setting.
For more information, about role-based access control (RBAC), see RBAC with
Microsoft Intune.
For more information, about prerequisites for organization messages, see
Organizational messages prerequisites.
Tenant administration
Use audit logs to track and monitor organizational message events in Microsoft Intune.
To access the logs, sign in to the Microsoft Intune admin center and go to Tenant
administration > Audit logs. For more information, see Audit logs for Intune activities.
Device configuration
Configure user scope policies using Settings catalog and assign to groups of
users.
Configure user certificates and assign to users.
Configure PowerShell scripts to install in the user context and assign to users.
Applies to:
Windows 10
Virtual machines created in Azure Public and Azure Government clouds
Device configuration
On Android Enterprise personally owned devices with a work profile, you can configure
settings that restrict device features and settings. One of these is the Add and remove
accounts setting, which until now prevented any account, including Google accounts, from
being added in the work profile.
This setting has changed and you can now allow Google accounts. The Add and remove
accounts setting options are:
Block all accounts types: Prevents users from manually adding or removing
accounts in the work profile. For example, when you deploy the Gmail app into the
work profile, you can prevent users from adding or removing accounts in this work
profile.
Allow all accounts types: Allows all accounts, including Google accounts. These
Google accounts are blocked from installing apps from the Managed Google Play
Store.
Allow all accounts types, except Google accounts (default): Intune doesn't change
or update this setting. By default, the OS might allow adding accounts in the work
profile.
For more information on the settings you can configure, go to Android Enterprise device
settings list to allow or restrict features on personally owned devices using Intune.
Applies to:
Android Enterprise personally owned devices with a work profile
App management
You can now update apps of type macOS apps (DMG) deployed using Intune. To edit a
DMG app that's already created in Intune, upload the app update with the same bundle
identifier as the original DMG app. For related information, see Add a macOS DMG app
to Microsoft Intune.
App management
Windows 10 21H2
Windows 10 22H2
Windows 11 21H2
Windows 11 22H2
You can view and manage VPP apps with only the Mobile apps permission assigned.
Previously, the Managed apps permission was required to view and manage VPP apps.
This change doesn't apply to Intune for Education tenants who still need to assign the
Managed apps permission. More information about permissions in Intune is available at
Custom role permissions.
Device configuration
Enforcement level
Applies to:
macOS
For more information about configuring Settings Catalog profiles in Intune, go to Create
a policy using settings catalog.
In Intune, you can add existing Bash scripts to configure Linux devices (Devices > Linux
> Configuration Scripts).
When you create this script policy, you can set the context that the script runs in (user or
root), how frequently the script runs, and how many times execution should retry.
For more information on this feature, go to Use custom Bash scripts to configure Linux
devices in Microsoft Intune.
Applies to:
Linux
Device enrollment
Create and manage multiple enrollment profiles and tokens for Android Enterprise fully
managed devices. With this new functionality, you can now use the
EnrollmentProfileName dynamic device property to automatically assign enrollment
profiles to fully managed devices. The enrollment token that came with your tenant
remains in a default profile. For more information, see Set up Intune enrollment of
Android Enterprise fully managed devices.
Intune now supports a frontline worker experience for iPhones and iPads using Apple
automated device enrollment. You can now enroll devices that are enabled in Azure AD
shared mode via zero-touch. For more information about how to configure automated
device enrollment for shared device mode, see Set up enrollment for devices in Azure
AD shared device mode.
Applies to:
iOS/iPadOS
Device management
You can now configure settings in endpoint security Firewall policy that configure
firewall logging options. These settings can be found in the Microsoft Defender Firewall
profile template for the Windows 10 and later platform, and are available for the
Domain, Private, and Public profiles in that template.
Following are the new settings, all found in the Firewall configuration service provider
(CSP):
Windows 10
Windows 11
The Interface Types setting in endpoint security Firewall policy now includes the option
Mobile Broadband. Interface Types is available in the Microsoft Defender Firewall
Rules profile for all Windows platforms. For information about the use of
this setting and option, see Firewall configuration service provider (CSP).
Applies to:
Windows 10
Windows 11
We've added a pair of network list manager settings to endpoint security Firewall policy.
To help determine when an Azure AD device is or isn't on your on-premises domain
subnets, you can use the network list manager settings. This information can help
firewall rules apply correctly.
The following settings are found in a new category named Network List Manager, that's
available in the Microsoft Defender Firewall profile template for the Windows 10,
Windows 11, and Windows Server platform:
Applies to:
Windows 10
Windows 11
For more information about the updated UI, see Try new Devices experience in
Microsoft Intune.
Device security
As a public preview, you can now use Microsoft Intune Endpoint Privilege Management.
With Endpoint Privilege Management, admins can set policies that allow standard users
to perform tasks normally reserved for an administrator. Endpoint Privilege
Management can be configured in the Intune admin center at Endpoint security >
Endpoint Privilege Management.
With the public preview, you can configure policies for automatic and user-confirmed
workflows that elevate the run-time permissions for apps or processes you select. You
then assign these policies to users or devices that have end users running without
Administrator privileges. Once policy is received, Endpoint Privilege Management will
broker the elevation on behalf of the user, allowing them to elevate approved
applications without needing full administrator privileges. The preview also includes
built-in insights and reporting for Endpoint Privilege Management.
To learn how to activate the public preview and use Endpoint Privilege Management
policies, start with Use Endpoint Privilege Management with Microsoft Intune. Endpoint
Privilege Management is part of the Intune Suite offering, and free to try while it
remains in public preview.
Intune apps
For more information about protected apps, see Microsoft Intune protected apps.
Registry keys:
HKLM\SOFTWARE\Microsoft\EPMAgent
Commands:
%windir%\system32\pnputil.exe /enum-drivers
Log files:
%ProgramFiles%\Microsoft EPM Agent\Logs\*.*
%windir%\system32\config\systemprofile\AppData\Local\mdm\*.log
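As an added example (not Intune's own Collect diagnostics implementation), the following PowerShell gathers exactly the EPM items listed above from a device into a zip that you can attach to a support case or inspect offline. It assumes an elevated session; everything else (the registry key, the command, the log paths) is taken from the list on this page.

```powershell
# Added example, not Intune's Collect diagnostics code: gather the EPM registry key,
# driver inventory and log files listed above into a timestamped zip.
# Assumption: run from an elevated PowerShell session.

function Export-EpmDiagnostics {
    param([string]$OutputRoot = (Join-Path $env:TEMP 'EpmDiag'))

    $target = Join-Path $OutputRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Registry key: reg.exe export keeps subkeys and value types intact in a .reg file
    $regKey = 'HKLM\SOFTWARE\Microsoft\EPMAgent'
    & reg.exe export $regKey (Join-Path $target 'EPMAgent.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$regKey is missing; the EPM agent is probably not installed on this device."
    }

    # Command: capture the whole driver inventory, the EPM driver is read in context later
    & "$env:windir\system32\pnputil.exe" /enum-drivers |
        Out-File -FilePath (Join-Path $target 'pnputil-enum-drivers.txt') -Encoding utf8

    # Log files: every file from the EPM agent log folder, only *.log from the MDM folder
    $logSets = @(
        @{ Path = Join-Path $env:ProgramFiles 'Microsoft EPM Agent\Logs'; Filter = '*';     Name = 'EpmAgentLogs' },
        @{ Path = "$env:windir\system32\config\systemprofile\AppData\Local\mdm"; Filter = '*.log'; Name = 'MdmLogs' }
    )
    foreach ($set in $logSets) {
        if (-not (Test-Path $set.Path)) { Write-Warning "Log folder not found: $($set.Path)"; continue }
        $dest = Join-Path $target $set.Name
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Get-ChildItem -Path $set.Path -Filter $set.Filter -File -Recurse | Copy-Item -Destination $dest -Force
    }

    $zip = "$target.zip"
    Compress-Archive -Path (Join-Path $target '*') -DestinationPath $zip -Force
    return $zip
}

Export-EpmDiagnostics
```

The function returns the zip path so it can be called from a remote session (for example via Invoke-Command) and the archive copied back in the same run.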
Pending: The message hasn't been scheduled yet and is currently in progress.
Failed: The message failed to schedule due to a service error.
For information about reporting details, see View reporting details for organizational
messages.
Device management
Meta Quest 2 and Quest Pro are now in Open Beta (US only) on
Microsoft Intune for Android Open Source Devices
Microsoft Intune for Android open source project devices (AOSP) has welcomed Meta
Quest 2 and Quest Pro into Open Beta for the US market.
Applies to:
Android (AOSP)
Device management
The Microsoft Intune admin center has a new URL: https://intune.microsoft.com. The
previously used URL, https://endpoint.microsoft.com, continues to work but will
redirect to the new URL in late 2023. We recommend taking the following actions to
avoid issues with Intune access and automated scripts:
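As an added example (this is not one of the documented actions, and not Microsoft's code), the following PowerShell locates scripts, runbooks and shortcut files that still hard-code the old admin center host name, and can rewrite them after a -WhatIf rehearsal. It assumes the file extensions below cover your automation and that only the host name changes, so a plain substitution is safe.

```powershell
# Added example, not from the Intune documentation: find and optionally replace the
# old admin center host name in automation files.
# Assumptions: the extensions below cover your scripts; only the host name changes.

function Find-LegacyAdminCenterUrl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.ps1','*.psm1','*.psd1','*.cmd','*.bat','*.json','*.yml','*.yaml','*.md','*.txt','*.url')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include |
        Select-String -Pattern 'endpoint\.microsoft\.com' |
        Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
}

function Update-LegacyAdminCenterUrl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $files = Find-LegacyAdminCenterUrl -Path $Path | Select-Object -ExpandProperty Path -Unique
    foreach ($file in $files) {
        if ($PSCmdlet.ShouldProcess($file, 'Replace endpoint.microsoft.com with intune.microsoft.com')) {
            $content = Get-Content -Path $file -Raw
            $updated = $content -replace 'endpoint\.microsoft\.com', 'intune.microsoft.com'
            Set-Content -Path $file -Value $updated -NoNewline
        }
    }
}

# Report first, then rehearse with -WhatIf before writing anything
Find-LegacyAdminCenterUrl -Path 'C:\Automation' | Format-Table -AutoSize
Update-LegacyAdminCenterUrl -Path 'C:\Automation' -WhatIf
```

Set-Content writes in the session's default encoding, which differs between Windows PowerShell 5.1 and PowerShell 7; pass -Encoding explicitly if your repository enforces one.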
Tenant administration
You can add your frequently used queries to a Favorites folder in CMPivot. CMPivot
allows you to quickly assess the state of a device managed by Configuration Manager
via Tenant Attach and take action. The functionality is similar to one already present in
the Configuration Manager console. This addition helps you keep all your most used
queries in one place. You can also add tags to your queries to help search and find
queries. The queries saved in the Configuration Manager console aren't automatically
added to your Favorites folder. You need to create new queries and add them to this
folder. For more information about CMPivot, see Tenant attach: CMPivot usage
overview.
Device enrollment
The Enrollment Status Page (ESP) now supports the new Microsoft store applications
during Windows Autopilot. This update enables better support for the new Microsoft
Store experience and should be rolling out to all tenants starting with Intune 2303. For
related information, see Set up the Enrollment Status Page.
Device configuration
In the Microsoft Intune admin center, you need to turn the feature on using Device
Restrictions in Device Configuration for Android Enterprise.
Select Allow on the Locate device toggle for fully managed and corporate owned work
profile devices and select applicable groups. Locate device is available when you select
Devices, and then select All devices. From the list of devices you manage, select a
supported device, and choose the Locate device remote action.
Applies to:
Android Enterprise fully managed and corporate-owned work profile devices
Intune add-ons
Microsoft Intune Suite adds mission-critical advanced endpoint management and
security capabilities to Microsoft Intune.
You can find add-ons to Intune in the Microsoft Intune admin center under Tenant
administration > Intune add-ons.
In public preview, you can view a list of ServiceNow incidents associated with the user
you've selected in the Intune Troubleshooting workspace. This new feature is available
under Troubleshooting + Support > select a user > ServiceNow Incidents. The list of
incidents shown has a direct link back to the source incident and shows key information
from the incident. All incidents listed link the "Caller" identified in the incident with the
user selected for Troubleshooting.
For more information, go to Use the troubleshooting portal to help users at your
company.
Device security
Previously, Tunnel for MAM for Android and iOS was in public preview and free for use.
With this release as generally available, this solution now requires an add-on license for
its use.
Applies to:
Android
iOS
Tenant administration
Notices
These notices provide important information that can help you prepare for future Intune
changes and features.
If you're managing iOS/iPadOS devices, you might have devices that won't be able to
upgrade to the minimum supported version (iOS/iPadOS 15).
Because Office 365 mobile apps are supported on iOS/iPadOS 15.0 and later, this
change might not affect you. You've likely already upgraded your OS or devices.
To check which devices support iOS 15 or iPadOS 15 (if applicable), see the following
Apple documentation:
Note
Userless iOS and iPadOS devices enrolled through Automated Device Enrollment
(ADE) have a slightly nuanced support statement due to their shared usage. The
minimum supported OS version will change to iOS 15/iPadOS 15 while the allowed
OS version will change to iOS 12/iPadOS 12 and later. See this statement about
ADE Userless support for more information.
To manage the supported OS version in your organization, you can use Microsoft Intune
controls for both MDM and APP. For more information, see Manage operating system
versions with Intune.
Note
Devices that are currently enrolled on macOS 11.x or earlier will continue to remain
enrolled even when those versions are no longer supported. New devices will be
unable to enroll if they are running macOS 11.x or earlier.
1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services.
Microsoft Store for Business and Education apps won't be able to sync with Intune
and the connector page will be removed from the Intune admin center.
2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for
Business and Education apps on devices. Downloaded applications remain on the
device with limited support. Users may still be able to access the app from their
device, but the app won't be managed. Existing synced Intune app objects remain
to allow admins to view the apps that had been synced and their assignments.
Additionally, you won't be able to sync apps via the Microsoft Graph API
syncMicrosoftStoreForBusinessApps, and related API properties will display stale
data.
3. On September 15, 2023, Microsoft Store for Business and Education apps will be
removed from the Intune admin center. Apps on the device remain until
intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will
no longer be available about a month later.
Note that the retirement of Microsoft Store for Business and Education was announced
in 2021 . When the Microsoft Store for Business and Education portals are retired,
admins will no longer be able to manage the list of Microsoft Store for Business and
Education apps that are synced or download offline content from the Microsoft Store for
Business and Education portals.
Related information
Additional information
Download, install, and configure the latest certificate connector. For more information
see, Install the Certificate Connector for Microsoft Intune.
To check which version of the certificate connector you are using, follow these steps:
1. On a Windows Server running the Intune Certificate Connector, launch "Add or
Remove programs".
2. A list of installed programs and applications will be displayed.
3. Look for an entry related to the Microsoft Intune Certificate Connector. There will
be a "Version" associated with the connector. Note that names for older
connectors may vary.
Note
Microsoft Teams devices are not impacted by this announcement and will
continue to be supported regardless of their Android OS version.
Notify your helpdesk, if applicable, of this upcoming change in support. You can identify
how many devices are currently running Android 7.x or below by navigating to Devices
> All devices > Filter. Then filter by OS and sort by OS version. There are two admin
options to help inform your users or block enrollment.
Here's how you can block devices running on versions earlier than Android 8.0:
Create an app protection policy and configure conditional launch with a min OS
version requirement that blocks users from app access.
Utilize a device compliance policy for Android device administrator or Android
Enterprise to make devices running Android 7.x or earlier noncompliant.
Set enrollment restrictions that prevent devices running Android 7.x or earlier from
enrolling.
Note
Intune app protection policies are supported on devices running Android 9.0 and
later. See MC282986 for more details.
Based on your feedback, we've updated our support statement. We're doing our best to
keep your organization secure and protect your users and devices, while aligning with
Microsoft app lifecycles.
Note
APP policies will continue to be applied to devices running Android 6.x to Android 8.x.
But if you have problems with an Office app and APP, support will request that you
update to a supported Office version for troubleshooting. To continue to receive
support for APP, update your devices to Android version 9 (Pie) or later, or replace them
with a device on Android version 9.0 or later before October 1, 2021.
The new version for the Microsoft Intune Management Extension is 1.43.203.0. Intune
automatically upgrades all versions of the extension that are earlier than 1.43.203.0 to
this latest version. To check the version of the extension on a device, review the version
for Microsoft Intune Management Extension in the program list under Apps &
features.
For more information, see the information about security vulnerability CVE-2021-31980
in the Microsoft Security Response Center.
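Both the certificate connector check earlier in these notices and the Intune Management Extension check above read a version from "Add or Remove programs". As an added example (not from the Intune documentation), the following PowerShell reads the same inventory from the registry so the check can run non-interactively or through a remote session on many machines. It assumes the product display names contain the substrings used below (older connector names vary, hence the loose match) and takes 1.43.203.0 as the minimum extension version from the notice above.

```powershell
# Added example, not from the Intune documentation: read the Apps & features inventory
# from the registry and compare versions against a minimum.
# Assumptions: display names contain the substrings matched below; 1.43.203.0 is the
# minimum Intune Management Extension version quoted in the notice.

function Get-InstalledProgram {
    param([Parameter(Mandatory)][string]$DisplayNameLike)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNameLike } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Test-MinimumVersion {
    param(
        [Parameter(Mandatory)][string]$DisplayNameLike,
        [Parameter(Mandatory)][version]$Minimum
    )
    $found = @(Get-InstalledProgram -DisplayNameLike $DisplayNameLike)
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Product = $DisplayNameLike; Installed = $null; Compliant = $false; Note = 'not installed' }
    }
    foreach ($p in $found) {
        $parsed = $null
        # TryParse avoids a string comparison, which would rank 1.9 above 1.43
        $ok = [version]::TryParse($p.DisplayVersion, [ref]$parsed) -and ($parsed -ge $Minimum)
        [pscustomobject]@{
            Product   = $p.DisplayName
            Installed = $p.DisplayVersion
            Compliant = $ok
            Note      = if ($parsed) { '' } else { 'version string could not be parsed' }
        }
    }
}

# Intune Management Extension: anything below the version in the notice is still exposed
Test-MinimumVersion -DisplayNameLike '*Intune Management Extension*' -Minimum '1.43.203.0'

# Certificate connector: report whatever is installed and compare it with the latest release
Get-InstalledProgram -DisplayNameLike '*Certificate Connector*'
Get-InstalledProgram -DisplayNameLike '*Intune Connector*'
```

The extension self-updates, so a non-compliant result on a machine that has checked in recently usually means the device has not synced rather than that the update was withheld; confirm with the device's last check-in in the admin center before escalating.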
Previously configured settings that were set to Not configured remain as Not
configured. When you create new profiles or edit an existing profile, you can now
explicitly specify No.
In addition, the setting Hide the Virus and threat protection area in the Windows
Security app has a child setting, Hide the Ransomware data recovery option in the
Windows Security app. If the parent setting is set to Not configured and the child
setting is set to Yes, both the parent and child settings are set to Not configured. That
change takes effect when you edit the profile.
Because Microsoft no longer supports these operating systems, this change might not
affect you. You've likely already upgraded your OS or devices. This change only affects
you if you're still managing unsupported Windows 10 versions.
Windows and Company Portal versions that this change affects include:
Windows 10 version 1507, Company Portal version 10.1.721.0
Windows 10 version 1511, Company Portal version 10.1.1731.0
Windows 10 version 1607, Company Portal version 10.3.5601.0
Windows 10 version 1703, Company Portal version 10.3.5601.0
Windows 10 version 1709, any Company Portal version
We won't uninstall these Company Portal versions, but we will remove them from the
Microsoft Store and stop testing our service releases with them.
If you continue to use an unsupported version of Windows 10, your users won't get the
latest security updates, new features, bug fixes, latency improvements, accessibility
improvements, and performance investments. You won't be able to co-manage users by
using System Center Configuration Manager and Intune.
Microsoft Intune releases features in "public preview". These features are being actively
developed, and may not be complete. They're made available on a "Preview" basis. You
can test and use these features in production environments and scenarios, and provide
feedback.
Preview features have a (preview) tag in the Microsoft Intune admin center:
May have restricted or limited functionality. For example, the feature may only
apply to one platform.
Typically go through feature changes before they're generally available (GA).
Are fully supported by Microsoft.
May only be available in selected geographic regions or cloud environments. For
example, the feature may not exist in the Azure Government cloud.
Individual features in preview may have more usage and support restrictions. If so,
this information is typically noted in the feature documentation.
Next steps
Review the important notices.
See what's in development.
Tutorial: Walkthrough Microsoft Intune
admin center
Article • 05/25/2023
Microsoft Intune provides the cloud infrastructure, the cloud-based mobile device
management (MDM), cloud-based mobile application management (MAM), and cloud-
based PC management for your organization. Intune helps you ensure that your
company's devices, apps, and data meet your company's security requirements. You
have the control to set which requirements need to be checked and what happens when
those requirements aren't met. The Microsoft Intune admin center is where you can
find the Microsoft Intune service, as well as other device management related settings.
Understanding the features available in Intune will help you accomplish various Mobile
Device Management (MDM) and Mobile Application Management (MAM) tasks.
Note
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
Before setting up Microsoft Intune, review the following requirements:
You can't combine an existing work or school account after you sign up for a new
account.
1. Open a browser and sign in to the Microsoft Intune admin center. If you are new
to Intune, use your free trial subscription.
When you open the Microsoft Intune admin center, the service is displayed in a
pane of your browser. Some of the first workloads you may use in Intune include
Devices, Apps, Users, and Groups. A workload is simply a sub-area of a service.
When you select the workload, it opens that pane as a full page. Other panes slide
out from the right side of the pane when they open, and close to reveal the
previous pane.
By default, when you open the Microsoft Intune admin center, you'll see the Home
page pane. This pane provides an overall visual snapshot of tenant status and
compliance status, as well as other helpful related links.
2. From the navigation pane, select Dashboard to display overall details about the
devices and client apps in your Intune tenant. If you are starting with a new Intune
tenant, you will not have any enrolled devices yet.
Intune lets you manage your workforce's devices and apps, including how they
access your company data. To use this mobile device management (MDM) service,
the devices must first be enrolled in Intune. When a device is enrolled, it is issued
an MDM certificate. This certificate is used to communicate with the Intune service.
There are several methods to enroll your workforce's devices into Intune. Each
method depends on the device's ownership (personal or corporate), device type
(iOS/iPadOS, Windows, Android), and management requirements (resets, affinity,
locking). However, before you can enable device enrollment, you must set up your
Intune infrastructure. In particular, device enrollment requires that you set your
MDM authority. For more information about getting your Intune environment
(tenant) ready, see Set up Intune. Once you have your Intune tenant ready, you can
enroll devices. For more information about device enrollment, see What is device
enrollment?
3. From the navigation pane, select Devices to display details about the enrolled
devices in your Intune tenant.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Devices.
The Devices - Overview pane has several tabs that allow you to view a summary of
the following statuses and alerts:
4. From the Devices - Overview pane, select Compliance policies to display details
about compliance for devices managed by Intune. You will see details similar to the
following image.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Device
Compliance.
For more information, see Get started with device compliance policies in Intune.
5. From the Devices - Overview pane, select Conditional Access to display details
about access policies.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Conditional
Access.
Conditional Access refers to ways you can control the devices and apps that are
allowed to connect to your email and company resources. To learn about device-
based and app-based Conditional Access, and find common scenarios for using
Conditional Access with Intune, see What's Conditional Access?
6. From the navigation pane, select Devices > Configuration profiles to display
details about device profiles in Intune.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Device
configuration.
Intune includes settings and features that you can enable or disable on different
devices within your organization. These settings and features are added to
"configuration profiles". You can create profiles for different devices and different
platforms, including iOS/iPadOS, Android, macOS, and Windows. Then, you can
use Intune to apply the profile to devices in your organization.
For more information about device configuration, see Apply features settings on
your devices using device profiles in Microsoft Intune.
7. From the navigation pane, select Devices > All devices to display details about
your Intune tenant's enrolled devices. If you are starting with a new Intune
tenant, you will not have any enrolled devices yet.
This list of devices shows key details about compliance, OS version, and last check-in
date.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Devices >
All devices.
8. From the navigation pane, select Apps to display an overview of app status. This
pane provides app installation status based on the following tabs:
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Client apps.
The Apps - Overview pane has two tabs that allow you to view a summary of the
following statuses:
Installation status - View the top installation failures by device, as well as the
apps with installation failures.
App protection policy status - Find details about assigned users to app
protection policies, as well as flagged users.
As an IT admin, you can use Microsoft Intune to manage the client apps that your
company's workforce uses. This functionality is in addition to managing devices
and protecting data. One of an admin's priorities is to ensure that end users have
access to the apps they need to do their work. Additionally, you might want to
assign and manage apps on devices that are not enrolled with Intune. Intune offers
a range of capabilities to help you get the apps you need on the devices you want.
Note
The Apps - Overview pane also provides tenant status and account details.
For more information about adding and assigning apps, see Add apps to Microsoft
Intune and Assign apps to groups with Microsoft Intune.
9. From the Apps - Overview pane, select All apps to see a list of apps that have
been added to Intune.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Client apps
> Apps.
You can add a variety of app types, based on platform, to Intune. Once an
app has been added, you can assign it to groups of users.
For more information, see Add apps to Microsoft Intune.
10. From the navigation pane, select Users to display details about the users that you
have included in Intune. These users are your company's workforce.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Users.
You can add users directly to Intune or synchronize users from your on-premises
Active Directory. Once added, users can enroll devices and access company
resources. You can also give users additional permissions to access Intune. For
more information, see Add users and grant administrative permission to Intune.
11. From the navigation pane, select Groups to display details about the Azure Active
Directory (Azure AD) groups included in Intune. As an Intune admin, you use
groups to manage devices and users.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Groups.
You can set up groups to suit your organizational needs. Create groups to organize
users or devices by geographic location, department, or hardware characteristics.
Use groups to manage tasks at scale. For example, you can set policies for many
users or deploy apps to a set of devices. For more information about groups, see
Add groups to organize users and devices.
12. From the navigation pane, select Tenant administration to display details about
your Intune tenant.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Tenant
status.
The Tenant admin - Tenant status pane provides tabs for Tenant details,
Connector status, and Service health dashboard. If there are any issues with your
tenant or Intune itself, you will find details available from this pane.
For more information, see Intune Tenant Status.
13. From the navigation pane, select Troubleshooting + support > Troubleshoot to
check status details on a specific user.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting
Troubleshoot.
From the Assignments dropdown list, you can choose to view the targeted
assignments of client apps, policies, update rings, and enrollment restrictions.
Additionally, this pane provides device details, app protection status, and
enrollment failures for a specific user.
For more information about troubleshooting within Intune, see Use the
troubleshooting portal to help users at your company.
14. From the navigation pane, select Troubleshooting + support > Help and support
to request help.
Tip
If you have previously used Intune in the Azure portal, you found the above
details in the Azure portal by signing in to Intune and selecting Help and
support.
As an IT admin, you can use the Help and Support option to search and view
solutions, as well as file an online support ticket for Intune.
15. From the navigation pane, select Troubleshooting + support > Guided scenarios
to display available Intune guided scenarios.
If you are not familiar with all the steps and resources needed to implement a
particular Intune scenario, guided scenarios may be used as your starting point.
For more information about guided scenarios, see Guided scenarios overview.
Microsoft Intune, which is a part of the Microsoft Intune family of products, provides the
cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based
mobile application management (MAM), and cloud-based PC management for your
organization. It lets you protect your organization by controlling features and settings
on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10/11 devices. It
integrates closely with Azure Active Directory (Azure AD) for identity and access control
and Azure Information Protection and advanced threat protection products for data
protection. When you use it with Microsoft 365, you can enable your workforce to be
productive on all their devices while keeping your organization's information protected.
If you have on-premises infrastructure, such as Exchange or an Active Directory, you can
use Intune connectors to help you connect to external services. Intune is included in
Microsoft's Enterprise Mobility + Security (EMS) suite.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
In the following diagram, you can see how Intune interacts with other components in
both your on-premises and cloud infrastructure:
Prerequisites
The following list includes recommended (but not required) prerequisites:
Available devices (iOS device, Android device, Windows device, macOS device)
Familiarity with Intune's supported operating systems
Familiarity with Network endpoints for Microsoft Intune
An app that you would like to add to Intune
Learning objectives
In this topic, you will set up a testing environment to evaluate Intune. Then, you will step
through specific actions to better understand and evaluate Intune.
Learn how the Microsoft Intune family of products helps you maximize your return on
investment. For more information, see Benefits of Microsoft Intune.
Next steps
Start by signing up for the Intune free trial. When you complete the sign up process,
you'll have a new tenant and you'll understand the basics of working with Microsoft
Intune.
Learn more
For more information about Microsoft Intune, see the following resources:
Microsoft Intune helps you protect your workforce's corporate data by managing
devices and apps. In this topic, you will create a free subscription to try Intune in a test
environment.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
Intune provides mobile device management (MDM) and mobile app management
(MAM) from a secure cloud-based service that is administered using the Microsoft
Intune admin center. Using Intune, you ensure your workforce's corporate resources
(data, devices, and apps) are correctly configured, accessed, and updated, meeting your
company's compliance policies and requirements.
When you complete the signup process, you'll have a new tenant. A tenant is a
dedicated instance of Azure Active Directory (Azure AD) where your subscription to
Intune is hosted. You can then configure the tenant, add users and groups, and assign
licenses to users. When you're ready, you can help users enroll their devices and add
apps that they need to begin the modern endpoint management process. As you
continue, you can set configuration and protection policies, as well as other endpoint
management capabilities.
Prerequisites
Before setting up Microsoft Intune, review the following requirements:
You can't combine an existing work or school account after you sign up for a new
account.
To sign up for the Microsoft Intune free trial, follow the steps below:
Note
If you already have an account set up with another Microsoft service using
your email address, you can choose to sign in to use the account with the
Intune trial, or you can create a new account. These steps assume you are
creating a new account.
If you click Get Started, you'll open the Microsoft 365 admin center home
page. If you click Manage your subscription, you'll open Your products and
view details about your Microsoft Intune Trial subscription.
2. Use the user ID that you were given in the steps above to sign in. The user ID will
look similar to the following: yourID@yourdomain.onmicrosoft.com.
When you sign up for a trial, you will also receive an email message that contains your
account information and the email address that you provided during the sign-up
process. This email confirms your trial is active.
Tip
When working with Microsoft Intune, you may have better results working with
a browser in regular mode, rather than private mode.
1. If you're not already signed in, sign in to the Microsoft Intune admin center.
2. Click Tenant administration.
3. View the tenant details. The MDM authority should be set to Microsoft Intune.
If after signing in to the Microsoft Intune admin center, you see an orange banner
indicating that you haven't yet set the MDM authority, you can activate it at this time.
The mobile device management (MDM) authority setting determines how you manage
your devices. The MDM authority must be set before users can enroll devices for
management.
2. Select the orange banner to open the Mobile Device Management Authority
setting. The orange banner is only displayed if you haven't yet set the MDM
authority.
Note
If you have set the MDM Authority, you will see the MDM authority value on
the Tenant administration pane. The orange banner is only displayed if you
haven't yet set the MDM authority.
3. If your MDM Authority is not set, under Choose MDM Authority, set your MDM
authority to Intune MDM Authority.
For more information about the MDM authority, see Set the mobile device management
authority.
You cannot rename or remove the initial onmicrosoft.com part of the domain
name. However, you can add, verify or remove custom domain names used with
Intune to keep your business identity clear. For more information, see Configure a
custom domain name.
1. Go to Microsoft 365 admin center and sign in using your administrator account.
2. In the navigation pane, choose Setup > Domains > Add domain.
4. Verify that you are the owner of the domain that you entered in the previous step.
Selecting send code via email will send an email to the registered contact of your
domain. After you receive the email, copy the code and enter it in the field labeled
Type your verification code here. If the verification code matches, the domain will
be added to your tenant. The email displayed may not look familiar. Some
registrars hide the real email address. Also, the email address may be different
than what was provided when the domain was registered.
Note
For TXT record verification details, see Create DNS records at any DNS
hosting provider for Microsoft 365.
To confirm your Azure Active Directory Premium and Microsoft Intune licenses, see Confirm your
licenses.
Admin experiences
There are two admin centers that you will use most often:
The Microsoft Intune admin center (https://intune.microsoft.com) is where you
can explore the capabilities of Intune. This is where an admin would work with
Intune.
Next steps
In this topic, you've created a free subscription to try Intune in a test environment. For
more information about setting up Intune, see Set up Intune.
In this topic, you'll create a user and then assign the user an Intune license. When you
use Intune, each person you want to have access to company data must have their own
user account. Intune admins can configure users later to manage access control.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
Prerequisites
A Microsoft Intune subscription. Sign up for a free trial account.
Create a user
A user must have a user account to enroll in Intune device management. To create a new
user:
1. In the Microsoft Intune admin center, select Users > All users > New user:
Note
If you haven't configured your customer domain name, use the verified
domain name you used to create the Intune subscription (or free trial).
5. Select Create.
1. Sign in to the Microsoft 365 admin center with the same credentials you used to
sign in to Intune.
2. Select Users > Active Users, and then select the user you just created.
4. Under Select location, select a location for the user, if it's not already set.
5. Select the Intune check box in the Licenses section. If another license includes
Intune, you can select that license. The displayed product name is used as the
service plan in Azure management.
Note
This setting uses one of your licenses for the user. If you're using a trial
environment, you'll later reassign this license to a real user in a live
environment.
The new active Intune user will now show that they're using an Intune license.
Clean up resources
If you don't need this user anymore, you can delete the user by going to the Microsoft
365 admin center and selecting Users > the user > the delete user icon > Delete user
> Close.
Next steps
In this topic, you created a user and assigned an Intune license to that user. For more
information about adding users to Intune, see Add users and grant administrative
permission to Intune.
To continue to evaluate Microsoft Intune, go to the next step:
In this article, you'll use Intune to create a group based on an existing user. Groups are
used to manage your users and control your employees' access to your company
resources. These resources can be part of your company's intranet or can be external
resources, such as SharePoint sites, SaaS apps, or web apps.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account.
Note
Intune provides pre-created All Users and All Devices groups in the console with
built-in optimizations for your convenience.
Prerequisites
Microsoft Intune subscription - sign up for a free trial account.
To complete this step, you must create a user.
Create a group
You'll create a group that will be used later in this evaluation series. To create a group:
1. Once you've opened the Microsoft Intune admin center, select Groups > New
group.
2. In the Group type dropdown box, select Security.
3. In the Group name field, enter the name for the new group (for example, Contoso
Testers).
6. Under Members, select the link and add one or more members for the group from
the list.
Once you've successfully created the group, it will appear in the list of All groups.
Next steps
In this article, you used Intune to create a group based on an existing user. For more
information about adding groups to Intune, see Add groups to organize users and
devices.
Applies to:
Windows 10
Windows 11
In this task, you'll set up Microsoft Intune to automatically enroll corporate owned or
user owned devices. You can scope automatic enrollment to some Azure AD users, all
users, or none.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account to try out this
tutorial.
Prerequisites
To complete this evaluation step, you must:
To access Microsoft Intune, sign in to the Microsoft Intune admin center with a Global
Administrator account. If you've already created an Intune Trial subscription, the account
you created the subscription with is a Global Administrator.
Important
For Windows BYOD devices, the MAM user scope takes precedence if both the
MAM user scope and the MDM user scope (automatic MDM enrollment) are
enabled for all users or the same groups of users. The device will not be MDM
enrolled, and Microsoft Purview Information Protection policies will apply if you
configured them.
1. In the Microsoft Intune admin center, choose All services > M365 Azure Active
Directory > All services > Azure Active Directory > Mobility (MDM and MAM).
2. Select Get a free Premium trial to use this feature. Selecting this option will allow
auto enrollment using the Azure Active Directory free Premium trial.
7. Choose Select groups > Contoso Testers > Select as the assigned group.
8. For MAM User scope, select None.
9. Use the default values for the remaining configuration values on the page.
Clean up resources
To reconfigure Intune automatic enrollment, check out Set up enrollment for Windows
devices.
Next steps
In this task, you learned how to set up auto-enrollment for devices running Windows
10/11. For more information about device enrollment, see Device enrollment overview.
Applies to:
Windows 10
Windows 11
Employees and students who want remote access to work or school resources can enroll
their devices into Microsoft Intune. Enrollment ensures that all devices trying to access
data within your organization are secure and compliant with your policies and
requirements. Upon enrollment, the device gets access to resources like work email,
files, VPN, and Wi-Fi.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
Try out the device user experience by enrolling a device running Windows 10/11
into Microsoft Intune.
Try out the admin user experience by verifying the enrollment in the Microsoft
Intune admin center.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
To complete this evaluation step, you must:
Additionally, before you begin enrollment, confirm the version of Windows running on
your device.
Important
The steps in this evaluation step are for these versions of Windows. For
information about enrolling earlier versions of Windows, see Enroll device
running Windows 10, version 1511 and earlier.
Enroll device
1. In the Settings app, select Accounts.
5. Wait for your device to finish registering. When you see the You're all set! screen,
select Done. Your work account should now be visible under Accounts.
If you followed the previous steps, but still can't access your work or school email
account and files, see Troubleshoot Windows 10/11 device access.
2. Select Devices > All devices to view the enrolled devices in Intune.
Next steps
In this task, you learned how to enroll a device running Windows 10/11 into Intune. For
more information about the device user experience, see these resources:
In this topic, you'll use Microsoft Intune to require your workforce's Android users to
enter a password of a specific length before access is granted to information on their
Android Enterprise devices.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
An Intune device compliance policy specifies the rules and settings that devices must
meet to be considered compliant. You can use compliance policies with Conditional
Access to allow or block access to company resources. You can also get device reports
and take actions for non-compliance.
Important
In addition to password settings, you should also consider other system security
settings to protect your workforce. For more information, see System security
settings.
If you don't have an Intune subscription, sign up for a free trial account.
Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator.
3. For Profile type, select either Fully managed, dedicated, and corporate-owned
work profile or Personally-owned work profile, and then click Create.
6. When done, select Next until you reach the Review + create step. Then, click
Create to create the policy.
When you've successfully created the policy, it appears in your list of device compliance
policies.
Clean up resources
When no longer needed, delete the policy. To do so, select the compliance policy and
click Delete.
Next steps
In this topic, you used Intune to create a compliance policy for your workforce's Android
Enterprise devices to require a password of at least six characters in length. For more
information about creating compliance policies, see Get started with device compliance
policies in Intune.
In this topic, you'll use Microsoft Intune to send an email notification to the members of
your workforce that have noncompliant devices.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
Note
The remote action to send an email notification is not supported on devices that
are managed by a device compliance partner.
For localization, the admin must configure the target language in the Intune admin
center when creating the notification message template. The language of the
notification message sent to the user is based on the preferred language configured
for the user in Azure AD.
By default, when Intune detects a device that isn't compliant, Intune immediately marks
the device as noncompliant. Azure Active Directory (Azure AD) Conditional Access then
blocks the device. When a device isn't compliant, Intune allows you to add actions for
noncompliance, which gives you flexibility to decide what to do. For example, you can
give users a grace period to be compliant before blocking noncompliant devices.
One action to take when a device doesn't meet compliance is to send email to the
device's user. You can also customize an email notification before sending it. Specifically,
you can customize the recipients, subject, and message body, including company logo
and contact information. Intune also includes details about the noncompliant device in
the email notification.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
When using device compliance policies to block devices from corporate resources,
Azure AD Conditional Access must be set up. If you've completed the Create a device
compliance policy evaluation step, you're using Azure Active Directory. For more
information about Azure AD, see Conditional Access in Azure Active Directory and
common ways to use Conditional Access with Intune.
Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you've created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.
1. In the Intune admin center, select Devices > Compliance policies > Notifications
> Create notification.
3. Click Next.
4. Enter the following information for the Notification message templates step:
You can also edit a Notification template that was previously created.
For details about setting your company name, company contact information, and
company logo, see the following articles:
The following steps will create a compliance policy for Windows 10 devices:
1. In the Intune admin center, select Devices > Compliance Policies > Create Policy.
3. Click Create.
7. Select Next for each of the remaining steps until you reach the Review + create
step. Click Create to create your compliance policy.
Add an action for noncompliance
After you have created a compliance policy, you can set an action to take place when
the device is out of compliance.
The following steps will create an action for noncompliance for Windows 10 devices:
1. In the Intune admin center, select Devices > Windows > Compliance policies.
2. Select your Windows 10 compliance policy from the list.
3. In the Windows 10 compliance policy overview pane, select Properties.
4. Next to the Action for noncompliance section, click Edit.
5. In the Action drop-down box, select Send email to end users.
6. In the Schedule (days after noncompliance) drop-down box, select 0.
7. Under Message template, click None selected to display the Notification message
templates pane.
8. Click the template you created earlier in this topic, and then click Select to select
the message template.
9. Click Review + save > Save to save your compliance policy.
2. Select Properties.
4. In the Assign to drop-down box, select All Users. This will select all users. Any user
that has a Windows 10 and later device that doesn't meet this compliance policy
will be notified.
Note
You can include and exclude groups when assigning compliance policies.
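The same notification template, Windows 10 password compliance policy, "send email" action at 0 days, and All Users assignment built in the portal above, expressed as Microsoft Graph calls. This is an added example, not code from the Intune documentation; it assumes the Microsoft.Graph.Authentication PowerShell module, and the display names, subject and message body are constructed placeholders.

```powershell
# Added example (not from the Intune docs): Windows 10 password compliance policy with a
# "send email to end users" action for noncompliance, via Microsoft Graph v1.0.
# Assumes the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$graph = "https://graph.microsoft.com/v1.0/deviceManagement"

# 1. Notification message template (Devices > Compliance policies > Notifications).
#    brandingOptions mirrors the portal's company logo / name / contact / device details boxes.
$template = Invoke-MgGraphRequest -Method POST -Uri "$graph/notificationMessageTemplates" `
    -ContentType "application/json" -Body (@{
        displayName     = "Noncompliant device notice"   # constructed placeholder name
        brandingOptions = "includeCompanyLogo,includeCompanyName,includeContactInformation,includeDeviceDetails"
    } | ConvertTo-Json)

# Localized subject and body. Intune sends the locale that matches the user's preferred
# language in Azure AD, falling back to the message marked isDefault.
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/notificationMessageTemplates/$($template.id)/localizedNotificationMessages" `
    -ContentType "application/json" -Body (@{
        locale          = "en-us"
        subject         = "Your device does not meet company policy"               # constructed
        messageTemplate = "Set a password of at least six characters, then sync your device."  # constructed
        isDefault       = $true
    } | ConvertTo-Json)

# 2. Compliance policy: password required, minimum length six, for Windows 10 and later.
#    scheduledActionsForRule is mandatory when creating the policy. "block" at 0 hours is
#    the default Intune applies; "notification" at 0 hours is the portal's
#    "Schedule (days after noncompliance) = 0" pointing at the template above.
$policy = @{
    "@odata.type"           = "#microsoft.graph.windows10CompliancePolicy"
    displayName             = "Windows 10 password policy"   # constructed placeholder name
    passwordRequired        = $true
    passwordMinimumLength   = 6
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 },
                @{
                    actionType                = "notification"
                    gracePeriodHours          = 0
                    notificationTemplateId    = $template.id
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies" `
    -ContentType "application/json" -Body ($policy | ConvertTo-Json -Depth 6)

# 3. Assign to All Users (the portal's "Assign to: All Users") with the built-in
#    all-licensed-users target instead of a group id.
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceCompliancePolicies/$($created.id)/assign" `
    -ContentType "application/json" -Body (@{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget" } }
        )
    } | ConvertTo-Json -Depth 5)

# Verify: read the policy back with its actions for noncompliance expanded.
Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceCompliancePolicies/$($created.id)?`$expand=scheduledActionsForRule(`$expand=scheduledActionConfigurations)"
```

The returned policy should list both a block and a notification action with gracePeriodHours 0, matching what the portal shows under Actions for noncompliance.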
Next steps
In this topic, you used Intune to create and assign a compliance policy for your
workforce's Windows 10 devices to require a password of at least six characters in
length. For more information about creating compliance policies for Windows devices,
see Add a device compliance policy for Windows devices in Intune.
In this topic, you will use Intune to add and assign an app to your company's workforce.
One of an admin's priorities is to ensure that end users have access to the apps they
need to do their work.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
To complete this evaluation step, you must create a user, create a group, and enroll
a device.
Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.
1. Sign in to the Microsoft Intune admin center, then select Apps > All apps > Add.
2. In the App type drop-down box, select Windows 10 and later from Microsoft 365
Apps.
3. Click Select. The Add app steps are displayed.
4. Confirm the default details in the App suite information step and click Next.
5. Confirm the default settings in the App settings step and click Next.
6. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.
7. Click Next to display the Review + create page. Review the values and settings you
entered for the app.
8. When you are done, click Create to add the app to Intune.
Note
This evaluation step builds on previous evaluation steps in this series. Please see
prerequisites in this topic for details.
Important
The device must be enrolled with Intune. Also, you must sign in to the device
using an account contained in the group you assigned to the app.
2. From the Start menu, open the Microsoft Store. Then, find the Company Portal
app and install it.
4. Click the app that you added using Intune. In this topic you added the Microsoft
365 Apps suite.
Note
If you did not successfully assign any apps to the Intune user, you will see the
following message:
Your IT administrator did not make any apps available to
you.
5. Click Install.
If your business needs require that you assign the Company Portal app to your
workforce, you can manually assign the Windows 10 Company Portal app directly from
Intune. For more information, see Manually add the Windows 10 Company Portal app by
using Microsoft Intune.
Next steps
In this topic, you added apps to Intune, assigned the apps to a group, and installed the
apps on the enrolled Windows 10 Desktop device. For more information about
managing apps in Intune, see What is Microsoft Intune app management?
In this article, you'll use Intune to create and assign an app protection policy to a client
app on an end user's device. Intune uses app protection policies to confirm that your
apps are meeting your organization's data protection requirements.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
To complete this evaluation step, you must create a user, create a group, enroll a
device, and add and assign an app.
Sign in to Intune
Sign in to Intune as a Global administrator or an Intune Service administrator. If
you've created an Intune Trial subscription, the account you created the subscription
with is the Global administrator.
1. In Intune, select Apps > App protection policies > Create Policy > Windows 10.
3. Under Protected apps, select Add. The Add apps pane is displayed.
4. Choose the apps that must adhere to this policy and select OK.
6. Select Allow Overrides to set the Windows Information Protection mode. Selecting
this option blocks enterprise data from leaving the protected app.
9. Select Select groups to include, select the group, and select Select.
Note
App protection policies can only be applied to groups that contain users, not
groups that contain devices.
Next steps
In this article, you created and assigned an app protection policy. Users of the app that
have this policy assigned won't be able to cut, copy, or paste any content between the
assigned app and other non-managed apps on the device. This type of protection helps
protect your organization's data. For more information about app protection policies in
Intune, see What are app protection policies?
In this Intune topic, you'll create a custom role with specific permissions for a security
operations department. Then you'll assign the role to a group of such operators. There
are several default roles that you can use right away. But by creating custom roles like
this one, you have precise access control to all parts of your mobile device management
system.
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
To complete this evaluation step, you must create a group.
Sign in to Intune
Sign in to Intune as a Global Administrator or an Intune Service Administrator. If you
have created an Intune Trial subscription, the account you created the subscription with
is the Global administrator.
2. Under Add custom role, in the Name box, enter Security operations.
3. In the Description box, enter This role lets a security operator monitor device
configuration and compliance information.
4. Choose Configure > Corporate device identifiers > Yes next to Read > OK.
5. Choose Device compliance policies > Yes next to Read > OK.
6. Choose Device configurations > Yes next to Read > OK.
7. Choose Organization > Yes next to Read > OK.
8. Choose OK > Create.
Now everyone in the group is a member of the Security operations role and can review
the following information about a device: corporate device identifiers, device
compliance policies, device configurations, and organization information.
Clean up resources
If you don't want to use the new custom role anymore, you can delete it. Choose Roles
> All roles > choose the ellipses next to the role > Delete.
Next steps
In this quickstart, you created a custom security operations role and assigned it to a
group. For more information about roles in Intune, see Role-based administration
control (RBAC) with Microsoft Intune
In this topic, you'll see how to create an email device profile for iOS/iPadOS devices. This
profile specifies the settings that are required for the built-in email app on the
iOS/iPadOS device to connect to company email. Email device profiles help standardize
settings across devices, and they let end users access company email on their personal
devices without any required setup on their part. To further safeguard your email, you
can use an email profile to determine if devices are compliant, and then set up
Conditional Access to allow only compliant devices to access email. For details about
email profiles, see How to configure email settings in Microsoft Intune
Note
Use the information provided in this series of topics to try and evaluate Microsoft
Intune. When you're ready, follow the complete process to set up Intune. For more
information, see Set up Microsoft Intune.
If you don't have an Intune subscription, sign up for a free trial account.
Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global Administrator or an Intune
Service Administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.
4. Select Create.
Name: Enter a descriptive name for the new profile. For this example, enter
iOS require work email.
6. Select Next.
7. In Configuration settings, enter the following settings (leave the defaults for other
settings):
8. Select Next.
9. In Scope tags (optional), Select Next. We won't use a scope tag for this profile.
10. In Assignments, use the drop-down for Assign to and select All users and all
devices. Then, select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned.
Clean up resources
If you don't intend to use the profile you created for additional tutorials or testing, you
can delete it now.
Next steps
In this topic, you created an email profile for iOS/iPadOS devices. Now you can use this
profile to determine whether an iOS/iPadOS device is compliant by creating a
compliance policy that marks as noncompliant any iOS/iPadOS devices that don't match
the profile. For further protection, you can create a Conditional Access policy that blocks
noncompliant iOS/iPadOS devices from accessing email. For more information about
device compliance policies, see Get started with device compliance policies in Intune.
Learn about using device compliance policies with Conditional Access to make sure that
iOS devices can access Exchange Online email only if they're managed by Intune and
using an approved email app.
- Create an Intune iOS device compliance policy to set the conditions that a device
must meet to be considered compliant.
- Create an Azure Active Directory (Azure AD) Conditional Access policy that requires
iOS devices to enroll in Intune, comply with Intune policies, and use the approved
Outlook mobile app to access Exchange Online email.
If you don't have a Microsoft Intune Plan 1 subscription, sign up for a free trial account.
Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:
Microsoft 365 Apps for business subscription that includes Exchange (free trial)
Before you begin, create a test device profile for iOS devices by following the steps in
Quickstart: Create an email device profile for iOS/iPadOS.
Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global administrator or an Intune
Service administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.
b. Select OK.
6. Select Device Health. Next to Jailbroken devices, select Block, and then select OK.
7. Select System Security and enter Password settings. For this tutorial, select the
following recommended settings:
Tip
Default values that are grayed out and italicized are only
recommendations. You must replace values that are recommendations
to configure a setting.
For Required password type, choose Alphanumeric.
9. Select Create.
1. In Microsoft Intune admin center, select Endpoint security > Conditional Access >
New policy.
3. Under Assignments, select Users and groups. On the Include tab, select All users,
and then select Done.
4. Under Assignments, select Cloud apps or actions. Because we want to protect
Microsoft 365 Exchange Online email, we'll select it by following these steps:
b. Choose Select.
c. In the applications list, select Office 365 Exchange Online, and then choose
Select.
d. Select Done.
b. On the Include tab, select Any device, and then select Done.
b. For this tutorial, select Mobile apps and desktop clients and Modern
authentication clients (which refers to apps like Outlook for iOS and Outlook
for Android). Clear all other check boxes.
d. Under For multiple controls, select Require all the selected controls. This
setting ensures that both requirements you selected are enforced when a device
tries to access email.
e. Choose Select.
8. Under Enable policy, select On.
9. Select Create.
Try it out
With the policies you've created, any iOS device that attempts to sign in to Microsoft
365 email will need to enroll in Intune and use the Outlook mobile app for iOS/iPadOS.
To test this scenario on an iOS device, try signing in to Exchange Online using
credentials for a user in your test tenant. You'll be prompted to enroll the device and
install the Outlook mobile app.
1. To test on an iPhone, go to Settings > Passwords & Accounts > Add Account >
Exchange.
2. Enter the email address for a user in your test tenant, and then press Next.
5. A message appears that says your device must be managed to access the resource,
along with an option to enroll.
Clean up resources
When the test policies are no longer needed, you can remove them.
3. In the Policy Name list, select the context menu (...) for your test policy, and then
select Delete. Select OK to confirm.
5. In the Policy Name list, select the context menu (...) for your test policy, and then
select Delete. Select Yes to confirm.
Next steps
In this tutorial, you created policies that require iOS devices to enroll in Intune and use
the Outlook app to access Exchange Online email. To learn about using Intune with
Conditional Access to protect other apps and services, including Exchange ActiveSync
clients for Microsoft 365 Exchange Online, see Set up Conditional Access.
Tutorial: Protect Exchange Online email
on unmanaged devices
Article • 03/02/2023
In this tutorial, you'll learn how to use app protection policies with Conditional Access to
protect Exchange Online, even when devices aren't enrolled in a device management
solution like Intune. In this tutorial, you'll learn how to:
- Create an Intune app protection policy for the Outlook app. You'll limit what the
user can do with app data by preventing "Save As" and restrict cut, copy, and paste
actions.
- Create Azure Active Directory (Azure AD) Conditional Access policies that allow only
the Outlook app to access company email in Exchange Online. You'll also require
multi-factor authentication (MFA) for Modern authentication clients, like Outlook
for iOS and Android.
Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:
Sign in to Intune
For this tutorial, when you sign in to the Microsoft Intune admin center, sign in as a
Global administrator or an Intune Service administrator. If you've created an Intune Trial
subscription, the account you created the subscription with is the Global administrator.
4. The Apps page allows you to choose how you want to apply this policy to apps on
different devices. Configure the following options:
Click Select public apps. In the Apps list, select Microsoft Outlook, and then
choose Select. Microsoft Outlook now appears under Public apps.
5. The Data protection page provides settings that determine how users interact with
data in the apps that this app protection policy applies to. Configure the following
options:
Below Data Transfer, configure the following settings, leaving all other settings at
their default values:
6. The Access requirements page provides settings to allow you to configure the PIN
and credential requirements that users must meet to access apps in a work
context. Configure the following settings, leaving all other settings at their default
values:
7. The Conditional launch page provides settings to set the sign-in security
requirements for your app protection policy. For this tutorial, you don't need to
configure these settings.
8. Use the Assignments page to assign the app protection policy to groups of users.
For this tutorial, you won't assign this policy to a group.
9. On the Next: Review + create page, review the values and settings you entered for
this app protection policy. Click Create to create the app protection policy in
Intune.
The app protection policy for Outlook is created. Next, you'll set up Conditional Access
to require devices to use the Outlook app.
Create Conditional Access policies
Now we'll use the Microsoft Intune admin center to create two Conditional Access
policies to cover all device platforms. You integrate Conditional Access with Intune to
help control the devices and apps that can connect to your email and company
resources.
The first policy will require that Modern Authentication clients use the approved
Outlook app and multi-factor authentication (MFA). Modern Authentication clients
include Outlook for iOS and Outlook for Android.
The second policy will require that Exchange ActiveSync clients use the approved
Outlook app. (Currently, Exchange ActiveSync doesn't support conditions other
than device platform.) You can configure Conditional Access policies in either the
Azure AD portal or the Microsoft Intune admin center. Since we're already in the
admin center, we'll create the policy here.
When you configure Conditional Access policies in the Microsoft Intune admin center,
you're really configuring those policies in the Conditional Access blades from the Azure
portal. Therefore, the user interface is a bit different than when you configure other
policies for Intune.
4. Under Assignments, select Users and groups. On the Include tab, select All users,
and then select Done.
5. Under Assignments, select Cloud apps or actions. Select Microsoft 365 Exchange
Online email with these steps:
a. On the Include tab, choose Select apps.
b. Choose Select.
c. From the list of Applications, select Office 365 Exchange Online, and then
choose Select, and then Done.
Your app protection policies and Conditional Access are now in place and ready to test.
Try it out
With the policies you've created, devices will need to enroll in Intune and use the
Outlook mobile app to access Microsoft 365 email. To test this scenario on an iOS
device, try signing in to Exchange Online using credentials for a user in your test tenant.
1. To test on an iPhone, go to Settings > Passwords & Accounts > Add Account >
Exchange.
2. Enter the email address for a user in your test tenant, and then press Next.
5. The message More information is required appears, which means you're being
prompted to set up MFA. Go ahead and set up an additional verification method.
6. Next you'll see a message that says you're trying to open this resource with an app
that isn't approved by your IT department. The message means you're being
blocked from using the native mail app. Cancel the sign-in.
7. Open the Outlook app and select Settings > Add Account > Add Email Account.
8. Enter the email address for a user in your test tenant, and then press Next.
9. Press Sign in with Office 365. You'll be prompted for additional authentication and
registration. Once you've signed in, you can test actions such as cut, copy, paste,
and "Save As".
Clean up resources
When the test policies are no longer needed, you can remove them.
3. In the Policy Name list, select the context menu (...) for your test policy, and then
select Delete. Select OK to confirm.
5. In the Policy Name list, select the context menu (...) for each of your test policies,
and then select Delete. Select Yes to confirm.
Next steps
In this tutorial, you created app protection policies to limit what the user can do with the
Outlook app, and you created Conditional Access policies to require the Outlook app
and require MFA for Modern Authentication clients. To learn more about using Intune
with Conditional Access to protect other apps and services, see Learn about Conditional
Access and Intune.
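Both Exchange Online tutorials above describe their Conditional Access policies as a sequence of admin-center clicks. The Python below is an added example, not Microsoft's code or Azure AD's evaluation engine: it models the grant logic both tutorials rely on. A policy applies only when it is enabled and the cloud app, client app type and device platform match; "Require all the selected controls" means every selected control must pass; and any applicable policy that fails blocks the sign-in. The policy names, the SignIn fields and the "modern"/"eas" client-app labels are constructed for the example, and the sample sign-ins mirror the "Try it out" sections (native Mail app on an unenrolled iPhone, Outlook on a compliant one).

```python
"""Model of the Conditional Access grant logic used in the Exchange Online tutorials.
Added example: a constructed simplification, not Azure AD's evaluation engine."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SignIn:
    """Constructed view of one sign-in attempt as Conditional Access would see it."""
    cloud_app: str             # target app, e.g. "Office 365 Exchange Online"
    client_app_type: str       # "modern" (Outlook for iOS/Android) or "eas" (Exchange ActiveSync)
    platform: str              # "iOS", "Android", ...
    enrolled: bool             # device is enrolled in Intune
    compliant: bool            # an Intune compliance policy marked the device compliant
    approved_client_app: bool  # request comes from an approved app such as Outlook
    mfa_completed: bool        # user satisfied multi-factor authentication


# Grant controls used in the tutorials, each a predicate over the sign-in.
CONTROLS: Dict[str, Callable[[SignIn], bool]] = {
    "require_compliant_device": lambda s: s.enrolled and s.compliant,
    "require_approved_client_app": lambda s: s.approved_client_app,
    "require_mfa": lambda s: s.mfa_completed,
}


@dataclass(frozen=True)
class CAPolicy:
    name: str
    cloud_apps: Tuple[str, ...]
    client_app_types: Tuple[str, ...]
    platforms: Tuple[str, ...]       # empty tuple = "Any device"
    grant_controls: Tuple[str, ...]
    require_all: bool = True         # "Require all the selected controls"
    enabled: bool = True             # "Enable policy: On"

    def applies_to(self, s: SignIn) -> bool:
        return (self.enabled
                and s.cloud_app in self.cloud_apps
                and s.client_app_type in self.client_app_types
                and (not self.platforms or s.platform in self.platforms))

    def satisfied(self, s: SignIn) -> bool:
        results = [CONTROLS[c](s) for c in self.grant_controls]
        return all(results) if self.require_all else any(results)


def evaluate(policies: List[CAPolicy], s: SignIn) -> Tuple[str, List[str]]:
    """Grant access only when every applicable policy is satisfied; the second element
    names the policies that blocked the sign-in (empty when allowed)."""
    failed = [p.name for p in policies if p.applies_to(s) and not p.satisfied(s)]
    return ("block" if failed else "allow"), failed


EXO = ("Office 365 Exchange Online",)

# First tutorial: iOS devices must be enrolled, compliant, and use the approved Outlook app.
IOS_MANAGED_POLICY = CAPolicy("iOS: compliant device + approved app", EXO, ("modern",), ("iOS",),
                              ("require_compliant_device", "require_approved_client_app"))
# Second tutorial: modern auth clients need the approved app and MFA on any platform ...
MODERN_AUTH_POLICY = CAPolicy("Modern auth: approved app + MFA", EXO, ("modern",), (),
                              ("require_approved_client_app", "require_mfa"))
# ... and Exchange ActiveSync clients need the approved app.
EAS_POLICY = CAPolicy("EAS: approved app", EXO, ("eas",), (), ("require_approved_client_app",))

if __name__ == "__main__":
    native_mail = SignIn("Office 365 Exchange Online", "modern", "iOS", False, False, False, True)
    outlook = SignIn("Office 365 Exchange Online", "modern", "iOS", True, True, True, True)
    print("native Mail, unenrolled:", evaluate([IOS_MANAGED_POLICY], native_mail))
    print("Outlook, compliant device:", evaluate([IOS_MANAGED_POLICY], outlook))
```

The model makes the "both requirements are enforced" point from the first tutorial explicit: a jailbroken (enrolled but noncompliant) device running Outlook still fails because the compliant-device control is false, and a policy left at "Enable policy: Off" never applies at all.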
Tutorial: Configure Slack to use Intune
for EMM and app configuration
Article • 03/06/2023
Slack is a collaboration app that you can use with Microsoft Intune.
- Set Intune as the Enterprise Mobility Management (EMM) provider on your Slack
Enterprise Grid. You'll be able to limit access to your Grid plan's workspaces to
Intune managed devices.
- Create app configuration policies to manage the Slack for EMM app on iOS/iPadOS
and the Slack app for Android personally-owned work profile devices.
- Create Intune device compliance policies to set the conditions Android and
iOS/iPadOS devices must meet to be considered compliant.
If you don't have an Intune subscription, sign up for a free trial account.
Prerequisites
You'll need a test tenant with the following subscriptions for this tutorial:
Sign in to Intune
Sign in to the Microsoft Intune admin center as a Global Administrator or an Intune
Service Administrator. If you have created an Intune Trial subscription, the account you
created the subscription with is the Global administrator.
1. In Microsoft Intune admin center, select Apps > All apps > Add.
2. Under App type, choose iOS store app and click Select.
3. Click Search the App Store. Enter the search term "Slack for EMM" and select the
app. Click Select in the Search the App Store pane.
4. In the App information step, configure any changes as you see fit. Select Next to
set your app information.
5. In the Assignments step, click Add group under the Required section. Select one
or more groups to assign the app to. When complete, click Next to continue.
6. In the Review + create step, click Create once you have verified the app details.
1. In Microsoft Intune admin center, select Apps > App configuration policies >
Add > Managed devices.
2. For Name, enter "Slack app configuration policy test".
3. For Device enrollment type, confirm Managed devices is set.
4. For Platform, select iOS/iPadOS.
5. For Targeted app, click Select app. The Associated app pane is displayed.
6. In the search bar, enter "Slack for EMM" and select the app. Click OK > Next.
7. In the Settings step, set the Configuration settings format to Use configuration
designer.
8. Add OrgDomain as the Configuration key. Set the Value type to String and set the
Configuration value to Y.
Note
The OrgDomain configuration key provides the ability to enter your
organization’s URL domain to help users sign in.
9. Click Next.
10. In the Assignments step, click All Users. Then, click Next.
11. In the Review + create step, click Create to create the configuration policy.
1. In Microsoft Intune admin center, select Devices > Compliance policies >
Policies > Create Policy.
2. Select iOS/iPadOS as the Platform. Then, click Create.
3. In the Basics step, enter "iOS compliance policy test" as the Name and click Next.
4. In the Compliance settings, under Device Health and next to Jailbroken devices,
select Block.
5. Under System Security for this tutorial, select the following settings:
1. In Microsoft Intune admin center, select Apps > All apps > Add.
2. Under App type, choose Managed Google Play app and click Select.
3. In the Search box, enter the search term "Slack" and select the app. Click Approve
in the Manage Google Play pane. Click Approve to also approve permissions of
the app. After verifying the app's approval settings, click Done. Click Select.
4. On the All apps pane, click Refresh to update the app list. Then, click the newly
added Slack app.
5. Next to Assignments, click Edit.
6. Configure any changes as you see fit. Select Next to set your app information.
7. Click Add group under the Required section. Select one or more groups to assign
the app to. When complete, click Review + save.
8. In the Review + save step, click Save once you have verified the app details.
1. In Microsoft Intune admin center, select Apps > App configuration policies >
Add > Managed devices.
2. For Name, enter "Slack app configuration policy test".
3. For Device enrollment type, confirm Managed devices is set.
4. For Platform, select Android Enterprise.
5. For Profile Type, select Personally-Owned Work Profile Only.
6. For Targeted app, click Select app. The Associated app pane is displayed.
7. In the search bar, enter "Slack" and select the Managed Google Play store app. Click
OK > Next.
8. In the Settings step, set the Configuration settings format to Use configuration
designer.
9. Add Slack Enterprise Grid Domain URL as the Configuration key. Click OK.
Note
The Slack Enterprise Grid Domain URL configuration key provides the ability
to enter your organization’s URL domain to help users sign in.
1. In Microsoft Intune admin center, select Devices > Compliance policies >
Policies > Create Policy.
2. Select Android Enterprise as the Platform and select Personally-owned work
profile as the Profile type. Then, click Create.
3. In the Basics step, enter "Android Enterprise compliance policy test" as the Name
and click Next.
4. In the Compliance settings, under Device Health and next to Rooted devices,
select Block.
5. Under System Security for this tutorial, select the following settings:
Launch Slack
With the policies you've just created, any iOS/iPadOS or Android personally-owned work
profile devices that attempt to sign in to one of your workspaces will need to be Intune
enrolled. To test this scenario, try launching Slack for EMM on an Intune enrolled
iOS/iPadOS device or launching Slack on an Intune enrolled Android personally-owned
work profile device.
Next steps
In this tutorial:
You set Intune as the Enterprise Mobility Management (EMM) provider on your
Slack Enterprise Grid.
You created app configuration policies to manage the Slack for EMM app on
iOS/iPadOS and the Slack app for Android personally-owned work profile devices.
You created Intune device compliance policies to set the conditions Android and
iOS/iPadOS devices must meet to be considered compliant.
To learn more about app configuration policies, see App configuration policies for
Microsoft Intune. To learn more about device compliance policies, see Set rules on
devices to allow access to resources in your organization using Intune.
Tutorial: Set up Microsoft Intune
enrollment for iOS/iPadOS devices in
Apple Business Manager
Article • 03/27/2023
Use Apple Business Manager with Microsoft Intune to simplify and automate device
enrollment for iOS/iPadOS devices procured through Apple Business Manager.
Automated device enrollment, which we'll set up in this tutorial, enables secure
automatic enrollment the first time the user turns on the device by deploying the
enrollment profile to the device over-the-air.
At the end of this tutorial, devices will be ready to distribute for enrollment.
Prerequisites
Set mobile device management (MDM) authority.
Get Apple MDM Push certificate.
Have new or wiped devices purchased from Apple Business Manager.
Add purchase information under device management settings in Apple Business
Manager .
If you don't have an Intune subscription, sign up for a free trial account.
4. Select Add.
6. Select Download your public key to download the server's public key certificate (a
.pem file) to your local drive.
7. Select Create a token via Apple Business Manager and sign in to Apple Business
Manager with your company Apple ID.
Important
While you're in Apple Business Manager, don't close the browser tab with
Microsoft Intune. You'll return to it later.
8. Add an MDM server called TestMDMServer and download the server token for it in
Apple Business Manager. For details and instructions, see Link to a third-party
MDM server (opens Apple Business Manager User Guide). Save the server token
locally as a P7M file (.p7m). Then continue to Step 2: Assign devices.
1. In Apple ID, enter the Apple ID you used to create the token.
2. Under Apple token, upload the server token you saved earlier. The file must be in
P7M format.
3. Select Next.
4. Optionally, apply scope tags to the enrollment token to limit other admins from
accessing or making changes to it. For more information about scope tags, see Use
role-based access control (RBAC) and scope tags for distributed IT.
5. Select Next.
6. On Review + create, select Create to finish linking Microsoft Intune and Apple
Business Manager.
Microsoft Intune automatically syncs with Apple Business Manager. Devices can take up
to 12 hours to appear in the admin center. You can wait for these devices to sync, or
manually start the sync. To start the sync yourself, select your token from the list in the
admin center, and then choose Devices > Sync.
1. Select your token in the admin center, and then choose Profiles > Create profile >
iOS/iPadOS.
2. On the Basics page, enter TestProfile for Name and Testing ADE for iOS/iPadOS
devices for Description. Users don't see these details.
3. Select Next.
4. On the Management Settings page, decide if you want your devices to enroll with
or without User Affinity. User Affinity is designed for devices that will be used by
particular users. If your users will want to use the Company Portal for services like
installing apps, choose Enroll with User Affinity. If your users don't need the
Company Portal or you want to provision the device for many users, choose Enroll
without User Affinity.
5. If you chose to enroll with User Affinity, the Select where users must authenticate
option appears. Decide if you want to Authenticate with Company Portal or Apple
Setup Assistant.
6. If you chose to enroll with User Affinity and Authenticate with Company Portal, the
Install Company Portal with VPP option appears. If you install the Company Portal
with a VPP token, your user won't have to enter an Apple ID and Password to
download the Company Portal from the app store during enrollment. Choose Use
Token: under Install Company Portal with VPP to select a VPP token that has free
licenses of the Company Portal available. If you don't want to use VPP to deploy
the Company Portal, choose Don't use VPP.
7. If you chose to enroll with User Affinity, Authenticate with Company Portal, and
Install Company Portal with VPP, decide if you want to run the Company Portal in
Single App Mode until Authentication. With this setting, you can ensure the user
doesn't have access to other apps until they finish the corporate enrollment. If you
want to restrict the user to this flow until enrollment is completed, choose Yes
under Run Company Portal in Single App Mode until authentication.
8. Under Device Management Settings, choose Yes under Supervised (if you chose
Enroll with User Affinity, this is automatically set to Yes). Supervised devices give
you the most management options for your corporate iOS/iPadOS devices.
9. Choose Yes under Locked enrollment to ensure your users can't remove
management of the corporate device.
10. Choose an option under Sync with Computers to determine if the iOS/iPadOS
devices will be able to sync with computers.
11. By default, Apple names the device with the device type, such as iPad. If you want
to provide a different name template, choose Yes under Apply device name
template. Enter the name you want to apply to the devices, where the strings
{{SERIAL}} and {{DEVICETYPE}} will substitute each device's serial number and
device type. Otherwise, choose No under Apply device name template.
13. On the Setup Assistant page, enter Tutorial department for Department Name. This
string is what users see when they tap About configuration during device
activation.
14. Under Department Phone, enter a phone number. This number appears when
users tap the Need help button during activation.
15. You can Show or Hide various screens during device activation. For the most
seamless enrollment experience, set all screens to Hide.
Note
Ensure that Device Type Restrictions under Enrollment Restrictions does not have
the default All Users policy set to block the iOS/iPadOS platform. This setting will
cause automated enrollment to fail and your device will show as Invalid Profile,
regardless of user attestation. To permit enrollment only by company-managed
devices, block only personally owned devices, which will permit corporate devices
to enroll. Microsoft defines a corporate device as a device that's enrolled via a
Device Enrollment Program or a device that's manually entered under Corporate
device identifiers.
Next steps
You can find more information about other options available for enrolling iOS/iPadOS
devices.
Note
This walkthrough was created as a technical workshop for Microsoft Ignite. It has
more prerequisites than typical walkthroughs, as it compares using and configuring
ADMX policies in Intune and on-premises.
Group policy administrative templates, also known as ADMX templates, include settings
you can configure on Windows client devices, including PCs. Different services expose
their own ADMX template settings, and Mobile Device Management (MDM) providers,
including Microsoft Intune, use these settings. For example, you can turn on Design
Ideas in PowerPoint, set a home page in Microsoft Edge, block ActiveX controls in
Internet Explorer, and more.
These templates are built into Microsoft Intune, and are available as Administrative
templates profiles. In this profile, you configure the settings you want to include, and
then "assign" this profile to your devices.
Windows 11
Windows 10 version 1709 and newer
Tip
There are two ways to create an administrative template: Using a template, or using
the Settings Catalog. This article focuses on using the Administrative Templates
template. The Settings Catalog has more Administrative Template settings available.
For the specific steps to use the Settings Catalog, see Use the settings catalog to
configure settings.
Prerequisites
A Microsoft 365 E3 or E5 subscription, which includes Intune and Azure Active
Directory (AD) premium. If you don't have an E3 or E5 subscription, try it for free.
For more information on what you get with the different Microsoft 365 licenses,
see Transform your Enterprise with Microsoft 365.
1. Copy the following Office and Microsoft Edge templates to the Central Store
(sysvol folder):
Office administrative templates
Microsoft Edge administrative templates > Policy file
2. Create a group policy to push these templates to a Windows 10/11 Enterprise
administrator computer in the same domain as the DC. In this walkthrough:
The group policy we created with these templates is called OfficeandEdge.
You'll see this name in the images.
The Windows 10/11 Enterprise administrator computer we use is called the
Admin computer.
1. Open the Settings app > Apps > Optional features > Add feature.
Be sure you have internet access and administrator rights to the Microsoft 365
subscription, which includes the Intune admin center.
2. Go to the Microsoft Intune admin center. Sign in with the following account:
User: Enter the administrator account of your Microsoft 365 tenant subscription.
This admin center is focused on device management, and includes Azure services, such
as Azure AD and Intune. You might not see the Azure Active Directory and Intune
branding, but you're using them.
You can also open the Intune admin center from the Microsoft 365 admin center:
1. Go to https://admin.microsoft.com.
2. Sign in with the administrator account of your Microsoft 365 tenant subscription.
3. Select Show all > All admin centers > Endpoint management. The Intune admin
center opens.
In Intune, policies are applied to users and groups you create. There isn't a hierarchy. For
example:
If two policies update the same setting, then the setting shows as a conflict.
If two compliance policies are in conflict, then the most restrictive policy applies.
If two configuration profiles are in conflict, then the setting isn't applied.
For more information, see Common questions, issues, and resolutions with device
policies and profiles.
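The three conflict rules just listed are easy to get wrong in practice, because a compliance conflict and a configuration conflict have opposite outcomes. The Python below is an added example with constructed settings, not Intune's own evaluation code: it merges compliance policies by keeping the most restrictive value of each setting and merges configuration profiles by leaving any disputed setting unapplied and reporting it as a conflict. The setting names and the "more restrictive" rules per setting are assumptions made for the example.

```python
"""Merge routines modelling how Intune resolves conflicting policy settings.
Added example: constructed settings, not Intune's own evaluation code."""
from typing import Any, Callable, Dict, List, Tuple

# Which of two values is "more restrictive", per sample compliance setting. These
# semantics are constructed for the example; Intune judges each real setting on its own.
MORE_RESTRICTIVE: Dict[str, Callable[[Any, Any], Any]] = {
    "minimumPasswordLength": max,            # a longer minimum is stricter
    "maxInactivityMinutes": min,             # a shorter lock timeout is stricter
    "requirePassword": lambda a, b: a or b,  # requiring something is stricter
    "blockJailbroken": lambda a, b: a or b,
}

Conflict = Tuple[str, List[Tuple[str, Any]]]  # (setting, [(profile name, value), ...])


def merge_compliance(policies: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Compliance policies in conflict: the most restrictive value of each setting applies."""
    merged: Dict[str, Any] = {}
    for settings in policies.values():
        for key, value in settings.items():
            if key not in merged or merged[key] == value:
                merged[key] = value
            elif key in MORE_RESTRICTIVE:
                merged[key] = MORE_RESTRICTIVE[key](merged[key], value)
            else:
                raise ValueError(f"no restrictiveness rule for compliance setting {key}")
    return merged


def merge_configuration(profiles: Dict[str, Dict[str, Any]]) -> Tuple[Dict[str, Any], List[Conflict]]:
    """Configuration profiles in conflict: the disputed setting is not applied at all and
    is reported, so the admin can see which profiles disagree."""
    seen: Dict[str, List[Tuple[str, Any]]] = {}
    for name, settings in profiles.items():
        for key, value in settings.items():
            seen.setdefault(key, []).append((name, value))
    applied: Dict[str, Any] = {}
    conflicts: List[Conflict] = []
    for key, entries in seen.items():
        if len({value for _, value in entries}) == 1:
            applied[key] = entries[0][1]   # every profile agrees, so the setting applies
        else:
            conflicts.append((key, entries))
    return applied, conflicts


# Constructed sample policies and profiles (not from a real tenant).
COMPLIANCE = {
    "Baseline": {"minimumPasswordLength": 6, "blockJailbroken": False},
    "Finance": {"minimumPasswordLength": 8, "blockJailbroken": True, "maxInactivityMinutes": 15},
    "Kiosk": {"maxInactivityMinutes": 5},
}
PROFILES = {
    "Edge baseline": {"smartScreenEnabled": True, "homePage": "https://intranet.example"},
    "Student devices": {"smartScreenEnabled": True, "homePage": "https://students.example",
                        "lockScreenCamera": "Disabled"},
}

if __name__ == "__main__":
    print("compliance:", merge_compliance(COMPLIANCE))
    print("configuration:", merge_configuration(PROFILES))
```

Run stand-alone, the compliance merge yields an 8-character minimum, jailbreak blocking and a 5-minute lock, while the configuration merge applies SmartScreen and the lock-screen setting but leaves the home page unset and lists the two profiles that disagree on it.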
In these next steps, you create security groups, and add users to these groups. You can
add a user to multiple groups. For example, it's normal for a user to have multiple
devices, such as a Surface Pro for work, and an Android mobile device for personal. And,
it's normal for a person to access organizational resources from these multiple devices.
Adding devices is optional. The goal is to practice creating groups, and knowing
how to add devices. If you're using this walkthrough in a production environment,
then be aware of what you're doing.
Dynamic device members: Select Add dynamic query, and configure your
query:
Property: Select deviceOSType.
Operator: Select Equals.
Value: Enter Windows.
Dynamic user members: Select Add dynamic query, and configure your
query:
When users or devices meet the criteria you enter, they're automatically
added to the dynamic groups. In this example, users are automatically
added to this group when their department is Teachers. You can enter
the department and other properties when users are added to your
organization. If you're using this walkthrough in a production
environment, then be careful. The goal is to practice creating dynamic
groups.
Talking points
Dynamic groups are a feature in Azure AD Premium. If you don't have Azure AD
Premium, then you're licensed to only create assigned groups. For more
information on dynamic groups, see:
Dynamic Group Membership in Azure Active Directory (Part 1)
Dynamic Group Membership in Azure Active Directory (Part 2)
Azure AD Premium includes other services that are commonly used when
managing apps and devices, including multi-factor authentication (MFA) and
conditional access.
Many administrators ask when to use user groups and when to use device groups.
For some guidance, see User groups vs. device groups.
Remember, a user can belong to multiple groups. Consider some of the other
dynamic user and device groups you can create, such as:
All Students
All Android devices
All iOS/iPadOS devices
Marketing
Human Resources
All Charlotte employees
All Redmond employees
West coast IT administrators
East coast IT administrators
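The deviceOSType and department queries configured above are the configuration-designer form of Azure AD dynamic membership rules, whose text form is `(device.deviceOSType -eq "Windows")` and `(user.department -eq "Teachers")`. The Python below is an added example, not Microsoft's rule engine: it tokenizes and evaluates rules of that shape (with -and, -or, -eq, -ne, -startsWith and -contains) against a few constructed user and device records, so you can see which objects a rule such as "All Android devices" would pull in before creating the group. The record fields and the "kind" marker distinguishing users from devices are assumptions for the example, and string comparison is case-sensitive here, which is a simplification.

```python
"""Evaluate Azure AD dynamic membership rules against sample directory objects.
Added example: a constructed simplification, not Microsoft's rule engine."""
import re
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample directory objects, not data from a real tenant.
USERS = [
    {"kind": "user", "displayName": "Ana", "department": "Teachers"},
    {"kind": "user", "displayName": "Ben", "department": "IT"},
    {"kind": "user", "displayName": "Cy"},  # department attribute never populated
]
DEVICES = [
    {"kind": "device", "displayName": "SURFACE-01", "deviceOSType": "Windows", "deviceOwnership": "Company"},
    {"kind": "device", "displayName": "PIXEL-02", "deviceOSType": "Android", "deviceOwnership": "Personal"},
    {"kind": "device", "displayName": "IPAD-03", "deviceOSType": "iPad", "deviceOwnership": "Company"},
]

Predicate = Callable[[Dict[str, Any]], bool]
COMPARISONS = {"-eq", "-ne", "-startswith", "-contains"}
# Parentheses, operators, double-quoted values, dotted property names such as user.department.
_TOKEN = re.compile(r'\s*(?:([()])|(-and|-or|-eq|-ne|-startsWith|-contains)(?!\w)|"([^"]*)"|([A-Za-z_][\w.]*))')


def tokenize(rule: str) -> List[Tuple[str, str]]:
    tokens, rule, pos = [], rule.strip(), 0
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if m is None:
            raise ValueError(f"cannot tokenize rule at offset {pos}: {rule[pos:]!r}")
        pos = m.end()
        paren, op, text, ident = m.groups()
        if paren:
            tokens.append(("paren", paren))
        elif op:
            tokens.append(("op", op.lower()))  # operators are case-insensitive
        elif text is not None:
            tokens.append(("str", text))
        else:
            tokens.append(("ident", ident))
    return tokens


def _comparison(prop: str, op: str, value: str) -> Predicate:
    kind, _, attr = prop.partition(".")  # "user.department" -> object kind, attribute
    def test(obj: Dict[str, Any]) -> bool:
        if obj.get("kind") != kind:
            return False
        actual = obj.get(attr)
        if op == "-ne":
            return actual != value  # an unset attribute is "not equal" to any value
        if actual is None:
            return False  # the other operators never match an unset attribute
        if op == "-eq":
            return actual == value  # case-sensitive here, a simplification
        return actual.startswith(value) if op == "-startswith" else value in actual
    return test


class _Parser:  # recursive descent over the tokens; -and binds tighter than -or
    def __init__(self, tokens: List[Tuple[str, str]]) -> None:
        self.toks, self.i = tokens, 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self) -> Tuple[str, str]:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of rule")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self) -> Predicate:
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()}")
        return node
    def _or(self) -> Predicate:
        left = self._and()
        while self._peek() == ("op", "-or"):
            self._take()
            left = (lambda l, r: lambda o: l(o) or r(o))(left, self._and())
        return left
    def _and(self) -> Predicate:
        left = self._primary()
        while self._peek() == ("op", "-and"):
            self._take()
            left = (lambda l, r: lambda o: l(o) and r(o))(left, self._primary())
        return left
    def _primary(self) -> Predicate:
        tok = self._take()
        if tok == ("paren", "("):
            node = self._or()
            if self._take() != ("paren", ")"):
                raise ValueError("expected ')'")
            return node
        op, val = self._take(), self._take()
        if tok[0] != "ident" or op[1] not in COMPARISONS or val[0] != "str":
            raise ValueError('expected <property> <operator> "value"')
        return _comparison(tok[1], op[1], val[1])


def members(rule: str, directory: List[Dict[str, Any]]) -> List[str]:
    """Display names of the objects the rule would pull into the dynamic group."""
    test = _Parser(tokenize(rule)).parse()
    return [obj["displayName"] for obj in directory if test(obj)]
```

Running `members('(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")', DEVICES)` returns only SURFACE-01, and a user whose department was never populated is excluded from the Teachers group but included by a `-ne "Teachers"` rule, which is exactly the kind of membership surprise worth checking before a group drives policy assignment.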
The users and groups created are also seen in the Microsoft 365 admin center, Azure
AD in the Azure portal, and Microsoft Intune in the Azure portal. You can create and
manage groups in all these areas for your tenant subscription. If your goal is device
management, use the Microsoft Intune admin center.
3. Select Groups to see the membership of this user. You can also remove the user
from a group.
4. Select some of the other options to see more information, and what you can do.
For example, look at the assigned license, the user's devices, and more.
1. In the Intune admin center, select Devices > Configuration profiles > Create
profile.
2. Enter the following properties:
3. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, enter Admin template - Windows
10 student devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.
5. Select Next.
6. In Configuration settings, All settings shows an alphabetical list of all the settings.
You can also filter to settings that apply to devices (Computer configuration) and
settings that apply to users (User configuration):
7. Expand Computer configuration > Microsoft Edge > select SmartScreen settings.
Notice the path to the policy, and all the available settings:
This app gets installed with RSAT: Group Policy Management Tools, which is an
optional feature you install on Windows. Prerequisites (in this article) lists the steps
to install it.
2. Expand Domains > select your domain. For example, select contoso.net.
3. Right-click the OfficeandEdge policy > Edit. The Group Policy Management Editor
app opens.
OfficeandEdge is a group policy that includes the Office and Microsoft Edge
ADMX templates. This policy is described in prerequisites (in this article).
4. Expand Computer configuration > Policies > Administrative Templates > Control
Panel > Personalization. Notice the available settings.
Double-click Prevent enabling lock screen camera, and see the available options:
5. In the Intune admin center, go to your Admin template - Windows 10 student
devices template.
6. Select Computer configuration > Control Panel > Personalization. Notice the
available settings:
The setting type is Device, and the path is /Control Panel/Personalization. This
path is similar to what you just saw in Group Policy Management Editor. If you
open the Prevent enabling lock screen camera setting, you see the same Not
configured, Enabled, and Disabled options you see in Group Policy Management
Editor.
Compare a user policy
1. In your admin template, select Computer configuration > All settings, and search
for inprivate browsing. Notice the path.
Do the same for User configuration. Select All settings, and search for inprivate
browsing.
2. In Group Policy Management Editor, find the matching user and device settings:
Tip
To see the built-in Windows policies, you can also use GPEdit (Edit group policy
app).
2. Expand Computer configuration > Microsoft Edge > Startup, homepage and
new tab page. Notice the available settings.
Do the same for User configuration.
2. Select the Turn off InPrivate Browsing setting. In this window, notice the
description and values you can set. These options are similar to what you see in
group policy.
4. Also configure the following Internet Explorer settings. Be sure to select OK to save
your changes.
5. Clear your search filter. Notice the settings you configured are listed at the top:
2. A list of existing users and groups is shown. Select the All Windows 10 student
devices group you created earlier > Select.
If you're using this walkthrough in a production environment, then consider
adding groups that are empty. The goal is to practice assigning your template.
As soon as the profile is saved, it applies to the devices when they check in with Intune.
If the devices are connected to the internet, it can happen immediately. For more
information on policy refresh times, see How long does it take for devices to get a
policy, profile, or app.
When assigning strict or restrictive policies and profiles, don't lock yourself out.
Consider creating a group that's excluded from your policies and profiles. The idea is to
have access to troubleshoot. Monitor this group to confirm it's being used as intended.
1. Create another profile (Devices > Configuration profiles > Create profile).
3. Select Create.
Name: Enter Admin template - OneDrive policies that apply to all Windows
10 users.
Description: Enter a description for the profile. This setting is optional, but
recommended.
5. Select Next.
6. In Configuration settings, configure the following settings. Be sure to select OK to
save your changes:
Computer configuration:
Silently sign in users to the OneDrive sync client with their Windows
credentials
Type: Device
Value: Enabled
Use OneDrive Files On-Demand
Type: Device
Value: Enabled
User configuration:
Prevent users from syncing personal OneDrive accounts
Type: User
Value: Enabled
For more information on OneDrive client settings, see Use Group Policy to control
OneDrive sync client settings.
2. A list of existing users and groups is shown. Select the All Windows devices group
you created earlier > Select.
At this point, you created some administrative templates, and assigned them to groups
you created. The next step is to create an administrative template using Windows
PowerShell and the Microsoft Graph API for Intune.
Optional: Create a policy using PowerShell and
Graph API
This section uses the following resources. We'll install these resources in this section.
a. Enter: get-ExecutionPolicy
Write down what it's set to, which may be Restricted. When finished with the
walkthrough, set it back to its original value.
PowerShell's execution policy helps prevent executing malicious scripts. For more
information, see About Execution Policies.
Enter Y if:
It can take several minutes to complete. When finished, a prompt similar to the
following prompt is shown:
4. In your web browser, go to https://github.com/Microsoft/Intune-PowerShell-SDK/releases, and select the Intune-PowerShell-SDK_v6.1907.00921.0001.zip file.
a. Select Save as, and select a folder you'll remember. c:\psscripts is a good
choice.
b. Open your folder, right-click the .zip file > Extract all > Extract. Your folder
structure looks similar to the following folder:
PowerShell
Import-Module c:\psscripts\Intune-PowerShell-SDK_v6.1907.00921.0001\drop\outputs\build\Release\net471\Microsoft.Graph.Intune.psd1
c. When prompted, sign in with the same Microsoft 365 administrator account.
These cmdlets create the policy in your tenant organization.
User: Enter the administrator account of your Microsoft 365 tenant subscription.
d. Select Accept.
When these cmdlets succeed, the profile is created. To confirm, go to the Intune
admin center > Configuration Profiles. Your Test Configuration profile should be
listed.
11. Find the definition ID using the setting display name. Enter:
PowerShell
$desiredSettingDefinition = $settingDefinitions.value | ? {$_.DisplayName -Match "Silently sign in users to the OneDrive sync app with their Windows credentials"}
PowerShell
Invoke-MSGraphRequest -Url "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/definitionValues('$($configuredSetting.id)')" -Content ("{""enabled"":""false""}") -HttpMethod PATCH
You see the Silently sign in users to the OneDrive sync client with their Windows
credentials setting is configured.
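The cmdlet sequence this section walks through, collected into functions with the checks an administrator would want before a policy reaches a production tenant. This is an added example, not the tutorial's own script: it assumes the Intune PowerShell SDK module is imported and Connect-MSGraph has been run, uses the beta Graph endpoints shown above plus $expand=definition for read-back, and the function names, duplicate check and paging helper are this example's own.

```powershell
# Added example, not the tutorial's script. Assumes Microsoft.Graph.Intune is
# imported and Connect-MSGraph has already succeeded for an admin account.
$GraphBeta = 'https://graph.microsoft.com/beta/deviceManagement'

function Get-AllGraphPages {
    # Invoke-MSGraphRequest returns one page; follow @odata.nextLink so a
    # setting is not missed because it sits on a later page (this example's helper).
    param([Parameter(Mandatory)] [string] $Url)
    $items = @()
    do {
        $page = Invoke-MSGraphRequest -Url $Url -HttpMethod GET
        $items += $page.value
        $Url = $page.'@odata.nextLink'
    } while ($Url)
    return $items
}

function New-AdmxConfiguration {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $Description = ''
    )
    # Refuse to create a second profile with the same name: a silent duplicate
    # is the usual root cause of "conflict" status on devices later on.
    $existing = Get-AllGraphPages -Url "$GraphBeta/groupPolicyConfigurations"
    $dup = @($existing | Where-Object { $_.displayName -eq $DisplayName })
    if ($dup.Count -gt 0) {
        throw "A configuration named '$DisplayName' already exists (id $($dup[0].id))."
    }
    $body = @{ displayName = $DisplayName; description = $Description } | ConvertTo-Json
    return Invoke-MSGraphRequest -Url "$GraphBeta/groupPolicyConfigurations" `
        -HttpMethod POST -Content $body
}

function Get-AdmxDefinition {
    param([Parameter(Mandatory)] [string] $DisplayName)
    # Exact match on displayName. The tutorial uses -Match (a regex), which can
    # return several definitions; insist on exactly one so the wrong setting is
    # never bound to the policy.
    $defs = Get-AllGraphPages -Url "$GraphBeta/groupPolicyDefinitions"
    $hits = @($defs | Where-Object { $_.displayName -eq $DisplayName })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one definition for '$DisplayName', found $($hits.Count)."
    }
    return $hits[0]
}

function Add-AdmxDefinitionValue {
    param(
        [Parameter(Mandatory)] $Configuration,
        [Parameter(Mandatory)] $Definition,
        [bool] $Enabled = $true
    )
    # Bind the definition to the configuration and set its state. 'enabled' is
    # sent as a JSON boolean here.
    $body = @{
        enabled                 = $Enabled
        'definition@odata.bind' = "$GraphBeta/groupPolicyDefinitions('$($Definition.id)')"
    } | ConvertTo-Json
    $url = "$GraphBeta/groupPolicyConfigurations('$($Configuration.id)')/definitionValues"
    return Invoke-MSGraphRequest -Url $url -HttpMethod POST -Content $body
}

function Test-AdmxDefinitionValue {
    # Read the configuration back and confirm the setting landed with the
    # intended state before the profile is assigned to any group.
    param(
        [Parameter(Mandatory)] $Configuration,
        [Parameter(Mandatory)] $Definition,
        [bool] $Enabled = $true
    )
    $url = "$GraphBeta/groupPolicyConfigurations('$($Configuration.id)')/definitionValues?`$expand=definition"
    $values = Get-AllGraphPages -Url $url
    $match = $values | Where-Object { $_.definition.id -eq $Definition.id }
    return ($null -ne $match) -and ($match.enabled -eq $Enabled)
}

# Usage: profile name from the walkthrough, description is a constructed sample value.
$config = New-AdmxConfiguration -DisplayName 'Test Configuration' -Description 'Created from PowerShell'
$def    = Get-AdmxDefinition -DisplayName 'Silently sign in users to the OneDrive sync app with their Windows credentials'
$null   = Add-AdmxDefinitionValue -Configuration $config -Definition $def -Enabled $true
if (-not (Test-AdmxDefinitionValue -Configuration $config -Definition $def -Enabled $true)) {
    throw 'Setting was not applied as expected; review the profile in the admin center before assigning it.'
}
```

Get-AdmxDefinition will also throw if the tenant's ADMX catalog names the setting differently (the section above uses both "sync app" and "sync client"), which is the point of the exact-match check.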
Clean up resources
When no longer needed, you can:
Set the Windows PowerShell execution policy back to its original value. The
following example sets the execution policy to Restricted:
Next steps
In this tutorial, you got more familiar with the Microsoft Intune admin center, used the
query builder to create dynamic groups, and created administrative templates in Intune
to configure ADMX settings. You also compared using ADMX templates on-premises
and in the cloud with Intune. As a bonus, you used PowerShell cmdlets to create an
administrative template.
Important
This feature is in public preview. For more information, see Public preview in
Microsoft Intune.
Enroll devices, manage profiles and policies, and access monitoring and reports all in
one place in Microsoft Intune. Now in public preview, you can go to the Devices area in
the Microsoft Intune admin center to:
Get at-a-glance actionable information and key metrics about your devices.
Access workloads for device onboarding, management, and monitoring.
View, monitor, and drill down into active issues on the Overview page.
Manage devices by OS platform.
Access, apply, and view filters at the top of every list view.
This article describes how to opt in to the public preview and access these updated
workloads:
You remain in public preview until you switch it back, even if you close the browser. To
exit public preview and return to the current version of the admin center:
1. Go to Overview.
2. Flip the switch next to Use Devices preview. Wait while Intune refreshes the UI.
3. Optionally, when prompted, provide feedback about your experience with the
Devices public preview. Select x to return to the admin center without giving
feedback.
Overview
Go to Devices > Overview to access workloads by OS platform, view key metrics about
assigned policies, and access associated reports. Overview options include:
This page also highlights key metrics about active issues, such as enrollment failures and
Windows 365 provisioning failures, happening across devices. Select a metric for more
information about the issue.
All devices
Go to Devices > All devices to view a list of all Intune-managed devices in your tenant.
Select a device for more granular information, such as:
Hardware details
Installed apps
Assigned policies
Available remote actions
For more information about device details, see See device details in Intune.
Device onboarding
Under Device onboarding, you can access these onboarding options (workloads with UI
changes are marked as New):
Cloud PC creation
Enrollment - New
Monitor: Access reports and list views associated with enrollment profiles, policies,
and Windows Autopilot deployment.
Windows: Set up enrollment for devices running Windows 10 or Windows 11.
Apple: Set up enrollment for iOS/iPadOS and Mac devices.
Android: Set up enrollment for supported Android devices.
Corporate device identifiers: Add and manage corporate identifiers for devices
that should have corporate-owned status.
Device enrollment manager: Add and manage device enrollment managers that
oversee or help with enrolling devices.
For more information about getting started with enrollment, see Enrollment guide:
Microsoft Intune enrollment.
Manage devices
Under Manage devices, you can access these essential management workloads
(workloads with UI changes are marked as New):
Configuration - New
Compliance - New
Conditional access
Scripts
Windows 10 and later updates - New
Apple updates - New
Group Policy analytics
eSIM cellular profiles (preview)
Policy sets
Device clean-up rules
Device categories
Partner portals
Monitored data and relevant reports are located in the same place as your management
tasks to help you find and act on issues quickly. This section describes the public
preview experience for all updated workloads.
Configuration
Go to Devices > Configuration to monitor and manage device configuration policies in
Microsoft Intune. Within Configuration, you can access these subworkloads:
Monitor: Access key metrics, reports, and list views associated with device
configuration profiles.
Policies: Create and manage device configuration policies.
Import ADMX: Import custom and partner ADMX and ADML templates that you
can create device configuration policies from.
For more information about device configuration, see Apply features settings on your
devices using device profiles in Microsoft Intune.
Compliance
Go to Devices > Compliance to monitor and manage device compliance policies in
Microsoft Intune. Within Compliance, you can access these subworkloads:
Monitor: Access key metrics, reports, and list views associated with device
compliance.
Policies: Create and manage device compliance policies.
Notifications: Create and send custom notifications to device users on managed
iOS/iPadOS and Android devices.
Retire noncompliant devices: Remove all company data from a device and remove
the device from Intune management.
Scripts: Add and manage scripts used for custom compliance settings.
Monitor: Access key metrics and active issues associated with Windows software
update policies.
Update rings: Create and manage update ring policies for Windows 10 and
Windows 11 updates.
Feature updates: Create and manage policies for feature updates.
Quality updates: Create and manage policies for quality updates.
Driver updates: Create and manage policies for driver updates.
For more information about Windows updates, see Manage Windows 10 and Windows
11 software updates in Intune.
Apple updates
Go to Devices > Apple updates to monitor and manage software update policies for
Apple devices. Within this area, you can access the following subworkloads:
Monitor: Access key metrics and active issues associated with Apple update
policies.
iOS/iPadOS updates: Create and manage policies for iOS/iPadOS updates.
macOS updates: Create and manage policies for macOS updates.
For more information about software update policies for Apple devices, see:
Next steps
For an overview of new features and features that are ready to try in public preview, see
What's New in Microsoft Intune.
Set up enrollment for devices in Azure AD shared device mode
Article • 03/27/2023
Applies to iOS/iPadOS
Important
This feature is in public preview. For more information, see Public preview in
Microsoft Intune.
Set up automated device enrollment for devices in Azure AD shared device mode.
Shared device mode enables frontline workers to securely share a single device
throughout the day, signing in and out as needed. The foundation for this experience is
made up of Azure Active Directory (Azure AD) shared device mode and the Microsoft
Enterprise SSO plug-in.
This article describes how to enable automated device enrollment for devices in shared
device mode. You will:
Prerequisites
Before you create an enrollment profile in Microsoft Intune:
For more information about how to create an enrollment profile, see Create an Apple
enrollment profile.
For more information about how to create a dynamic group for shared devices in Azure
AD, see Create a group membership rule.
For more information about how to create an assignment filter rule, see Create a filter.
You can configure the rest of the profile to meet your organization's needs. When you're
done configuring the profile, assign it to All devices and then add the assignment filter
you created in Step 3.
For more information about creating an SSO app extension policy, see:
For more information about assigning a volume-purchased app, see Assign a volume
purchased app.
Users typically don't like enrolling themselves, and may not be familiar with the
Company Portal app. Be sure to provide guidance, including what information to enter.
For some guidance on communicating with your users, see Planning guide: Step 5 -
Create a rollout plan.
Microsoft Intune planning guide
Article • 06/07/2023
A successful Microsoft Intune deployment or migration starts with planning. This guide
helps you plan your move or adoption of Intune as your unified endpoint management
solution.
Intune gives organizations options to do what's best for them and for the many different
devices their users have. You can enroll devices in Intune for mobile device management (MDM) of
Android, iOS/iPadOS, Linux, macOS, and Windows devices. You can also use app
protection policies for mobile application management (MAM), which focuses on
protecting app data.
This guide:
Tip
The Intune Adoption Kit includes email templates, project plans, planning
spreadsheet, and more.
Want to print or save this guide as a PDF? In your web browser, use the Print
option, Save as PDF.
This guide is a living thing. So, be sure to add or update existing tips and
guidance you've found helpful.
Step 1 - Determine your objectives
Organizations use mobile device management (MDM) and mobile application
management (MAM) to control organization data securely, and with minimal disruption
to users. When evaluating an MDM/MAM solution, such as Microsoft Intune, look at
what the goal is, and what you want to achieve.
These apps are the apps you want on their devices. Some considerations:
Many organizations deploy the Office suite of apps to PCs and tablets, such as
Word, Excel, OneNote, PowerPoint, and Teams. On smaller devices, such as mobile
phones, individual apps might be installed, depending on the user requirements.
For example, the sales team may require Teams, Excel, and SharePoint. On mobile
devices, you can deploy only these apps, instead of deploying the entire Office
suite.
Users expect to read and reply to email and join meetings on all devices, including
personal devices. On organization-owned devices, you can deploy Outlook and
Teams, and manage and control all device settings and all app settings, including
PIN and password requirements.
On personal devices, you might not have this control. So, determine if you want to
give users access to organization apps, such as email and meetings.
Antivirus, malware scanning, responding to threats, and keeping devices up to date are all
important considerations. You also want to minimize the impact of malicious activity.
Some considerations:
Antivirus (AV) and malware protection are a must. Intune integrates with
Microsoft Defender for Endpoint and different Mobile Threat Defense (MTD)
partners to help protect your managed devices, personal devices, and apps.
Microsoft Defender for Endpoint includes security features and a portal to help you
monitor and react to threats.
For example, Microsoft Defender for Endpoint scans a device, and determines it's
compromised. Conditional Access can automatically block organization access on
this device, including email.
Conditional Access helps protect your network and resources from devices, even
devices that aren't enrolled in Intune.
Update devices, the OS, and apps to help keep your data secure. Create a plan for
how and when updates are installed. There are policies in Intune that help you
manage updates, including updates to store apps.
Determine how users will authenticate to organization resources from their many
devices. For example, you can:
If you plan to use biometrics for authentication, be sure your devices support
biometrics. Most modern devices do.
Implement a Zero Trust deployment. With Zero Trust, you use the features in
Azure AD and Microsoft Intune to secure all endpoints, use passwordless
authentication, and more. For more information, see Zero Trust with Microsoft
Intune.
Objective: Distribute IT
Many organizations want to give different admins control over locations, departments,
and so on. For example, the Charlotte IT Admins group controls and monitors the
policies in the Charlotte campus. These Charlotte IT Admins can only see and manage
policies for the Charlotte location. They can't see and manage policies for the Redmond
location. This approach is called distributed IT.
In Intune, distributed IT uses scope tags, device enrollment categories, and multiple
admin approval.
Scope tags use role-based access control (RBAC). So, only users in a specific group
have permission to manage policies and profiles for users and devices in their
scope.
When you use device enrollment categories, devices are automatically added to
groups based on categories you create. This feature uses Azure AD dynamic
groups, and helps make managing devices easier.
When users enroll their device, they choose a category, such as Sales, IT admin,
point-of-sale device, and so on. When they're added to a category, these device
groups are ready to receive your policies.
When admins create policies, you can require multiple admin approval for specific
policies, including policies that run scripts or deploy apps.
✔️Task: Determine how you want to distribute your rules and settings
Rules and settings are deployed using different policies. Some considerations:
Determine your admin structure. For example, you might want to separate by
location, such as Charlotte IT Admins or Cambridge IT Admins. You might want to
separate by role, such as Network Admins that control all network access,
including VPN.
✔️Task: Create a plan to cover different scenarios that impact your organization
A device is lost or stolen, or no longer being used. A user leaves the organization.
In Intune, you can remove devices by using wipe, retire, or manually unenroll
them. You can also automatically remove devices that haven't checked in for x
number of days.
At the app level, you can remove organization data from Intune-managed apps.
A selective wipe is great for personal devices, as it keeps personal data on the
device, and only removes organization data.
On personal devices, you may want to prevent users from copy/paste, taking
screenshots, or forwarding emails. App protection policies can block these features
on devices you don't manage.
On managed devices (devices enrolled in Intune), you can also control these
features using device configuration profiles. Device configuration profiles control
settings on the device, not the app. On devices that access highly sensitive or
confidential data, device configuration profiles can prevent copy/paste, taking
screenshots, and more.
Supported platforms
Intune supports Android, iOS/iPadOS, macOS, Linux, and Windows devices. For the
specific versions, go to supported platforms.
If your devices use unsupported versions, which are primarily older operating systems,
then it's time to upgrade the OS or replace the devices. These older OSes and devices
might have limited support, and are a potential security risk. This task includes desktop
computers running Windows 7, iPhone 7 devices running the original v10.0 OS, and so
on.
Option 1: On personal devices, give users the choice to enroll in Intune. Once
enrolled, admins fully manage these devices, including pushing policies,
controlling device features and settings, and even wiping devices. As an admin,
you may want this control, or you may think you want this control.
When users enroll their personal devices, they may not realize or understand that
admins can do anything on the device, including accidentally wiping or resetting
the device. As an admin, you may not want this liability or potential impact on
devices your organization doesn't own.
Also, many users refuse to enroll. They find other ways to access organization
resources. For example, you require devices be enrolled to use the Outlook app to
check organization email. To skip this requirement, users open any web browser on
the device, and sign in to Outlook web access, which may not be what you want.
Or, they create screenshots, and save the images on the device, which also isn't
what you want.
If you choose this option, be sure to educate users on the risks and benefits of
enrolling their personal devices. As an alternative, you can use app protection
policies.
Option 2: On personal devices, use app configuration policies and app protection
policies. Users don't enroll in Intune. For these devices, you manage app access.
Use a Terms and conditions statement with a conditional access policy. If users
don't agree, then they don't get access to apps. If users agree to the statement,
then a device record is added to Azure AD, and the device becomes a known
entity. When the device is known, you can track what's being accessed from the
device.
Look at the tasks your organization uses the most, such as email and joining
meetings. Use app configuration policies to configure app-specific settings, such
as Outlook. Use app protection policies to control the security and access to these
apps.
For example, users can use the Outlook app on their personal device to check work
email. In Intune, admins create an Outlook app protection policy. This policy uses
multi-factor authentication (MFA) every time the Outlook app opens, prevents
copy and paste, and restricts other features.
Option 3: You want every device to be fully managed. In this scenario, give users
all the devices they need, including mobile phones. Invest in a hardware refresh
plan so users continue to be productive and effective. Enroll these organization-
owned devices in Intune, and manage them using policies.
As a best practice, always assume data will leave the device. Be sure your tracking and
auditing methods are in place. For more information, see Zero Trust with Microsoft
Intune.
If your Windows devices are currently managed using Configuration Manager, you can
still enroll these devices in Intune. This approach is called co-management. Co-management offers many benefits, including running remote actions on the device
(restart, remote control, factory reset), conditional access with device compliance, and
more. You can also cloud-attach your devices to Intune.
What is co-management
Paths to co-management
Configuration Manager tenant attach
✔️Task: Look at what you currently use for mobile device management
Your adoption of a mobile device management solution can depend on what your organization
currently uses, including whether that solution uses on-premises features or programs.
If you currently don't use any MDM service or solution, then going straight to
Intune may be best.
For new devices not enrolled in Configuration Manager or any MDM solution,
going straight to Intune may be best.
Azure Active Directory (AD) Premium includes several features that are key to
managing devices, including:
Windows Autopilot: Windows client devices can automatically enroll in Intune,
and automatically receive your policies.
Multi-factor authentication (MFA): Users must enter two or more verification
methods, such as a PIN, an authenticator app, a fingerprint, and more. MFA is a
great option when using app protection policies for personal devices, and
organization-owned devices that require extra security.
Conditional Access: If users and devices follow your rules, such as a 6-digit
passcode, then they get access to organization resources. If users or devices
don't meet your rules, then they don't get access.
Dynamic user groups and dynamic device groups: Add users or devices
automatically to groups when they meet criteria, such as a city, job title, OS
type, OS version, and more.
Microsoft 365 apps include the apps that users rely on, including Outlook, Word,
SharePoint, Teams, OneDrive, and more. You can deploy these apps to devices
using Intune.
Microsoft Defender for Endpoint helps monitor and scan your Windows client
devices for malicious activity. You can also set an acceptable threat level. When
combined with conditional access, you can block access to organization resources
if the threat level is exceeded.
If your goal is to deploy policies (rules) and profiles (settings), without any
enforcement, at a minimum, you need:
Intune
You currently use Configuration Manager, and want to set up co-management for
your devices. Intune is already included in your Configuration Manager license. If
you want Intune to fully manage new devices or existing co-managed devices,
then you need a separate Intune license.
You want to enforce the compliance or password rules you create in Intune. At a
minimum, you need:
Intune
Azure AD Premium
Intune and Azure AD Premium are available with Enterprise Mobility + Security.
For more information, go to Enterprise Mobility + Security pricing options.
You want to only manage Microsoft 365 apps on devices. At a minimum, you need:
Microsoft 365 Basic Mobility and Security
You want to deploy Microsoft 365 apps to your devices, and create policies to help
secure devices that run these apps. At a minimum, you need:
Intune
Microsoft 365 apps
You want to create policies in Intune, deploy Microsoft 365 apps, and enforce your
rules and settings. At a minimum, you need:
Intune
Microsoft 365 apps
Azure AD Premium
Since all these services are included in some Microsoft 365 plans, it might be
cost effective to use the Microsoft 365 license.
For more information, go to Microsoft 365 licensing plans.
With these goals in mind, create a baseline of your policies. If you have multiple device
management solutions, now might be the time to use a single mobile device
management service.
This task includes looking at services that could move to the cloud. Remember, instead
of looking at what you've always done, determine the goal.
Tip
Some considerations:
Review existing policies and their structure. Some policies may apply globally,
some apply at the site level, and some are specific to a device. The goal is to know
and understand the intent of global policies, the intent of local policies, and so on.
On-premises AD group policies are applied in the LSDOU order - local, site,
domain, and organizational unit (OU). In this hierarchy, OU policies overwrite
domain policies, domain policies overwrite site policies, and so on.
In Intune, policies are applied to users and groups you create. There isn't a
hierarchy. If two policies update the same setting, then the setting shows as a
conflict. For more information on conflict behavior, go to Common questions,
issues, and resolutions with device policies and profiles.
When coming from AD group policy to Intune, and after reviewing your policies,
your AD global policies logically start to apply to groups you have, or groups you
need. These groups include users and devices you want to target at the global
level, site level, and so on. This task gives you an idea of the group structure you
need in Intune.
Be prepared to create new policies in Intune. Intune includes several features that
cover scenarios that may interest you. Some examples:
Group policy: Use group policy analytics to import and analyze your GPOs. This
feature helps you determine how your GPOs translate in the cloud. The output
shows which settings are supported in MDM providers, including Microsoft
Intune. It also shows any deprecated settings, or settings not available to MDM
providers.
You might also be able to create an Intune policy based on your imported
settings. For more information, go to Create a settings catalog policy using your
imported GPOs.
Create a policy baseline that includes the minimum of your goals. For example:
Review the current structure of your groups. In Intune, you can create and assign
policies to user groups, device groups, and dynamic user and device groups
(requires Azure AD Premium).
When you create groups in the cloud, such as Intune or Microsoft 365, they're
created in Azure AD. You might not see the Azure AD branding, but that's what
you're using.
Creating new groups can be an easy task. They can be created in the Microsoft
Intune admin center. For more information, go to add groups to organize
users and devices.
If you have existing Office 365 groups, you can move to Microsoft 365. Your
existing groups remain, and you get all the features and services of Microsoft
365. For more information, go to:
What is Microsoft 365?
Migration to Microsoft 365 Enterprise
Upgrade to Microsoft 365 Business
If you have multiple device management solutions, then move to a single mobile
device management solution. We recommend using Intune to help protect
organization data in apps and on devices.
Define your goals and success metrics. Use these data points to create other
rollout phases. Make sure goals are SMART (Specific, Measurable, Attainable,
Realistic, and Timely). Plan to measure against your goals at each phase so your
rollout project stays on track.
Have clearly-defined goals and objectives. Include these objectives in all awareness
and training activities so users understand why your organization chose Intune.
Start with a pilot or test group. These groups should know they're the first users,
and be willing to provide feedback. Use this feedback to improve configuration,
documentation, notifications, and make it easier for users in a future rollout.
These users shouldn't be executives or VIPs.
After initial testing, add more users to the pilot group. Or, create more pilot
groups that focus on a different rollout, such as:
Platform: This rollout deploys similar platforms at the same time. For
example, deploy policies to all iOS/iPadOS devices in February, all Android
devices in March, and all Windows devices in April. This approach might
simplify help desk support, as they only support one platform at a time.
Using a staged approach, you can get feedback from a wide range of user
types.
After a successful pilot, you're ready to start a full production rollout. The
following example is an Intune rollout plan that includes targeted groups and
timelines:
Production rollout phase 2: Retail (1000 users)
Choose how users will enroll their personal and organization-owned devices.
There are different enrollment approaches you can use, including:
User self-service: Users enroll their own devices following steps provided by
their IT organization. This approach is most common, and is more scalable than
user-assisted enrollment.
User-assisted enrollment: In this pre-provisioned deployment approach, an IT
member helps users through the enrollment process, in person or using Teams.
This approach is common with executive staff and other groups that might need
more assistance.
IT tech fair: At this event, the IT group sets up an Intune enrollment assistance
booth. Users receive information on Intune enrollment, ask questions, and get
help enrolling their devices. This option is beneficial for IT and users, especially
during the early phases of an Intune rollout.
Enrollment approach by rollout phase (example):
Limited pilot: Self-service (IT)
Expanded pilot: Self-service (IT); Pre-provisioned (IT, Executives)
Production rollout: Self-service (Retail); Pre-provisioned (Executives)
For more information on the different enrollment methods for each platform, go to
Deployment guidance: Enroll devices in Microsoft Intune.
Your communication plan should include how to notify users, and when to communicate.
Some considerations:
The Intune Adoption Kit might be helpful. Use it as-is, or change it for your
organization.
Create an email for pre-enrollment, email for enrollment, and email for post-
enrollment. For example:
Email 1: Explain the benefits, expectations, and schedule. Take this
opportunity to showcase any other services whose access is granted on
devices managed by Intune.
Email 2: Announce that services are now ready for access through Intune. Tell
users to enroll now. Give users a timeline before their access is affected.
Remind users of benefits and strategic reasons for migration.
Use an organization web site that explains the rollout phases, what users can
expect, and who to contact for help.
Create posters, use organization social media platforms (such as Microsoft Viva
Engage), or distribute flyers to announce the pre-enrollment phase.
Create a timeline that includes when and who. The first Intune kickoff
communications can target the entire organization, or just a subset. They can take
place over several weeks before the Intune rollout begins. After that, information
could be communicated in phases to users and groups, aligned with their Intune
rollout schedule.
Example timeline: in each rollout phase (phase 1 targets all users), send the
pre-rollout email (Email 1) in the first week and the enrollment email in the third week.
Validate the end-user experience with success metrics in your deployment plan. Some
considerations:
Determine who will support end users. Organizations may have different tiers or
levels (1-3). For example, tier 1 and 2 may be part of the support team. Tier 3
includes members of the MDM team responsible for the Intune deployment.
Tier 1 is typically the first level of support and the first tier to contact. If tier 1 can't
resolve the issue, then they escalate to tier 2. Tier 2 escalates it to tier 3. Microsoft
support may be considered as tier 4.
In the initial rollout phases, be sure all tiers in your support team document
issues and resolutions. Look for patterns, and adjust your communications for
the next rollout phase. For example:
If different users or groups are hesitant about enrolling their personal
devices, consider Teams calls to answer common questions.
If users are having the same issues enrolling organization-owned devices,
then host an in-person event to help users enroll the devices.
This approach, especially in early stages of the Intune rollout, adds many benefits,
including:
Help learn the technology
Quickly identify issues and resolution
Improve the overall user experience
Train your help desk and support teams. Have them enroll devices running the
different platforms used in your organization so they're familiar with the process.
Consider using help desk and support teams as a pilot group for your scenarios.
The community-based Intune forum and end-user documentation are also great
resources.
Next steps
Migration guide: Set up or move to Microsoft Intune
Get started with your Microsoft Intune deployment
Settings insight
Article • 07/24/2023
Settings insight provides tailored insights powered by a machine learning model. This
article explains how Settings insight works. Settings insight is currently available
within Intune security baselines.
Overview
The Settings insight feature provides confidence in configurations by adding insights
that similar organizations have successfully adopted. This article explains how Settings
insight can be accessed or viewed for policies that are created or that exist in Microsoft
security baselines.
Prerequisites
Licensing/Subscriptions: You must have a Microsoft Intune Plan 1 license to use
Settings insight. For more information, see Licenses available for Microsoft Intune
Permissions: Global Admins or Endpoint Security Administrators can create a
profile using Baselines.
Viewing insights
1. Sign in to the Microsoft Intune admin center.
2. Select Endpoint security > Security baselines to view the list of available baselines.
3. Select one of the following baselines you'd like to use, and then select Create
profile.
6. On the Configuration settings tab, view the groups of Settings that are available.
You can expand a group to view the settings in that group, and the default values
for those settings. Insights are available beside some settings with a light bulb
icon.
Models used to categorize organizations
Similar organizations are identified using a K-means clustering model based on
customer attributes, such as industry, organization size, etc. Clustering algorithms and
key attributes are selected through experiments so that customers are grouped
appropriately. The model determines the optimal number of clusters at runtime based
on clustering performance.
Setting value recommendations are then made for similar organizations categorized in
the same cluster. Healthy organizations within a cluster are first identified based on
Endpoint analytic scores. For a common setting, the setting value used by most of the
organizations is recommended to other similar organizations within the same cluster.
The recommended setting value is only suggested if it aligns with the default setting
value that Microsoft baseline selects and functions as a positive reinforcement.
Important
Customer Data is not being used in the model. Usage data is aggregated at
organization level and is converted to categorical format when possible. For
example, a Boolean attribute is used to reflect whether the customer has Microsoft
Exchange in use and categorical data is used to show the range of deployment
ratio rather than the actual deployment ratio. Data in use is signed off via privacy
and security reviews to ensure compliance and is securely stored with appropriate
protection and retention management.
Other safeguard measures are also applied to inhibit individual customer inference. For
example, no recommendation is made if the number of similar customers within one
cluster is below a given threshold or when the setting isn't adopted by the required
minimum number of organizations. Data aggregation and a set of thresholds are
applied to protect the confidentiality of individual organizations.
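The clustering, majority-value and safeguard steps described above, as an added illustrative re-implementation that is not Microsoft's model or code. The tenants, scores, setting names, feature encoding and the three thresholds are all constructed assumptions; the real model also selects the number of clusters at runtime, which this version does not.

```python
"""Illustrative re-implementation (not Microsoft's code) of the Settings insight
flow: cluster organizations on categorical attributes, keep the healthy ones,
take the majority setting value, and let the privacy safeguards (minimum cluster
size, minimum adopters, agreement with the baseline default) gate the result.
All tenants, scores, settings and thresholds below are constructed."""
from collections import Counter
from dataclasses import dataclass

MIN_CLUSTER_SIZE = 5   # no insight when fewer similar customers share a cluster (assumed value)
MIN_ADOPTERS = 3       # setting must be used by at least this many healthy orgs (assumed value)
HEALTHY_SCORE = 70.0   # orgs at or above this score count as healthy (assumed value)


@dataclass
class Org:
    tenant: str
    features: tuple       # categorical attributes encoded as numbers, e.g. (industry, size bucket)
    health_score: float   # stands in for the Endpoint analytics score
    settings: dict        # setting name -> value this org uses


def kmeans(points, k, iters=50):
    """Minimal Lloyd's k-means. Centroids are seeded farthest-first from the
    first point so the assignment is deterministic for the test below."""
    def dist2(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))

    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist2(p, c) for c in centroids))
        centroids.append(list(far))
    assign = None
    for _ in range(iters):
        new = [min(range(k), key=lambda c: dist2(p, centroids[c])) for p in points]
        if new == assign:
            break
        assign = new
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def recommend(orgs, baseline_defaults, k=2):
    """Return {tenant: {setting: recommended value}} for every org in a cluster
    that passes the safeguards; orgs in small clusters get nothing."""
    assign = kmeans([o.features for o in orgs], k)
    clusters = {}
    for org, c in zip(orgs, assign):
        clusters.setdefault(c, []).append(org)

    insights = {}
    for members in clusters.values():
        if len(members) < MIN_CLUSTER_SIZE:
            continue  # safeguard: too few similar customers to aggregate safely
        healthy = [o for o in members if o.health_score >= HEALTHY_SCORE]
        for setting, default in baseline_defaults.items():
            counts = Counter(o.settings[setting] for o in healthy if setting in o.settings)
            if not counts:
                continue
            value, adopters = counts.most_common(1)[0]
            if adopters < MIN_ADOPTERS:
                continue  # safeguard: setting not adopted by enough healthy orgs
            if value != default:
                continue  # only values that agree with the baseline default are surfaced
            for o in members:
                insights.setdefault(o.tenant, {})[setting] = value
    return insights


# Constructed sample: six small retail tenants (industry code 0) and three large
# finance tenants (industry code 3); the setting names are illustrative only.
BASELINE_DEFAULTS = {"RequireDiskEncryption": True, "FirewallEnabled": True}
ORGS = [
    Org("t01", (0, 1), 82.0, {"RequireDiskEncryption": True, "FirewallEnabled": False}),
    Org("t02", (0, 2), 75.0, {"RequireDiskEncryption": True, "FirewallEnabled": False}),
    Org("t03", (0, 1), 90.0, {"RequireDiskEncryption": True, "FirewallEnabled": True}),
    Org("t04", (0, 2), 40.0, {"RequireDiskEncryption": False, "FirewallEnabled": False}),  # unhealthy
    Org("t05", (0, 1), 71.0, {"RequireDiskEncryption": True, "FirewallEnabled": False}),
    Org("t06", (0, 1), 88.0, {"RequireDiskEncryption": False, "FirewallEnabled": False}),
    Org("t07", (3, 4), 95.0, {"RequireDiskEncryption": True, "FirewallEnabled": True}),
    Org("t08", (3, 5), 93.0, {"RequireDiskEncryption": True, "FirewallEnabled": True}),
    Org("t09", (3, 4), 97.0, {"RequireDiskEncryption": True, "FirewallEnabled": True}),
]

if __name__ == "__main__":
    # Retail cluster: disk encryption is recommended (majority of healthy orgs
    # use it and it matches the default); the firewall majority disagrees with
    # the default, so no insight. The finance cluster is below MIN_CLUSTER_SIZE.
    for tenant, recs in sorted(recommend(ORGS, BASELINE_DEFAULTS).items()):
        print(tenant, recs)
```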
Model execution and performance are actively monitored to ensure quality and
reliability. A series of live monitors is set up to closely watch execution anomalies and
key performance metrics. Prompt investigation and regular maintenance are in place to
provide valuable recommendations to customers.
Next steps
For more information about security baselines, go to:
Security baselines
Create security baseline profiles in Microsoft Intune
Supported operating systems and browsers in Intune
Article • 06/05/2023
Before setting up Microsoft Intune, review the supported operating systems and
browsers.
For more information on configuration service provider support, visit the Configuration
service provider reference.
Platforms covered: Android, iOS/iPadOS, Linux, macOS, Windows, Chrome OS.
Apple
Apple iOS 14.0 and later
Apple iPadOS 14.0 and later
macOS 11.0 and later
Note
Intune requires iOS 14.x or later for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies.
For Intune app protection policies and app configuration delivered through
Managed apps App configuration policies, Intune requires iOS 14.x or later.
Note
Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.
For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.
Linux
Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment
Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment
Microsoft
Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions)
Note
For more information about managing devices running Windows 10 LTSC 2019,
see What's new in Windows 10 Enterprise LTSC 2019
Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows
8.1 (Sustaining mode)
For more information about managing devices running Windows Holographic for
Business, see Windows Holographic for Business support.
Surface Hub
For more information about managing devices running Windows 10 Teams, see
Manage Surface Hub with MDM
Note
Not all Windows editions support all available operating system features being
configured through MDM. For more information, see the Windows configuration
service provider reference docs. Each CSP highlights which Windows editions are
supported.
Customers with Enterprise Management + Security (EMS) can also use Azure Active
Directory (Azure AD) to register Windows 10 devices.
For guidelines on using Windows 10 virtual machines with Intune, see Using Windows
10 virtual machines.
Note
Intune does not currently support managing UWF enabled devices. For more
information, see Unified Write Filter (UWF) feature.
Windows 11 known issues
Multi-app kiosk mode isn't currently available. Windows 11 only supports the use
of a single app in kiosk mode. For more information, see the following articles:
Set up a multi-app kiosk on Windows devices
Windows device settings to run as a dedicated kiosk using Intune
Note
You may need to enable access to Samsung servers to enroll Samsung Knox
devices. For more information about enrollment, see Automatically enroll Android
devices by using Samsung's Knox Mobile Enrollment.
The Samsung device models in the following table don't support Knox solutions and
features. Intune enrolls them as native Android devices.
Device Name | Device Model Numbers
SM-G355M
SM-G386W
GT-I9082
GT-I9080L
Galaxy J1 | SM-J100H
SM-J100M
SM-J100ML
SM-J110H
SM-J210F
Galaxy J3 | SM-J320F
SM-J320FN
SM-J320H
SM-J320M
SM-N9009
SM-N9300
SM-N930F
SM-N930T
SM-N930S
SM-G730V
GT-I9300I
Galaxy S4 | SM-S975L
Galaxy S5 | SM-G9006W
SM-T285
SM-T210
SM-T211
GT-P5210
GT-P5220
Next steps
For network configuration requirements, or to learn more about setting up devices
using the configuration service provider (CSP), see:
Before setting up Microsoft Intune for Android Open Source Project devices, ensure
you're using a supported device.
As organizations embrace a hybrid and remote workforce, admins are challenged with
controlling and managing software updates on devices owned by users. These devices
are often called BYOD (bring your own device) or personally owned devices. When
devices are organization owned, IT admins manage software updates. On personal
devices, IT admins typically don't have any control of software updates.
By default, when a new update is available for unmanaged devices (not enrolled in
Intune), users receive notifications and/or see the latest updates available on their
devices (Settings > Software Updates). The timing of these updates varies depending on
the carrier, OEM, and the device itself. At any time, users can check for updates
themselves.
To help manage the software updates on unmanaged devices, there are Intune policies
and features that can help. This section lists the Microsoft-recommended policies to
install software updates on unmanaged devices.
Tip
If your devices are organization owned, then go to the software updates planning
guides for:
When users enroll iOS/iPadOS devices, the behavior depends on the enrollment
option you use. For information on the different iOS/iPadOS enrollment options
for personal devices, go to iOS/iPadOS enrollment guide.
The following example shows an enrollment device platform restrictions policy for
Android Enterprise devices:
When users enroll their personal devices, this policy checks the version info. If the
devices are outside the versions you enter, then they're prevented from enrolling.
Create compliance policies. Use the built-in reporting to see noncompliant devices
and see the individual settings that aren't compliant.
Notify the user that the OS version doesn't meet your requirements.
Allow a grace period before the device is marked noncompliant, to allow them
time to upgrade.
If you combine your compliance policies with Conditional Access (CA), then you can
block users from resource access until they meet the OS version requirements.
At the app level, you can use app protection policies to determine the minimum OS and
patch versions.
When users open or resume an app that's managed by you, the app protection policy
can prompt users to upgrade the OS. In the policy, if the version they're running doesn't
meet your requirements, then you can warn users that a new OS version is required, or
block access:
For more information on app protection policies, go to App protection policies
overview.
Next steps
Software updates planning guide for managed Android devices
Software updates planning guide and scenarios for supervised iOS/iPadOS devices
Software updates planning guide for managed Android Enterprise devices in Microsoft Intune
Article • 08/08/2023
Patches, major & minor updates, and new operating system versions are released
frequently. Organizations must keep devices updated to get the latest security updates.
Devices with Android Google Mobile Services (GMS) include all the Google apps and
Google services. These apps and services sit on top of the OEM's own firmware features
and apps. These devices receive different types of updates, and they're updated at
unpredictable times, depending on the behaviors of Google, the OEM, and the service
carrier/telecommunication company.
This article includes an admin checklist for enrolled and managed Android Enterprise
devices. Use this information to help manage software updates on your organization-
owned devices.
Tip
If your devices are personally owned, then go to the software updates planning
guide for personal devices.
Powered on
Plugged in
Connected to the Internet
Idle and not actively being used
Dedicated devices
Fully managed devices
Fully managed devices with a work profile
When users install their own updates (instead of admins managing the updates), it can
disrupt user productivity and business tasks. For example:
Users can start an update when they want, and might not be able to work while an
update is installing.
Users can apply updates that your organization hasn't approved. This decision can
cause issues with application compatibility, changes to the operating system, or
changes to the user experience that disrupt device use.
Users can avoid applying required updates that affect security or app compatibility.
This situation can leave the devices at risk and/or prevent the devices from
functioning.
When you configure this setting, you choose when the updates are installed. For
example, you can:
Use the device's default behavior, which automatically installs updates if the device
is connected to Wi-Fi, is charging, and is idle.
For more specific information on this setting and the values you can configure, go to
Android Enterprise device settings list to allow or restrict features on corporate-owned
devices using Intune.
For more information on this setting, go to Android Enterprise device settings list to
allow or restrict features on corporate-owned devices using Intune.
Android devices running older versions that are currently enrolled in Intune don't
receive updates to the Android Company Portal app or the Intune app. These apps
aren't available in the Google Play Store. If these apps were downloaded before this
change, then the devices aren't blocked from enrollment. Policies applied to these
devices continue to be deployed, but the devices aren't in a supported state.
If you currently have devices running older Android versions in your organization, then
upgrade or replace them. Use the information in this article to help you define an
update strategy. Using newer OS versions provides better productivity and security to
your users and your organization.
Next steps
Software updates planning guide and scenarios for BYOD and personal devices
Software updates planning guide and scenarios for supervised iOS/iPadOS devices
Software updates planning guide for managed macOS devices
Software updates planning guide and scenarios for supervised iOS/iPadOS devices in Microsoft Intune
Article • 07/12/2023
Keeping your mobile devices current with software updates is critical. You need to
reduce the risk of security events and have minimal disruption to your organization and
your users. On iOS/iPadOS supervised devices, Intune has built-in policies that can
manage software updates.
This article includes an admin checklist to help you get started with software updates on
iOS/iPadOS supervised devices. It also lists common industry scenarios and sample
policies that you can configure in your environment.
For the specific steps to create a software update policy, go to Manage iOS/iPadOS
software update policies in Intune.
Tip
If your devices are personally owned, then go to the software updates planning
guide for personal devices.
When users install their own updates (instead of admins managing the updates), it can
disrupt user productivity and business tasks. For example:
Users can start an update when they want, and might not be able to work while an
update is installing.
Users can apply updates that your organization hasn't approved. This decision can
cause issues with application compatibility, changes to the operating system, or
changes to the user experience that disrupt device use.
Users can avoid applying required updates that affect security or app compatibility.
This situation can leave the devices at risk and/or prevent the devices from
functioning.
To use this automatic patching and install updates faster, make sure the devices are:
Powered on
Plugged in
Connected to the Internet
When the devices are powered on, plugged in, and connected to the Internet, then the
updates automatically download & install, and the device reboots. If the device doesn't
meet these conditions, then the updates won't automatically download and install.
To keep your devices on the most current version and with minimal effort from you,
keep the automatic updates feature enabled:
Automatic updates work together with other update policies, which can provide a
positive experience for admins and end users.
Using Intune policies, you can also force users to update their devices:
Use Enrollment Restrictions to prevent users from enrolling devices that aren't
current.
Create compliance policies to determine the devices that aren't updated.
Create Conditional Access (CA) policies to block devices that aren't updated. The
CA policies can also prompt users to install current updates so they regain access.
If devices are configured with a PIN, then to start the software update, you must
enter the PIN. Entering the PIN typically isn't an issue for information worker 1:1
devices.
When planning for updates on kiosks, factory floor or userless scenarios, you may
need to adjust your processes to accommodate for the PIN behavior.
These policies offer a controlled roll-out of a specific version. You can also force
devices on older versions to upgrade. Admins can enter the iOS/iPadOS version to
install and schedule the installation.
These policies hide updates for up to 90 days. They prevent users from manually
updating their device to a version that hasn't been approved. This feature doesn't
control when the updates are applied.
With these features, admins can make sure their Apple devices are running a specific
software version and can control the release of updates across their devices.
These settings are configurable in the Microsoft Intune admin center. For more
information, go to Manage iOS/iPadOS software update policies in Intune.
To minimize the number of policies you have to create and manage, create a
configuration that supports many time zones. Don't create a separate policy for each
time zone.
For example, in the United States, there are four primary time zones: Pacific (UTC-8),
Mountain (UTC-7), Central (UTC-6) and Eastern (UTC-5). You can create separate policies
for each time zone. Or, create one or two policies that achieve the same result.
Policies can also conflict with each other. For example:
You configure a policy that delays updates for 90 days. If there's an enrollment
restriction policy that requires devices have a recent iOS/iPadOS version, then after
a device reset, devices could be blocked from enrolling.
You create a compliance policy that requires a minimum iOS/iPadOS version that's
recent. With this policy, devices on older releases become noncompliant. If you use
Conditional Access to enforce compliance, then users are blocked and can't work.
The following table includes common industry terminology that's used in this article:
This section describes some common industry scenarios and gives examples of Intune
policies.
Knowledge workers
This group consists of people whose acquired knowledge is central to their work in
enterprise businesses and organizations. Their knowledge and thinking ability are their
job. Some examples include engineers, content developers, programmers, accountants,
communications staff, consultants, and so on.
Knowledge workers typically have their own device that's only used by them. It's not
shared with other users or other knowledge workers.
In scenarios like knowledge worker devices, the primary goal is for the update process
to be as simple and quick as possible. Their apps are mostly store-based, and the apps
should remain compatible with the latest OS version. On these devices, users are
typically tolerant of prompts for updates and/or choosing a convenient time for reboots.
Scenario example:
You're configuring an update profile for the knowledge workers at Contoso. These users
mostly use Microsoft 365 apps and several Volume Purchase Program (VPP) apps.
To accomplish these goals, you can use a policy with the following default settings:
Kiosks
These devices are typically in-store retail devices, and can be a desktop computer or a
mobile device. They're used by employees to serve customers and used directly by
customers for self-service tasks. They can also be a visual display that all customers see
when they're on-premises.
In kiosk-like scenarios, the primary goals for updating the devices are:
Scenario example:
You're configuring an iOS/iPadOS update profile for the kiosk devices at Contoso. These
devices operate in a retail outlet. Your staff uses the devices to serve customers 7 days a
week, including extended retail hours. The devices run a single Line of Business (LOB)
kiosk app, which was developed in-house by Contoso. This internal application is only
tested and validated on a quarterly basis.
You want to deploy the specific iOS/iPadOS version that this LOB app was recently
tested with, which is iOS 16.3. If this kiosk application doesn't work correctly, then the
retail outlet can't serve customers. The devices are connected to Wi-Fi and charge
overnight when the retail outlet is closed to customers.
In factory machine scenarios, the primary goal is to make sure devices behave in a
consistent manner. Updates may need to be delayed so all application compatibility
testing can complete. Installation and reboots occur at specific times and are typically
deployed in a phased approach.
Scenario example:
You're configuring an update profile for devices on the manufacturing floor at Contoso's
industrial facility. The facility runs 24x7, 365 days a year, except for a few hours of
mandatory stoppage for safety inspections. These inspections happen early Sunday
morning every week.
These devices run two vendor apps. To remain in a supported configuration, both apps
are updated infrequently, and must run a specific version of the app and OS.
You want to deploy a specific, older iOS/iPadOS version (15) to these devices, as the app
vendor doesn't support later releases yet. Since the devices are nearly always in use, you
only have a small maintenance window once a week on Sunday.
For iOS/iPadOS shared devices, to apply updates, all users must be signed out. The users
can be signed out or the device can be rebooted, which automatically signs out users.
In the morning, UserA signs in to the device to check email before going out on the
floor. An hour later, UserB uses the same device to run some LOB apps.
You need to configure an update for this shared device. These shared devices are used
by general knowledge workers who are in the office from 8AM – 5PM, Monday through
Friday. You want the devices on the latest iOS/iPadOS version that supports all the apps
used on the shared devices.
To keep the policy as simple as possible, you want the updates to install outside typical
working hours, plus one hour for reboots or other actions.
In the first policy, you want all users signed out or want to reboot the device after
a set amount of time. You can create an Apple Business Manager enrollment
profile to sign out any users who are idle for more than 15 minutes (900 seconds):
In the second policy, schedule the update using the following settings:
Next steps
Manage iOS/iPadOS software update policies in Intune
Software updates planning guide and scenarios for BYOD and personal devices
Software updates planning guide for managed Android devices
Software updates planning guide for managed macOS devices
Software updates planning guide for managed macOS devices in Microsoft Intune
Article • 08/08/2023
Keeping your devices current with updates is critical. Admins must do what they can to
reduce risk of security events, and reduce this risk with minimal disruption to the
business & users.
Intune has built-in policies that can manage software updates. For macOS devices, you
can use Intune to manage device updates, configure when devices are updated, and
review the device update status.
This article includes an admin guide for enrolled and managed macOS devices. Use this
information to help manage software updates on your organization-owned devices.
Tip
If your devices are personally owned, then go to the software updates admin
guide for personal devices.
Powered on
Plugged in
Connected to Internet
Not shut down (the device can be in a sleep state)
They can also change the update behavior using the Automatic Updates feature on the
device (Settings > Software Updates):
When users install their own updates (instead of admins managing the updates), it can
disrupt user productivity and business tasks. For example:
Users can apply updates that the business hasn't approved for use. This situation
can cause issues with application compatibility or changes to the operating system
or user experience that disrupt device use.
Users can avoid applying updates that are required for security or app
compatibility reasons. This delay can leave the devices at risk and/or prevent them
from being able to function.
Because of these potential issues, Microsoft recommends that you evaluate your use
case scenarios and deploy policies to manage the update experience to minimize risk
and disruption to your business.
Admin steps for organization owned devices
To update macOS devices owned by your organization, Microsoft recommends the
following steps. These steps apply to most macOS devices. You can also use these steps
as a starting point for your own update strategy.
1. Use a software update policy to manage when updates are installed: This policy
controls when updates install and how many times users can defer them.
2. Create a Settings Catalog software update policy: This policy prevents end users
from disabling update checks. It also configures the device to check for updates
and prompt users regularly.
3. Configure and deploy Nudge: This community tool prompts users quickly when
an update is available. If the first two policies don't motivate end users to install
updates, then Nudge reminds them.
For example, you can manage when critical updates and firmware updates are installed.
You can also manage how many times the user can defer an update before it's force
installed.
For most organizations, Microsoft recommends you configure the following settings:
Note
On recent macOS builds, almost all updates show as Configuration data
files or All other updates. The All other updates settings are mostly legacy
updates for older builds of macOS.
The time specified in these settings is used by the Intune service. The time
isn't the local device time. Be aware of time differences when you configure
a maintenance window, especially for a global environment.
You can change the values to your preferred scheduled times. Some of the values may
only affect minor updates, and not major updates. For the specific steps, and more
information on these settings & their values, go to Manage macOS software update
policies in Intune.
This policy locks these settings so users can't change them. The policy also:
1. Checks for updates each time the device checks in with the Intune service. If there
are updates available, then they're automatically downloaded.
2. The device finds a time period when the device isn't being used.
If the device isn't being used, then the policy tries to automatically install the
update.
If the device is being used, then end users can choose to install the update, or
defer the installation up to five times. Be sure to encourage your end users to
install updates when they're available.
The following images show the prompts that end users can see when updates are
available:
3. If end users use all the deferrals, then the update is force installed. For a forced
installation, a restart doesn't prompt the end user, and could result in data loss.
For example, you can configure the device to automatically install updates, including
app updates, when they're available.
This settings catalog policy works with Step 1 - Use a software update policy to manage
when updates are installed (in this article). It makes sure the devices are checking for
updates and prompting users to install them. End users still need to take action to finish
the installation.
This policy locks these settings so users can't change them. On the device, the software
update settings are greyed out:
For more information on the settings catalog, including how to create a settings catalog
policy, go to Use the settings catalog to configure settings.
A popular tool within the Microsoft macOS admin community is Nudge. Nudge is an
open source tool that encourages end users to install macOS updates. It provides a
rich configuration experience for admins.
When Nudge is configured and deployed, end users see the following sample message
when their device is ready to be updated. End users can also choose to update the
device or defer the update:
There's also a sample script and Intune configuration policy for Nudge in the
Microsoft shell script repository. This script includes everything you need to get started
with Nudge. Make sure you update the .mobileconfig file with your values.
For each device, you can see its current state of updates (Devices > macOS > select a
device > Update policies for macOS):
Next steps
Software updates planning guide for BYOD and personal devices in Microsoft
Intune
Software updates planning guide for managed Android Enterprise devices in
Microsoft Intune
Software updates planning guide and scenarios for supervised iOS/iPadOS devices
in Microsoft Intune
Intune network configuration
requirements and bandwidth
Article • 02/21/2023
You can use this information to understand bandwidth requirements for your Intune
deployments.
Note
To ensure devices receive the updates and content from Intune, they must
periodically connect to the Internet. The time required to receive updates or
content can vary, but they should remain continuously connected to the Internet
for at least one hour each day.
| Content type | Approximate size | Frequency and details |
| --- | --- | --- |
| package | | Additional downloads are possible when there are updates for this content type. |
| agent | | Additional downloads are possible when there are updates for this content type. |
| agent | | Additional downloads are possible when there are updates for this content type. |
| malware definition updates | Typically 40 KB to 2 MB | Up to three times a day. |
| updates you deploy | | A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates. |
A caching proxy server that receives content requests from clients can retrieve that
content and cache both web responses and downloads. The server uses cached data to
answer subsequent requests from clients.
The following are typical settings to use for a proxy server that caches content for Intune
clients.
| Setting | Recommended value | Details |
| --- | --- | --- |
| Cache size | 5 GB to 30 GB | The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment. |
| Individual cache file size | 950 MB | This setting might not be available in all caching proxy servers. |
| Object types to cache | HTTP, HTTPS, BITS | Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP. |
Note
For information about using a proxy server to cache content, see the documentation for
your proxy server solution.
Delivery Optimization
Delivery Optimization lets you use Intune to reduce bandwidth consumption when your
Windows 10 devices download applications and updates. By using a self-organizing
distributed cache, downloads can be pulled from traditional servers and alternate
sources (like network peers).
To see the full list of Windows 10 versions and content types supported by Delivery
Optimization, see the Delivery Optimization for Windows 10 updates article.
You can set up Delivery Optimization as part of your device configuration profiles.
Note
For MDM management on Windows, only the OS's management interface for the
MobileMSI app type uses BITS to download. AppX/MsiX use their own non-BITS
download stack and Win32 apps via the Intune agent use Delivery Optimization
rather than BITS.
To learn more about BITS and Windows computers, see Background Intelligent Transfer
Service in the TechNet Library.
Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The
following operating systems support BranchCache:
Windows 7
Windows 8.0
Windows 8.1
Windows 10
To use BranchCache, the client computer must have BranchCache enabled, and then be
configured for distributed cache mode.
When the Intune client is installed on computers, BranchCache and distributed cache
mode are enabled by default. However, if Group Policy has disabled BranchCache,
Intune doesn't override that policy and BranchCache remains disabled.
If you use BranchCache, work with other administrators in your organization to manage
Group Policy and Intune Firewall policy. Ensure they don't deploy policy that disables
BranchCache or Firewall exceptions. For more about BranchCache, see BranchCache
Overview.
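The following PowerShell is an added example, not a script from the page, that checks the state this section describes on a client: BranchCache enabled, running in distributed cache mode, not forced off by Group Policy, and the firewall exceptions still in place. It assumes the BranchCache PowerShell module (Get-BCStatus) is present, that the "Turn on BranchCache" policy writes a DWORD named Enable under HKLM:\SOFTWARE\Policies\Microsoft\PeerDist\Service, and that the built-in firewall rules use the display group names shown; confirm all three on your build.

```powershell
# Added example (not from the page): report whether this client is ready to use
# BranchCache in distributed cache mode, and why not if it isn't.
function Get-BranchCacheReadiness {
    [CmdletBinding()]
    param()

    $status = Get-BCStatus -ErrorAction Stop

    # Group Policy "Turn on BranchCache" writes Enable=1, or 0 to force it off. Intune
    # doesn't override a policy that disables it, so surface the policy value explicitly.
    # (Registry path and value name are assumptions to verify.)
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\PeerDist\Service'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name Enable -ErrorAction SilentlyContinue).Enable

    # Distributed cache mode needs two inbound rule groups: content retrieval over
    # HTTP (TCP 80) and peer discovery over WS-Discovery (UDP 3702).
    $ruleGroups = 'BranchCache - Content Retrieval (Uses HTTP)', 'BranchCache - Peer Discovery (Uses WSD)'
    $firewall = foreach ($group in $ruleGroups) {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group   = $group
            Enabled = [bool]($rules | Where-Object { $_.Enabled -eq 'True' })
        }
    }

    [pscustomobject]@{
        BranchCacheEnabled = $status.BranchCacheIsEnabled
        ServiceStatus      = $status.BranchCacheServiceStatus
        ClientMode         = $status.ClientConfiguration.CurrentClientMode
        PolicyEnableValue  = $policyValue          # $null means not configured by policy
        DisabledByPolicy   = ($policyValue -eq 0)
        FirewallGroups     = $firewall
        Ready              = ($status.BranchCacheIsEnabled -and
                              $status.ClientConfiguration.CurrentClientMode -eq 'DistributedCache' -and
                              $policyValue -ne 0 -and
                              -not ($firewall | Where-Object { -not $_.Enabled }))
    }
}

$readiness = Get-BranchCacheReadiness
$readiness | Format-List
if (-not $readiness.Ready) {
    Write-Warning 'BranchCache is not usable in distributed cache mode on this client; check Group Policy and the firewall rule groups before expecting WAN savings.'
}
```

Run it on a pilot client after deploying your Intune firewall policy: a DisabledByPolicy of True, or a firewall group reporting Enabled False, points at exactly the Group Policy or firewall conflict the paragraph above warns about.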
Next steps
Review endpoints for Intune
Using Windows 10 virtual machines with
Intune
Article • 03/02/2023
Intune supports managing virtual machines running Windows 10 Enterprise with certain
limitations. Intune management doesn't depend on, or interfere with Azure Virtual
Desktop management of the same virtual machine.
Enrollment
We recommend that you don't use Intune to manage on-demand, session-host
virtual machines, also known as non-persistent virtual desktop infrastructure (VDI).
Each VM must be enrolled when it's created. Also, regularly deleting VMs will leave
orphaned device records in Intune until they're cleaned up.
Windows Autopilot Self-deploying and pre-provisioning deployment types aren't
supported because they require a physical Trusted Platform Module (TPM).
Out of Box Experience (OOBE) enrollment isn't supported on VMs that can only be
accessed by using RDP (such as VMs that are hosted on Azure). This restriction
means:
Windows Autopilot and Commercial OOBE aren't supported.
Enrollment Status Page isn't supported.
Configuration
Intune doesn't support any configuration that utilizes a Trusted Platform Module or
hardware management, including:
BitLocker settings
Device Firmware Configuration Interface settings
Reporting
Intune automatically detects virtual machines and reports them as "Virtual Machine" in
Devices > All devices > choose a device > Overview > Model field.
Next steps
Learn about using Azure Virtual Desktop with Intune
Using Azure Virtual Desktop with Intune
Article • 02/21/2023
Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft
Azure. It lets end users connect securely to a full desktop from any device. With
Microsoft Intune, you can secure and manage your Azure Virtual Desktop VMs with
policy and apps at scale, after they're enrolled.
Prerequisites
Currently, for single-session, Intune supports Azure Virtual Desktop VMs that are:
For more information on Azure Virtual Desktop licensing requirements, see What is
Azure Virtual Desktop?.
For information about working with multi-session remote desktops, see Windows 10 or
Windows 11 Enterprise multi-session remote desktops.
Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows
11 Enterprise physical desktops. This treatment lets you use some of your existing
configurations and secure the VMs with compliance policy and conditional access.
Intune management doesn't depend on or interfere with Azure Virtual Desktop
management of the same virtual machine.
Limitations
There are some limitations to keep in mind when managing Windows 10 Enterprise
remote desktops:
Configuration
All VM limitations listed in Using Windows 10 virtual machines also apply to Azure
Virtual Desktop VMs.
Domain Join
Wi-Fi
Note
Configuration and compliance policies for Secure Boot and features leveraging
vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure
Virtual Desktop VMs.
Remote actions
The following Windows 10 desktop device remote actions aren't
supported/recommended for Azure Virtual Desktop VMs:
Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe
Retirement
Deleting VMs from Azure leaves orphaned device records in Intune. They'll be
automatically cleaned up according to the cleanup rules configured for the tenant.
Known issues
The following table provides a set of known issues along with more information about
each issue.
| Issue | More information |
| --- | --- |
| Cannot auto-enroll if tenant has more than one MDM provider | This issue will be fixed in the future. |
| Modern apps, such as Universal Windows Platform (UWP) apps, aren't working correctly if FSLogix is configured | Using FSLogix and Modern apps could cause compatibility issues. We recommend that you don't configure Modern apps when FSLogix is configured. |
Next steps
Learn more about Azure Virtual Desktops.
Use Azure Virtual Desktop multi-session with Intune
Windows 10 or Windows 11 Enterprise
multi-session remote desktops
Article • 07/21/2023
Azure Virtual Desktop multi-session with Microsoft Intune is now generally available.
You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise
multi-session remote desktops in the Microsoft Intune admin center just as you can
manage a shared Windows 10 or Windows 11 client device. When managing such virtual
machines (VMs), you'll be able to use both device-based configuration targeted to
devices or user-based configuration targeted to users.
You can manage Windows 10 and Windows 11 Enterprise multi-session VMs created in
Azure Government Cloud in US Government Community (GCC), GCC High, and DoD.
Important
Microsoft Intune support for Azure Virtual Desktop multi-session is not currently
available for Citrix DaaS and VMware Horizon Cloud.
Overview
Device configuration support in Microsoft Intune for Windows 10 or Windows 11
Enterprise multi-session is generally available (GA). This means policies defined in the
OS scope and apps configured to install in the system context can be applied to Azure
Virtual Desktop multi-session VMs when assigned to device groups.
Note
Configure user scope policies using Settings catalog and assign to groups of
users. You can use the search bar to search all configurations with scope set to
"user".
Configure PowerShell scripts to install in the user context and assign to users.
Prerequisites
This feature supports Windows 10 or Windows 11 Enterprise multi-session VMs, which
are:
Note
If you're joining session hosts to Azure Active Directory Domain Services, you can't
manage them using Intune.
Important
If you're using Windows 10, versions 2004, 20H2, or 21H1 builds, make sure
that you install the July 2021 Windows Update or a later Windows update.
Otherwise, remote actions in the Microsoft Intune admin center, like remote
sync, won't work correctly. As a result, pending policies assigned to devices
might take up to 8 hours to be applied.
Intune does not currently support token roaming functionality between
devices. If FSLogix, or a similar technology, is used to manage Windows user
profiles and settings, you must ensure that tokens are not unexpectedly
roamed or duplicated across devices. To confirm that you are running a
supported version and configuration of FSLogix with token roaming disabled,
please see the FSLogix RoamIdentity Configuration Settings Reference.
See What is Azure Virtual Desktop? for more information about Azure Virtual Desktop
licensing requirements.
The existing device configuration profile templates aren't supported for Windows 10 or
Windows 11 Enterprise multi-session VMs, except for the following templates:
Trusted certificate - Device (machine) when targeting devices and User when
targeting users
SCEP certificate - Device (machine) when targeting devices and User when
targeting users
PKCS certificate - Device (machine) when targeting devices and User when
targeting users
VPN - Device Tunnel only
To configure policies
1. Sign in to the Microsoft Intune admin center and choose Devices > Windows >
Configuration profiles > Create Profile.
2. For Platform, select Windows 10 and later.
3. For Profile type, select Settings catalog, or, when deploying settings by using a
template, select Templates and then the name of the supported template.
4. Select Create.
5. On the Basics page, provide a Name and (optionally) Description > Next.
6. On the Configuration settings page, select Add settings.
7. Under Settings picker, select Add filter and select the following options:
Key: OS edition
Operator: ==
Value: Enterprise multi-session
Select Apply. The filtered list now shows all configuration profile categories
that support Windows 10 or Windows 11 Enterprise multi-session. The scope
for a policy is shown in parentheses. For user scope it shows as (User) and all
the rest are policies with device scope.
8. From the filtered list, pick the categories that you want.
For each category you pick, select the settings that you want to apply to your
new configuration profile.
For each setting, select the value that you want for this configuration profile.
ADMX-backed policies are supported. Some policies aren't yet available in the
Settings catalog.
ADMX-ingested policies are supported, including Office and Microsoft Edge
settings available in Office administrative template files and Microsoft Edge
administrative template files. For a complete list of ADMX-ingested policy
categories, see Win32 and Desktop Bridge app policy configuration. Some ADMX
ingested settings won't be applicable to Windows 10 or Windows 11 Enterprise
multi-session.
Compliance policy
The following compliance settings are supported for Windows 10 or Windows 11 Enterprise
multi-session VMs:
Minimum OS version
Maximum OS version
Valid operating system builds
Simple passwords
Password type
Minimum password length
Password Complexity
Password expiration (days)
Number of previous passwords to prevent reuse
Microsoft Defender Antimalware
Microsoft Defender Antimalware security intelligence up-to-date
Firewall
Antivirus
Antispyware
Real-time protection
Microsoft Defender Antimalware minimum version
Defender ATP Risk score
You'll need to create a new compliance policy and target it to the device group
containing your multi-session VMs. User-targeted compliance configurations aren't
supported.
Conditional Access policies support both user and device based configurations for
Windows 10 or Windows 11 Enterprise multi-session.
Note
Configuration and compliance policies for BitLocker, Secure Boot, and features
leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time
for Azure Virtual Desktop VMs.
Endpoint security
You can configure profiles under Endpoint security for multi-session VMs by selecting
Platform Windows 10, Windows 11, and Windows Server. If that Platform is not
available, the profile is not supported on multi-session VMs.
For more information, see Manage device security with endpoint security policies in
Microsoft Intune
Application deployment
All Windows 10 or Windows 11 apps can be deployed to Windows 10 or Windows 11
Enterprise multi-session with the following restrictions:
Script deployment
Scripts configured to run in the system context and assigned to devices are supported
on Windows 10 or Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to No.
Scripts configured to run in the user context and assigned to users are supported on
Windows 10 and Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to Yes.
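As an added example (not a script from the page), the following PowerShell is written so the same file can be assigned in either context described above: in the system context (Run this script using the logged on credentials = No) it does device-scoped work, and in the user context (= Yes) it does user-scoped work that stays correct when FSLogix roams the profile between hosts. It assumes that the EditionID registry value "ServerRdsh" identifies the Enterprise multi-session edition, and the Contoso key names are hypothetical.

```powershell
# Added example (not the page's own script): a context-aware deployment script for
# Windows 10/11 Enterprise multi-session hosts.
$ErrorActionPreference = 'Stop'   # an unhandled failure makes the script report as failed

function Get-DeploymentContext {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        RunAs          = $identity.Name
        IsSystem       = ($identity.User.Value -eq 'S-1-5-18')   # well-known SID for LocalSystem
        SessionId      = (Get-Process -Id $PID).SessionId        # 0 for SYSTEM, >0 inside a user session
        EditionId      = $cv.EditionID
        IsMultiSession = ($cv.EditionID -eq 'ServerRdsh')        # assumption: multi-session edition ID
    }
}

$ctx = Get-DeploymentContext

if ($ctx.IsSystem) {
    # Device scope: HKLM, ProgramData and services are shared by every signed-in user on
    # the host, so anything done here must be safe while sessions are active.
    $key = 'HKLM:\SOFTWARE\Contoso\Intune'      # hypothetical key
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'MultiSessionHost' -Value ([int]$ctx.IsMultiSession) -Type DWord
    Set-ItemProperty -Path $key -Name 'ConfiguredAt' -Value (Get-Date).ToString('o')
}
else {
    # User scope: HKCU is this session's user hive only. With FSLogix the hive roams with
    # the profile, so the work must be idempotent and must not assume the host it first
    # ran on (hence no host name is recorded here).
    $key = 'HKCU:\SOFTWARE\Contoso\Intune'      # hypothetical key
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ConfiguredFor' -Value $ctx.RunAs
}

# One-line summary for the script log.
Write-Output ("context={0} session={1} edition={2} multisession={3}" -f
    $(if ($ctx.IsSystem) { 'system' } else { 'user' }), $ctx.SessionId, $ctx.EditionId, $ctx.IsMultiSession)
```

Assign it twice if you need both halves: once to a device group with the logged-on-credentials setting at No, and once to a user group with it at Yes. The IsSystem branch is what runs for the device assignment; the other branch runs once per user session.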
The following settings are available in the catalog, with the links opening the Windows
CSP documentation:
Remote actions
The following Windows 10 or Windows 11 desktop device remote actions aren't
supported and will be grayed out in the UI and disabled in Graph for Windows 10 or
Windows 11 Enterprise multi-session VMs:
Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe
Retirement
Deleting VMs from Azure will leave orphaned device records in the Microsoft Intune
admin center. They'll be automatically cleaned up according to the cleanup rules
configured for the tenant.
Security baselines
Security baselines aren't available for Windows 10 or Windows 11 Enterprise multi-
session at this time. We recommend that you review the Available security baselines and
configure the recommended policies and values in the Settings catalog.
Troubleshooting
The following sections provide troubleshooting guidance for common issues.
Enrollment issues
| Issue | Detail |
| --- | --- |
| Enrollment of Azure AD joined virtual machine fails | The Azure Virtual Desktop agent you're using isn't updated. The agent must be version 1.0.2944.1400 or above. Or, the Azure Virtual Desktop host pool wasn't created through the Azure Resource Manager template. |
Configuration issues
| Issue | Detail |
| --- | --- |
| Settings catalog policy fails | Confirm the VM is enrolled using device credentials. Enrollment with user credentials isn't currently supported for Windows 10 or Windows 11 Enterprise multi-session. |
| Configuration policy didn't apply | Templates (except for Certificates) aren't supported on Windows 10 or Windows 11 Enterprise multi-session. All policies must be created via the settings catalog. |
| Configuration policy reports as Not applicable | Some policies aren't applicable to Azure Virtual Desktop VMs. |
| Microsoft Edge/Microsoft Office ADMX policy doesn't show up when I apply the filter for Windows 10 or Windows 11 Enterprise multi-session edition | Applicability for these settings isn't based on the Windows version or edition but on whether those apps have been installed on the device. To add these settings to your policy, you may have to remove any filters applied in the settings picker. |
| App configured to install in system context didn't apply | Confirm the app doesn't have a dependency or supersedence relationship on any apps configured to install in user context. User context apps aren't currently supported on Windows 10 or Windows 11 Enterprise multi-session. |
| Update rings for Windows 10 and later policy didn't apply | Windows Update for Business policies aren't currently supported. |
Next steps
Learn more about Azure Virtual Desktops.
Network endpoints for Microsoft Intune
Article • 08/10/2023
This article lists IP addresses and port settings needed for proxy settings in your
Microsoft Intune deployments.
Note
The information in this section also applies to the Microsoft Intune Certificate
Connector. The connector has the same network requirements as managed
devices.
The endpoints in this article should be accessible via TCP ports 80 and 443, via
whatever method you use to allow access. Windows Information Protection uses
port 444.
For some tasks, Intune requires unauthenticated proxy server access to
manage.microsoft.com, *.azureedge.net, and graph.microsoft.com.
Note
Allow HTTP Partial response is required for Scripts & Win32 Apps endpoints.
You can modify proxy server settings on individual client computers. You can also use
Group Policy settings to change settings for all client computers located behind a
specified proxy server.
Managed devices require configurations that let All Users access services through
firewalls.
To make it easier to configure services through firewalls, Intune is onboarded to the
Office 365 IP Address and URL web service. At this time, the Intune service area is
retrieved with a PowerShell script. Other services that Intune depends on are already
covered by the Microsoft 365 service entries and are marked as 'required'; services
already covered by Microsoft 365 aren't repeated in the script, to avoid duplication.
By using the following PowerShell script, you can retrieve the list of IP addresses for
the Intune service. It returns the same list as the subnets shown in the IP address
table below.
PowerShell
By using the following PowerShell script, you can retrieve the list of FQDNs used by
Intune and dependent services.
PowerShell
The script provides a convenient method to list and review all services required by
Intune and Autopilot in one location. Additional properties can be returned from the
endpoint service such as the category property, which indicates whether the FQDN or IP
should be configured as Allow, Optimize or Default.
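As an added example (not the script from the page), the following PowerShell queries the Office 365 IP Address and URL web service for the Intune service area, keeps the category property the paragraph above mentions, and flattens the result into the IP-range and FQDN lists a firewall or proxy administrator needs. It assumes outbound HTTPS to endpoints.office.com is allowed and that the Intune service area is named MEM in that service; confirm both against the Office 365 endpoint documentation.

```powershell
# Added example (not from the page): pull the Intune endpoints from the Office 365
# IP Address and URL web service and summarise them by category.
function Get-IntuneEndpoints {
    [CmdletBinding()]
    param(
        [string]$Instance    = 'Worldwide',   # other instances exist for sovereign clouds
        [string]$ServiceArea = 'MEM'          # assumption: service area name used for Intune
    )
    # The service wants a unique clientrequestid per caller; a fresh GUID is enough.
    $clientRequestId = [guid]::NewGuid().Guid
    $uri = "https://endpoints.office.com/endpoints/$Instance?ServiceAreas=$ServiceArea&clientrequestid=$clientRequestId"
    $entries = Invoke-RestMethod -Uri $uri -Method Get -ErrorAction Stop

    foreach ($entry in ($entries | Where-Object { $_.serviceArea -eq $ServiceArea })) {
        [pscustomobject]@{
            Id       = $entry.id
            Category = $entry.category    # Optimize, Allow or Default
            Required = $entry.required
            TcpPorts = $entry.tcpPorts
            UdpPorts = $entry.udpPorts
            Urls     = @($entry.urls)
            Ips      = @($entry.ips)
            Notes    = $entry.notes
        }
    }
}

$endpoints = Get-IntuneEndpoints

# The two lists most allow-list reviews start from.
$ips   = $endpoints | ForEach-Object { $_.Ips }  | Sort-Object -Unique
$fqdns = $endpoints | ForEach-Object { $_.Urls } | Sort-Object -Unique
"Intune IP ranges ($($ips.Count)):";   $ips
"Intune FQDNs ($($fqdns.Count)):";     $fqdns

# Entries flagged required in the Optimize or Allow categories are the ones to handle
# first when deciding what bypasses proxy inspection.
$endpoints |
    Where-Object { $_.Required -and $_.Category -in 'Optimize', 'Allow' } |
    Select-Object Id, Category, TcpPorts, @{ n = 'Urls'; e = { $_.Urls -join ', ' } } |
    Format-Table -AutoSize
```

Compare the IP output with the table below after each change to your firewall rules; the web service is the authoritative source and the published table lags it.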
You'll also need FQDNs that are covered as part of Microsoft 365 Requirements. For
reference, the following table is the list of URLs returned, and the service they're tied to.
intunecdnpeasd.azureedge.net
The following tables list the ports and services that the Intune client accesses:
Domains: *.manage.microsoft.com, manage.microsoft.com
IP address ranges:
104.46.162.96/27
13.67.13.176/28
13.67.15.128/27
13.69.231.128/28
13.69.67.224/28
13.70.78.128/28
13.70.79.128/27
13.71.199.64/28
13.73.244.48/28
13.74.111.192/27
13.77.53.176/28
13.86.221.176/28
13.89.174.240/28
13.89.175.192/28
20.189.172.160/27
20.189.229.0/25
20.191.167.0/25
20.37.153.0/24
20.37.192.128/25
20.38.81.0/24
20.41.1.0/24
20.42.1.0/24
20.42.130.0/24
20.42.224.128/25
20.43.129.0/24
20.44.19.224/27
20.49.93.160/27
20.192.174.216/29
20.192.159.40/29
20.204.193.12/30
20.204.193.10/31
40.119.8.128/25
40.67.121.224/27
40.70.151.32/28
40.71.14.96/28
40.74.25.0/24
40.78.245.240/28
40.78.247.128/27
40.79.197.64/27
40.79.197.96/28
40.80.180.208/28
40.80.180.224/27
40.80.184.128/25
40.82.248.224/28
40.82.249.128/25
52.150.137.0/25
52.162.111.96/28
52.168.116.128/27
52.182.141.192/27
52.236.189.96/27
52.240.244.160/27
To find your tenant location (or Azure Scale Unit (ASU)), sign in to the Microsoft Intune
admin center , choose Tenant administration > Tenant details. The location is under
Tenant location as something like North America 0501 or Europe 0202. Look for the
matching number in the following table. That row will tell you which storage name and
CDN endpoints to grant access to. The rows are differentiated by geographic region, as
indicated by the first two letters in the names (na = North America, eu = Europe, ap =
Asia Pacific). Your tenant location is one of these three regions although your
organization’s actual geographic location might be elsewhere.
AMSUB0501
AMSUB0502
AMSUB0601
AMSUB0701
Microsoft Store
Managed Windows devices using the Microsoft Store – either to acquire, install, or
update apps – will need access to these endpoints.
displaycatalog.md.mp.microsoft.com
purchase.md.mp.microsoft.com
licensing.mp.microsoft.com
storeedgefd.dsx.mp.microsoft.com
Win32 content download locations and endpoints are unique per application and are
provided by the external publisher. You can find the location for each Win32 Store app
using the following command on a test system (you can obtain the [PackageId] for a
Store app by referencing the Package Identifier property of the app after adding it to
Microsoft Intune):
The Installer Url property will either show the external download location or the region-
based (Microsoft-hosted) fallback cache based on whether the cache is in-use. Note that
the content download location can change between the cache and external location.
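The page's own command isn't reproduced above, so the following PowerShell is an added example of the same lookup: it runs winget's show subcommand for each package, parses the Installer Url line, and reduces the results to the distinct hosts to allow. It assumes the winget CLI is present on the test system and that its output includes an "Installer Url:" line; the package IDs are placeholders to replace with the Package Identifier shown on each app in Intune.

```powershell
# Added example (not the page's own command): resolve the installer host for each
# Microsoft Store Win32 app so it can be allowed through the firewall or proxy.
function Get-StoreWin32InstallerHost {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string]$PackageId)
    process {
        $output  = & winget show --id $PackageId --exact --accept-source-agreements 2>&1
        $urlLine = $output | Where-Object { "$_" -match 'Installer Url:' } | Select-Object -First 1
        if (-not $urlLine -or "$urlLine" -notmatch 'Installer Url:\s*(\S+)') {
            # Packages without a Win32 installer (e.g. MSIX delivered by the Store) have none.
            return [pscustomobject]@{ PackageId = $PackageId; Host = $null; Scheme = $null; InstallerUrl = $null }
        }
        $uri = [uri]$Matches[1]
        [pscustomobject]@{
            PackageId    = $PackageId
            Host         = $uri.Host
            Scheme       = $uri.Scheme         # anything other than https deserves a second look
            InstallerUrl = $uri.AbsoluteUri
        }
    }
}

# Placeholder inputs: replace with the Package Identifier values from your Intune apps.
$packageIds = '7zip.7zip', 'Notepad++.Notepad++'
$results = $packageIds | Get-StoreWin32InstallerHost
$results | Format-Table -AutoSize

# Distinct hosts to allow-list. Re-run periodically: as the page notes, the location can
# move between the publisher's site and the Microsoft-hosted fallback cache.
$results | Where-Object Host | Select-Object -ExpandProperty Host -Unique
```

Keep the Microsoft-hosted fallback cache hosts in the allow-list alongside the publisher hosts this reports, since a single run only shows whichever location is in use at that moment.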
Microsoft-hosted Win32 app fallback cache:
Delivery Optimization (optional, required for peering): For details, see the following
resource:
If firewall policies prevent access to the Microsoft Azure Attestation (MAA) service that
Intune uses for Windows 11, then Windows 11 devices with assigned compliance policies
that use any of the device health settings (BitLocker, Secure Boot, Code Integrity) fall
out of compliance, because they can't reach the MAA attestation endpoints for their
location. Ensure there are no firewall rules blocking outbound HTTPS (443) traffic to the
endpoints listed in this section for your Intune tenant's location. To find your tenant
location, go to the Intune admin center > Tenant administration > Tenant status > Tenant
details, and see Tenant location.
https://intunemaape1.eus.attest.azure.net
https://intunemaape2.eus2.attest.azure.net
https://intunemaape3.cus.attest.azure.net
https://intunemaape4.wus.attest.azure.net
https://intunemaape5.scus.attest.azure.net
https://intunemaape6.ncus.attest.azure.net
https://intunemaape7.neu.attest.azure.net
https://intunemaape8.neu.attest.azure.net
https://intunemaape9.neu.attest.azure.net
https://intunemaape10.weu.attest.azure.net
https://intunemaape11.weu.attest.azure.net
https://intunemaape12.weu.attest.azure.net
https://intunemaape13.jpe.attest.azure.net
https://intunemaape17.jpe.attest.azure.net
https://intunemaape18.jpe.attest.azure.net
https://intunemaape19.jpe.attest.azure.net
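The following PowerShell is an added example, not part of the page, for checking the failure mode described above before devices start falling out of compliance. It opens TCP 443 to each MAA endpoint for a tenant location and completes a TLS handshake, so you can also see whether an inspecting proxy is substituting its own certificate (which breaks attestation just as a block would). The West Europe hostnames are copied from the list above; the issuer-name heuristic at the end is an assumption, not a documented contract.

```powershell
# Added example (not from the page): reachability and TLS check for the Intune MAA
# attestation endpoints of one tenant location.
function Test-IntuneMaaEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$Uri,
        [int]$TimeoutMs = 5000
    )
    process {
        $hostName = ([uri]$Uri).Host
        $result = [ordered]@{ Host = $hostName; TcpOpen = $false; TlsOk = $false; Issuer = $null; Error = $null }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $connect = $client.BeginConnect($hostName, 443, $null, $null)
            if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                throw "TCP connect to ${hostName}:443 timed out after $TimeoutMs ms"
            }
            $client.EndConnect($connect)
            $result.TcpOpen = $true

            # Let .NET validate the chain. A TLS-inspecting proxy that re-signs with a
            # private CA either fails here or shows that CA as the issuer.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($hostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.TlsOk  = $ssl.IsAuthenticated
            $result.Issuer = $cert.Issuer
            $ssl.Dispose()
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        finally {
            $client.Dispose()
        }
        [pscustomobject]$result
    }
}

# Constructed input: the West Europe entries from the list above. Use the rows for
# your own tenant location.
$maaEndpoints = @(
    'https://intunemaape10.weu.attest.azure.net'
    'https://intunemaape11.weu.attest.azure.net'
    'https://intunemaape12.weu.attest.azure.net'
)

$report = $maaEndpoints | Test-IntuneMaaEndpoint
$report | Format-Table -AutoSize

# Anything without TcpOpen/TlsOk, or whose issuer is not one of the public CAs Microsoft
# uses for azure.net (heuristic), is a firewall or proxy problem that will push
# device-health compliance to non-compliant.
$report | Where-Object { -not $_.TlsOk -or $_.Issuer -notmatch 'Microsoft|DigiCert' }
```

Run it from a device on the same network path the managed devices use, not from an administrator's workstation with different proxy rules.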
Port requirements
For peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP or 3544 for NAT
traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS
over port 80/443.
Proxy requirements
To use Delivery Optimization, you must allow Byte Range requests. For more
information, see Proxy requirements for Windows Update.
Firewall requirements
Allow the following hostnames through your firewall to support Delivery Optimization.
For communication between clients and the Delivery Optimization cloud service:
*.do.dsp.mp.microsoft.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com
For more information, see Use Apple products on enterprise networks, TCP and UDP
ports used by Apple software products, About macOS, iOS/iPadOS, and iTunes server
host connections and iTunes background processes, and If your macOS and
iOS/iPadOS clients aren't getting Apple push notifications.
Because Google Mobile Services isn't available in China, devices in China managed
by Intune can't use features that require Google Mobile Services. These features
include: Google Play Protect capabilities such as SafetyNet device attestation,
Managing apps from the Google Play Store, Android Enterprise capabilities (see this
Google documentation ). Additionally, the Intune Company Portal app for
Android uses Google Mobile Services to communicate with the Microsoft Intune
service. Because Google Play services isn't available in China, some tasks can
require up to 8 hours to finish. For more information, see this article.
Android (AOSP)
Endpoint analytics
For more information on the required endpoints for endpoint analytics, see Endpoint
analytics proxy configuration.
Allow the following hostnames through your firewall to support Security Management
for Defender for Endpoint. For communication between clients and the cloud service:
Related topics
Office 365 URLs and IP address ranges
Other endpoints not included in the Office 365 IP Address and URL Web service
Managing Office 365 endpoints
China endpoints for Microsoft Intune
Article • 04/05/2023
This page lists the China endpoints needed for proxy settings in your Intune
deployments.
To manage devices behind firewalls and proxy servers, you must enable communication
for Intune.
The proxy server must support both HTTP (80) and HTTPS (443) because Intune
clients use both protocols
For some tasks (like downloading software updates), Intune requires
unauthenticated proxy server access to manage.microsoft.com
You can modify proxy server settings on individual client computers. You can also use
Group Policy settings to change settings for all client computers located behind a
specified proxy server.
Managed devices require configurations that let All Users access services through
firewalls.
For more information about Windows 10 auto-enrollment and device registration for
U.S. customers, see Windows auto enrollment and device registration .
The following tables list the ports and services that the Intune client accesses:
| Endpoint | IP address |
| --- | --- |
| *.manage.microsoftonline.cn | 40.73.38.143, 139.217.97.81, 52.130.80.24, 40.73.41.162, 40.73.58.153, 139.217.95.85 |

| Azure Scale Unit (ASU) | Storage name | CDN endpoint |
| --- | --- | --- |
| CNPASU01 | sovereignprodimedatapri | sovereignprodimedatapri.azureedge.net |
| CNPASU01 | sovereignprodimedatasec | sovereignprodimedatasec.azureedge.net |
| CNPASU01 | sovereignprodimedatahotfix | sovereignprodimedatahotfix.azureedge.net |

Apple hostnames:
*.mzstatic.com
*.phobos.apple.com
*.phobos.itunes-apple.com.akadns.net
Next steps
Learn more about Intune operated by 21Vianet in China
Intune operated by 21Vianet in China
Article • 02/21/2023
Intune operated by 21Vianet is designed to meet the needs for secure, reliable, and
scalable cloud services in China. Intune as a service is built on top of Microsoft Azure.
Microsoft Azure operated by 21Vianet is a physically separated instance of cloud
services located in China. It's independently operated and transacted by 21Vianet. This
service is powered by technology that Microsoft has licensed to 21Vianet.
Microsoft doesn't operate the service itself. 21Vianet operates, provides, and manages
delivery of the service. 21Vianet is an Internet data center services provider in China. It
provides hosting, managed network services, and cloud computing infrastructure
services. By licensing Microsoft technologies, 21Vianet operates local datacenters to
provide you the ability to use Intune service while keeping your data within China.
21Vianet also provides your subscription, billing, and support services.
Note
If you're interested in viewing or deleting personal data, please see the Azure Data
Subject Requests for the GDPR article. If you're looking for general info about
GDPR, see the GDPR section of the Service Trust portal .
With Microsoft Azure, Intune, Microsoft 365, and Power BI operated by 21Vianet, you’re
the owner of your data:
Using the Azure Active Directory Admin Center, a Tenant Administrator can
permanently delete a data subject from Azure Active Directory and related
services. For more information, see Azure Data Subject Requests - Delete
System-generated logs for Microsoft services operated by 21Vianet can be
exported by Tenant Administrators using the Data Log Export. For more
information, see Azure Data Subject Requests - Export.
Next steps
Learn more about Intune supported configurations
Migration guide: Set up or move to
Microsoft Intune
Article • 04/20/2023
After you've planned for the move to Microsoft Intune, the next step is to choose the
migration approach that's right for your organization. These decisions depend on your
current mobile device management (MDM) environment, business goals, and technical
requirements.
This migration guide lists and describes your options to adopt or move to Intune, which
include:
Use this guide to determine the best migration approach, and get some guidance &
recommendations.
Tip
This guide is a living document, so be sure to add or update tips and guidance
you've found helpful.
As a companion to this article, the Microsoft 365 admin center also has some
setup guidance. The guide customizes your experience based on your
environment. At Microsoft Intune setup guide , sign in with the Global
Reader (at a minimum) to access the deployment guides. For more
information on these deployment guides and the roles needed, go to
Advanced deployment guides for Microsoft 365 and Office 365 products.
Microsoft Intune: If you want a cloud solution and are ready for full device
management, go straight to Intune. You can use Intune to check for
compliance, configure device features, deploy apps, and install system & app
updates. You also get the benefits of the Microsoft Intune admin center, which is a
web-based console.
App protection policies overview
Get started with Intune
Step 1 - Set up Intune
Step 2 - Add, configure, and protect apps with Intune
Step 3 – Plan for compliance policies
Step 4 - Create device configuration profiles to secure devices
Step 5 - Enroll devices
Users must unenroll their devices from the current MDM provider before they enroll in
Intune.
2. Deploy apps and create app protection policies. The idea is to help protect
organization data in your apps during the migration and until devices are enrolled
& managed by Intune.
For more information, go to Step 2 - Add, configure, and protect apps with Intune.
When devices are unenrolled, they aren't receiving your policies, including policies
that provide protection. They're vulnerable until they enroll in Intune and start
receiving your new policies.
Give users specific unenroll steps. Include guidance from your existing MDM
provider on how to unenroll devices. Clear and helpful communication minimizes
end user downtime, dissatisfaction, and helpdesk calls.
4. Optional, but recommended. If you have Azure AD Premium, also use conditional
access to block devices until they enroll in Intune.
Important
Don't configure Intune and any existing third party MDM solution simultaneously
to apply access controls to resources, including Exchange or SharePoint.
Recommendations:
If you're moving from a partner MDM/MAM provider, note the tasks you're
running and the features you use. This information gives you an idea of which tasks
you also need to set up in Intune.
Use a phased approach. Start with a small group of pilot users, and add more
groups until you reach full scale deployment.
Monitor the helpdesk load and enrollment success of each phase. Leave time in
the schedule to evaluate success criteria for each group before migrating the next
group.
User productivity:
Corporate resources are working, including VPN, Wi-Fi, email, and
certificates.
Deployed apps are accessible.
Data security:
Review compliance reports, and look for common issues and trends.
Communicate issues, resolutions, and trends with your help desk.
Mobile app protections are applied.
When you're satisfied with the first phase of migrations, repeat the migration cycle
for the next phase.
Repeat the phased cycles until all users are migrated to Intune.
Confirm the helpdesk is ready to support end users throughout the migration.
Run a voluntary migration until you can estimate the support call workload.
Don't set deadlines for enrollment until your helpdesk can handle all remaining
users.
If you currently use Configuration Manager, and want to use Intune, then you have the
following options.
Helpful information:
What is co-management?
Co-management workloads
Switch Configuration Manager workloads to Intune
Configuration Manager product and licensing FAQ
These steps are an overview, and are only included for those users who want a 100%
cloud solution. With this option, you:
This option is more work for administrators, but can create a more seamless experience
for existing Windows client devices. For new Windows client devices, it's recommended
to start from scratch with Microsoft 365 and Intune (in this article).
1. Set up hybrid Active Directory and Azure AD for your devices. Hybrid Azure AD
joined devices are joined to your on-premises Active Directory, and registered with
your Azure AD. When devices are in Azure AD, they're also available to Intune.
Hybrid Azure AD join supports Windows devices. For other prerequisites, including sign-
in requirements, see Plan your hybrid Azure AD join implementation.
5. On the devices, uninstall the Configuration Manager client. For more information,
see uninstall the client.
Once Intune is set up, you can create an Intune app configuration policy that
uninstalls the Configuration Manager client. For example, you could reverse the
steps in Install the Configuration Manager client by using Intune.
1. Uninstall the Configuration Manager client. When you uninstall, the devices
aren't receiving your policies, including policies that provide protection.
They're vulnerable until they enroll in Intune and start receiving your new
policies.
2. Enroll the devices in Intune to receive policies.
To help minimize vulnerabilities, move macOS devices after Intune is set up, and
when your enrollment policies are ready to be deployed.
1. Deploy Microsoft 365, including creating users and groups. Don't use or configure
Microsoft 365 Basic Mobility and Security.
Helpful links:
Specifically:
On Android devices, these profiles use the Android Management API and EMM
API.
On Apple devices, these profiles use the Device management payloads.
On Windows devices, these profiles use the Windows configuration service
providers (CSPs).
When moving devices from group policy, use Group policy analytics. In Intune, you
import your GPOs, and see which policies are available (and not available) in Intune. For
the policies that are available in Intune, you can create a settings catalog policy using
the settings you imported. For more information on this feature, go to Create a Settings
Catalog policy using your imported GPOs in Microsoft Intune.
For more information, go to Migrate from Microsoft 365 Basic Mobility and Security to
Intune.
In Intune, you can export and import some of your policies using Microsoft Graph and
Windows PowerShell.
For example, you create a Microsoft Intune trial subscription. In this subscription trial
tenant, you have policies that configure apps and features, check compliance, and more.
You'd like to move these policies to another tenant.
This section shows how to use the Microsoft Graph scripts for a tenant-to-tenant
migration, and lists some policy types that can or can't be exported.
Important
These steps use the Intune beta Graph samples on GitHub. The sample
scripts make changes to your tenant. They're available as-is, and should be
validated using a non-production or "test" tenant account. Be sure the scripts
meet your organization security guidelines.
The scripts don't export and import every policy, such as certificate profiles.
Expect to do more tasks than what's available in these scripts. You will have to
recreate some policies.
To migrate a user's device, the user must unenroll the device from the old
tenant, and then re-enroll in the new tenant.
1. Download the samples, and use Windows PowerShell to export your policies:
b. Open the Windows PowerShell app as administrator, and change the directory
to your folder. For example, enter the following command:
cd C:\psscripts\powershell-intune-samples-master
Install-Module AzureAD
Select Y to install the module from an untrusted repository. The install can take
a few minutes.
d. Change the directory to the folder with the script you want to run. For example,
change the directory to the CompliancePolicy folder:
cd C:\psscripts\powershell-intune-samples-master\powershell-intune-samples-master\CompliancePolicy
e. Run the export script. For example, enter the following command:
.\CompliancePolicy_Export.ps1
Sign in with your account. When prompted, enter the path to put the policies.
For example, enter:
C:\psscripts\ExportedIntunePolicies\CompliancePolicies
a. Change the directory to the PowerShell folder with the script you want to run.
For example, change the directory to the CompliancePolicy folder:
cd C:\psscripts\powershell-intune-samples-master\powershell-intune-samples-master\CompliancePolicy
b. Run the import script. For example, enter the following command:
.\CompliancePolicy_Import_FromJSON.ps1
Sign in with your account. When prompted, enter the path to the policy .json
file you want to import. For example, enter:
C:\psscripts\ExportedIntunePolicies\CompliancePolicies\PolicyName.json
3. Sign in to the Intune admin center. The policies you imported are shown.
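The article notes that profiles tied to a root certificate can't be imported into a new tenant because the certificate's object ID differs there. As an added example, not part of this article or of the GitHub sample scripts, the following PowerShell reads the .json files written by the export step and reports which policies carry such a tenant-bound reference, so you know which ones to recreate by hand before you start importing. It assumes one Microsoft Graph resource per exported file (so each carries displayName and @odata.type) and uses the export folder from the steps above; the check itself, a property whose name contains "certificate" and whose value is a GUID, is this example's heuristic, not a documented Graph contract.

```powershell
# Added example: triage exported Intune policy JSON before a tenant-to-tenant import.
# Not part of the Intune docs or the powershell-intune-samples scripts.
# Assumption: each .json file under $ExportPath is one Graph resource as written by
# the *_Export.ps1 scripts, so it has displayName and @odata.type properties.

param(
    [string]$ExportPath = 'C:\psscripts\ExportedIntunePolicies'
)

# Heuristic (this example's own, not a Graph guarantee): a certificate-named property
# holding a GUID is an object reference that will not exist in the destination tenant.
$guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

function Find-TenantBoundReference {
    param(
        [AllowNull()] $Node,
        [string] $Path = ''
    )
    # Walk the parsed JSON tree and emit the property paths that match the heuristic.
    if ($null -eq $Node) { return }
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($prop in $Node.PSObject.Properties) {
            $childPath = if ($Path) { "$Path.$($prop.Name)" } else { $prop.Name }
            if ($prop.Name -match 'certificate' -and
                $prop.Value -is [string] -and
                $prop.Value -match $guidPattern) {
                $childPath
            }
            Find-TenantBoundReference -Node $prop.Value -Path $childPath
        }
    }
    elseif ($Node -is [System.Collections.IEnumerable] -and $Node -isnot [string]) {
        $i = 0
        foreach ($item in $Node) {
            Find-TenantBoundReference -Node $item -Path "${childPath}[$i]"
            $i++
        }
    }
}

$report = Get-ChildItem -Path $ExportPath -Filter '*.json' -Recurse | ForEach-Object {
    $policy = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
    $refs   = @(Find-TenantBoundReference -Node $policy)
    [pscustomobject]@{
        File        = $_.Name
        DisplayName = $policy.displayName
        Type        = $policy.'@odata.type'
        Portable    = ($refs.Count -eq 0)
        TenantBound = ($refs -join '; ')
    }
}

# Portable = False marks profiles (SCEP, or email/VPN/Wi-Fi with a root certificate)
# that the import scripts can't carry over; recreate those in the destination tenant.
$report | Sort-Object Portable, Type | Format-Table -AutoSize
```

Run it after the export step and before any import; rows with Portable set to False are the profiles to rebuild manually in the new tenant, and TenantBound tells you which property triggered the flag.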
Policy or profile type / Export / Import / Information

Applications

Android line-of-business apps
  Import: ❌
  To add your LOB app to a new tenant, you also need the original .apk
  application source files.

Apple Volume Purchase Program (VPP) apps
  Export: ❌  Import: ❌
  These apps are synced with the Apple VPP. In the new tenant, you add your VPP
  token, which shows your available apps.

iOS/iPadOS line-of-business apps
  Export: ❌  Import: ❌
  To add your LOB app to a new tenant, you also need the original .ipa
  application source files.

Managed Google Play apps
  Export: ❌
  These apps and weblinks are synced with Managed Google Play. In the new
  tenant, you add your Managed Google Play account, which shows your available
  apps.

Microsoft Store for Business apps
  Export: ❌
  These apps are synced with the Microsoft Store for Business. In the new tenant,
  you add your Microsoft Store for Business account, which shows your available
  apps.

Win32 apps
  Import: ❌
  To add your LOB app to a new tenant, you also need the original .intunewin
  application source files.

Compliance policies

Non-compliance actions
  Import: ❌
  It's possible there could be a link to an e-mail template. When you import a
  policy that has non-compliance actions, the default actions for non-compliance
  are added instead.

Assignments
  Export: ✔️  Import: ❌

Configuration profiles

Email
  Export: ✔️
  Import: ✔️ If an email profile doesn't use certificates, then the import should work.
  ❌ If an email profile uses a root certificate, then the profile can't be imported
  to a new tenant. The root certificate ID is different in a new tenant.

SCEP certificate
  Export: ✔️  Import: ❌
  SCEP certificate profiles use a root certificate. The root certificate ID is different
  in a new tenant.

VPN
  Export: ✔️
  Import: ✔️ If a VPN profile doesn't use certificates, then the import should work.
  ❌ If a VPN profile uses a root certificate, then the profile can't be imported to a
  new tenant. The root certificate ID is different in a new tenant.

Wi-Fi
  Export: ✔️
  Import: ✔️ If a Wi-Fi profile doesn't use certificates, then the import should work.
  ❌ If a Wi-Fi profile uses a root certificate, then the profile can't be imported to
  a new tenant. The root certificate ID is different in a new tenant.

Assignments
  Export: ✔️  Import: ❌

Endpoint security

Endpoint detection and response
  Export: ❌
  This policy is linked to Microsoft Defender for Endpoint. In the new tenant, you
  configure Microsoft Defender for Endpoint, which automatically includes the
  Endpoint detection and response policy.
Next steps
Get started with Intune
Enrollment deployment guides
Migrate from Microsoft 365 Basic Mobility and Security to Intune
Article • 03/07/2023
Microsoft 365 includes a basic set of policies that protect devices and protect Microsoft
365 apps, like Outlook. These policies are managed in the Microsoft 365 Defender portal
and are called Basic Mobility and Security. For more information on what Basic Mobility
and Security offers, go to Capabilities of Basic Mobility and Security.
You can migrate from Basic Mobility and Security to Microsoft Intune. Migrating to
Intune requires the following major steps:
1. Prepare:
Review your Intune licenses, Basic Mobility and Security policies, group
memberships, and devices to streamline the migration.
Use the Migration evaluation in the Microsoft Intune admin center. The output
shows Intune policy and group recommendations that replace the Basic Mobility
and Security policies.
Assign licenses to users or groups, which will automatically switch the users to
Intune device management at the next refresh cycle.
This article will help you migrate your mobile device management (MDM) from
Microsoft 365 Basic Mobility and Security to Microsoft Intune.
Test the steps in this article on a test group of users whose devices are enrolled in
Basic Mobility and Security. Confirm that the policies behave as you expect.
After you migrate to Intune, the existing device security policies deployed with
Basic Mobility and Security are permanently frozen.
Assigning Intune licenses impacts the migration process. The license assignment
controls the migration of devices from Basic Mobility and Security to Intune.
Users with Intune licenses already assigned can start receiving policies
immediately, possibly sooner than you expect. Policies can apply even if the
users or devices weren't previously managed by Basic Mobility and Security.
If you want to prevent this behavior, you can unassign the Intune licenses before
the migration. You can also create separate groups to help manage when the
policies are deployed:
Group 1: Users with Intune licenses already assigned
Group 2: Users without Intune licenses assigned
Then, you can assign the migrated Basic Mobility and Security device security
policies to users who aren't assigned Intune licenses.
Step 1 - Prepare
Before you migrate from Basic Mobility and Security device management to Intune
device management:
1. Be sure you have enough Intune licenses to cover all your users managed by Basic
Mobility and Security.
2. Review the device security policies in the Microsoft 365 Defender portal. Delete
any policies that are no longer needed. Deleting unneeded policies reduces the
number of recommendations created by the Intune migration evaluation. The idea
is to have fewer recommendations to review after the migration evaluation.
3. Review the membership of groups that are currently assigned device security
policies.
If these groups include users that are already licensed for Intune, then they can get
policies assigned sooner than expected. For more information on the impact of
existing Intune licenses, go to Before you begin (in this article).
4. Review the types of devices currently enrolled in Basic Mobility and Security.
Unsupported OS versions and variants may continue to work, but they won’t be
supported if migrated to Intune.
Settings applied to unsupported operating systems won’t be moved to Intune. And
if the user is already licensed for Intune, then their devices will lose any
configuration set by device security policies in the Microsoft 365 Defender portal.
5. Before migration:
Don’t assign Intune licenses to users whose devices are managed by Basic
Mobility and Security.
Don't assign Intune licenses to enable app protection policies, also known as
mobile application management (MAM).
Only assign Intune licenses to users after the policy migration is complete. For
more information on the impact of Intune licenses, go to Before you begin (in this
article).
6. You may have to create new Intune policies to replace Basic Mobility and Security
policies. For more information on a minimum base set of policies, go to Get started
with Intune.
After the migration evaluation process activates, you can't make changes to your device
security policies in the Microsoft 365 Defender portal. The existing Basic Mobility and
Security policies are still enforced, but changes to these existing policies aren't saved.
Important
If you have any of the following products or services, contact the support team
before you proceed:
The tool can migrate your existing Basic Mobility and Security device security policies to
Intune as compliance policies and device configuration profiles. It also makes
recommendations for which groups the new policies should be assigned to.
These Intune recommendations are designed to replicate the Basic Mobility and Security
policies. You need to review these recommendations to make sure they reflect the old
policies.
To evaluate and migrate policies from Basic Mobility and Security to Intune:
1. Complete the steps in the Step 1 - Prepare section (in this article).
2. Open the Migration evaluation > select Start. It will take a few minutes to
complete the evaluation.
Note
If you navigate away from the Migration evaluation, the only way to
return is to open the Migration evaluation link again.
After you start the migration evaluation, you can't create new or edit
existing device security policies in the Microsoft 365 Defender portal.
3. Select Recommendations.
This page displays the Intune policy recommendations based on your Basic
Mobility and Security policies. The recommendations are read only and can't be
changed.
The name of each recommendation has a prefix based on the Basic Mobility and
Security policy name. You need to review each item in the list, like the following
example:
Not all device settings correspond exactly to Intune settings and values. So,
they can’t be moved with precise one-to-one mapping. You need to review
and possibly adjust these settings.
The conditional access (CA) settings that control the Office 365 services are
the same CA policies in Azure Active Directory. So, you don’t need to review
or make changes to them unless you want to.
4. Select an item in the list. The Compliance policy recommendation overview page
opens. Review the instructions.
6. If you want to implement the recommended policy, then select Open policy. The
policy page opens and the Intune policy is created. You can change or update the
migrated policies.
Note
If you delete the policy, the Open policy link from the recommendation page
won’t work.
At this point, the policy is created, but it’s not doing anything yet. The next step is to
assign the policy to the recommended groups or other groups you choose.
1. Assign the recommended groups to the policy. Select Open policy > Properties >
Edit (next to Assignments) > use the assignments workflow to assign the groups.
When you assign groups, your newly migrated Intune policies replace the device
settings configured in Basic Mobility and Security. If you don’t assign the groups,
then devices managed by Basic Mobility and Security could lose settings and email
configuration when their users are licensed for Intune. Remember, the Intune
license assignment is a key step in the migration of devices from Basic Mobility
and Security to Intune device management.
For more information on the impact of existing Intune licenses, go to Before you
begin (in this article).
2. Sign in to the Microsoft Intune admin center with Azure AD Global or License
administrator rights.
Users with existing Intune licenses are immediately moved to Intune and the
newly migrated policies are applied at the next Intune refresh cycle.
For users without Intune licenses, coexistence is the second step in the
migration process. They'll be moved to Intune in the next step.
4. For users without Intune licenses, assign Intune licenses to the users you want to
migrate. Your options:
At the next Intune device refresh cycle, the devices will automatically switch to Intune
management and the new policies will start affecting user devices.
When you complete the migration, your migrated policies are in Microsoft Intune
admin center. The new policies include compliance policies, device configuration
profiles, and conditional access policies. The new policies are in the following
locations:
Compliance policies: Microsoft Intune admin center > Devices > Compliance policies.
Specify the device settings as access requirements.
Configuration profiles: Microsoft Intune admin center > Devices > Configuration profiles.
Specify other settings that aren't part of the access requirements, including email profiles.
Known issues
Workaround: If this setting was enabled in the Basic Mobility and Security policy, then
this setting must be manually added to Intune device configuration profiles. For more
information on the similar settings you can configure in Intune, go to:
Next steps
What is Intune?
Get started with Intune
Access requirements policy mapping from Basic Mobility and Security to Intune
Article • 02/22/2023
This article provides mapping details from Basic Mobility and Security to Intune.
Specifically, this page maps Office 365 Security and Compliance portal Access
Requirement policies to the equivalent policies in the Microsoft Intune admin center.
Because Intune offers more flexibility, each Office policy will translate into multiple
Intune and Azure Active Directory (Azure AD) policies to achieve the same result.
If you’re migrating from Basic Mobility and Security to Intune, you can use the Migration
evaluation tool to automate much of this mapping.
To see these settings in the Office 365 Security and Compliance portal, sign in to the
portal at https://protection.office.com/devicev2 and under the list of Device security
policies select policy name > Edit policy > Access Requirements.
Important
The If a device doesn't meet the requirements above, then... setting determines if
you should use Intune compliance policies or configuration profiles for all access
requirement settings. Make sure to review the details for this setting first.
Require a password
Note
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Require a password to unlock
mobile devices
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Require a password to unlock
mobile devices
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Require a password to unlock
mobile devices
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Simple passwords
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Simple passwords
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type.
If Prevent simple passwords is selected, choose Numeric complex, Alphabetic,
Alphanumeric, or Alphanumeric with symbols (based on other Office settings).
If Prevent simple passwords isn't selected, choose Numeric or a higher type in
the list (based on other Office settings).
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Required password type
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Required password type
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type.
If Prevent simple passwords is selected, choose Numeric complex, Alphabetic,
Alphanumeric, or Alphanumeric with symbols (based on other Office settings).
If Prevent simple passwords isn't selected, choose Numeric or a higher type in
the list (based on other Office settings).
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Password complexity.
Office value 1: Require digits and lowercase letters. The Windows compliance policy doesn't
allow only one character set, so an Office setting of 1 translates to Require digits
and lowercase letters.
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Number of non-alphanumeric
characters in password. The iOS compliance policy doesn’t enforce the number of
character sets but only the number of non-alphanumeric characters that must be
used. So Office values are translated to the same number of non-alphanumeric
characters required.
Office value   Intune value (non-alphanumeric characters)
1              1
2              2
3              3
4              4
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type. Android
doesn’t support distinguishing lowercase and uppercase as different character sets,
and so the Office value of 4 cannot be enforced. Instead it translates to at least
Alphanumeric with symbols.
Office value 2: At least Alphanumeric
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Minimum password length
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Minimum password length
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type and
Minimum password length.
Office value for Require an alphanumeric password   Intune value for Required password type
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
Devices > Windows > Configuration profiles > policy name_O365_W >
Properties > Compliance settings Edit > Password > Number of sign-in failures
before wiping device
Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i >
Properties > Compliance settings Edit > Password > Number of sign-in failures
before wiping device
Devices > Android > Configuration profiles > policy name_O365_A > Properties
> Compliance settings Edit > Password > Number of sign-in failures before
wiping device
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Maximum minutes of inactivity
before password is required
Office value     Intune value
1 through 4      1 minute
5 through 14     5 minutes
15 or more       15 minutes
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Maximum minutes of inactivity
before password is required
Office value     Intune value
1                1 minute
2                2 minutes
3                3 minutes
4                4 minutes
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Required password type.
Office value     Intune value
1 through 4      1 minute
5 through 14     5 minutes
15 through 29    15 minutes
30 through 59    30 minutes
60               60 minutes
Password expiration
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Password expiration (days)
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Password expiration (days)
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Number of days until password
expires.
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Compliance settings Edit > System Security > Number of previous passwords
to prevent reuse
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > System Security > Number of previous passwords
to prevent reuse
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > System Security > Number of previous passwords to
prevent reuse and Required password type
Office value for Require an alphanumeric password   Intune value for Required password type
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
For Android devices, Intune only supports this setting for Android device administrator
devices.
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > Device Health > Jailbroken devices
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Compliance settings Edit > Device Health > Rooted devices
For Android, this setting was only supported on Samsung Knox devices in Basic Mobility
and Security.
Intune requires additional settings to be configured when deploying email that weren't
available in device security policies. For more information, see Additional settings
required by Intune for email profiles.
When If a device doesn't meet the requirements above, then… is set to Block access
and report violation, use Intune compliance policies as shown below. If the setting is set
to Allow…, use configuration profiles instead.
Setting Value
SSL Enable
Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i_Email >
Properties > Configuration settings Edit
Setting Value
SSL Enable
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Compliance settings Edit > Email > Unable to set up email on the device >
Require
Devices > Android > Configuration profiles > policy name_O365_A_Email >
Properties > Configuration settings Edit
Setting Value
SSL Enable
This article provides mapping details from Basic Mobility and Security to Intune.
Specifically, this page maps Office 365 Security and Compliance portal Configurations
policies to the equivalent policies in the Microsoft Intune admin center. Because Intune
offers more flexibility, each Office policy will translate into multiple Intune and Azure
Active Directory (Azure AD) policies to achieve the same result.
If you’re migrating from Basic Mobility and Security to Intune, you can use the Migration
evaluation tool to automate much of this mapping.
To see these settings in the Office 365 Security and Compliance portal, sign in to the
portal and then select Device security policies > policy name > Edit policy >
Configurations.
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Compliance settings Edit > Cloud and Storage > Force encrypted backup
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cloud and Storage > various Block iCloud settings
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cloud and Storage > Block iCloud document and
data sync
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cloud and Storage > Block My Photo Stream
Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Screen capture (mobile only)
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Block screenshots and screen recording
Devices > Android > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Screen capture (Samsung KNOX only)
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > Built-in Apps > Block FaceTime
Block sending diagnostic data from device
For Android devices, this setting is only supported on Samsung Knox devices in Basic
Mobility and Security.
For Windows 10 devices, the most restrictive value prevents sending security-related
data.
Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > Reporting and Telemetry > Share usage data
Block sending diagnostic data from device value   Share usage data value
Selected                                          Security
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Block sending diagnostic and usage data
to Apple
Devices > Android > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Diagnostic data (Samsung Knox only)
Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > App store > App store (mobile only)
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > App store, Doc Viewing, Gaming > Block App store
Devices > Android > Configuration profiles > choose a profile with type Device
administrator > Properties > Configuration settings Edit > Google Play Store >
Google Play store (Samsung Knox only)
Require password when accessing application store
This setting was never supported for Windows or Android in Basic Mobility and Security.
Apple doesn't block accessing the app store without a password, but blocks purchases
without a password.
Devices > iOS/iPadOS > Configuration profiles > profile name > Properties >
Configuration settings Edit > App store, Doc Viewing, Gaming > Require iTunes
Store password for all purchases
For Android devices, this setting is only supported on Samsung Knox devices in Basic
Mobility and Security.
Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > General > Removable storage
Devices > Android > Configuration profiles > choose a profile with type Device
administrator > Properties > Configuration settings Edit > Cloud and Storage >
Removable storage (Samsung Knox only)
For Android devices, this setting is only supported on Samsung Knox devices in Basic
Mobility and Security.
Devices > Windows > Configuration profiles > profile name > Properties >
Configuration settings Edit > Cellular and connectivity > Bluetooth
Devices > Android > Configuration profiles > choose a profile with type Device
administrator > Properties > Configuration settings Edit > Cellular and
connectivity > Bluetooth (Samsung Knox only)
Next steps
To migrate these policies, you can use the Migration evaluation tool.
Miscellaneous policy mapping from
Basic Mobility and Security to Intune
Article • 02/22/2023
This article provides mapping details from Basic Mobility and Security to Intune.
Specifically, this page maps the following Office 365 Security and Compliance portal
policies and device properties to the equivalent policies and properties in the Microsoft
Intune admin center:
Because Intune offers more flexibility, each Office policy will translate into multiple
Intune and Azure Active Directory (Azure AD) policies to achieve the same result.
If you’re migrating from Basic Mobility and Security to Intune, you can use the Migration
evaluation tool to automate much of this mapping.
User
Devices > All devices > device name > Overview > Enrolled by
Device type
Devices > All devices > device name > Overview > Operating system
State
This isn't a default column in the Intune portal device list. You can show it by using the
Columns picker.
Factory reset
Devices > All devices > device name > Overview > Wipe
Endpoint security > Conditional access > policy name > Users and groups >
Exclude
Name
Up to three compliance policies and up to six configuration profiles (three for
restrictions and three for email):
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Basics Edit > Name
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Basics Edit > Name
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Basics Edit > Name
Devices > Windows > Configuration profiles > policy name_O365_W >
Properties > Basics Edit > Name
Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i >
Properties > Basics Edit > Name
Devices > Android > Configuration profiles > policy name_O365_A > Properties
> Basics Edit > Name
Devices > Windows > Configuration profiles > policy name_O365_W_Email >
Properties > Basics Edit > Name
Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i_Email >
Properties > Basics Edit > Name
Devices > Android > Configuration profiles > policy name_O365_A_Email >
Properties > Basics Edit > Name
Description
Up to three compliance policies and up to six configuration profiles (three for
restrictions and three for email):
Devices > Windows > Compliance policies > policy name_O365_W > Properties
> Basics Edit > Description
Devices > iOS/iPadOS > Compliance policies > policy name_O365_i > Properties
> Basics Edit > Description
Devices > Android > Compliance policies > policy name_O365_A > Properties >
Basics Edit > Description
Devices > Windows > Configuration profiles > policy name_O365_W >
Properties > Basics Edit > Description
Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i >
Properties > Basics Edit > Description
Devices > Android > Configuration profiles > policy name_O365_A > Properties
> Basics Edit > Description
Devices > Windows > Configuration profiles > policy name_O365_W_Email >
Properties > Basics Edit > Description
Devices > iOS/iPadOS > Configuration profiles > policy name_O365_i_Email >
Properties > Basics Edit > Description
Devices > Android > Configuration profiles > policy name_O365_A_Email >
Properties > Basics Edit > Description
Next steps
To migrate these policies, you can use the Migration evaluation tool.
Get started with your Microsoft Intune
deployment
Article • 04/20/2023
Microsoft Intune is a cloud-based service that helps you manage your devices and apps.
For more information about what Microsoft Intune can do for your organization, go to
What is Microsoft Intune.
This article provides an overview of the steps to start your Intune deployment.
Tip
As a companion to this article, the Microsoft 365 admin center also has some setup
guidance. The guide customizes your experience based on your environment. At
Microsoft Intune setup guide, sign in with at least the Global Reader role to
access the deployment guides. For more information on these deployment guides
and the roles needed, go to Advanced deployment guides for Microsoft 365 and
Office 365 products.
To review best practices without signing in and activating the automated setup
features, go to the M365 Setup portal .
Determine your license needs and any other prerequisites for your Intune
deployment. The following list provides some of the most common prerequisites:
Intune subscription: Included with some Microsoft 365 subscriptions. You also
get access to the Microsoft Intune admin center, which is a web-based
console for managing your devices, apps, and users.
Microsoft 365 apps: Included with Microsoft 365 and used for productivity
apps, including Outlook and Teams.
Azure Active Directory (Azure AD): Included with some Microsoft 365
subscriptions. Azure AD is used for the identity management of users, groups,
and devices, and comes with your Intune and Microsoft 365 subscription.
Azure AD Premium, which might cost extra, gives you more features commonly
used by organizations, including Conditional Access, multi-factor authentication
(MFA), and dynamic groups.
For example, if you manage iOS/iPadOS and macOS devices, you need an Apple
MDM push certificate and possibly an Apple token. If you manage Android
devices, you may need a managed Google Play account. If you use certificate
authentication, you may need a SCEP or PKCS certificate.
✔️Confirm your devices are supported, create your Intune tenant, add users &
groups, assign licenses, and more.
This step focuses on setting up Intune and getting it ready for you to manage your user
identities, apps, and devices. Intune uses many features in Azure AD, including your
domain, your users, and your groups.
✔️On devices that will enroll in Intune, create a baseline of apps that all devices must
have, and then assign these app policies during enrollment. On apps that need extra
security, also use app protection policies.
✔️On devices that won't enroll in Intune, use app protection policies and multi-factor
authentication (MFA):
For more information, go to Step 2 - Add, configure, and protect apps with Intune.
Every organization has a base set of apps that should be installed on devices. Before
users enroll their devices, you can use Intune to assign these apps to their devices.
During enrollment, the app policies are automatically deployed. When enrollment
completes, the apps install and are ready to use.
If you prefer, you can enroll your devices, and then assign apps. It's your choice. The
next time users check for new apps, they'll see the new apps available.
If users with their own personal devices will access organization resources, then you
need to protect any apps that access your organization data using mobile application
management (MAM), at a minimum. You can create MAM policies for Outlook, Teams,
SharePoint, and other apps. The Microsoft Intune planning guide has some guidance on
managing personal devices.
Note
MFA is a feature of Azure AD that must be enabled in your Azure AD tenant. Then,
you configure MFA for your apps. For more information, go to:
✔️Create a baseline of compliance policies that all devices must have, and then assign
these compliance policies during enrollment.
MDM solutions like Intune can set rules that devices should meet, and can report the
compliance states of these rules. These rules are called compliance policies. When you
combine compliance policies with Conditional Access, you can require devices meet
certain security requirements before they can access your organization's data.
When users enroll their devices in Intune, the enrollment process can automatically
deploy your compliance policies. When enrollment completes, admins can check the
compliance status and get a list of devices that don't meet your rules.
If you prefer, you can enroll your devices before checking compliance. It's your choice.
At the next Intune check-in, the compliance policies are assigned.
✔️Create a baseline of security features and device features that should be enabled or
blocked. Assign these profiles during enrollment.
Your organization may have a base set of device and security features that should be
configured or should be blocked. These settings are added to device configuration and
endpoint security profiles. It's recommended to assign key security and device
configuration policies during enrollment. When enrollment starts, the device
configuration profiles are automatically assigned. When enrollment completes, these
device and security features are configured.
If you prefer, you can enroll your devices before creating the configuration profiles. It's
your choice. At the next Intune check-in, the profiles are assigned.
In the Microsoft Intune admin center, you can create different profiles based on your
device platform - Android, iOS/iPadOS, macOS, and Windows.
To fully manage devices, the devices must be enrolled in Intune to receive the
compliance & Conditional Access policies, app policies, device configuration policies,
and security policies you create. As an admin, you create enrollment policies for your
users and devices. Each device platform (Android, iOS/iPadOS, macOS, Windows, and
Linux) has different enrollment options. You choose what's best for your environment,
your scenarios, and how your devices are used.
Depending on the enrollment option you choose, users can enroll themselves. Or, you
can automate enrollment so users only need to sign in to the device with their
organization account.
When a device enrolls, it's issued a secure MDM certificate. This certificate
communicates with the Intune service.
Different platforms have different enrollment requirements. The following articles can
help you learn more about device enrollment, including platform-specific guidance:
If you use or will use Configuration Manager, there are two steps to cloud attach your
on-premises devices:
1. Tenant attach: Register your Intune tenant with your Configuration Manager
deployment. Your Configuration Manager devices are shown in the Microsoft
Intune admin center. On these devices, you can run different actions, including
installing apps and running Windows PowerShell scripts from the web-based Intune
admin center.
If you currently use Configuration Manager, you get immediate value through tenant
attach, and you get more value through co-management.
For guidance on the Microsoft Intune setup that's right for your organization, go to
Deployment guide: Set up or move to Microsoft Intune.
Next steps
Step 1 - Set up Microsoft Intune
Step 2 - Add, configure, and protect apps with Intune
Step 3 - Plan for compliance policies
Step 4 - Configure device features and settings to secure devices and access
organization resources
Step 5 - Deployment guidance: Enroll devices in Microsoft Intune
Levels of protection and configuration
in Microsoft Intune
Article • 03/02/2023
Microsoft Intune gives admins the ability to create policies that are applied to users,
devices, and apps. These policies can range from a minimum set to more secure or
controlled policies. These policies depend on the organization needs, the devices that
are used, and what the devices will do.
When you're ready to create policies, you can use the different levels of protection and
configuration:
Your environment and business needs may have different levels defined. You can use
these levels as a starting point and then customize them to fit your needs. For example,
you can use the device configuration policies in level 1 and the app policies in level 3.
Choose the levels that are right for your organization. There isn't a wrong choice.
Tip
In this level, Microsoft recommends you configure the following protection and access
for apps:
Compliance (level 1)
In this level, device compliance includes configuring the tenant-wide settings that apply
to all devices, and deploying minimal compliance policies to all devices to enforce a core
set of compliance requirements. Microsoft recommends that these configurations be in
place before you allow devices to access your organization’s resources. Level 1 device
compliance includes:
Compliance policy settings are a few tenant-wide settings that affect how the Intune
compliance service works with your devices.
Actions for noncompliance are automatically included with each platform specific policy.
These actions are one or more time-ordered actions you configure that apply to devices
that fail to meet the compliance requirements of the policy. By default, marking a device
as non-compliant is an immediate action that’s included in each policy.
For more information on these policies in this level, go to Step 4 - Create device
configuration profiles to secure devices and create connections to organization
resources.
Level 2 - Enhanced protection and
configuration
This level expands on the minimum set of policies to include more security and expand
your mobile device management. The policies in this level secure more features, provide
identity protection, and manage more device settings.
Use the settings in this level to add what you've done in Level 1.
Apps (level 2)
This level recommends a standard level of application protection for devices where users
access more sensitive information. This level introduces app protection policy data
leakage prevention mechanisms and minimum OS requirements. This level is the
configuration that is applicable to most mobile users accessing work or school data.
Compliance (level 2)
At this level, Microsoft recommends adding more complex options to your compliance
policies. Many of the settings at this level have platform-specific names that all deliver
similar results. The following are the categories or types of settings that Microsoft
recommends you use when they're available:
Applications:
Manage where devices get apps, like Google Play for Android
Allow apps from specific locations
Block apps from unknown sources
Firewall settings
Firewall settings (macOS, Windows)
Encryption:
Require encryption of data storage
BitLocker (Windows)
FileVault (macOS)
Passwords
Password expiration and reuse
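The noncompliance actions described under level 1 and the encryption and password categories listed above can be expressed in one compliance policy object. The following script is an added example, not code from the Intune documentation or the Intune product: it creates a Windows compliance policy through Microsoft Graph using the Microsoft.Graph PowerShell SDK and assigns it to a group. The group id, policy name and minimum build number are constructed placeholders; the property names are those of the Graph v1.0 windows10CompliancePolicy resource.

```powershell
# Added example: create and assign a Windows compliance policy through Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The group id, policy name and build number below are constructed placeholders.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$graph         = 'https://graph.microsoft.com/v1.0'
$targetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure AD group to assign

# Policy body: level 2 categories (encryption, password expiration and reuse, minimum OS)
# plus the noncompliance action that every compliance policy carries (level 1).
$policy = @{
    '@odata.type'                      = '#microsoft.graph.windows10CompliancePolicy'
    displayName                        = 'Windows - Level 2 baseline (example)'
    description                        = 'Encryption, password hygiene and minimum OS version'
    # Encryption category: require BitLocker / encrypted storage and a healthy boot chain
    bitLockerEnabled                   = $true
    storageRequireEncryption           = $true
    secureBootEnabled                  = $true
    codeIntegrityEnabled               = $true
    # Passwords category: require a password, expire it, block reuse of the last 5
    passwordRequired                   = $true
    passwordExpirationDays             = 90
    passwordPreviousPasswordBlockCount = 5
    # Minimum OS version (placeholder build number)
    osMinimumVersion                   = '10.0.19045'
    # Actions for noncompliance: 'block' with a 0 hour grace period is the
    # "mark device noncompliant immediately" default. Further time-ordered actions
    # (notification, retire) are appended to the same array with a larger gracePeriodHours.
    scheduledActionsForRule            = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign the policy to a group. Once devices report compliance, a Conditional Access
# policy can require a compliant device before granting access to organization data.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $targetGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created and assigned compliance policy $($created.id)"
```

The firewall and TPM checks shown in the admin center are not part of the v1.0 schema used here; creating the policy in the portal, then reading it back with a GET on the same endpoint, is a quick way to confirm which property names your tenant exposes before scripting them.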
Add another layer of security by enabling disk encryption, secure boot, and TPM
on your devices.
Configure your PINs & passwords to expire and manage if/when passwords can be
reused.
Configure more granular device features, settings, and behaviors.
If you have on-premises GPOs, then you can determine if these GPOs are available
in Intune.
For more specific information on device configuration policies at this level, go to Level 2
- Enhanced protection and configuration.
Level 3 - High protection and configuration
This level includes enterprise-level policies and may involve different admins in your
organization. These policies continue moving to password-less authentication, have
more security, and configure specialized devices.
Use the settings in this level to add what you've done in Levels 1 and 2.
Apps (level 3)
This level recommends a standard level of application protection for devices where users
access more sensitive information. This level introduces advanced data protection
mechanisms, enhanced PIN configuration, and app protection policy Mobile Threat
Defense. This configuration is desirable for users that are accessing high risk data.
In addition to level 1 and 2 settings, Microsoft recommends you configure the following
protection and access for apps:
Compliance (level 3)
At this level, you can expand on Intune’s built-in compliance capabilities through the
following capabilities:
Use scripts to add custom compliance settings to your policies for settings that
aren't available from within the Intune UI. (Windows, Linux)
Use compliance policy data with Conditional Access policies to gate access to your
organization’s resources
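Custom compliance on Windows consists of two parts: a discovery script that Intune runs on the device and that must emit a single line of compressed JSON, and a rules file whose SettingName entries match the keys in that JSON. The following is an added example (not the Intune documentation's own sample): the discovery script checks three settings the built-in UI does not cover in this form, and the rules file is carried in a here-string only so both halves sit together; in practice it is saved as a separate .json file. The MoreInfoUrl values and setting names are constructed placeholders.

```powershell
# Added example: custom compliance discovery script plus the matching rules file.
# Intune runs the discovery script (Devices > Compliance > Scripts) as SYSTEM and
# parses its output, which must be exactly one line of compressed JSON.
# Setting names and the MoreInfoUrl values below are constructed placeholders.

# ---- Discovery script ----------------------------------------------------------
$secureBoot = $false
try {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    $secureBoot = [bool](Confirm-SecureBootUEFI)
} catch {
    $secureBoot = $false
}

# Domain firewall profile state (GpoBoolean enum cast to a plain boolean)
$domainFirewall = [bool]((Get-NetFirewallProfile -Name Domain).Enabled)

# OS build as a dotted version string so the rule can use the Version data type
$osBuild = [System.Environment]::OSVersion.Version.ToString()

$result = @{
    SecureBootEnabled     = $secureBoot
    DomainFirewallEnabled = $domainFirewall
    OsBuild               = $osBuild
}

# The compressed JSON line must be the only thing written to the output stream.
$result | ConvertTo-Json -Compress

# ---- Rules file (save as a separate .json and upload with the compliance setting) ----
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "SecureBootEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/secure-boot",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "Secure Boot is off",
          "Description": "Enable Secure Boot in the UEFI firmware settings." }
      ]
    },
    {
      "SettingName": "DomainFirewallEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/firewall",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "Domain firewall is disabled",
          "Description": "Turn on Windows Defender Firewall for the domain profile." }
      ]
    },
    {
      "SettingName": "OsBuild",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "10.0.19045",
      "MoreInfoUrl": "https://example.invalid/os-build",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "Windows build is too old",
          "Description": "Install pending Windows updates and restart." }
      ]
    }
  ]
}
'@
```

Every key emitted by the discovery script should have a rule, and every rule's SettingName must appear in the output; a device whose script output cannot be parsed is reported as noncompliant, so test the script locally and confirm it prints exactly one JSON line before uploading it.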
For more specific information on device configuration policies at this level, go to Level 3
- High protection and configuration.
Next steps
For a complete list of all the device configuration profiles you can create, go to Apply
features and settings on your devices using device profiles in Microsoft Intune.
Step 1: Set up Microsoft Intune
Article • 03/29/2023
The first step when deploying Microsoft Intune is to set up your Intune environment.
In this article, you'll step through the process of setting up Microsoft Intune. Also, this
article will provide the choices and considerations you need to make when setting up an
endpoint-management solution such as Intune.
By the end of this article, you'll have a better understanding of Intune's supported
configurations. You'll have signed up for the Microsoft Intune's free trial. You'll add end
users, define user groups, assign licenses to users, and set up the other needed settings
to begin using Microsoft Intune. All of these steps will prepare you to add and manage
devices and apps using Intune.
Prerequisites
Before you begin setting up Microsoft Intune, review the Planning guide. Use this guide
to plan your move or migration to Intune.
Review the device platforms and operating systems that Intune supports.
Review which web browsers are supported when accessing Intune using Microsoft
Intune admin center.
Be familiar with the network bandwidth requirements to perform installations and
updates using Intune.
Tip
By default, all device platforms can enroll in Intune. If you want to prevent specific
platforms, then create a restriction. For more information, go to Create a device
platform restriction.
Before you sign up for Intune, determine whether you already have a Microsoft Online
Services account, Enterprise Agreement, or equivalent volume licensing agreement. A
Microsoft volume licensing agreement or other Microsoft cloud services subscription
like Microsoft 365 usually includes a work or school account.
If you already have a work or school account, sign in with that account and add Intune
to your subscription. Otherwise, you can sign up for a new account to use Intune for
your organization.
When your organization signs up for Microsoft Intune, you're given an initial domain
name hosted in Azure Active Directory (Azure AD) that looks like
your-domain.onmicrosoft.com.
You can optionally configure your organization's custom domain in Intune, such as
contoso.com. If you don't add your domain account, then, for example,
contoso.onmicrosoft.com may be used.
Set DNS registration to connect your company's domain name with Intune. This
gives users a familiar domain when connecting to Intune and using resources.
If you are simply evaluating Intune using the free trial, you can skip this step.
If you're moving to Microsoft 365 from an Office 365 subscription, your domain
may already be in Azure AD. Intune uses the same Azure AD, and can use your
existing domain.
Users are stored in Azure AD, which is also included with Microsoft 365. Azure AD
controls access to resources, and authenticates users.
You can add users, or connect Active Directory to sync with Intune. This step is required
unless your devices are "userless" kiosk devices.
The people in your organization each need a user account before they can sign in and
access Microsoft Intune. To create user accounts, you can add users to Intune. Once
added, you can grant permissions and assign licenses to users. Then later, you can
assign different types of policies to users to help and protect them.
Intune uses Azure Active Directory (Azure AD) groups to organize and manage devices
and users. As an Intune admin, you can set up groups to suit your organizational needs.
For instance, you can create groups to organize users or devices by geographic location,
department, or hardware characteristics. Also, you can use groups to manage tasks at
scale. For example, you can set policies for many users or deploy apps to a set of
devices based on groups.
6 - Manage licenses
Intune is available with different subscriptions, including as a stand-alone service.
Determine the licensed services your organization needs and then continue to assign
each user an Intune license before users can enroll their devices in Intune.
Microsoft Intune is available for different organization sizes and needs, from a
simple-to-use management experience for schools and small businesses, to more advanced
functionality required by enterprise customers. An admin must have a license assigned
to them to administer Intune (unless you have selected to allow unlicensed admins).
✔️Unlicensed admins
You can give administrators access to Microsoft Endpoint Manager without them
requiring an Intune license. This feature applies to any administrator, including Intune
administrators, global administrators, Azure AD administrators, and so on.
Microsoft Intune includes a set of admin roles that you can assign to users in your
organization using the Microsoft Intune admin center. Each admin role maps to
common business functions and gives people in your organization permissions to do
specific tasks in the admin centers.
1. Role-based access control (RBAC) helps you manage who has access to your
organization's resources and what they can do with those resources. For guidance,
go to Role-based access control (RBAC) with Microsoft Intune.
2. By assigning roles to your Intune users, you can limit what they can see and
change. For guidance, go to Assign a role to an Intune user.
3. You can use both the built-in and custom roles. Built-in roles cover some common
Intune scenarios. You can create your own custom roles with the exact set of
permissions you need. For guidance, go to Create a custom role in Intune.
4. You can use role-based access control and scope tags to make sure that the right
admins have the right access and visibility to the right Intune objects. Roles
determine what access admins have to which objects. Scope tags determine which
objects admins can see. For guidance, go to Use role-based access control (RBAC)
and scope tags for distributed IT.
If you are changing your tenant to support Intune, you will need to change your MDM
authority configuration.
Customize the Intune Company Portal that users use to enroll devices and install apps.
These settings appear in both the Company Portal app and the Intune Company Portal
website. You can also customize the Company Portal app so it includes your
organization details.
The next step when deploying Intune is to add and protect apps that access
organization data.
MAM configurations
When apps are used without restrictions, company and personal data can get
intermingled. Company data can end up in locations like personal storage or transferred
to apps beyond your purview and result in data loss. One of the primary reasons to use
either MAM without device enrollment or Intune MDM + MAM is to help protect your
organization's data.
Note
This configuration includes managing apps with Intune on devices enrolled with
third-party enterprise mobility management (EMM) providers. You can use Intune
app protection policies independent of any MDM solution. This independence
helps you protect your company's data with or without enrolling devices in a device
management solution. By implementing app-level policies, you can restrict access
to company resources and keep data within the purview of your IT department.
Tip
Many productivity apps, such as the Microsoft Office apps, can be managed by
Intune MAM. See the official list of Microsoft Intune protected apps available for
public use.
For BYOD devices not enrolled in any MDM solution, app protection policies can help
protect company data at the app level.
However, there are some limitations to be aware of, such as:
You can't deploy apps to the device. The end user has to get the apps from the
store.
You can't provision certificate profiles on these devices.
You can't provision company Wi-Fi and VPN settings on these devices.
For more information about app protection in Intune, see App protection policies
overview.
MDM, in addition to MAM, makes sure that the device is protected. For example, you
can require a PIN to access the device, or you can deploy managed apps to the device.
You can also deploy apps to devices through your MDM solution, to give you more
control over app management.
There are additional benefits to using MDM with app protection policies, and companies
can use app protection policies with and without MDM at the same time. For example, a
member of your organization could have both a phone issued by the company and their
own personal tablet. The company phone could be enrolled in MDM and protected by
app protection policies while the personal device is protected by app protection policies
only.
On enrolled devices that use an MDM service, app protection policies can add an extra
layer of protection. For example, a user signs in to a device with their organization
credentials. As that organization data is used, app protection policies control how the
data is saved and shared. When users sign in with their personal identity, those same
protections (access and restrictions) aren't applied. In this way, IT has control of
organization data, while end users maintain control and privacy over their personal data.
Help protect company data from leaking to consumer apps and services
Apply restrictions like save-as, clipboard, or PIN, to client apps
Wipe company data when needed from apps without removing those apps from
the device
Protect company data at the app level. You can add and assign mobile apps to
user groups and devices. This allows your company data to be protected at the
app level. You can protect company data on both managed and unmanaged
devices because mobile app management doesn't require device management.
The management is centered on the user identity, which removes the requirement
for device management.
Configure apps to start or run with specific settings enabled. In addition, you can
update existing apps already on the device.
Assign policies to limit access and prevent data from being used outside your
organization. You choose the setting for these policies based on your
organization's requirements. For example, you can:
Require a PIN to open an app in a work context.
Block managed apps from running on jailbroken or rooted devices
Control the sharing of data between apps.
Prevent the saving of company app data to a personal storage location by using
data relocation policies, like Save copies of org data, and Restrict cut, copy,
and paste.
Support apps on a variety of platforms and operating systems. Each platform is
different. Intune provides available settings specifically for each supported
platform.
See reports about which apps are used, and track their usage. In addition, Intune
provides endpoint analytics to help you assess and resolve problems.
Do a selective wipe by removing only organization data from apps.
Ensure personal data is kept separate from managed data. End-user productivity
isn't affected and policies don't apply when using the app in a personal context.
The policies are applied only in a work context, which gives you the ability to
protect company data without touching personal data.
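The restrictions listed above (work-context PIN, blocking managed apps on jailbroken devices, controlling data sharing between apps, preventing save-as to personal storage) each map to a setting on an app protection policy object. The following script is an added example, not code from the Intune documentation or the Intune product: it creates an iOS app protection policy through Microsoft Graph with the Microsoft.Graph PowerShell SDK and targets it at Outlook for iOS. The policy name is a placeholder; property names and enum values are those of the Graph v1.0 iosManagedAppProtection resource, and deviceComplianceRequired is taken here to be the property behind the portal's jailbroken/rooted device block.

```powershell
# Added example: create an iOS app protection (MAM) policy through Microsoft Graph and
# target it at Outlook. Requires the Microsoft.Graph PowerShell SDK; the policy name
# is a placeholder. Property names follow the v1.0 iosManagedAppProtection resource.

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$graph = 'https://graph.microsoft.com/v1.0'

$appPolicy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'iOS - Outlook data protection (example)'
    # Require a PIN to open the app in a work context
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    # Block managed apps from running on jailbroken devices
    deviceComplianceRequired                = $true
    # Control sharing between apps: org data may only flow to other policy-managed apps,
    # and the clipboard may be pasted into managed apps only
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    # Prevent saving org data to personal storage: block Save As except to these locations
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    # Re-check access periodically; wipe org data from the app after 90 days offline
    periodOnlineBeforeAccessCheck           = 'PT30M'
    periodOfflineBeforeAccessCheck          = 'PT12H'
    periodOfflineBeforeWipeIsEnforced       = 'P90D'
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($appPolicy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Target the policy at Outlook for iOS by bundle id. Because the policy is scoped to
# the app and the work identity, a later selective wipe removes only org data.
$targetApps = @{
    apps = @(
        @{
            mobileAppIdentifier = @{
                '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                bundleId      = 'com.microsoft.Office.Outlook'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created app protection policy $($created.id) and targeted Outlook for iOS"
```

The policy still has to be assigned to a user group before it takes effect; with no assignment it is created but applies to nobody, which is easy to miss when checking only that the POST succeeded.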
The users of apps and devices at your company (your company's workforce) might have
several app requirements. Before adding apps to Intune and making them available to
your workforce, you may find it helpful to assess and understand a few app
fundamentals. There are various types of apps that are available for Intune. You must
determine app requirements that are needed by the users at your company, such as the
platforms and capabilities that your workforce needs. You must determine whether to
use Intune to manage the devices (including apps) or have Intune manage the apps
without managing the devices. Also, you must determine the apps and capabilities that
your workforce needs, and who needs them. The information in this article helps you get
started.
Before adding apps to Intune, consider reviewing the supported app types and assessing your
app requirements. For more information, see Add apps to Microsoft Intune.
Tip
To better understand app types, app purchases, and app licenses for Intune, see the
solution Purchase and add apps for Microsoft Intune. This solution content also
provides recommended steps to assess app requirements, create app categories,
purchase apps, and add apps. Additionally, this solution content explains how to
manage apps and app licenses.
One of the available app types is Microsoft 365 apps for Windows 10 devices. By
selecting this app type in Intune, you can assign and install Microsoft 365 apps to
devices you manage that run Windows 10. You can also assign and install apps for the
Microsoft Project Online desktop client and Microsoft Visio Online Plan 2, if you own
licenses for them. The available Microsoft 365 apps are displayed as a single entry in the
list of apps in the Intune console within Azure.
Add the following core Microsoft apps to Intune:
Microsoft Edge
Microsoft Excel
Microsoft Office
Microsoft OneDrive
Microsoft OneNote
Microsoft Outlook
Microsoft PowerPoint
Microsoft SharePoint
Microsoft Teams
Microsoft To Do
Microsoft Word
For more information about adding Microsoft apps to Intune, go to the following topics:
The following table provides the different categories available for store apps:
Store app category: Description
Free store apps: You can freely add these apps to Intune and deploy them to the members of
your organization. These apps do not require any additional cost to use.
Purchased apps: You must purchase licenses for these apps before adding to Intune. Each device
platform (Windows, iOS, Android) offers a standard method to purchase licenses for these apps.
Intune provides methods to manage the app license for each end user.
Apps requiring an account, subscription, or license from the app developer: You can freely
add and deploy these apps from Intune, however the app may require an account, subscription,
or license from the app vendor. For a list of apps that support Intune management
functionality, see Partner productivity apps and Partner UEM apps. NOTE: For apps that may
require an account, subscription, or license, you must contact the app vendor for specific
app details.
Apps included with your Intune license: The license you use with Microsoft Intune may include
the app licenses you require.
Note
In addition to purchasing app licenses, you can create Intune policies that allow
end users to add personal accounts to their devices to purchase unmanaged apps.
For more information about adding Microsoft apps to Intune, go to the following topics:
You can create and use app configuration policies to provide configuration settings for
both iOS/iPadOS or Android apps. These configuration settings allow an app to be
customized by using app configuration and management. The configuration policy
settings are used when the app checks for these settings, typically the first time the app
is run.
An app configuration setting, for example, might require you to specify any of the
following details:
If end users were to enter these settings instead, they could do this incorrectly. App
configuration policies can help provide consistency across an enterprise and reduce
helpdesk calls from end users trying to configure settings on their own. By using app
configuration policies, the adoption of new apps can be easier and quicker.
The available configuration parameters are ultimately decided by the developers of the
app. Documentation from the application vendor should be reviewed to see if an app
supports configuration and what configurations are available. For some applications,
Intune will populate the available configuration settings.
The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you will want to deploy a conditional access policy that allows connectivity to
Outlook for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.
For more information about configuring Microsoft Outlook, go to the following topic:
Manage messaging collaboration access by using Outlook for iOS and Android with Microsoft Intune
For more information about configuring Microsoft Edge, go to the following topic:
You can also create VPN policies that are used by specific apps. This feature is called
per-app VPN. When the app is active, it can connect to the VPN, and access resources
through the VPN. When the app isn't active, the VPN isn't used.
Use a VPN and per-app VPN policy on Android Enterprise devices in Microsoft Intune
Mobile Application Management (MAM) app protection policies allow you to manage
and protect your organization's data within an application. Many productivity apps, such
as the Microsoft Office apps, can be managed by Intune MAM. See the official list of
Microsoft Intune protected apps available for public use.
One of the primary ways that Intune provides mobile app security is through policies.
App protection policies allow you to do the following actions:
- Use Azure AD identity to isolate organization data from personal data, so personal information is isolated from organizational IT awareness. Data accessed using organization credentials is given additional security protection.
- Help secure access on personal devices by restricting actions users can take with organizational data, such as copy-and-paste, save, and view.
- Create and deploy on devices that are enrolled in Intune, enrolled in another mobile device management (MDM) service, or not enrolled in any MDM service.
Note
App protection policies are designed to apply uniformly across a group of apps,
such as applying a policy across all Office mobile apps.
Organizations can use app protection policies with and without MDM at the same time.
For example, consider an employee that uses both a tablet issued by the company, and
their own personal phone. The company tablet is enrolled in MDM and protected by
app protection policies while their personal phone is protected by app protection
policies only.
For more information about app protection in Intune, go to the following topics:
When configuring App Protection Policies, the different settings and options available
allow organizations to customize the protection to their specific needs. Due to this
flexibility, it may not be obvious which permutation of policy settings is required to
implement a complete scenario. To help organizations prioritize client endpoint
hardening endeavors, Microsoft has introduced a new taxonomy for security
configurations in Windows 10, and Intune is leveraging a similar taxonomy for its APP
data protection framework for mobile app management.
The APP data protection configuration framework is organized into three distinct
configuration scenarios:
Basic app protection in Intune (level 1) is the minimum data protection configuration for
an enterprise mobile device. This configuration replaces the need for basic Exchange
Online device access policies by requiring a PIN to access work or school data,
encrypting the work or school account data, and providing the capability to selectively
wipe the school or work data. However, unlike Exchange Online device access policies,
the below App Protection Policy settings apply to all the apps selected in the policy,
thereby ensuring data access is protected beyond mobile messaging scenarios.
The policies in level 1 enforce a reasonable data access level while minimizing the
impact to users and mirror the default data protection and access requirements settings
when creating an App Protection Policy within Microsoft Endpoint Manager.
For specific data protection, access requirements, and conditional launch settings for
basic app protection, go to the following topic:
The policy settings enforced in level 2 include all the policy settings recommended for
level 1; the list below shows only those settings that have been added or changed to
implement more controls and a more sophisticated configuration than level 1. While
these settings may have a slightly higher impact on users or applications, they enforce
a level of data protection more commensurate with the risks facing users with access to
sensitive information on mobile devices.
For specific data protection and conditional launch settings for enhanced app
protection, go to the following topic:
The policy settings enforced in level 3 include all the policy settings recommended for
level 2; the list below shows only those settings that have been added or changed to
implement more controls and a more sophisticated configuration than level 2. These
policy settings can have a potentially significant impact on users or applications,
enforcing a level of security commensurate with the risks facing targeted organizations.
For specific data protection, access requirements, and conditional launch settings for
basic app protection, go to the following topic:
For more information about protecting Exchange Online, go to the following topic:
- The end user must have an Azure Active Directory (Azure AD) account. See Add users and give administrative permission to Intune to learn how to create Intune users in Azure Active Directory.
- The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account. See Manage Intune licenses to learn how to assign Intune licenses to end users.
- The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the Microsoft Intune admin center. Security groups can currently be created in the Microsoft 365 admin center.
- The end user must sign into the app using their Azure AD account.
Previously, you’ve set up your Intune subscription and created app protection policies.
Next, plan for and configure device compliance settings and policies to help protect
organizational data by requiring devices to meet requirements that you set.
If you’re not yet familiar with compliance policies, see Compliance overview.
You deploy compliance policies to groups of devices or users. When deployed to users,
any device the user signs into must then meet the policy's requirements. Some common
examples of compliance requirements include:
When devices fail to meet the requirements of a compliance policy, that policy can apply
one or more actions for noncompliance. Some actions include:
Generally, our recommendations place settings that are key configurations common
across platforms at the minimal compliance level, where they provide a strong return for
your investment. Settings listed at higher levels can involve more complexity, such as
settings that require integration of third-party products. Be sure to review the full range
of recommendations and be ready to adjust your own deployment plan to fit your
organization’s needs and expectations.
The following articles can help you understand the settings that Intune policies natively
support:
✔️Use a core set of minimal compliance settings across platforms you support
The minimal device compliance settings include the following subjects that all tenants
who plan to use compliance policies should understand and be prepared to use:
- Compliance policy settings – Tenant-wide settings that affect how the Intune compliance service works with your devices.
- Actions for noncompliance – These configurations are common to all device compliance policies.
- Minimal device compliance policy recommendations – These are the platform-specific device compliance settings we believe every tenant should implement to help keep their organization's resources safe.
In addition, we recommend you be familiar with how device compliance policies and
device configuration policies are related and interact.
Compliance policy settings are a few configurations you make at the tenant-level
that then apply to all devices. They establish how the Intune compliance service
functions for your tenant.
These settings are configured directly in the Microsoft Intune admin center and are
distinct from device compliance policies that you create for specific platforms and
deploy to discrete groups of devices or users.
To learn more about Compliance Policy Settings at the tenant level, and how to
configure them, see Compliance policy settings.
Actions for noncompliance
Each device compliance policy includes actions for noncompliance, which are one or
more time-ordered actions that are applied to devices that fail to meet the compliance
requirements of the policy. By default, marking a device as noncompliant is an
immediate action that’s included in each policy.
For each action you add, you define how long to wait after a device is marked as
noncompliant before that action runs.
Available actions you can configure include the following, but not all are available for
each device platform:
Policy administrators should understand the available options for each action and
complete supporting configurations before deploying a policy that requires them. For
example, before you can add the send email action, you must first create one or more
email templates with the messages you might want to send. Such an email might
include resources to help the user bring their device into compliance. Later, when
defining an email action for a policy you can select one of your templates to use with a
specific action.
Because each non-default action can be added to a policy multiple times, each with a
separate configuration, you can customize how the actions will apply.
For example, you could configure several related actions to occur in a sequence. First,
immediately upon being noncompliant you might have Intune send an email to the
device’s user, and perhaps an administrator as well. Then a few days later, a second
action could send a different email reminder, with details about a deadline for
remediating the device. You might also configure a final action to add a device to a list
of devices you might want to retire, with the action set to run only after a device
continues to remain noncompliant for an excessive period.
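The sequence described above, as an added Python model (not Intune's own code): each action carries a grace period counted from the moment the device is marked noncompliant, the same action type can appear more than once with different configuration, and the schedule tells you which actions have already fired for a device that is still noncompliant. The action names (`mark_noncompliant`, `send_email`, `retire_list`) and the sample policy are constructed for this illustration; the real action list and its per-platform availability come from the admin center.

```python
"""Time-ordered actions for noncompliance (added illustration, not Intune's code).

Each action carries a grace period in days, counted from when the device was
marked noncompliant; 0 means the action runs immediately. The action names
and the sample policy below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Action:
    kind: str            # constructed names: mark_noncompliant, send_email, retire_list
    grace_days: int      # days to wait after the device is marked noncompliant
    detail: str = ""     # e.g. which email template, extra recipients


# Constructed sample policy: send_email appears twice with different settings,
# and the retirement-candidate action only fires after a long period.
SAMPLE_POLICY = [
    Action("mark_noncompliant", 0),                                  # default, immediate
    Action("send_email", 0, "template=first-notice; cc=admin"),
    Action("send_email", 3, "template=deadline-reminder"),
    Action("retire_list", 30, "add to retirement-candidate list"),
]


def validate(actions):
    """A policy must keep the immediate mark-as-noncompliant action."""
    return any(a.kind == "mark_noncompliant" and a.grace_days == 0 for a in actions)


def timeline(actions, noncompliant_since):
    """(fire_date, action) pairs in the order the actions run.

    Sorting is stable, so two actions with the same grace period keep the
    order in which they were added to the policy.
    """
    pairs = [(noncompliant_since + timedelta(days=a.grace_days), a) for a in actions]
    return sorted(pairs, key=lambda pair: pair[0])


def actions_fired(actions, noncompliant_since, today):
    """Actions whose grace period has elapsed by `today` (device still noncompliant)."""
    return [a for fire_date, a in timeline(actions, noncompliant_since) if fire_date <= today]


def actions_pending(actions, noncompliant_since, today):
    """Actions that will still run if the device stays noncompliant."""
    return [a for fire_date, a in timeline(actions, noncompliant_since) if fire_date > today]


if __name__ == "__main__":
    since = date(2023, 1, 1)   # constructed: the day the device was marked noncompliant
    for fire_date, action in timeline(SAMPLE_POLICY, since):
        print(fire_date, action.kind, action.detail)
```

Running the block prints the schedule for a device marked noncompliant on the constructed date; `actions_fired` and `actions_pending` answer the question an administrator asks when reviewing a device that has been noncompliant for a while: which notifications has the user already received, and how long until the retirement-candidate action runs.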
While compliance policy can mark a device as noncompliant, you’ll also need a plan for
how to remediate noncompliant devices. This could include admins using noncompliant
device status to request updates or configurations be made to a device. To provide
general guidance to device users, you can configure the send email to end user action
for noncompliance to include useful tips or contacts for resolving a device compliance
issue.
Devices that receive compliance policies are evaluated against the compliance policy
configurations with results returned to Intune for possible actions. Some compliance
configurations like password requirements result in enforcement on the device, even
when device configurations are more lenient.
When a device receives conflicting configurations for a setting from different or similar
policy types, conflicts can occur. To help prepare for this scenario, see Compliance and
device configuration policies that conflict.
Review the platform specific policies in the Microsoft Intune admin center to identify
which compliance settings are available for each platform and more details about their
use. To configure policies, see Create a compliance policy.
We recommend using the following settings in your minimal device compliance policies:
| Minimal device compliance categories and examples | Information |
|---|---|
| Antivirus, Antispyware, and Antimalware. Windows: Evaluate devices for solutions that register with Windows Security Center. Other platforms: | Active solutions for Antivirus, Antispyware, and Antimalware are important. Windows compliance policy can assess the state of these solutions when they're active and registered with Windows Security Center on a device. |
| Operating System versions. All devices: Minimum OS; Minor and Major build versions; OS patch levels | Use available settings that define a minimum allowed OS version or build and important patch levels to ensure device operating systems are current and secure. Linux supports an option to define the Linux distribution type, like Ubuntu. |
| Password configurations. All devices: Enforce settings that lock the | Use compliance to evaluate devices for password structure and length, and to identify devices that lack passwords or use simple passwords. These settings can help protect access to the device. |
| Applications. Android Enterprise: Block apps from unknown sources. iOS/iPadOS: Restricted apps. macOS: Firewall settings. Windows: Firewall settings | Configure requirements for various applications. For Android, manage the use and operation of applications like Google Play, SafetyNet, and evaluation of the Company Portal app runtime integrity. |
| Enhanced device compliance categories and examples | Information |
|---|---|
| Encryption. Android Enterprise: Require encryption of data storage. Android AOSP: Require encryption of data storage. macOS: Require encryption of data storage. Linux: Require encryption of data storage. Windows: Require encryption of data storage; BitLocker | Add compliance settings that require the encryption of data storage. Windows also supports requiring use of BitLocker. |
| Android Enterprise: Password expiration and reuse. iOS/iPadOS: Password expiration and reuse. macOS: Password expiration and reuse. Windows: Password expiration and reuse | |
| System level file and boot protection. Android AOSP: Rooted devices. Android Enterprise: Rooted devices. iOS/iPadOS: Jailbroken devices. macOS: Require system integrity protection. Windows: Require code integrity; Trusted Platform Module (TPM) | Configure the platform-specific options that evaluate devices for system-level or kernel-level risks. |
✔️Use compliance data with Conditional Access to gate access to your organization’s resources
Integrate device compliance status with Conditional Access to help gate which devices
are allowed to access email, other cloud services, or on-premises resources.
When integrated, Intune supports use of MTD solutions with enrolled devices, and when
supported by the MTD solution, unenrolled devices by using Microsoft Intune protected
apps and app protection policies.
Be sure to use an MTD partner that is supported by Intune and that supports the
capabilities your organization needs on the full range of platforms you use.
For example, Microsoft Defender for Endpoint is a Mobile Threat Defense solution you
might already use that can be used with the Android, iOS/iPadOS, and Windows
platforms. Other solutions typically support Android and iOS/iPadOS. See Mobile Threat
Defense partners to view the list of supported MTD partners.
To learn more about using Mobile Threat Defense software with Intune, start with
Mobile Threat Defense integration with Intune.
In some environments, Intune might serve as the only MDM authority you need to use,
as by default, Intune is a registered compliance partner for the Android, iOS/iPadOS, and
Windows platforms. Other platforms require other compliance partners to serve as a
device's MDM authority, like use of Jamf Pro for macOS devices.
If you’ll use a third-party device compliance partner in your environment, ensure they're
supported with Intune. To add support, you’ll need to configure a connection for the
partner from within the Microsoft Intune admin center, and follow that partner's
documentation to complete the integration.
For more information on this subject, see Support third-party device compliance
partners in Intune.
Custom settings give you the flexibility to base compliance on the settings that are
available on a device without having to wait for Intune to add these settings.
To use custom compliance, you must configure a .JSON file that defines values on the
device to use for compliance, and a discovery script that runs on the device to evaluate
the settings from the JSON.
To learn more about prerequisites, supported platforms, and the JSON and script
configurations required for custom compliance, see [Use custom compliance policies and settings for Linux and Windows devices with Microsoft Intune](../protect/compliance-use-custom-settings.md).
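To make the JSON-plus-script flow above concrete, here is an added Python model (not Intune's implementation and not code from the linked article) of how a rules file and a discovery script's output combine into a compliance verdict. The rule file layout (`Rules`, `SettingName`, `Operator`, `DataType`, `Operand`) follows the structure Microsoft documents for custom compliance, but the sample rules, the constructed discovery output, and the `evaluate` function are assumptions made for this illustration; check the linked article for the exact field names and the supported operators and data types.

```python
"""Custom compliance: rules file + discovery output -> verdict.

Added illustration, not Intune's implementation. The rule file layout follows
the structure Microsoft documents for custom compliance (Rules, SettingName,
Operator, DataType, Operand); the rules, the discovery output and the
evaluator below are constructed assumptions for this example.
"""
import json
from datetime import datetime

# Constructed sample rules file, as an admin would upload it to the policy.
RULES_JSON = """
{
  "Rules": [
    {"SettingName": "BiosVersion",    "Operator": "GreaterEquals", "DataType": "Version", "Operand": "2.3"},
    {"SettingName": "DiskEncrypted",  "Operator": "IsEquals",      "DataType": "Boolean", "Operand": true},
    {"SettingName": "DaysSincePatch", "Operator": "LessEquals",    "DataType": "Int64",   "Operand": 30},
    {"SettingName": "Distro",         "Operator": "IsEquals",      "DataType": "String",  "Operand": "Ubuntu"}
  ]
}
"""

# Constructed sample of the compact JSON a discovery script prints on the device.
DISCOVERY_JSON = '{"BiosVersion":"2.10","DiskEncrypted":true,"DaysSincePatch":45,"Distro":"Ubuntu"}'

OPERATORS = {
    "IsEquals": lambda actual, expected: actual == expected,
    "NotEquals": lambda actual, expected: actual != expected,
    "GreaterThan": lambda actual, expected: actual > expected,
    "GreaterEquals": lambda actual, expected: actual >= expected,
    "LessThan": lambda actual, expected: actual < expected,
    "LessEquals": lambda actual, expected: actual <= expected,
}


def coerce(value, data_type):
    """Convert a discovered or operand value to the rule's declared type."""
    if data_type == "Version":
        # Numeric per-component compare: "2.10" >= "2.3" as a version, not as text.
        return tuple(int(part) for part in str(value).split("."))
    if data_type == "Boolean":
        return value.strip().lower() == "true" if isinstance(value, str) else bool(value)
    if data_type == "Int64":
        return int(value)
    if data_type == "Double":
        return float(value)
    if data_type == "DateTime":
        return datetime.fromisoformat(str(value))
    return str(value)  # String


def evaluate(rules_json, discovery_json):
    """Return {SettingName: passed}. A setting the script did not report,
    an unknown operator, or an unparsable value all fail closed."""
    rules = json.loads(rules_json)["Rules"]
    discovered = json.loads(discovery_json)
    results = {}
    for rule in rules:
        name = rule["SettingName"]
        if name not in discovered:
            results[name] = False
            continue
        try:
            actual = coerce(discovered[name], rule["DataType"])
            expected = coerce(rule["Operand"], rule["DataType"])
            results[name] = bool(OPERATORS[rule["Operator"]](actual, expected))
        except (ValueError, KeyError, TypeError):
            results[name] = False
    return results


def is_compliant(results):
    """The device is compliant only when every rule passes."""
    return all(results.values())


if __name__ == "__main__":
    verdicts = evaluate(RULES_JSON, DISCOVERY_JSON)
    for setting, passed in verdicts.items():
        print(f"{setting}: {'pass' if passed else 'FAIL'}")
    print("compliant:", is_compliant(verdicts))
```

Two details are worth noticing. Declaring the BIOS rule as `Version` rather than `String` matters: compared as text, "2.10" sorts before "2.3" and the check would fail on a newer firmware. And a setting the discovery script never reports is treated as noncompliant rather than ignored, so a script that silently stops emitting a key surfaces as a failed check instead of a quiet pass.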
Conditional Access also works with the following to help you keep devices secure:
Runtime defenses
When you integrate Intune with a Mobile Threat Defense partner, you can use that partner's device threat level evaluation as criteria in your compliance policies. When you've integrated Microsoft Defender for Endpoint with Intune, you can use the risk score from Defender as a compliance check.
Android Enterprise:
- Require the device to be at or under the Device Threat Level
- Require the device to be at or under the machine risk score
iOS/iPadOS:
Windows:
So far, you've set up your Intune subscription, created app protection policies, and
created device compliance policies.
In this step, you're ready to configure a minimum or baseline set of security and device
features that all devices must have.
Android
iOS/iPadOS
macOS
Windows
When you create device configuration profiles, there are different levels and types of
policies available. These levels are the minimum Microsoft recommended policies. Know
that your environment and business needs may be different.
This article lists the different levels of device configuration policies that organizations
should use. Most of these policies in this article focus on access to organization
resources and security.
These features are configured in device configuration profiles in the Microsoft Intune
admin center. When the profiles are ready, they can be deployed from Intune to your
devices.
Tip
This section lists the Intune and Microsoft services you can use to create these security
policies.
If you prefer a more granular list of settings and their recommended values, go to:
All devices should have antivirus software installed and be regularly scanned for
malware. Intune integrates with third party partner mobile threat defense (MTD) services
that provide AV and threat scanning. For macOS and Windows, antivirus and scanning
are built in to Intune with Microsoft Defender for Endpoint.
| Platform | Policy type |
|---|---|
| Android Enterprise | Microsoft Defender for Endpoint for Android can scan for malware |
| macOS | Intune Endpoint Security antivirus profile (Microsoft Defender for Endpoint) |

Android Enterprise:
- Mobile threat defense integration
- Microsoft Defender for Endpoint overview
iOS/iPadOS:
- Mobile threat defense integration
macOS:
- Antivirus policy
Windows:
- Antivirus policy
- Security baselines

Android Enterprise:
- Mobile threat defense integration with Intune
- Microsoft Defender for Endpoint overview
iOS/iPadOS:
- Mobile threat defense integration with Intune
- Microsoft Defender for Endpoint overview
Windows:
- Security baselines
- Endpoint detection and response policy
Firewall
✔️Enable the firewall on all devices
Some platforms come with a built-in firewall and on others, you may have to install a
firewall separately. Intune integrates with third party partner mobile threat defense
(MTD) services that can manage a firewall for Android and iOS/iPadOS devices. For
macOS and Windows, firewall security is built in to Intune with Microsoft Defender for
Endpoint.
| Platform | Policy type |
|---|---|
| macOS | Intune Endpoint Security firewall profile (Microsoft Defender for Endpoint) |
Password policy
✔️Create a strong password/PIN policy and block simple passcodes
PINs unlock devices. On devices that access organization data, including personally
owned devices, you should require strong PINs/passcodes and support biometrics to
unlock devices. Using biometrics is part of a password-less approach, which is
recommended.
Intune uses device restrictions profiles to create and configure password requirements.
- Device password
Software updates
✔️Regularly install software updates
All devices should be updated regularly and policies should be created to make sure
these updates are successfully installed. For most platforms, Intune has dedicated
policies that focus on managing and installing updates.
| Platform | Policy type |
|---|---|
| Android Enterprise organization owned devices | System update settings using Intune device restrictions profile. Can use compliance policies to set a minimum patch level, min/max OS version, and more. |
For more information on these features and/or the settings you can configure, go to:
The profile includes the email configuration settings that connect to your email server.
Depending on the settings you configure, the email profile can also automatically
connect the users to their individual email account settings.
The email device configuration profile includes settings that connect to your Exchange.
Intune has built in email settings for Android, iOS/iPadOS, and Windows client devices.
When users open their email app, they can automatically connect, authenticate, and
synchronize their organizational email accounts on their devices.
✔️Deploy anytime
On new devices, it's recommended to deploy the email app during the enrollment
process. When enrollment completes, then deploy the email device configuration policy.
If you have existing devices, then deploy the email app at any time, and deploy the
email device configuration policy.
To get started:
1. Deploy an email app to your devices. For some guidance, go to Add email settings
to devices using Intune.
2. Create an email device configuration profile in Intune. Depending on the email app
your organization uses, the email device configuration profile might not be
needed.
For some guidance, go to Add email settings to devices using Intune.
3. In the email device configuration profile, configure the settings for your platform:
4. Assign the email device configuration profile to your users or user groups.
VPN
Many organizations deploy VPN profiles with preconfigured settings to user devices.
The VPN connects your devices to your internal organization network.
If your organization uses cloud services with modern authentication and secure
identities, then you probably don't need a VPN profile. Cloud-native services don't
require a VPN connection.
Creating a VPN profile is a common minimum baseline policy for organizations with
remote workers and hybrid workers.
As users work from anywhere, they can use the VPN profile to securely connect to your
organization's network to access resources.
Intune has built in VPN settings for Android, iOS/iPadOS, macOS, and Windows client
devices. On user devices, your VPN connection is shown as an available connection.
Users select it. And, depending on the settings in your VPN profile, users can
automatically authenticate and connect to the VPN on their devices.
The VPN device configuration profile includes settings that connect to your VPN server.
✔️Deploy anytime
On new devices, it's recommended to deploy the VPN app during the enrollment
process. When enrollment completes, then deploy the VPN device configuration policy.
If you have existing devices, deploy the VPN app at any time, and then deploy the VPN
device configuration policy.
3. In the VPN device configuration profile, configure the settings for your platform:
4. Assign the VPN device configuration profile to your users or user groups.
Wi-Fi
Many organizations deploy Wi-Fi profiles with preconfigured settings to user devices. If
your organization has a remote-only workforce, then you don't need to deploy Wi-Fi
connection profiles. Wi-Fi profiles are optional and are used for on-premises
connectivity.
✔️Connect wirelessly
As users work from different mobile devices, they can use the Wi-Fi profile to wirelessly
and securely connect to your organization's network.
The profile includes the Wi-Fi configuration settings that automatically connect to your
network and/or SSID (service set identifier). Users don't have to manually configure their
Wi-Fi settings.
Intune has built in Wi-Fi settings for Android, iOS/iPadOS, macOS, and Windows client
devices. On user devices, your Wi-Fi connection is shown as an available connection.
Users select it. And, depending on the settings in your Wi-Fi profile, users can
automatically authenticate and connect to the Wi-Fi on their devices.
✔️Deploy anytime
On new devices, it's recommended to deploy the Wi-Fi device configuration policy when
devices enroll in Intune.
If you have existing devices, you can deploy the Wi-Fi device configuration policy at any
time.
3. Assign the Wi-Fi device configuration profile to your users or user groups.
Enable disk encryption, secure boot, and TPM on your devices. These features
combined with a strong PIN policy or biometric unlocking are recommended at
this level.
Android
On Android devices, disk encryption and Samsung Knox might be built into
the operating system. Disk encryption might be automatically enabled when
you configure the lock screen settings. In Intune, you can create a device
restrictions policy that configures lock screen settings.
For a list of the password and lock screen settings you can configure, go to
the following articles:
Organization owned devices - Device password
Organization owned devices - Work profile password
Personally owned devices - Work profile password
Personally owned devices - Device password
Expire passwords and regulate reusing old passwords. In Level 1, you created a
strong PIN or password policy. If you haven't already, be sure you configure your
PINs & passwords to expire and set some password-reuse rules.
You can use Intune to create a device restrictions policy or a settings catalog policy
that configures these settings. For more information on the password settings you
can configure, go to the following articles:
Android
On Android devices, you can use device restrictions policies to set password
rules:
Organization owned devices - Device password settings
Organization owned devices - Work profile password settings
Personally owned devices - Work profile password settings
Personally owned devices - Device password settings
Intune includes hundreds of settings that can manage device features and
settings, like disabling the built-in camera, controlling notifications, allowing
Bluetooth, blocking games, and more.
You can use the built-in templates or the settings catalog to see and configure the
settings.
Device restrictions templates have many built-in settings that can control
different parts of the devices, including security, hardware, data sharing, and
more.
Use the Settings catalog to see and configure all the available settings. You can
use the settings catalog on the following platforms:
iOS/iPadOS
macOS
Windows
If you use on-premises GPOs and want to know if these same settings are
available in Intune, then use Group Policy analytics. This feature analyzes your
GPOs and depending on the analysis, can import them into an Intune settings
catalog policy.
For more information, go to Analyze your on-premises GPOs and import them in
Intune.
Configure single sign-on (SSO) for a more seamless experience when users
open business apps, like Microsoft 365 apps. Users sign-in once and then are
automatically signed-in to all the apps that support your SSO configuration.
Set up Microsoft Tunnel for your Android and iOS/iPadOS devices. Microsoft
Tunnel uses Linux to allow these devices access to on-premises resources using
modern authentication and Conditional Access.
Microsoft Tunnel uses Intune, Azure AD, and Active Directory Federation
Services (AD FS). For more information, go to Microsoft Tunnel for Microsoft
Intune.
Use Android Common Criteria mode on Android devices that are used by highly
sensitive organizations, like government establishments.
Android
Android Enterprise:
Use and manage Android Enterprise devices with OEMConfig
Dedicated devices that run as a kiosk device settings
In the final phase of deployment, devices are registered or joined in Azure Active
Directory (Azure AD), enrolled in Microsoft Intune, and checked for compliance.
Getting started
If this is your first time deploying enrollment profiles with Intune, or you're trying a new
configuration, start small and use a staged approach. Assign the enrollment profile to a
pilot or test group. After initial testing, add more users to the pilot group. If everything
is going well, assign the enrollment profile to more pilot groups. For more information
and suggestions, see the Planning guide: Step 5 - Create a rollout plan.
Registration in Azure AD is a required step for Intune management. Before a device can
enroll in Intune, the user of the device must authenticate and establish a device identity
in your org's Azure AD. This step grants the user single sign-on access to cloud-based
work apps and other resources. It's important to know which identity option you're
utilizing because it determines the enrollment methods you can use, and also
determines the sign-in experience for the device user. Identity options include:
Azure AD registration is the device identity option available for personal and
corporate-owned mobile devices. Users on these devices authenticate by signing
in to work resources, like apps and web browsers, using their Azure AD work
account.
Azure AD joined is the device identity option available for corporate-owned
Windows 10/11 devices utilizing co-management options. Users on these devices
authenticate by signing in to the device using their Azure AD work account.
Pre-enrollment configurations
Prepare devices for enrollment by configuring enrollment features, such as enrollment
restrictions, device categorization, and device enrollment managers. These
configurations help improve and simplify the enrollment experience for you and device
users, and help you stay organized in the admin center. Configure them before you
create the enrollment profile.
iOS/iPadOS Yes
Linux No
macOS Yes
Windows No
Devices that don't require a reset begin installing Intune profiles as soon as they enroll.
Previously configured settings may remain on devices if you don't change them in
Intune prior to enrollment.
For more information and limitations, see Add device enrollment managers.
Enrollment restrictions aren't available for Linux and some Windows enrollment
scenarios. When you're setting up restrictions for Android Enterprise personal devices,
we recommend leveraging our Android security configuration framework. It includes the
device restrictions needed for basic security (level 1), which is the minimum security
configuration we recommend having on personal devices, and high security (level 3),
which is for devices used by specific users or groups who are uniquely high risk.
If you're looking for more control, including where the terms appear, consider
configuring Azure Active Directory (Azure AD) terms of use. Azure AD terms are shown to
users when they sign in to targeted apps and resources and offer more granular settings
than Intune terms and conditions.
For more information, see Terms and conditions for user access.
For more information, see Require multifactor authentication for Intune device
enrollments.
This feature is available for all platforms except Linux. For more information, see
Categorize devices into groups.
Prerequisites
Connect Intune to your managed Google Play account. The connection is required for all
Android Enterprise management options, including:
Corporate owned
Dedicated device: Enroll corporate-owned, single use or kiosk devices used for
things like digital signage, ticket printing, or inventory management. With this
method, you can limit the apps and web links available on the device, and
prevent people from using the device outside of the intended scope. This
method aligns with the Android Enterprise dedicated devices management
solution.
Corporate-owned, userless devices: Enroll devices that are built from the
Android Open Source Project (AOSP) and don't have Google Mobile Services as
corporate-owned, userless devices. These devices don't have a user associated
with them and are intended to be shared, like in a library or lab.
Corporate-owned, user-associated devices: Enroll devices that are built from
AOSP and don't have Google Mobile Services as corporate-owned, user-associated
devices. These devices are associated with a single user and are intended to be
used exclusively for work.
Prerequisites
Complete the following prerequisites before you create the enrollment profile for Apple
devices:
Upload an Apple MDM push certificate to Intune. For more information, see Get
MDM push certificate.
Get an Apple enrollment program token if you plan to enroll devices via Apple
automated device enrollment. For more information, see:
Get Apple enrollment program token for iOS/iPadOS
Get Apple enrollment program token for macOS
Corporate owned
Apple Configurator for iOS/iPadOS and for Mac devices: Manually enroll new
or existing corporate-owned devices via Apple Configurator. This option is
ideal for bulk enrollments, when you don't have access to Apple School
Manager or Apple Business Manager, or when you require a wired network
connection. You must have physical access to the devices because you have to
connect to and configure the devices on a Mac. There are two different paths you
can take:
Setup Assistant enrollment: This method wipes the device and prepares it
for enrollment in Apple Configurator. When users turn on their devices,
Setup Assistant begins, and then devices enroll in Intune. You must have
access to the device serial numbers, because you need to input them into
the admin center.
Direct enrollment: This method lets you enroll the device prior to
distribution, and doesn't wipe the device. Devices enrolled this way aren't
associated with a user so we recommend this option for shared or kiosk
devices. The instructions are different for macOS and iOS devices, so be
sure to use the correct how-to documentation for devices.
As an Intune admin, you don't need to do anything to enable Linux enrollment in the
admin center. It's automatically enabled. When users enroll their Linux devices, you'll see
them in the admin center. For more information, see Enroll Linux desktop devices in
Microsoft Intune.
Automatic enrollment
Resources
Additional enrollment guides are available throughout the Microsoft Intune
documentation. These guides include visual comparisons, how-to steps, tips, and
enrollment best practices for each supported platform.
Next steps
1. Set up Microsoft Intune
2. Add, configure, and protect apps
3. Plan for compliance policies
4. Create device configuration profiles
5. 🡺 Enroll devices (You are here)
Sign up or sign in to Microsoft Intune
Article • 06/20/2023
This article tells system administrators how you can sign up for an Intune account.
Before you sign up for Intune, determine whether you already have a Microsoft Online
Services account, Enterprise Agreement, or equivalent volume licensing agreement. A
Microsoft volume licensing agreement or other Microsoft cloud services subscription
like Microsoft 365 usually includes a work or school account.
If you already have a work or school account, sign in with that account and add Intune
to your subscription. Otherwise, you can sign up for a new account to use Intune for
your organization.
Warning
You can't combine an existing work or school account after you sign up for a new
account.
After completing the sign up process, you're directed to the Microsoft 365 admin center
to add users and assign them licenses. If you only have cloud-based accounts using your
default onmicrosoft.com domain name, then you can go ahead and add users and
assign licenses at this point. However, if you plan to use your organization's custom
domain name or synchronize user account information from on-premises Active
Directory, then you can close that browser window.
By default, your account must have one of the following permissions in Azure AD:
Global Administrator
Intune Service Administrator (also known as Intune Administrator)
To grant access to administer the service for users with other permissions, see Role
Based Access Control.
See also
You can't sign in to Microsoft 365, Azure, or Intune
Configure a custom domain name
Article • 03/02/2023
This topic tells administrators how you can create a DNS CNAME to simplify and
customize your logon experience using Microsoft Intune.
When your organization signs up for a Microsoft cloud-based service like Intune, you're
given an initial domain name hosted in Azure Active Directory (Azure AD) that looks like
your-domain.onmicrosoft.com. In this example, your-domain is the domain name that you
chose when you signed up. onmicrosoft.com is the suffix assigned to the accounts you
add to your subscription. You can configure your organization's custom domain to
access Intune instead of the domain name provided with your subscription.
Before you create user accounts or synchronize your on-premises Active Directory, we
strongly recommend that you decide whether to use only the .onmicrosoft.com domain
or to add one or more of your custom domain names. Set up a custom domain before
adding users to simplify user management. Setting up a custom domain lets users
sign in with the credentials they use to access other domain resources.
When you subscribe to a cloud-based service from Microsoft, your instance of that
service becomes a Microsoft Azure AD tenant, which provides identity and directory
services for your cloud-based service. And, because the tasks to configure Intune to use
your organization's custom domain name are the same as for other Azure AD tenants,
you can use the information and procedures found in Add your domain.
Tip
To learn more about custom domains, see Conceptual overview of custom domain
names in Azure Active Directory.
You cannot rename or remove the initial onmicrosoft.com domain name. You can add,
verify, or remove custom domain names used with Intune to keep your business identity
clear.
4. The Verify domain dialog box opens giving you the values to create the TXT
record in your DNS hosting provider.
5. You may need to create additional DNS records for Intune enrollments. For more
information, see Enable auto-discovery of Intune enrollment server.
The steps to add and verify a custom domain can also be performed in Azure Active
Directory.
You can learn more about your initial onmicrosoft.com domain in Microsoft 365.
Add users and grant administrative
permission to Intune
Article • 03/29/2023
As an administrator, you can add users directly or synchronize users from your on-
premises Active Directory. Once added, users can enroll devices and access company
resources. You can also give users additional permissions including global administrator
and service administrator permissions.
First name
Last name
Display name
User name - User principal name (UPN) stored in Azure Active Directory and
used to access the service.
Password - Autogenerate or create.
4. Choose Next.
5. On the Assign product licenses page, select a Location and then choose a license
for this user. A license including Intune is required.
6. Choose Next.
7. On the Optional settings page, you can
Assign the new user additional roles (by default the new user is given the
User role).
Provide profile information.
8. Choose Next.
9. On the Review and finish page, select Finish adding to add the user. Choose Close
to close the Add a user page.
Note
If you're moving to Microsoft 365 from an Office 365 subscription, your users and
groups are already in Azure AD. Intune uses the same Azure AD, and can use the
existing users and groups.
User name - The new name that the user will use to sign in to Azure Active
Directory.
Name - The user's given name.
First name - The user's first name.
Last name - The user's last name.
3. Choose whether you want to create the password for the new user or have it
autogenerated.
4. To assign the new user to groups (optional), choose 0 groups selected to open the
Groups pane. Here you can select the groups you want to assign to the user. When
finished selecting groups, choose Select.
5. By default, the new user is assigned the role of User. If you want to add roles to
the user, select User under Groups and roles. In the Directory roles pane, select
the roles you want to assign to the user and then choose Select.
6. If you want to block the user from signing in, you can select Yes for Block sign in.
Make sure to switch this back to No when you're ready to let the user sign in.
7. Choose a Usage location for the new user. Usage location is required before you
can assign the new user an Intune license.
8. Optionally, you can provide information for the Job title, Department, Company
name, and Manager fields.
9. Select Create to add the new user to Intune.
Grant admin permissions
After you've added users to your Intune subscription, we recommend that you grant a
few users administrative permission. To grant admin permissions, follow these steps:
Types of administrators
Assign users one or more administrator permissions. These permissions define the
administrative scope for users and the tasks they can manage. Administrator
permissions are common between the different Microsoft cloud services, and some
services might not support some permissions. Both the Azure portal and Microsoft 365
admin center list limited administrator roles that aren't used by Intune. Intune
administrator permissions include the following options:
The account you use to create your Microsoft Intune subscription is a global
administrator. As a best practice, don't use a global administrator for day-to-day
management tasks. An administrator doesn't need an Intune license to access Intune in
the Azure portal, but certain management tasks, such as setting up the Exchange
Service Connector, do require an Intune license.
To access the Microsoft 365 admin center, your account must have a Sign-in allowed
set. In the Azure portal under Profile, set Block sign in to No to allow access. This status
is different from having a license to the subscription. By default, all user accounts are
Allowed. Users without administrator permissions can use the Microsoft 365 admin
center to reset Intune passwords.
Be sure your AD admins have access to your Azure AD subscription, and are trained to
complete common AD and Azure AD tasks.
You can also export Active Directory users using the UI or through script. An
internet search can help you find the best option for your organization.
To synchronize your user accounts with Azure AD, use the Azure AD Connect
wizard. The Azure AD Connect wizard provides a simplified and guided
experience for connecting your on-premises identity infrastructure to the cloud.
Choose your topology and needs (single or multiple directories, password hash
sync, pass-through authentication, or federation). The wizard deploys and
configures all components required to get your connection up and running,
including sync services, Active Directory Federation Services (AD FS), and the
Azure AD PowerShell module.
Tip
Intune uses Azure Active Directory (Azure AD) groups to manage devices and users. As
an Intune admin, you can set up groups to suit your organizational needs. Create groups
to organize users or devices by geographic location, department, or hardware
characteristics. Use groups to manage tasks at scale. For example, you can set policies
for many users or deploy apps to a set of devices.
Note
Default groups created from the Microsoft 365 admin center are not security
enabled. You must explicitly create security-enabled Microsoft 365 groups in the
Microsoft 365 admin center, the Azure AD admin center, or the Microsoft Intune
admin center.
For example, when a user is added with the manager title, the user is automatically
added to an All managers users group. Or, when a device has the iOS/iPadOS
device OS type, the device is automatically added to an All iOS/iPadOS devices
devices group.
Security: Security groups define who can access resources, and are
recommended for your groups in Intune. For example, you can create groups
for users, such as All Charlotte employees or Remote workers. Or, create
groups for devices, such as All iOS/iPadOS devices or All Windows 10
student devices.
Tip
The users and groups created can also be seen in the Microsoft 365
admin center, Azure Active Directory admin center, and Microsoft
Intune in the Azure portal. In your organization tenant, you can create
and manage groups in all these areas.
4. Enter a Group name and Group description for the new group. Be specific and
include information so others know what the group is for.
For example, enter All Windows 10 student devices for group name, and All
Windows 10 devices used by students in Contoso high school grades 9-12 for
group description.
5. Enter the Membership type. Your options:
Note
In this admin center, when you create users or groups, you might not see the
Azure Active Directory branding. But, that's what you're using.
6. Choose Create to add the new group. Your group is shown in the list.
Consider some of the other dynamic user and device groups you can create, such as:
Device groups
You can create device groups when you need to run administrative tasks based on the
device identity, not the user identity. They're useful for managing devices that don't
have dedicated users, such as kiosk devices, devices shared by shift workers, or devices
assigned to a specific location.
For example:
You can also use device categories to automatically join devices to groups when they
enroll.
The All devices group targets all devices that are enrolled into management. The All
users group is a simple way to target all users that are assigned an Intune license. These
groups are considered "virtual" because you don't create them or view them in Azure
Active Directory. They're convenient to use because they're already in your tenant, and
they're a faster targeting unit than Azure AD groups.
When assigning policies and applications to large groups, such as All users and All
devices, you may choose to use Filters, so that you can dynamically control which
devices the policy or app deployment should apply to.
Use filters when assigning your apps, policies, and profiles in Microsoft Intune
Performance recommendations for Grouping, Targeting and Filtering in large
Microsoft Intune environments
See also
Role-based access control (RBAC) with Microsoft Intune
Manage access to resources with Azure AD groups
Assign apps to groups with Microsoft Intune
Microsoft Intune licensing
Article • 05/25/2023
Microsoft Intune is available for different customer needs and organization sizes, from a
simple-to-use management experience for schools and small businesses, to more
advanced functionality required by enterprise customers. Most licenses that include
Microsoft Intune also grant the rights to use Microsoft Configuration Manager, as long
as the subscription remains active. An admin must have a license assigned to them to
administer Intune (unless you allow unlicensed admins).
Microsoft Intune
The following plans are available for Microsoft Intune. For more information about the
plans and pricing, see Discover Microsoft Intune Plans and Pricing.
Microsoft 365 E5
Microsoft 365 E3
Enterprise Mobility + Security E5
Enterprise Mobility + Security E3
Microsoft 365 Business Premium
Microsoft 365 F1
Microsoft 365 F3
Microsoft 365 Government G5
Microsoft 365 Government G3
Microsoft Intune for Education
Note
For additional licensing information about Intune for Education, see Microsoft 365
Education.
For information about trial and purchasing, see Use Intune Suite add-on capabilities.
Additional information
A Microsoft Intune user and device subscription is available as a standalone, in
addition to the bundles listed above.
A Microsoft Intune device-only subscription is available to manage kiosks,
dedicated devices, phone-room devices, IoT, and other single-use devices that
don't require user-based security and management features. For more information,
see Device-only licenses.
The appropriate Microsoft Intune license is required if a user or device benefits
directly or indirectly from the Microsoft Intune service, including access to the
Microsoft Intune service through a Microsoft API.
Intune isn't included in any license that isn't listed in the previous tables.
Unlicensed admins
For more information about giving administrators access to the Microsoft Intune admin
center without them having an Intune license, see Unlicensed admins.
Device-only licenses
Microsoft Intune offers a device-only subscription service that helps organizations
manage devices that aren't affiliated with specific users.
You can purchase device licenses based on your estimated usage. Microsoft Intune
device licenses are applicable when a device is enrolled through any of the following
methods:
Note
Visit the Microsoft Licensing page, or contact your account representative if you
have any questions or you would like to receive the latest information about
product editions, product licensing updates, volume licensing plans, and other
information related to your specific use cases.
Note
If you are unable to access this portal using the steps below, or if you don't have an
Intune license, you can sign up now for the Intune free trial. When setting up
Intune, you can give administrators access to the Microsoft Intune admin center
without requiring them to have an Intune license.
To confirm your Microsoft Intune license or trial, use the following steps:
Under the Tenant details tab, you will see the MDM authority, the Total licenses
users, and the Total Intune licenses.
3. Select Tenant administration > Roles > My permissions.
4. Confirm you are an administrator with full permissions to all Intune resources.
Note
For more in-depth information about Microsoft Intune, see the learning module:
Set up Microsoft Intune.
If you don't have a license for Azure AD Premium, see Sign up for Azure Active Directory
Premium editions.
Next steps
For the latest information about product editions, product licensing updates, volume
licensing plans, and other information related to your specific use cases, see the
Microsoft Licensing page.
For information about how user and device licenses affect access to services, as well as
how to assign a license to a user, see the Assign Intune licenses to your user accounts
article.
Assign licenses to users so they can
enroll devices in Intune
Article • 06/30/2023
Whether you manually add users or synchronize from your on-premises Active
Directory, you must first assign each user an Intune Plan 1 license before users can
enroll their devices in Intune. For a list of licenses, see Microsoft Intune licensing.
Note
Users who are assigned an Intune app protection policy but don't enroll their devices in
Microsoft Intune also require an Intune license to receive the policy.
1. In the Microsoft Intune admin center, select Users > All Users > choose a user >
Licenses > Assignments.
2. Choose the box for Intune > Save. If you want to use the Enterprise Mobility +
Security E5 or other license, choose that box instead.
3. The user account now has the permissions needed to use the service and enroll
devices into management.
When you assign an Intune for Education license, make sure that Intune A Direct license
is also assigned.
See this overview of School Data Sync to learn more about SDS.
If you purchased Intune through an Enterprise Agreement, you can find your
subscription information in the Volume License portal under Subscriptions.
If you purchased Intune through a Cloud Solution Provider, check with your
reseller.
If you purchased Intune with a CC# or Invoice, then your licenses will be user-based.
```powershell
$creds = Get-Credential
```
2. A pop-up window will prompt for credentials. Enter your Microsoft Intune
credentials.
```powershell
Get-MgSubscribedSku
```
A list of the Account ID, the Active Units, and the Consumed Units will appear. Note
that this will also display any Microsoft Office 365 licenses on the subscription.
Note
To confirm your Azure Active Directory Premium and Microsoft Intune licenses using the
Microsoft Intune admin center, see Confirm your licenses.
To selectively assign user licenses for EMS services, open PowerShell as an administrator
on a computer with the Azure Active Directory Module for Windows PowerShell
installed. You can install PowerShell on a local computer or on an ADFS server.
You must create a new license SKU definition that applies only to the desired service
plans. To do this, disable the plans you don't want to apply. For example, you might
create a license SKU definition that does not assign an Intune license. To see a list of
available services, type:
PowerShell
You can run the following command to exclude the Intune service plan. You can use the
same method to expand to an entire security group or you can use more granular filters.
Example 1
Create a new user on the command line and assign an EMS license without enabling the
Intune portion of the license:
```powershell
# Assigning licenses requires the User.ReadWrite.All delegated permission.
Connect-MgGraph -Scopes "User.ReadWrite.All"
```
Verify with:
```powershell
# Get-MgUser has no -UserPrincipalName parameter and returns no per-plan status;
# Get-MgUserLicenseDetail lists each service plan with its ProvisioningStatus.
(Get-MgUserLicenseDetail -UserId "user@<TenantName>.onmicrosoft.com").ServicePlans
```
Example 2
Disable the Intune portion of EMS license for a user that is already assigned with a
license:
```powershell
# Updating an existing assignment also requires User.ReadWrite.All.
Connect-MgGraph -Scopes "User.ReadWrite.All"
```
Verify with:
```powershell
# The Intune plan should now report ProvisioningStatus "Disabled".
(Get-MgUserLicenseDetail -UserId "user@<TenantName>.onmicrosoft.com").ServicePlans
```
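The license assignment that Example 1 and Example 2 describe, written out as an added example using the Microsoft Graph PowerShell SDK (this is not code from the Intune documentation). It assumes the EMS SKU part number "EMS", the Intune service plan name "INTUNE_A", and a placeholder UPN; it works both for a user who has no EMS license yet and for one already licensed, because it merges the Intune plan into whatever plans are already disabled instead of overwriting them.

```powershell
# Added example: assign (or update) an EMS license with the Intune service plan
# disabled, via Microsoft Graph PowerShell. Not from the Intune docs.
# Assumptions: SKU part number "EMS", plan name "INTUNE_A", placeholder UPN.

# License management needs these delegated permissions.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$upn         = "user@<TenantName>.onmicrosoft.com"   # placeholder UPN
$skuPartName = "EMS"        # assumption: Enterprise Mobility + Security E3 SKU
$planToSkip  = "INTUNE_A"   # assumption: service plan name of the Intune portion

# Resolve the SKU from the tenant's purchased licenses (the same list Get-MgSubscribedSku shows).
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq $skuPartName }
if (-not $sku) { throw "SKU '$skuPartName' is not present in this tenant." }

# Resolve the service plan ID to disable by name rather than hard-coding a GUID.
$planToDisable = $sku.ServicePlans | Where-Object { $_.ServicePlanName -eq $planToSkip }
if (-not $planToDisable) { throw "Plan '$planToSkip' not found in SKU '$skuPartName'." }

# A usage location must be set before any license can be assigned.
$user = Get-MgUser -UserId $upn -Property Id, UsageLocation, AssignedLicenses
if (-not $user.UsageLocation) { throw "Set a usage location for $upn before licensing." }

# Example 2 case: keep plans that are already disabled on this SKU so the update
# only adds the Intune plan to the disabled set instead of re-enabling the others.
$existing      = $user.AssignedLicenses | Where-Object { $_.SkuId -eq $sku.SkuId }
$disabledPlans = @()
if ($existing) { $disabledPlans += $existing.DisabledPlans }
$disabledPlans += $planToDisable.ServicePlanId
$disabledPlans  = @($disabledPlans | Select-Object -Unique)

# Graph assignLicense semantics: passing a SkuId the user already holds updates its
# DisabledPlans in place, so one call covers both the new and the existing assignment.
Set-MgUserLicense -UserId $upn -RemoveLicenses @() -AddLicenses @(
    @{ SkuId = $sku.SkuId; DisabledPlans = $disabledPlans }
) | Out-Null

# Verify: the Intune plan should report "Disabled"; the other EMS plans stay
# "Success" (or "PendingProvisioning" shortly after assignment).
(Get-MgUserLicenseDetail -UserId $upn |
    Where-Object { $_.SkuId -eq $sku.SkuId }).ServicePlans |
    Select-Object ServicePlanName, ProvisioningStatus |
    Sort-Object ServicePlanName
```

To apply the same exclusion to every member of a security group, feed the members' UPNs from Get-MgGroupMember into the assignment step in a loop.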
Unlicensed admins
Article • 02/22/2023
You can give administrators access to Microsoft Intune without them requiring an Intune
license. This feature applies to any administrator, including Intune administrators, global
administrators, Azure AD administrators, and so on. Other features or services, such as
those in Azure Active Directory (AD) Premium, may require a license for the
administrator.
The Unlicensed admins option has been enabled by default on all accounts created after
the 2006 release.
Allow access
1. Sign in to Microsoft Intune admin center > Tenant administration > Roles >
Administrator Licensing.
3. From now on, users who sign in to the Microsoft Intune admin center don’t require
an Intune license. Their scope of access is defined by the roles assigned to them.
Intune supports up to 350 unlicensed admins per security group, and only applies to
direct members. Admins above this limit will experience unpredictable behavior.
Next steps
Role-based access control (RBAC) with Microsoft Intune
The mobile device management (MDM) authority setting determines how you manage
your devices. As an IT admin, you must set an MDM authority before users can enroll
devices for management. You should also be assigned an Intune license to set the MDM
Authority.
Basic Mobility and Security for Microsoft 365 - After this configuration is
activated, the MDM authority is set to "Office 365". If you want to start using
Intune, you're required to purchase Intune licenses.
Basic Mobility and Security for Microsoft 365 coexistence - You can add Intune to
your tenant if you're already using Basic Mobility and Security for Microsoft 365.
You can set the management authority to either Intune or Basic Mobility and
Security for Microsoft 365 for each user to dictate which service is used to manage
their MDM-enrolled devices. Each user's management authority is defined based
on the license assigned to the user:
Basic Mobility and Security for Microsoft 365 manages the devices of users who
only have a license for Microsoft 365 Basic or Standard.
Intune manages the devices of users who have a license entitling them to use it.
If you add a license entitling Intune to a user previously managed by Basic
Mobility and Security for Microsoft 365, their devices are switched to Intune
management. To avoid losing Basic Mobility and Security for Microsoft 365
configuration on users' devices, make sure to assign Intune configurations to
users before switching them to Intune.
For tenants using the 1911 service release and later, if you activated Basic Mobility and
Security, follow the steps in this section.
For pre-1911 service release tenants, if you haven't yet set the MDM authority, follow
the steps in this section.
1. In the Microsoft Intune admin center, select the orange banner to open the
Mobile Device Management Authority setting. The orange banner is only
displayed if you haven't yet set the MDM authority.
2. Under Mobile Device Management Authority, choose your MDM authority from
the following options:
In each case, the consent is strictly related to running a mobile device management
service. For example, confirming that an IT Admin has authorized Google or Apple
devices to enroll. Documentation to address what information is shared when the new
workflows go live is available from the following locations:
Key Considerations
After you switch to the new MDM authority, there's some transition time (up to eight
hours) before the device checks in and synchronizes with the service. You're required to
configure settings in the new MDM authority to make sure that enrolled devices
continue to be managed and protected after the change.
Devices must connect with the service after the change so that the settings from
the new MDM authority (Intune standalone) replace the existing settings on the
device.
After you change the MDM authority, some of the basic settings (such as profiles)
from the previous MDM authority will remain on the device for up to seven days or
until the device connects to the service for the first time. You should configure
apps and settings (such as policies, profiles, and apps) in the new MDM authority
as soon as possible and deploy the setting to the user groups that contain users
who have existing enrolled devices. As soon as a device connects to the service
after the change in MDM authority, it will receive the new settings from the new
MDM authority and prevent gaps in management and protection.
Devices that don't have associated users (typically when you have iOS/iPadOS
Device Enrollment Program or bulk enrollment scenarios) aren't migrated to the
new MDM authority. For those devices, you need to call support for assistance to
move them to the new MDM authority.
Coexistence
By enabling coexistence, you can use Intune for a new set of users while continuing to
use Basic Mobility and Security for the existing users. You can control which devices are
managed by Intune through the user. Intune manages all the devices enrolled by a user,
if the user has an Intune license or uses Intune co-management with Configuration
Manager. Otherwise, the user is managed by Basic Mobility and Security.
1. Preparation
2. Add Intune MDM authority
3. User and Device migration (optional).
Preparation
Before enabling coexistence with Basic Mobility and Security, consider the following
points:
Make sure you have sufficient Intune licenses for the users you intend to manage
through Intune.
Review which users are assigned Intune licenses. After you enable coexistence, any
user already assigned an Intune license will have their devices switch to Intune. To
avoid unexpected device switches, we recommend not assigning any Intune
licenses until you've enabled coexistence.
Create and deploy Intune policies to replace device security policies that were
originally deployed through the Office 365 Security & Compliance portal. This
replacement should be done for any users you expect to move from Basic Mobility
and Security to Intune. If there are no Intune policies assigned to those users,
enabling coexistence may cause them to lose Basic Mobility and Security settings.
These settings are lost without replacement, like managed email profiles. Even
when replacing device security policies with Intune policies, users may be
prompted to re-authenticate their email profiles after the device is moved to
Intune management.
You can't unprovision Basic Mobility and Security after you've set it up. However,
there are steps you can take to turn off the policies. For more information, see Turn
off Basic Mobility and Security.
1. Sign in to the Microsoft Intune admin center with Azure AD Global or Intune
service administrator rights.
2. Navigate to Devices.
3. The Add MDM Authority blade displays.
4. To switch the MDM authority from Office 365 to Intune and enable coexistence,
select Intune MDM Authority > Add.
Devices that are powered on and online during or shortly after the change in MDM
authority experience a delay. The delay can last up to eight hours, depending on
the timing of the next scheduled regular check-in. During the delay, the devices
aren't registered with the service under the new MDM authority. After the delay,
the devices are fully registered and operational under the new MDM authority.
Important
Between the time when you change the MDM authority and when the
renewed APNs certificate is uploaded to the new authority, new device
enrollments and device check-in for iOS/iPadOS devices fail. Therefore, it's
important that you review and upload the APNs certificate to the new
authority as soon as possible after the change in MDM authority.
Users can quickly change to the new MDM authority by manually starting a check-
in from the device to the service. Users can easily make this change by using the
Company Portal app and starting a device compliance check.
To validate that things are working correctly after devices have checked in and
synchronized with the service following the change in MDM authority, look for the
devices in the new MDM authority.
There's an interim period when a device is offline during the change in MDM
authority and when that device checks in to the service. During the interim period,
it's important to protect and maintain the functionality of the device. To protect
and maintain the functionality of the device, the following profiles remain on the
device. These profiles stay on the device up to seven days or until the device
connects with the new MDM authority. Once the device connects and receives new
settings, the existing profiles are overwritten:
E-mail profile
VPN profile
Cert profile
Wi-Fi profile
Configuration profiles
After you change to the new MDM authority, the compliance data in the Microsoft
Intune admin center can take up to a week to accurately report. However, the
compliance states in Azure Active Directory and on the device are accurate so the
device is still protected.
Make sure the new settings intended to overwrite existing settings have the same
name as the previous ones to ensure that the old settings are overwritten.
Otherwise, the devices might end up with redundant profiles and policies.
Tip
After you change the MDM authority, perform the following steps to validate that
new devices are enrolled successfully to the new authority:
Enroll a new device
Make sure the newly enrolled device shows up in the new MDM authority.
Perform an action, such as Remote Lock, from the Microsoft Intune admin
center to the device. If it's successful, then the new MDM authority is managing
the device.
If you have issues with specific devices, you can unenroll and re-enroll the devices
to get them connected to the new authority and managed as quickly as possible.
Next steps
With the MDM authority set, you can start enrolling devices.
Use Access policies to require multiple
administrative approvals
Article • 08/28/2023
To help protect against a compromised administrative account, use Intune access policies
to require that a second administrative account is used to approve a change before the
change is applied. This capability is known as multiple administrative approval (MAA).
With MAA, you configure access policies that protect specific configurations, like Apps
or Scripts for devices. Access policies specify what is protected and which group of
accounts are permitted to approve changes to those resources.
When any account in the Tenant is used to make a change to a resource that’s protected
by an access policy, Intune won't apply the change until a different account explicitly
approves it. Only administrators who are members of an approval group that’s assigned
a protected resource in an access protection policy can approve changes. Approvers can
also reject change requests.
Apps – Applies to app deployments, but doesn't apply to app protection policies.
Scripts – Applies to deploying scripts to devices that run Windows.
To create an access policy, your account must be assigned the Intune Service
Administrator or Azure Global Administrator role.
To be an approver, an account must be in the group that’s assigned to the access policy
for a specific type of resource.
After a change is submitted, an approver navigates to the Received request page of the
Multi Admin Approval node. Here they’ll see a list of requests that are active, or
recently managed. This view provides some details about the request including when
and who submitted it, the type of operation involved like Create or Assign, and its status.
To manage the request:
The approver selects the Business justification link for the request. This action
opens the Access policy request pane where you can view more information about
the change, including the full details provided in the Business justification field of
the request.
On the Access policy request pane, the approver can enter notes in the Approver
notes field, and then select an option to Approve request or Reject request. These
notes are added to the request and are visible to the individual who requested the
change when they review their requests on the My request page. For example, if
the request is rejected, the reason for the rejection can be passed back to the
requestor through the Approver notes.
Individuals who submit a request and are also members of the approval group for
that resource can see their own requests on the Received request page. However,
they can't approve their own requests.
If a change is approved, Intune processes the requested change and updates the
object. While Intune processes the request, its status can display as Approved. After it’s
successfully processed, the status updates to Completed.
Each change of status remains visible for up to 30 days after the last change of status. If
a request isn’t processed further within 30 days, it becomes Expired, and must be
resubmitted.
2. On the Basics page, provide a Name and an optional Description, and for Profile type
select from the available options. Each policy supports a single profile type.
3. On the Approvers page, select Add groups and then select a group as the group of
approvers for this policy. More complex configurations that exclude groups aren't
supported.
4. On the Review + Create page, review, and then save your changes. After Intune
applies this policy, configurations for the protected profile type will require
multiple admin approvals.
Submit a request
To submit a request when MAA is enabled, use your normal process to create or edit a
resource.
On the final page before you can save your changes, add details to the Business
justification field and then submit the request. For urgent requests, consider reaching
out to a known list of approvers to ensure your request is seen in a timely manner.
When there's a request for the same object that is already pending approval, you won't
be able to submit your request. Intune displays a message to alert you to this situation.
To monitor the status of your requests, in the Microsoft Intune admin center go to
Tenant administration > Multi Admin Approval > My requests.
You can cancel a request before it’s approved by selecting it from the My requests page,
and then selecting Cancel request.
Approve requests
1. To find requests to approve, in the Microsoft Intune admin center go to Tenant
administration > Multi Admin Approval > Received requests.
2. Select the Business justification link for a request to open the review page where
you can learn more about the request, and manage approval or rejection.
3. After reviewing the details, enter relevant details in the Approver notes field, and
then select Approve request or Reject request.
4. After you approve a request, the requestor needs to select Complete. Intune then
processes the change and changes the status to Completed. Verify that the approval
succeeded (or failed) by reviewing the console notification upon completion.
To verify if the approval succeeded (or failed), look at the notifications in the Intune
admin center. A message shows if the approval succeeded or failed.
More considerations
Intune doesn't send notifications when new requests are created, or the status of
an existing request changes. We recommend that when submitting an urgent
change request, you reach out to individuals who have permission to approve
those requests.
Plan to monitor the status of your requests through the My requests page of the
Multi Admin Approval node in the Microsoft Intune admin center.
All actions for a protected resource are protected, including but not limited to:
Edit
Create
Modify
Delete
Assign
Actions for requests and the approval process are logged in the Intune audit logs.
For more information, see Audit logs for Intune activities.
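The MAA workflow described in this article, from submission through approval, completion, cancellation and the 30-day expiry, together with the audit trail the last point mentions, as an added Python model. It is not Intune's implementation; the approver group members, object ids, justifications and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

EXPIRY = timedelta(days=30)       # a request not processed further within 30 days expires
PROTECTED_ACTIONS = {"Create", "Edit", "Modify", "Delete", "Assign"}
T0 = datetime(2023, 9, 1)         # constructed reference time for the demo
DAY = timedelta(days=1)


@dataclass(frozen=True)
class AccessPolicy:
    """A protected profile type and the group whose members may approve changes to it."""
    profile_type: str             # "Apps" or "Scripts"
    approvers: frozenset          # constructed approval-group membership


@dataclass
class Request:
    request_id: int
    requester: str
    profile_type: str
    object_id: str
    operation: str
    justification: str
    last_change: datetime
    status: str = "Pending"       # Pending -> Approved -> Completed, or Rejected/Cancelled/Expired
    approver_notes: str = ""


class MaaTenant:
    """In-memory model of the MAA workflow; every transition is written to an audit log."""

    def __init__(self, policies: List[AccessPolicy]):
        self.policies: Dict[str, AccessPolicy] = {p.profile_type: p for p in policies}
        self.requests: List[Request] = []
        self.audit_log: List[str] = []

    def _log(self, actor: str, event: str, req: Request, when: datetime) -> None:
        self.audit_log.append(f"{when:%Y-%m-%d} {actor} {event} request {req.request_id} -> {req.status}")

    def _expire(self, now: datetime) -> None:
        """Nobody is notified: requests simply age out after 30 days without further processing."""
        for r in self.requests:
            if r.status in ("Pending", "Approved") and now - r.last_change > EXPIRY:
                r.status = "Expired"
                self._log("system", "expired", r, now)

    def submit(self, requester: str, profile_type: str, object_id: str, operation: str,
               justification: str, now: datetime) -> Request:
        if profile_type not in self.policies:
            raise ValueError(f"{profile_type} is not protected by an access policy")
        if operation not in PROTECTED_ACTIONS:
            raise ValueError(f"unknown operation {operation}")
        if not justification.strip():
            raise ValueError("Business justification is required")
        self._expire(now)
        # Only one pending request per object: a second submission is refused with a message.
        if any(r.object_id == object_id and r.status == "Pending" for r in self.requests):
            raise ValueError(f"a request for {object_id} is already pending approval")
        req = Request(len(self.requests) + 1, requester, profile_type, object_id,
                      operation, justification, now)
        self.requests.append(req)
        self._log(requester, "submitted", req, now)
        return req

    def decide(self, req: Request, approver: str, decision: str, notes: str, now: datetime) -> None:
        """Approve or reject: only a member of the policy's approval group, never the requester."""
        self._expire(now)
        if decision not in ("Approved", "Rejected"):
            raise ValueError("decision must be Approved or Rejected")
        if approver not in self.policies[req.profile_type].approvers:
            raise PermissionError(f"{approver} is not in the approval group for {req.profile_type}")
        if approver == req.requester:
            raise PermissionError("a requester cannot approve their own request")
        if req.status != "Pending":
            raise ValueError(f"request {req.request_id} is {req.status}, not Pending")
        req.status, req.approver_notes, req.last_change = decision, notes, now
        self._log(approver, decision.lower(), req, now)

    def cancel(self, req: Request, requester: str, now: datetime) -> None:
        if requester != req.requester or req.status != "Pending":
            raise ValueError("only the requester can cancel, and only while the request is Pending")
        req.status, req.last_change = "Cancelled", now
        self._log(requester, "cancelled", req, now)

    def complete(self, req: Request, requester: str, now: datetime) -> None:
        """The requester selects Complete on an Approved request; Intune then applies the change."""
        self._expire(now)
        if requester != req.requester or req.status != "Approved":
            raise ValueError("only the requester can complete, and only once Approved")
        req.status, req.last_change = "Completed", now
        self._log(requester, "completed", req, now)

    def received_requests(self, viewer: str) -> List[Request]:
        """Approvers see all requests for their profile type, including their own (not approvable)."""
        return [r for r in self.requests if viewer in self.policies[r.profile_type].approvers]
```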
Next steps
Manage role-based access control
Role-based access control (RBAC) with
Microsoft Intune
Article • 06/08/2023
Role-based access control (RBAC) helps you manage who has access to your
organization's resources and what they can do with those resources. By assigning roles
to your Intune users, you can limit what they can see and change. Each role has a set of
permissions that determine what users with that role can access and change within your
organization.
To create, edit, or assign roles, your account must have one of the following permissions
in Azure AD:
Global Administrator
Intune Service Administrator (also known as Intune Administrator)
Roles
A role defines the set of permissions granted to users assigned to that role.
You can use both the built-in and custom roles. Built-in roles cover some common Intune
scenarios. You can create your own custom roles with the exact set of permissions you need.
Several Azure Active Directory roles have permissions to Intune. To see a role in the
Intune admin center, go to Tenant administration > Roles > All roles > choose a role.
You can manage the role on the following pages:
Properties: The name, description, permissions, and scope tags for the role.
Assignments: A list of role assignments defining which users have access to which
users/devices. A role can have multiple assignments, and a user can be in multiple
assignments.
Note
Built-in roles
You can assign built-in roles to groups without further configuration. You can't delete or
edit the name, description, type, or permissions of a built-in role.
Custom roles
You can create your own roles with custom permissions. For more information about
custom roles, see Create a custom role.
Global Reader (This role is equivalent to the Intune Help Desk Operator role) | Read Only | Read Only
Tip
Intune also shows three Azure AD extensions: Users, Groups, and Conditional
Access, which are controlled using Azure AD RBAC. Additionally, the User Account
Administrator only performs AAD user/group activities and does not have full
permissions to perform all activities in Intune. For more information, see RBAC with
Azure AD.
Role assignments
A role assignment defines:
Note
Scope Tags are freeform text values that an administrator defines and then adds to
a Role Assignment. The scope tag added on a role controls visibility of the role
itself, while the scope tag added in role assignment limits the visibility of Intune
objects (such as policies and apps) or devices to only administrators in that role
assignment because the role assignment contains one or more matching scope
tags.
Assign permissions and scope tags only apply to the objects (like policies or apps)
in that role's assignment Scope (Groups). Assign permissions and scope tags don't
apply to objects in other role assignments unless the other assignment specifically
grants them.
Other permissions (such as Create, Read, Update, Delete) and scope tags apply to
all objects of the same type (like all policies or all apps) in any of the user's
assignments.
Permissions and scope tags for objects of different types (like policies or apps),
don't apply to each other. A Read permission for a policy, for example, doesn't
provide a Read permission to apps in the user's assignments.
If one of a user's role assignments has no scope tags and another assignment has
some, the user can only see devices that carry one of those scope tags; they will
not be able to see all devices.
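The visibility and permission rules listed above, as an added Python model (not Intune's own code) for checking a role design before it is deployed: scope tags decide what is visible, Assign is bound to the granting assignment's Scope (Groups), and permissions never cross object types. The admins, groups, tags and object names are constructed; the regional admin is assumed to hold a tagged policy assignment plus an untagged, read-only app assignment.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

Permission = Tuple[str, str]  # (object type, action), e.g. ("policies", "Read")


@dataclass(frozen=True)
class RoleAssignment:
    """One assignment of a role to an admin: the role's permissions, Scope (Groups), Scope (Tags)."""
    permissions: FrozenSet[Permission]
    scope_groups: FrozenSet[str]                # groups (or "All users"/"All devices") the admin may target
    scope_tags: FrozenSet[str] = frozenset()    # empty = this assignment restricts nothing by tag


@dataclass(frozen=True)
class IntuneObject:
    """A policy, app or device as RBAC sees it: its object type and its scope tags."""
    kind: str
    scope_tags: FrozenSet[str]
    name: str = ""


def effective_tags(assignments: Iterable[RoleAssignment]) -> Optional[FrozenSet[str]]:
    """Union of scope tags over all of the admin's assignments.

    Returns None when no assignment carries a tag: that admin is not filtered by
    tag at all (an admin with no scope tags "essentially has all scope tags").
    """
    tags = frozenset().union(*(a.scope_tags for a in assignments))
    return tags or None


def is_visible(assignments: Iterable[RoleAssignment], obj: IntuneObject) -> bool:
    """Once any assignment carries a tag, the admin sees only objects sharing one of
    the admin's tags, even if another assignment has no tags (the mixed case above)."""
    tags = effective_tags(tuple(assignments))
    return tags is None or bool(obj.scope_tags & tags)


def can(assignments: Iterable[RoleAssignment], action: str, obj: IntuneObject,
        target_group: Optional[str] = None) -> bool:
    """Does the admin hold `action` on `obj`?

    - Permissions are per object type: Read on policies says nothing about apps.
    - Create/Read/Update/Delete apply to every visible object of that type,
      whichever assignment grants them.
    - Assign is bound to the Scope (Groups) of the assignment that grants it,
      so the admin may only target groups listed in that assignment.
    """
    assignments = tuple(assignments)
    if not is_visible(assignments, obj):
        return False
    if action == "Assign":
        if target_group is None:
            raise ValueError("Assign needs a target group")
        return any((obj.kind, "Assign") in a.permissions and target_group in a.scope_groups
                   for a in assignments)
    return any((obj.kind, action) in a.permissions for a in assignments)


# Constructed scenario: a regional admin who manages Seattle policies and also
# has an untagged, read-only help-desk assignment for apps.
SEATTLE_POLICY_ADMIN = RoleAssignment(
    permissions=frozenset({("policies", "Read"), ("policies", "Update"), ("policies", "Assign")}),
    scope_groups=frozenset({"Seattle devices"}),
    scope_tags=frozenset({"Seattle"}),
)
APP_HELP_DESK = RoleAssignment(
    permissions=frozenset({("apps", "Read")}),
    scope_groups=frozenset({"All users"}),
)
REGIONAL_ADMIN = (SEATTLE_POLICY_ADMIN, APP_HELP_DESK)
UNTAGGED_ADMIN = (RoleAssignment(frozenset({("policies", "Read")}), frozenset({"All devices"})),)

SEATTLE_WIFI = IntuneObject("policies", frozenset({"Seattle"}), "Seattle Wi-Fi")
BASELINE = IntuneObject("policies", frozenset({"Default"}), "Baseline compliance")
SEATTLE_APP = IntuneObject("apps", frozenset({"Seattle"}), "Seattle LOB app")


if __name__ == "__main__":
    checks = [
        ("regional admin sees Seattle Wi-Fi", is_visible(REGIONAL_ADMIN, SEATTLE_WIFI)),
        ("regional admin sees Default-only baseline", is_visible(REGIONAL_ADMIN, BASELINE)),
        ("assign Wi-Fi to Seattle devices", can(REGIONAL_ADMIN, "Assign", SEATTLE_WIFI, "Seattle devices")),
        ("assign Wi-Fi to Portland devices", can(REGIONAL_ADMIN, "Assign", SEATTLE_WIFI, "Portland devices")),
        ("update Seattle app (policy rights do not cross types)", can(REGIONAL_ADMIN, "Update", SEATTLE_APP)),
        ("untagged admin sees baseline", is_visible(UNTAGGED_ADMIN, BASELINE)),
    ]
    for label, result in checks:
        print(f"{label}: {result}")
```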
Next steps
Assign a role to a user
Create a custom role
Assign a role to an Intune user
Article • 02/22/2023
To create, edit, or assign roles, your account must have one of the following permissions
in Azure AD:
Global Administrator
Intune Service Administrator
1. In the Microsoft Intune admin center, choose Tenant administration > Roles >
All roles.
2. On the Endpoint Manager roles - All roles blade, choose the built-in role you want
to assign > Assignments > + Assign.
4. On the Admin Groups page, select the group that contains the user you want to
give the permissions to. Choose Next.
5. On the Scope (Groups) page, choose a group containing the users/devices that
the member above will be allowed to manage. You also have the option to choose
all users and/or all devices. Choose Next.
Note
The All users and All devices are Intune virtual groups and not Azure Active
Directory (Azure AD) security groups. As a result, for Scope (Groups)
assignment purposes you cannot use them as parents of Azure AD security
groups. If you need both All users and All devices and specific Azure AD
security groups for Scope (Groups) assignments, you must add them
separately with separate assignments. Otherwise, even if the Scope (Groups)
assignment for a role is set to All Users the admin in this role won't have
access to specific Azure AD user groups.
6. On the Scope (Tags) page, choose tags where this role assignment will be applied.
Choose Next.
7. On the Review + Create page, when you're done, choose Create. The new
assignment is displayed in the list of assignments.
Note
When you create scope groups and assign a scope tag, you can only target
groups that are listed in the Scope (Groups) of your role assignment.
Next steps
Learn more about role-based access control in Intune
Create a custom role
Create a custom role in Intune
Article • 06/20/2023
You can create a custom Intune role that includes any permissions required for a specific
job function. For example, if an IT department group manages applications, policies, and
configuration profiles, you can add all those permissions together in one custom role.
After creating a custom role, you can assign it to any users that need those permissions.
To create, edit, or assign roles, your account must have one of the following permissions
in Azure AD:
Global Administrator
Intune Service Administrator
2. On the Basics page, enter a name and description for the new role, then choose
Next.
3. On the Permissions page, choose the permissions you want to use with this role.
4. On the Scope (Tags) page, choose the tags for this role. When this role is assigned
to a user, that user can access resources that also have these tags. Choose Next.
5. On the Review + create page, when you're done, choose Create. The new role is
displayed in the list on the Intune roles - All roles blade.
Copy a role
You can also copy an existing role.
1. In the Microsoft Intune admin center, choose Tenant administration > Roles >
All roles > select the checkbox for a role in the list > Duplicate.
2. On the Basics page, enter a name. Make sure to use a unique name.
3. All the permissions and scope tags from the original role will already be selected.
You can subsequently change the duplicate role's Name, Description, Permissions,
and Scope (Tags).
4. After you've made all the changes that you want, choose Next to get to the
Review + create page. Select Create.
Note
You can view and manage VPP apps with only the Mobile apps permission
assigned. Previously, the Managed apps permission was required to view and
manage VPP apps. This change does not apply to Intune for Education tenants who
still need to assign the Managed apps permission.
Permission | Description
Android FOTA/Delete | Delete and cancel pending Android firmware over-the-air (FOTA) deployments and delete deployment history.
Android FOTA/Create | Create and manage all aspects of Android firmware over-the-air (FOTA) deployments.
Android FOTA/Update | Change existing Android firmware over-the-air (FOTA) deployments and cancel firmware deployments.
Android for work/Read | View the Android for Work configuration used to sync applications with the Play for Work store or view the Android for Work enrollment prerequisites and enrollment profiles.
Android for work/Update app sync | Manage or change the Android for Work configuration used to sync applications with the Play for Work store, or sync the apps you've approved from the store with Intune.
Android for work/Update onboarding | Manage or change the Android for work configuration used to enroll Android for Work devices or manage the Android for Work enrollment profiles.
Audit data/Read | View all Intune audit data for this tenant.
Cloud attached devices\View collections | Displays the Collections page for Configuration Manager cloud attached devices
Cloud attached devices\View resource explorer | Displays the Resource explorer page for Configuration Manager cloud attached devices
Cloud attached devices\View timeline | Displays the Timeline page for Configuration Manager cloud attached devices
Cloud attached devices\View software updates | Displays the Software updates page for Configuration Manager cloud attached devices
Cloud attached devices\View scripts | Displays the Scripts page for Configuration Manager cloud attached devices
Cloud attached devices\Run script | Displays the Run script action and allows the user to run scripts on Configuration Manager cloud attached devices
Cloud attached devices\Run CMPivot query | Displays the CMPivot page for Configuration Manager cloud attached devices
Cloud attached devices\View client details | Displays the Client details page for Configuration Manager cloud attached devices
Cloud attached devices\View applications | Displays the Applications page for Configuration Manager cloud attached devices
Cloud attached devices\Take application actions | Displays application actions in the Applications page and allows the user to take application actions on Configuration Manager cloud attached devices
Corporate device identifiers/Create | Create new corporate device identifiers or import a CSV file containing a list of corporate device identifiers.
Corporate device identifiers/Delete | Delete IMEI or serial numbers used as corporate device identifiers.
Corporate device identifiers/Read | View the IMEI or serial numbers used as corporate device identifiers.
Corporate device identifiers/Update | Change IMEI or serial numbers used as corporate device identifiers.
Derived Credentials/Modify | Configure the Derived Credentials for your Microsoft Intune tenant.
Derived Credentials/Read | View the Derived Credentials for your Microsoft Intune tenant.
Device compliance policies/Assign | Assign device compliance policies to Azure AD security groups, and assign Exchange on-premises access to Azure AD security groups.
Device compliance policies/Read | View device compliance policies and the list of Exchange Active Sync Connectors, or view the settings for Exchange on-premises access.
Device compliance policies/Update | Change device compliance policies, Exchange ActiveSync connectors and Exchange on-premises access settings.
Device enrollment managers/Update | Create new device enrollment manager accounts, or delete device enrollment manager accounts.
Enrollment programs/Create device | Import Apple devices for the Device Enrollment Program, Apple School or Business Manager, Apple Configurator or Windows Autopilot devices.
Enrollment programs/Create profile | Create new profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Delete device | Delete Apple devices for the Device Enrollment Program, Apple School or Business Manager, Apple Configurator or Windows Autopilot devices.
Enrollment programs/Delete profile | Delete profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Read device | View Apple devices for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot devices.
Enrollment programs/Read profile | View profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Read token | View the Apple Device Enrollment Program or Apple School Manager token status.
Enrollment programs/Update profile | Manage profiles for the Device Enrollment Program, Apple School Manager, Apple Configurator, or Windows Autopilot.
Enrollment programs/Update token | Upload the Apple Device Enrollment or Apple School Manager token and sync Apple Device Enrollment Program or Apple School Manager devices.
Intune data warehouse/Read | View all data and reports from the data warehouse. Data can be used by Power BI or other reporting services.
Managed apps/Wipe | Create a wipe request to selectively remove company data from a protected app.
Managed devices/Set primary user | Choose, change, or remove the primary user of a managed device. This permission must be used in combination with the managed devices read and update permissions.
Managed Google Play/Modify | Modify the settings for synchronizing Managed Google Play apps with Microsoft Intune.
Managed Google Play/Read | Display the settings for synchronizing Managed Google Play apps with Microsoft Intune.
Microsoft Defender ATP/Read | View the connection between Microsoft Intune and Microsoft Defender ATP.
Microsoft Store For Business/Modify | Modify the settings for synchronizing Microsoft Store for Business apps with Microsoft Intune.
Microsoft Store For Business/Read | View the settings for synchronizing Microsoft Store for Business apps with Microsoft Intune.
Microsoft Tunnel Gateway/Create | Create Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Microsoft Tunnel Gateway/Delete | Delete Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Microsoft Tunnel Gateway/Read | View Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Microsoft Tunnel Gateway/Update | Update Microsoft Tunnel Gateway server configurations and sites. Server configurations include settings for IP address ranges, DNS servers, ports and split tunneling rules. Sites are logical groupings of multiple servers that support Microsoft Tunnel.
Mobile apps/Create | Add new mobile applications to Intune such as store apps, line-of-business apps, web-links or built-in apps. You can also add books purchased through the Apple Volume Purchase Program or add eBook categories. You can set up iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection.
Mobile apps/Delete | Delete mobile applications such as store apps, line-of-business apps, web-links or built-in apps. You can also delete books purchased through the Apple Volume Purchase Program or delete eBook categories. You can delete iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection.
Mobile apps/Read | View mobile applications such as store apps, line-of-business apps, web-links or built-in apps. You can also view books purchased through the Apple Volume Purchase Program or add eBook categories. You can view iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection.
Mobile apps/Relate | Create relationships with other managed apps using Dependencies and Supersedence features. Without this permission, IT admins are not able to add App dependency or supersedence relationships when creating or editing Win32 apps.
Mobile apps/Update | Manage mobile applications such as store apps, line-of-business apps, web-links or built-in apps. You can also manage books purchased through the Apple Volume Purchase Program or add eBook categories. You can manage iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection.
Mobile apps/View reports | View reports on mobile applications such as store apps, line-of-business apps, web links, and built-in apps.
Mobile Threat Defense/Modify | Add, remove, or modify the Mobile Threat Defense connectors between Intune and your chosen MTD vendors
Mobile Threat Defense/Read | View the Mobile Threat Defense connectors between Intune and your chosen MTD vendors
Remote assistance connectors/Read | View the status of the TeamViewer connector and Remote Help. This permission is not required to initiate remote assistance requests for devices.
Remote assistance connectors/Update | Manage the state of the TeamViewer connector and Remote Help. This permission also requires the Remote assistance connectors Read permission to view the status of the TeamViewer connector and Remote Help.
Remote assistance connectors/View reports | View, generate and export Remote Help sessions and monitor reports.
Remote Help app/Elevation | Elevation allows the helper to enter UAC credentials when prompted on the sharer's device when Remote Help is enabled. Enabling elevation also allows the helper to view and control the sharer's device when the sharer grants the helper access.
Remote Help app/Take full control | Take full control allows the helper to view and control the sharer's device when Remote Help is enabled.
Remote Help app/View screen | View screen allows the helper to view the sharer's device when Remote Help is enabled.
Remote tasks/Bypass activation lock | Remove the Activation Lock from supervised devices without requiring the user's Apple ID and password. This may be required if a user leaves the company and returns the device; without the user's Apple ID and password, there is no way to reactivate the device. Or, you need to reassign some devices to a different department during a device refresh in your organization. You can only reassign devices that do not have Activation Lock enabled. You must also have the Managed Device Read permission to view devices in the Azure portal before initiating this remote task.
Remote tasks/Clean PC | Initiate a Fresh start device action. This action removes any apps that are installed on a Windows 10 PC that is running the Creators Update. Then, it automatically updates the PC to the latest version of Windows.
Remote tasks/Disable lost mode | Turn off the lost mode for an iOS device.
Remote tasks/Enable lost mode | Initiate lost mode on lost or stolen iOS devices. This mode lets you enter a message and a phone number that appears on the lock screen of the device. To use lost mode, the device must be a corporate-owned iOS device that is in supervised mode.
Remote tasks/Locate device | View the location of a lost or stolen corporate-owned device on a map. Can locate supervised iOS/iPadOS devices, Android dedicated devices (COSU), and Windows devices.
Remote tasks/Manage shared device users | Log out the user with the current session on a shared device. This action does not delete users from a shared device; it only forces the user with a current session to be logged out.
Remote tasks/Offer remote assistance | Initiate a remote assistance session with a user's device by using a remote assistance provider. The remote assistance option for your provider must be enabled for your tenant.
Remote tasks/Play lost mode sound | Initiate the lost mode ring sound on a device that has been placed in MDM Lost mode.
Remote tasks/Reboot now | Initiates a device restart. This causes the device you choose to be restarted. The device owner isn't automatically notified of the restart, and they might lose work.
Remote tasks/Remote lock | The Remote lock device action locks the device. To unlock the device, the device owner enters their passcode. You can remotely lock devices that have a PIN or password set. Devices that don't have a PIN or password can't be remotely locked.
Remote tasks/Reset passcode | Initiates a forced removal of the passcode, and requires the device user to set a new passcode. Supported on iOS devices, and certain later versions of Android and Android for work. Not supported on older Android versions, macOS, or Windows.
Remote tasks/Retire | Initiates a retire action for a device. Also called remove company data. The Remove company data action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Remove company data action. Remove company data leaves the user's personal data on the device.
Remote tasks/Revoke App Licenses | Revokes any iOS VPP application licenses that have been associated with the device.
Remote tasks/Rotate BitLockerKeys (preview) | Initiates a key rotation for BitLocker Recovery Passwords on the device.
Remote tasks/Shut down | Initiates a shutdown of the device, and will automatically close all applications and running services and leave the device in a powered-off state.
Remote tasks/Sync devices | Initiates a sync operation on the device and forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it.
Remote tasks/Update cellular data plan | Activate the data plan for cellular iOS/iPadOS devices that support eSIM.
Remote tasks/Update device account | Allows changing the device account associated with Surface Hub devices, and set authentication options such as password rotation.
Remote tasks/Wipe | Initiates a wipe of the device. Also called a factory reset. The Factory reset action restores a device to its factory default settings. The user data is kept or wiped depending on whether or not you choose the Retain enrollment state and user account checkbox.
Roles/Create | Create new Intune custom roles. Built-in roles are created by Intune automatically.
Roles/Delete | Delete a custom Intune role. You cannot delete built-in roles.
Roles/Read | View permissions, role assignments, member groups and scope groups for any built-in or custom Intune role.
Roles/Update | Update custom role permissions and role assignments for built-in or custom roles. Role assignments define the administrators and end user scope for the role.
Terms and conditions/Update | Manage existing terms and conditions but not assignments.
Windows Enterprise Certificate/Modify | Add, remove, or modify the code-signing certificate used to distribute line-of-business apps to your managed Windows devices.
Next steps
Assign a role to a user
Learn more about role-based access control in Intune
Use role-based access control (RBAC)
and scope tags for distributed IT
Article • 02/22/2023
You can use role-based access control and scope tags to make sure that the right
admins have the right access and visibility to the right Intune objects. Roles determine
what access admins have to which objects. Scope tags determine which objects admins
can see.
For example, let's say a Seattle regional office admin has the Policy and Profile Manager
role. You want this admin to see and manage only the profiles and policies that only
apply to Seattle devices. To set up this access, you would:
3. Add the Seattle scope tag to policies and profiles that you want admins in
Members (Groups) to have access to.
4. Add the Seattle scope tag to devices that you want visible to admins in the
Members (Groups).
The default scope tag feature is similar to the security scopes feature in Microsoft
Configuration Manager.
2. On the Basics page, provide a Name and optional Description. Choose Next.
3. On the Assignments page, choose the groups containing the devices that you
want to assign this scope tag. Choose Next.
Important
Auto scope tag assignments will overwrite manually assigned scope tags. If a device
is assigned multiple scope tags through group assignment, all scope tags will apply.
2. On the Basics page, provide an Assignment name and Description. Choose Next.
3. On the Admin Groups page, choose Add groups, and select the groups that you
want as part of this assignment. Users in these groups will have permissions to
manage users/devices in the Scope (Groups). Choose Next.
4. On the Scope Groups page, select one of the following options for Included
groups:
Add groups: Select the groups containing the users/devices that you want to
manage. All users/devices in the selected groups will be managed by the
users in the Admin Groups.
Add All users: All users can be managed by the users in the Admin Groups.
Add All devices: All devices can be managed by the users in the Admin
Groups.
5. Choose Next.
6. On the Scope tags page, select the tags that you want to add to this role. Users in
the Admin Groups will have access to Intune objects that also have the same scope
tag. You can assign a maximum of 100 scope tags to a role.
7. Choose Next to go to the Review + create page and then choose Create.
1. In the Microsoft Intune admin center, choose Devices > Configuration profiles
> choose a profile.
2. Choose Properties > Scope (Tags) > Edit > Select scope tags > choose the tags
that you want to add to the profile. You can assign a maximum of 100 scope tags
to an object.
You can assign scope tags to an Intune object type if the tenant can have multiple
versions of that object (such as role assignments or apps).
The following Intune objects are exceptions to this rule and don't currently support
scope tags:
Corp Device Identifiers
Autopilot Devices
Device compliance locations
Jamf devices
Volume Purchase Program (VPP) apps and ebooks associated with the VPP token
inherit the scope tags assigned to the associated VPP token.
When an admin creates an object in Intune, all scope tags assigned to that admin
will be automatically assigned to the new object.
Intune RBAC doesn't apply to Azure Active Directory roles. So, the Intune Service
Admins and Global Admins roles have full admin access to Intune no matter what
scope tags they have.
If a role assignment has no scope tag, that IT admin can see all objects that the IT
admin's permissions allow. Admins that have no scope tags essentially have all
scope tags.
You can only assign a scope tag that you have in your role assignments.
You can only target groups that are listed in the Scope (Groups) of your role
assignment.
If you have a scope tag assigned to your role, you can't delete all scope tags on an
Intune object. At least one scope tag is required.
Next steps
Learn how scope tags behave when there are multiple role assignments.
Manage your roles and profiles.
Distributed IT environment with many admins in the same Microsoft Intune tenant
Article • 05/25/2023
Many organizations use a distributed IT environment where they have a single Microsoft
Intune tenant with multiple local admins. This article describes one way to scale
Microsoft Intune to support multiple local admins who manage their own users and devices,
and create their own policies, all within a single Microsoft Intune tenant. There's no right
or wrong answer on how many admins you can have in your tenant. The article focuses
on tenants that have many local administrators.
Each local admin can set up groups to suit their organizational needs. The local admin
typically creates groups and organizes multiple users or devices by geographic location,
department, or hardware characteristics. The local admins also use these groups to
manage tasks at scale. For example, the local admins can set policies for many users or
deploy apps to a set of devices.
Local admins: The local admins are local and focus on policies and profiles for their
specific locations; schools, hospitals and so on.
✔️Permissions
Create, update and delete permissions for policies, enrollment profiles, and apps
should be held by the Central team.
Grant only read and assign permissions to the local admins.
✔️Reuse
✔️Exceptions
The Central team can create certain new policies, enrollment profiles, and apps as
exceptions, when needed, on behalf of the local admins. Usually, these exceptions
include any type of profile that requires unique parameters.
Group and assignment guidelines for local admins: What are some of the best
practices for local admins to adopt while organizing groups for device management
through Microsoft Intune? To find out, read the article Intune grouping, targeting, and
filtering: Recommendations for best performance - Microsoft Tech Community
Each local admin should have their own scope tag to separate each object that
they fully manage.
When the local admin doesn't need to create, update or delete, then grant the
local admin a role with read and assign permissions and avoid assigning any other
role with full permission to them. With this approach, you can avoid combining
permissions across scope tags.
Sometimes the local admins may need to create their own policies, profiles, and
apps while sharing some common policies, profiles, and apps. In such cases, create
a special group and assign the common policies, profiles, and apps, to this group.
This group shouldn't be included in the Scope Group for any local admin. This
approach prevents the create, update, and delete permissions assigned to the local
admins from applying to these common policies, profiles, and apps.
Central model
In the central model, a single local admin team (parent) manages multiple child orgs.
Child orgs can be related by factors such as geography, business unit, or size.
There's only one scope tag used to cover all the managed local admins.
If possible, the local admin team should standardize assignments across local
admins and place all their devices into a single Azure AD group for assignment.
When it isn't possible to create a single Azure AD group, the local admin team can
create different Azure AD groups to make different assignments.
If a different local admin team manages or moves an org, the following steps must
be taken:
All the org's devices and users must be extracted from common Azure AD
groups in scope of the original local admin team.
All policies/apps/profiles assigned uniquely for that org must have their scope
tag updated for the new local admin team.
Devolved model
In the devolved model, multiple local admins (children) are managed both by their
dedicated local admin and also overseen by an intermediary local admin team. Both the
parent and children admins have their own scope tags to represent management
boundaries.
If there are fewer than 50 children admins, the intermediate local admin team may
be granted access by assigning all the children's scope tags to the intermediate
local admin team's RBAC role assignment.
If there are more than 50 children admins, the intermediate local admin team
should be granted their own scope tag to represent the entire collection of
children admins they oversee.
Newly created policies under the children admin's scope tags must have the
intermediate tag added by a global admin role to prevent the intermediate local
admin team from losing visibility.
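The scope-tag rules listed earlier (an admin with no scope tag sees everything, otherwise an admin sees only objects that share one of their tags, new objects inherit the creator's tags, you can only assign tags you hold, and an object can't lose its last tag) are what make the devolved-model guidance above necessary. The following Python model is an added example, not Intune's implementation and not code from this article; the class and function names (RoleAssignment, Admin, IntuneObject, can_see, devolved_scenario) and the sample tag names are assumptions chosen for illustration. It encodes those rules and then walks the devolved scenario: a child admin creates a policy, and the intermediate team only keeps visibility if it holds the child's tag or a global admin adds the intermediate tag.

```python
"""Toy model of the Intune scope-tag visibility rules described on this page.

Added example only; this is not how Intune is implemented. Rules modelled:
  * Azure AD Global Admins / Intune Service Admins bypass scope tags entirely;
  * a role assignment with no scope tag sees every object;
  * otherwise an admin sees an object only if it carries at least one of the
    admin's tags;
  * objects created by an admin automatically receive all of that admin's tags;
  * an admin can only assign a tag they hold, an object can hold at most 100
    tags, and an admin who has tags cannot remove an object's last tag.
"""
from dataclasses import dataclass, field

MAX_SCOPE_TAGS = 100  # per-object / per-role limit stated on the page


@dataclass(frozen=True)
class RoleAssignment:
    name: str
    scope_tags: frozenset  # empty means "no scope tag" on this assignment


@dataclass
class Admin:
    name: str
    assignments: list = field(default_factory=list)
    aad_global_admin: bool = False  # Global Admin / Intune Service Admin (Azure AD role)

    def held_tags(self) -> frozenset:
        # Union of the tags across all of this admin's Intune role assignments.
        return frozenset().union(*(a.scope_tags for a in self.assignments))

    def has_untagged_assignment(self) -> bool:
        return any(not a.scope_tags for a in self.assignments)


@dataclass
class IntuneObject:
    name: str
    scope_tags: set


def can_see(admin: Admin, obj: IntuneObject) -> bool:
    """Visibility check: AAD admin role, untagged assignment, or a shared tag."""
    if admin.aad_global_admin:
        return True
    if admin.has_untagged_assignment():
        return True
    return bool(admin.held_tags() & obj.scope_tags)


def create_object(admin: Admin, name: str) -> IntuneObject:
    # A new object inherits every scope tag the creating admin holds.
    return IntuneObject(name, set(admin.held_tags()))


def add_scope_tag(admin: Admin, obj: IntuneObject, tag: str) -> None:
    if not admin.aad_global_admin and tag not in admin.held_tags():
        raise PermissionError(f"{admin.name} does not hold scope tag {tag!r}")
    if tag not in obj.scope_tags and len(obj.scope_tags) >= MAX_SCOPE_TAGS:
        raise ValueError(f"{obj.name} would exceed {MAX_SCOPE_TAGS} scope tags")
    obj.scope_tags.add(tag)


def remove_scope_tag(admin: Admin, obj: IntuneObject, tag: str) -> None:
    # An admin who has a scope tag in their role may not strip an object's last tag.
    if admin.held_tags() and obj.scope_tags == {tag}:
        raise ValueError("at least one scope tag is required")
    obj.scope_tags.discard(tag)


def devolved_scenario(num_children: int) -> dict:
    """Walk the devolved model: each child admin has its own tag; the intermediate
    team holds all child tags (fewer than 50 children) or its own tag (50 or more)."""
    child_tags = frozenset(f"child-{i}" for i in range(num_children))  # constructed names
    if num_children < 50:
        intermediate = Admin("intermediate-team", [RoleAssignment("Read-only", child_tags)])
    else:
        intermediate = Admin("intermediate-team",
                             [RoleAssignment("Read-only", frozenset({"intermediate"}))])
    child_admin = Admin("child-0-admin", [RoleAssignment("Policy Manager", frozenset({"child-0"}))])
    policy = create_object(child_admin, "child-0 compliance policy")
    visible_before = can_see(intermediate, policy)
    if not visible_before:
        # Per the guidance above, a global admin adds the intermediate tag to restore visibility.
        add_scope_tag(Admin("global-admin", aad_global_admin=True), policy, "intermediate")
    return {"visible_before_fix": visible_before,
            "visible_after_fix": can_see(intermediate, policy),
            "policy_tags": sorted(policy.scope_tags)}


if __name__ == "__main__":
    print(devolved_scenario(10))
    print(devolved_scenario(80))
```

Running the scenario with 10 children shows the policy visible to the intermediate team from the start; with 80 children it is invisible until the intermediate tag is added, which is exactly the loss of visibility the guidance warns about.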
Hybrid model
In the hybrid model, the same parent admin is used in both Central and Devolved model
at the same time.
There are no special recommendations for this model.
Note
The guidance provided in this section doesn't address every feature, but only
covers those areas for which we have special instructions.
The guidelines for App protection policies are split across the Central team and the local
admins as follows:
Compliance policy
Compliance policies in Intune define the rules and settings that users and devices must
meet to be compliant. For more information on compliance policies, go to Compliance
policies.
Central team
The Central team should create common compliance policies for local admins to choose
from and only, if necessary, create exception policies. For more information, go to
Compliance policies.
Creating policies includes the creation of custom compliance policy
scripts because they're subject to the same scale as normal compliance policy.
For more information on how to create a compliance policy, go to Compliance policies.
Local admins
Provide local admins with read and assign permissions, but not create, update or delete
permissions on Compliance policy. The read and assign permissions allow them to
choose from the common compliance policies created by the central team and assign
them to their users and devices.
Device configuration
In this section:
Use the Settings Catalog and Security Baselines to the maximum possible extent,
instead of profiles created in the Configuration profiles list, to mitigate scale in the
Microsoft Endpoint Manager admin center.
In general, the central team should try to centrally monitor the content of
configurations and replace lots of duplicate profiles where possible with a shared
profile.
Resource access
Feature updates
Quality updates
Certificates
We recommend you use permissions through the Central team to
onboard/offboard connectors as needed. Onboard connectors for each local
admin to support certificate issuance.
Applications
Grant local admins full permissions to manage apps to the extent of their scope.
In this section:
Windows
Android
Currently, there are no scale concerns for the supported number of Volume Purchase
Program tokens.
For more information, go to How many tokens can I upload.
Windows
Local admins can create Win32 apps as needed within the cross-platform, line-of-
business app and web-link limit. For more information, go to Win32 app
management.
Local admins can purchase Microsoft Store for Business (MSFB) apps as needed.
Note
Microsoft Store for Business is being retired. Starting with Windows 11, you
have a new option for your private volume-licensed apps. For more
information, go to Private app repository in Windows 11 and Update to
Microsoft Intune integration with the Microsoft Store on Windows .
Android
Local admins should choose from existing store apps or ask the central team to
add new Android store apps. Local admins shouldn't create new Android store
apps. The total number of objects may become large and difficult to manage.
Local admins can create Android line-of-business apps, as needed, within the
cross-platform, line-of-business app and web-link limit.
Note
Although many apps can be set to high-priority mode, only one app update
can be installed at a time. One large app update could potentially block many
smaller updates until the large app is done installing.
Depending on when apps release new updates, there could be a sudden spike
in your network usage if app releases coincide. If Wi-Fi is not available on
some devices, there could also be a spike in cellular usage.
Although disruptive user experiences have already been mentioned, the
problem grows as more apps are set to high-priority update mode.
For more information on scale concerns regarding Managed Google Play app updates
using high-priority update mode, go to this Tech Community article.
Enrollment profiles
In this section:
Autopilot
Enrollment status page (ESP)
Apple business manager (ABM)
Android Enterprise profiles
Enrollment restrictions
Device categories
Autopilot
Grant local admins the permissions to read Autopilot devices and upload new
Autopilot devices.
Local admins shouldn't create Autopilot profiles. When you delegate to a large
number of administrators, the total number of objects may become large and
difficult to manage. The best practice varies per feature area. For more information
on Autopilot, go to Use Autopilot to enroll Windows devices in Intune.
Local admins should select from existing Enrollment status page profiles to assign,
or they should request the Central team to create an exception profile, only if
necessary.
Local admins shouldn't create Enrollment status page profiles. When you delegate
to a large number of administrators, the total number of objects may become
large and difficult to manage. The best practice varies per feature area. For
information on Enrollment status page, go to Set up the Enrollment Status Page.
When you delegate to a large number of administrators, the total number of objects
may become large and difficult to manage. The best practice varies per feature area. For
more information, go to Use Apple Business Manager to enroll Apple devices in Intune.
Enrollment restrictions
The same set of permissions governs both Device configuration and Enrollment
restrictions. When you grant permissions to create for device configuration, then
you're also granting permissions to create for enrollment restrictions. However,
local admins shouldn't be given permission to create enrollment restriction
profiles. So, they should be instructed not to create new Enrollment restrictions
profiles.
Enrollment device limit restrictions define how many devices each user can enroll.
The enrollment device limit restrictions should cover all possible device limits for
local admins to share. For more information, go to What are enrollment
restrictions.
The Central team should standardize Device Type restrictions as much as possible
and add new restrictions but only as special exceptions after a local admin has
reviewed existing restrictions.
Device categories
The Device categories (Devices > Device categories) feature doesn't have its own
permissions family. Instead, its permissions are governed by the permissions set under
Organization. Go to Tenant administration > Roles. Select a custom or built-in role and
select Properties. Here you can assign permissions, one of them being Organization. So,
if you need read permissions for Device categories, then set read permissions in
Organization.
Central teams can create Device Categories. However, local admins shouldn't be allowed
to create, update, or delete device categories, as it would require granting them
permissions on Organization, giving them access to other tenant-level features
governed by Organization permissions.
Endpoint analytics
The Central team should create as many common Endpoint Analytics baselines as
they need to support the variance of the Local admins.
If possible, local admins shouldn't create their own Endpoint Analytics baselines.
When you delegate to a large number of administrators, the total number of
objects may become large and difficult to manage. The best practice varies per
feature area.
For more information, go to Configuring settings in Endpoint analytics.
Built-in role permissions for Microsoft Intune
Article • 06/08/2023
The following tables list the built-in roles for Microsoft Intune. The tables also list the
permissions that are associated with each role.
Note
This article was partially created with the help of artificial intelligence. Before
publishing, an author reviewed and revised the content as needed. See Our
principles for using AI-generated content in Microsoft Learn .
Application Manager
Application Managers manage mobile and managed applications, can read device
information and can view device configuration profiles.
Permission Action
Filters Create
Filters Delete
Filters Read
Filters Update
Customization Read
Organization Read
Permission Action
Filters Read
Customization Read
Organization Read
Roles Read
Permission Action
Organization Read
Permission Action
Filters Read
Customization Read
Organization Read
Roles Read
Permission Action
Organization Read
School Administrator
School Administrators can manage apps and settings for their groups. They can take
remote actions on devices, including remotely locking them, restarting them, and
retiring them from management.
Permission Action
Filters Create
Filters Delete
Filters Read
Filters Update
Customization Assign
Customization Create
Customization Delete
Customization Read
Customization Update
Organization Read
Permission Action
Filters Create
Filters Delete
Filters Read
Filters Update
Organization Read
Permission Action
Filters Read
Customization Read
Organization Read
Roles Read
Permission Action
Organization Read
Permission Action
Organization Read
Roles Assign
Roles Create
Roles Delete
Roles Read
Roles Update
What is Microsoft Intune app management?
Article • 03/31/2023
As an IT admin, you can use Microsoft Intune to manage the client apps that your
company's workforce uses. This functionality is in addition to managing devices and
protecting data. One of an admin's priorities is to ensure that end users have access to
the apps they need to do their work. This goal can be a challenge because:
Additionally, you might want to assign and manage apps on devices that are not
enrolled with Intune.
MAM allows you to manage and protect your organization's data within an application.
Many productivity apps, such as the Microsoft Office apps, can be managed by Intune
MAM. See the official list of Microsoft Intune protected apps available for public use.
Intune MDM + MAM: IT administrators can manage apps using MAM on devices
that are enrolled with Intune mobile device management (MDM). To manage apps
using MDM + MAM, customers should use Intune in the Microsoft Intune admin
center .
Unenrolled devices with MAM managed applications: IT administrators can
manage org data and accounts in apps using MAM on unenrolled devices or
devices enrolled with third-party EMM providers. To manage apps using MAM,
customers should use Intune in the Microsoft Intune admin center . For more
information about BYOD and Microsoft's EMS, see Technology decisions for
enabling BYOD with Microsoft Enterprise Mobility + Security (EMS).
App management capabilities by platform
Intune offers a range of capabilities to help you get the apps you need on the devices
you want to run them on. The following table provides a summary of app management
capabilities.
Add and assign apps to devices and users: Yes Yes Yes Yes
1 Consider using Microsoft Purview Information Protection and Microsoft Purview Data
Loss Prevention. Microsoft Purview simplifies the configuration set-up and provides an
advanced set of capabilities.
2 Applies to devices managed by Intune only.
3 Intune supports available apps from the Managed Google Play store on Android Enterprise
devices.
4 Intune doesn't support installing a shortcut to an app as a web link on standard
Android Enterprise devices. However, web link support is provided for multi-app
dedicated Android Enterprise devices.
5 Line-of-business (LOB) apps for Android Enterprise (AE) are supported, but the apps
need to be published privately to Managed Google Play.
Get started
You can find most app-related information in the Apps workload, which you can access
by doing the following:
2. Select Apps.
The apps workload provides links to access common app information and functionality.
The top of the App workload navigation menu provides commonly used app details:
Overview: Select this option to view the tenant name, the MDM authority, the
tenant location, the account status, app installation status, and app protection
policy status.
All apps: Select this option to display a list of all available apps. You can add
additional apps from this page. Additionally, you can see the status of each app, as
well as whether each app is assigned. For more information, see Add apps and
Assign apps.
Monitor apps
App licenses: View, assign, and monitor volume-purchased apps from the app
stores. For more information, see iOS volume-purchased program (VPP) apps
and Microsoft Store for Business volume-purchased apps.
Discovered apps: View apps that were assigned by Intune or installed on a
device. For more information, see Intune discovered apps.
App install status: View the status of an app assignment that you created. For
more information, see Monitor app information and assignments with Microsoft
Intune.
App protection status: View the status of an app protection policy for a user
that you select.
By Platform: Select these platforms to view the available apps by platform.
Windows
iOS
macOS
Android
Policy:
App protection policies: Select this option to associate settings with an app and
help protect the company data it uses. For example, you might restrict the
capabilities of an app to communicate with other apps, or you might require the
user to enter a PIN to access a company app. For more information, see App
protection policies.
App configuration policies: Select this option to supply settings that might be
required when a user runs an app. For more information, see App configuration
policies, iOS app configuration policies, and Android app configuration policies.
iOS app provisioning profiles: iOS apps include a provisioning profile and code
that is signed by a certificate. When the certificate expires, the app can no
longer be run. Intune gives you the tools to proactively assign a new
provisioning profile policy to devices that have apps that are nearing expiration.
For more information, see iOS app provisioning profiles.
S mode supplemental policies: Select this option to authorize additional
applications to run on your managed S mode devices. For more information,
see S mode supplemental policies.
Policies for Office apps: Select this option to create mobile app management
policies for Office mobile apps that connect to Microsoft 365 services. You can
also protect access to Exchange on-premises mailboxes by creating Intune app
protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid
Modern Authentication. You must meet the requirements to use policies for
Office apps. For more information about requirements, see Requirements for
using the Office cloud policy service. App protection policies are not supported
for other apps that connect to on-premises Exchange or SharePoint services. For
related information, see Overview of the Office cloud policy service for
Microsoft 365 Apps for enterprise.
Policy sets: Select this option to create an assignable collection of apps, policies,
and other management objects you've created. For more information, see Policy
sets.
Other:
App selective wipe: Select this option to remove only corporate data from a
selected user's device. For more information, see App selective wipe.
App categories: Add, pin, and delete app category names.
E-books: Some app stores give you the ability to purchase multiple licenses for
an app or books that you want to use in your company. For more information,
see Manage volume-purchased apps and books with Microsoft Intune.
Help and support: Troubleshoot, request support, or view Intune status. For more
information, see Troubleshoot problems.
Additional information
The following items within the console provide app related functionality:
Microsoft Store for Business: Set up integration to the Microsoft Store for
Business. Afterward, you can synchronize purchased applications to Intune, assign
them, and track your license usage. For more information, see Microsoft Store for
Business volume-purchased apps.
Windows enterprise certificate: Apply or view the status of a code-signing
certificate that's used to distribute line-of-business apps to your managed
Windows devices.
Windows Symantec certificate: Apply or view the status of a Symantec code-
signing certificate.
Windows side loading keys: Add a Windows side-loading key that can be used to
install an app directly to devices rather than publishing and downloading the app
from the Windows store. For more information, see Side-load a Windows app.
Microsoft Configuration Manager: Displays information about the Configuration
Manager connector including last successful synchronization time and the
connection status. Select a Configuration Manager hierarchy running version 2006,
or later to display additional information about it.
Apple Business Manager location tokens: Apply and view your iOS/iPadOS
volume purchased licenses. For more information, see How to manage iOS and
macOS apps purchased through Apple Business Manager with Microsoft Intune.
Managed Google Play: Managed Google Play is Google's enterprise app store and
sole source of applications for Android Enterprise. For more information, see Add
Managed Google Play apps to Android Enterprise devices with Intune.
Customization: Customize the Company Portal to give it your company branding.
For more information, see Company Portal configuration.
For more information about apps, see Add apps to Microsoft Intune.
Next steps
Add an app to Microsoft Intune
Deployment guide: Mobile Application Management (MAM) for unenrolled devices in Microsoft Intune
Article • 06/14/2023
MAM for unenrolled devices uses app configuration profiles to deploy or configure apps
on devices without enrolling the device. When combined with app protection policies,
you can protect data within an app.
MAM for unenrolled devices is commonly used for personal or bring your own devices
(BYOD). Or, used for enrolled devices that need extra security. MAM is an option for
users who don't enroll their personal devices, but still need access to organization email,
Teams meetings, and more.
Android
iOS/iPadOS
Note
Tip
This guide is a living thing. So, be sure to add or update existing tips and guidance
you've found helpful.
organization or school.
Not recommended as the only enrollment method for
organization-owned devices. Organization-owned devices should
be enrolled and managed by Intune. If you want extra security for
specific apps, then use enrollment and MAM together.
as kiosk, or dedicated
device. Typically, user-less or shared devices are organization-owned.
These devices should be enrolled and managed by Intune.
In the Intune admin center , add your apps or configure your apps. When the
apps are on the device, the apps are considered "managed" by Intune. After you
add or configure the app, create an app protection policy. For example, create a
policy that allows or blocks features within the app, such as copy and paste.
Tell users how to get different apps. For example, you can:
Direct users to the Company Portal web site at portal.manage.microsoft.com .
When they sign in with their organization credentials, they see a list of apps,
including required apps. They can get apps from this site.
Have users download and install the Company Portal app from the app store.
Once authenticated, users can install apps, including required apps.
After the app is installed, they open the app, and are prompted to sign in with
their organization credentials (user@contoso.com). When users sign in, they may
have to restart the app. After the restart, the app data is "managed" by Intune.
Some platforms may require specific apps to install other apps, such as Outlook or
Teams. For example, on iOS devices, users must install a broker app, such as the
Microsoft Authenticator app. On Android devices, users must install the Company
Portal app.
Next steps
Android enrollment guide
iOS/iPadOS enrollment guide
Linux enrollment guide
macOS enrollment guide
Windows enrollment guide
Purchase and add apps for Microsoft Intune
Article • 03/28/2023
To help protect and secure your organization’s data, you can provide the members of
your organization with managed apps so they can safely collaborate and be productive.
Managed apps are a subset of client apps that you install and manage on the devices of
members of your organization. These apps have been enhanced to support special
configuration and protection capabilities. These capabilities are managed and
maintained by an endpoint management solution, such as Microsoft Intune. Intune
provides a web-based console to manage, protect, and monitor all of your
organization's endpoints, whether those endpoints are devices or apps. The capabilities
provided by Intune help to keep your organization's cloud and on-premises devices,
apps, and data secure. The Microsoft Intune product family integrates Microsoft Intune,
Microsoft Endpoint Configuration Manager, Desktop Analytics, and Windows Autopilot.
Note
Depending on the apps your organization needs, you may want to purchase licenses for
specific apps. This content helps you understand the different types of apps available to
Intune. Additionally, you can add apps to be managed using configuration and
protection policies, or apps that you can just deploy to members of your organization.
You'll learn about purchasing apps and app licenses. These concepts are all an important
part of the process to add apps to Intune.
Deploying Intune
You should understand how to set up and deploy the capabilities of Intune before you
start adding and assigning apps. Deploying Intune commonly involves the following
steps:
1 Set up Intune: You can try Intune for free by following the steps to get started fast. When
you're finished with this step, you'll have completed the following:
2 Set up apps: Add, configure, and protect the apps your organization uses. When you're
finished with this step, you'll have completed the following:
4 Create device configuration policies: You'll understand how to configure device features
and settings to secure devices and access resources. When you complete this step, you'll
understand the different levels of device configuration and protection.
5 Enroll your devices to be managed: When you complete this step, you'll understand how to
configure devices for enrollment and understand enrollment policies and restrictions. You'll
also understand how to use enrollment profiles and Windows Autopilot.
Mobile Application Management configurations
When apps are used without restrictions, company and personal data can get
intermingled. Company data can end up in locations like personal storage or transferred
to apps beyond your purview and result in data exposure and data loss. Managing the
apps that the members of your organization use on their devices is called Mobile
Application Management (MAM). MAM allows you to provide data protection on
unenrolled devices. Unenrolled devices are personal devices that are used by members
of your organization to access corporate data. It's important to understand that these
personal devices aren't managed, but still need protection. One of the primary reasons
to use either MAM without device enrollment or MAM with device enrollment is to
help protect your organization's data.
The Microsoft Intune service supports two Mobile Application Management (MAM)
configurations:
Tip
Many productivity apps, such as the Microsoft Office apps, can be managed by
Intune MAM. See the official list of Microsoft Intune protected apps available for
public use.
If you choose to use MAM without device enrollment, there are some limitations to be
aware of, such as:
You can't specifically deploy apps directly to the device. The end user (member of
your organization) retrieves the apps from the store.
You can't provision certificate profiles on these unmanaged devices.
You can't provision company Wi-Fi and VPN settings on these unmanaged devices.
Note
The MAM configuration includes managing apps with Intune on devices enrolled
with third-party enterprise mobility management (EMM) providers. You can use
Intune app configuration and protection policies independent of any MDM
solution. This independence helps you protect your company's data with or without
enrolling devices in a device management solution. By implementing app-level
policies, you can restrict access to company resources and keep data within the
purview of your IT department.
MDM, in addition to MAM, makes sure that the device is protected. For example, you
can require a PIN to access the device, or you can deploy managed apps to the device.
There are additional benefits to using MDM with app protection policies. For example, a
member of your organization could have both a phone issued by the company, as well
as their own personal tablet. The company phone could be enrolled in MDM and
protected by app protection policies while the personal device is protected by app
protection policies only.
On enrolled devices that use an MDM service, app protection policies can add an extra
layer of protection. For example, a user signs in to a device with their organization
credentials. As that organization data is used, app protection policies control how the
data is saved and shared. When users sign in with their personal identity, those same
protections (access and restrictions) aren't applied. In this way, IT has control of
organization data, while end users maintain control and privacy over their personal data.
The App protection policies add value by providing the following capabilities:
Help protect company data from leaking to consumer apps and services
Apply restrictions like save-as, clipboard, or PIN, to client apps
Wipe company data when needed from apps without removing those apps from
the device
Protect company data at the app level. You can add and assign mobile apps to
user groups and devices. This management allows your company data to be
protected at the app level. You can protect company data on both managed and
unmanaged devices because mobile app management doesn't require device
management. The management is centered on the user identity, which removes
the requirement for device management.
Configure apps to start or run with specific settings enabled. In addition, you can
update existing apps already on the device.
Assign policies to limit access and prevent data from being used outside your
organization. You choose the setting for these policies based on your
organization's requirements. For example, you can:
Require a PIN to open an app in a work context.
Block managed apps from running on jailbroken or rooted devices.
Control the sharing of data between apps.
Prevent the saving of company app data to a personal storage location by using
data relocation policies like Save copies of org data, and Restrict cut, copy, and
paste.
Support apps on a variety of platforms and operating systems. Each platform is
different. Intune provides available settings specifically for each supported
platform.
See reports about which apps are used, and track their usage. In addition, Intune
provides endpoint analytics to help you assess and resolve problems.
Do a selective wipe by removing only organization data from apps.
Ensure personal data is kept separate from managed data. End-user productivity
isn't affected and policies don't apply when using the app in a personal context.
The policies are applied only in a work context, which gives you the ability to
protect company data without touching personal data.
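As an added example (not code from the Intune documentation), the following Python script audits exported app protection policies against the settings listed above, treating an absent property the way the portal treats "Not configured": nothing is enforced. The property names and the `{"value": [...]}` export shape are assumed to follow the Microsoft Graph managedAppProtection resource and should be checked against an export from your own tenant.

```python
"""Audit exported Intune app protection policies against a baseline.

Added example, not code from the Intune documentation. Property names
(pinRequired, saveAsBlocked, ...) and the {"value": [...]} collection
shape are ASSUMED to match the Microsoft Graph managedAppProtection
resource; verify them against an export from your own tenant.
The policies in SAMPLE_EXPORT are constructed for illustration.
"""
import json

# Baseline derived from the capabilities listed in the text. Each entry maps a
# policy property to the set of acceptable values and the risk when it is unmet.
BASELINE = {
    "pinRequired": (
        {True},
        "no PIN is required to open the app in a work context",
    ),
    "deviceComplianceRequired": (
        {True},
        "managed apps may run on jailbroken or rooted devices",
    ),
    "saveAsBlocked": (
        {True},
        "org data can be saved to a personal storage location",
    ),
    "allowedOutboundClipboardSharingLevel": (
        {"managedAppsWithPasteIn", "managedApps", "blocked"},
        "cut/copy/paste of org data into unmanaged apps is allowed",
    ),
    "allowedOutboundDataTransferDestinations": (
        {"managedApps", "none"},
        "org data can be shared into unmanaged apps",
    ),
}


def audit_policy(policy):
    """Return a list of findings for one policy; an empty list means compliant.

    An absent property is reported as well: like "Not configured" in the
    portal, it means Intune enforces nothing and the app's default applies.
    """
    findings = []
    for prop, (acceptable, risk) in BASELINE.items():
        if prop not in policy:
            findings.append(f"{prop} not configured: {risk}")
        elif policy[prop] not in acceptable:
            findings.append(f"{prop}={policy[prop]!r}: {risk}")
    return findings


def audit_export(export_json):
    """Audit a JSON document of the (assumed) shape {"value": [policy, ...]}
    and return a mapping of displayName -> list of findings."""
    policies = json.loads(export_json)["value"]
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}


# Constructed sample export: one weak pilot policy and one hardened policy.
SAMPLE_EXPORT = json.dumps({"value": [
    {
        "displayName": "BYOD pilot (weak)",
        "pinRequired": False,
        "deviceComplianceRequired": True,
        # saveAsBlocked deliberately omitted: "Not configured"
        "allowedOutboundClipboardSharingLevel": "allApps",
        "allowedOutboundDataTransferDestinations": "allApps",
    },
    {
        "displayName": "Finance (hardened)",
        "pinRequired": True,
        "deviceComplianceRequired": True,
        "saveAsBlocked": True,
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "allowedOutboundDataTransferDestinations": "managedApps",
    },
]})

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print("  -", finding)
```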
Understand app types
The users of apps and devices at your organization might have several app
requirements. Before adding apps to Intune and making them available to the members
of your organization, you may find it helpful to assess and understand a few app
fundamentals. There are various types of apps that are available for Intune. You must
determine the app requirements of the users at your organization, such as
the platforms and capabilities that the members of your organization need. You must
determine whether to use Intune to manage the devices (including apps) or have Intune
manage the apps without managing the devices. Also, you must determine the apps and
capabilities that the members of your organization need, and who needs them. For
more information, see App types for managed environments for an overview.
Purchase apps
Often, before you can distribute an app to the members of your organization, you must
either purchase the app, purchase a license to use the app, or acquire a license to use
the app. Many apps are free, however you may still need to follow the purchase process
in order to distribute those apps to the members of your organization. Of those free
apps, most are not designed to be protected and configured with Intune. For more
information, see Purchase apps for Intune for an overview.
There are many types of apps you may want to use at your organization that can either
be acquired or created. By understanding and grouping apps based on the types presented
in this article, you'll have a better understanding of apps that can be managed by
Microsoft Intune. An app that can be managed supports Intune's app protection
policies. App protection policies are rules that ensure that your organization's data
remains safe and contained in your managed apps. This overview provides a view of app
types based on how apps are acquired, created, used, installed, and run.
Note
Managed apps are enhanced by being integrated to support the Intune App SDK
or wrapped using the Intune App Wrapping Tool. This integration allows managed
apps to support Microsoft Intune's app protection policies and app configuration
policies.
There are several app types that you'll want to consider when determining which apps
you want to provide and manage at your organization. Understanding the complete
breadth of app types is an important step toward understanding apps that can be
assigned, delivered, and managed using the Intune product family.
The users of apps and devices at your organization (your company's workforce) might
have several app requirements. Before adding apps to Intune and making them
available to the members of your organization, you may find it helpful to assess and
understand a few app fundamentals. You must determine the app requirements of the
users at your company, such as the platforms and capabilities that the members of
your organization need. You must determine whether to use Intune to manage both
the devices and apps, or have Intune manage just the apps without managing the
devices. Also, you must determine the apps and capabilities that the members of your
organization need, and who needs them. The information in this article helps you get
started by understanding app types. Later in this content set, you'll step through the
process of assessing your organization's app requirements.
| App type | Description |
|---|---|
| Apps from the store (store apps) | Apps that are purchased or downloaded from a third party, such as Google, Microsoft, or Apple. These apps have been uploaded by the app developer to either the Google Play store, the Microsoft app store, or Apple's app store. The provider of a store app maintains and provides updates to the app. You select the app in the store list and add it by using Intune as an available app for your users. |
| Apps created in-house or as a custom app (line-of-business) | Apps that your organization creates or has designed for your organization. These apps are often called line-of-business (LOB) apps. Intune installs the app on the device (you supply the installation file). These apps are created in-house or as a custom app. The functionality of this type of app has been created for one of the Intune-supported platforms, such as Windows, iOS/iPadOS, macOS, or Android. You must have a separate file to install this app type from Intune. Also, you provide updates of the app to users by adding and deploying the updates using Intune. |
| Apps that are built in (built-in apps) | Curated managed apps that provide specific functionality. Intune installs the app on the device. |
| Apps on the web (web link or web app) | Intune creates a shortcut to the web app on the device home screen. Web apps are client-server applications. The server provides the web app, which includes the UI, content, and functionality. Additionally, modern web hosting platforms commonly offer security, load balancing, and other benefits. This type of app is separately maintained on the web. You use Intune to point to this app type. You also assign which groups of users can access the app. |
| Specific Microsoft apps | Intune provides specific Microsoft apps with specialized settings that you can select when adding the apps to Intune. |
Store apps
Line-of-business apps
Built-in apps
Web apps
Microsoft apps
Understand store apps for Intune
Article • 03/28/2023
Microsoft, Apple, and Google each provide an app store. You can use Intune to deploy
store apps to your organization's workforce. Deploying apps from the stores offers
increased protection over allowing end-users to install apps on their own. Also, many
store apps have been designed to support a managed environment such as Microsoft
Intune.
In addition to protecting app data, Intune supports configuring app settings, such as
email settings. Store apps are the most common type of apps that you would provide to
the members of your organization. Common types of store apps that support Intune
include Microsoft apps, partner productivity apps, and Partner unified endpoint
management (UEM) apps.
| App type | Description |
|---|---|
| Android store apps | Android store apps are available to add to Intune from the Google Play store. Intune can deploy these apps to Android devices. |
| Managed Google Play apps | Managed Google Play apps are available to add to Intune from the Managed Google Play store. Intune can deploy these apps specifically to Android Enterprise devices. Intune provides an app type specifically for Managed Google Play apps, which makes it easy to add this type of app. There are three types of Managed Google Play apps: |
| iOS/iPadOS store apps | iOS store apps are available to add to Intune from Apple's app store. Intune can deploy these apps to iOS/iPadOS devices. |
| Microsoft Store apps | Microsoft Store apps are available to add to Intune from the Microsoft app store. Intune can deploy these apps to Windows devices. |
Store app can be added to Intune by first selecting the app type.
Note
Microsoft Store for Business will be retired in the first quarter of 2023. However,
admins can still leverage the connection to Store for Business and Education from
their UEM solution to deploy apps to managed Windows 11 devices until they are
retired in 2023.
Intune integrates directly with the app stores when adding apps for many app scenarios.
In addition, Intune provides capabilities to assign, configure, protect, manage, and retire
the apps that you need to manage. Also, Intune provides several reports to keep track of
app protection, installation, and licensing.
Understand line-of-business apps for Intune
Article • 03/28/2023
A line-of-business (LOB) app is an app that you add to Microsoft Intune from an app
installation file. Line-of-business (LOB) apps are commonly referred to as custom apps
and in-house apps because they're typically created by your organization. These apps
support a specific purpose for your organization. To include LOB apps in your managed
environment, you upload the app installation file to Intune and assign the app to
devices or groups from Intune. Intune supports LOB apps for Android devices,
iOS/iPadOS devices, Windows devices, and macOS devices.
When your organization initially creates an app for the members of your organization to
use, they can include support for Intune app configuration policies and app protection
policies. This support allows Intune to manage your LOB app. To add this support to
your app, your organization must use either the Intune App SDK or the Intune App
Wrapping Tool.
| App type | Description |
|---|---|
| Android line-of-business (LOB) apps | Android LOB apps are typically developed in-house. This app type requires you to upload an Android .apk file to Intune. Intune installs the LOB app on the user's device. |
| iOS/iPadOS LOB apps | iOS/iPadOS LOB apps are typically developed in-house. This app type requires you to upload an iOS .ipa file to Intune. Intune installs the LOB app on the user's device. You need to join the Apple Developer Enterprise Program to use this specific app type. |
| Windows LOB apps | Windows LOB apps are typically developed in-house. This app type requires you to upload a Windows app package file. The file extensions for Windows apps include .msi, .appx, .appxbundle, .msix, and .msixbundle. Intune installs the LOB app on the user's device using a process called sideloading, which allows an app that isn't certified by the Microsoft Store to be installed (using the Intune Management Extension). |
| macOS LOB apps | macOS LOB apps are typically developed in-house. This app type requires you to upload a .pkg file to Intune. Intune installs the LOB app on the user's device. |
| macOS apps (DMG) | macOS apps (DMG) are typically developed in-house. This app type requires you to upload a .dmg file to Intune. Intune installs the LOB app on the user's device. The Microsoft Intune management agent must be installed on managed macOS devices to enable advanced device management capabilities that aren't supported by the native macOS operating system. The Apple disk image (DMG) file can include one or more apps to deploy. |
| Windows app (Win32) | Win32 apps are typically developed in-house. This app type requires you to upload a Windows app package file. Win32 apps must be contained in a .intunewin file to upload to Intune. Intune installs the Win32 app on the user's device using sideloading, which allows an app that isn't certified by the Microsoft Store to be installed. Intune supports both 32-bit and 64-bit operating system architectures for this file type. Win32 apps offer more control within Intune than a Windows LOB app. |
LOB apps can be added to Intune by first selecting either Line-of-business app or
specifically macOS app (DMG).
When you select Line-of-business app, you'll have the option to add your specific
installation package file. Also, you can choose to use Test Base to help you manage
the performance of your LOB app.
Understand built-in apps for Intune
Article • 03/28/2023
The built-in app type makes it easy for you to assign curated managed apps, such as
Microsoft 365 apps and third-party apps, to iOS/iPadOS and Android devices. You can
assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and
others. After you add an app to Intune, the app type is displayed as either Built-in iOS
app or Built-in Android app. By using the built-in app type, you can choose which of
these apps to publish to device users.
When possible, instead of using store app types, we recommend that you use the built-
in app type. By using the built-in app type, you have the additional flexibility to edit and
delete Microsoft 365 apps.
| App type | Description |
|---|---|
| Built-in iOS/iPadOS app | Built-in iOS/iPadOS apps are specific apps that have been designed to work with Microsoft Intune. |
| Built-in Android app | Built-in Android apps are specific apps that have been designed to work with Microsoft Intune. |
Intune supports various app types, including web apps and web links. A web app is
commonly an app that is displayed in a web browser and processes both locally on the
client device and in the cloud. A web link is simply a URL to a web page.
A web app can be complex when it's designed as a client-service application. The service
provides the web app, which includes the UI, content, and functionality. Additionally,
modern web-hosting platforms commonly offer security, load balancing, and other
benefits. A web app is separately maintained on the web. You use Microsoft Intune to
point to this app type. You also assign the groups of users that can access this app.
A web link (or web clip) is a URL that displays a web page within a protected browser on
the user's device. Intune creates a shortcut to the web app on the user's device. For
iOS/iPadOS devices, a shortcut to the web app is added to the home screen. For
Android Device Admin devices, a shortcut to the web app is added to the Intune
company portal widget, and the widget needs to be pinned manually by the user. For
Windows devices, a shortcut to the web app is placed on the Start Menu.
| App type | Description |
|---|---|
| iOS/iPadOS web clip | An iOS/iPadOS web clip is a shortcut that you assign to iOS users or devices. The shortcut contains a URL that opens a browser. |
| Windows web link | A Windows web link is a shortcut that you assign to Windows users or devices. The shortcut contains a URL that opens a browser. For Windows 10 and later devices, the shortcut is added to the Start menu. |
| Web link | A web link is a shortcut that you assign to users or devices running iOS, Android, or Windows. This link allows you to reach the same web location from multiple platforms (cross-platform web app). Web links (web apps) aren't supported on Android Enterprise devices with work profiles. |
| Managed Google Play web link | A Managed Google Play web app is a shortcut that you assign to users or devices running Android. You create this web app from the Managed Google Play app store by selecting Managed Google Play app as the app type within Intune. This link is installable and manageable just like other Android apps. |
There are specific Microsoft app types that allow you to install and manage Microsoft
365 apps, Microsoft Edge, and Microsoft Defender for Endpoint. The app types are
specific to Windows 10 and later, and also macOS. Users must have an account and
license to use these apps, such as one of the licenses you can select for Microsoft Intune.
Note
For licensing and plan information related to device and app management, see
Microsoft 365 enterprise plans.
Note
Many of the Microsoft apps connect the user to services, such as OneDrive.
For a complete list of supported Microsoft apps, see Microsoft Intune protected apps.
| App type | Description |
|---|---|
| Microsoft 365 apps for Windows 10 and later | This app type allows you to choose one or more Microsoft 365 Apps for managed devices running Windows 10 or later. Users must have an account and license to use these apps. When you add Microsoft 365 Apps to Intune, you can install your choice of Microsoft 365 Apps on managed devices running Windows 10 or later. |
| Microsoft 365 apps for macOS | This app type allows you to choose one or more Microsoft 365 Apps for managed devices running macOS. Users must have an account and license to use these apps. |
| Microsoft Edge for Windows 10 and later | You can assign and install Microsoft Edge version 77 and later to devices you manage that run Windows 10 and macOS. |
| Microsoft Edge for macOS | You can assign and install Microsoft Edge version 77 and later to devices you manage that run Windows 10 and macOS. These app types make it easy for you to assign Microsoft Edge to macOS devices without requiring you to use the macOS app wrapping tool. To help keep the apps more secure and up to date, the app comes with Microsoft AutoUpdate (MAU). |
| Microsoft Defender for Endpoint for macOS | You can also assign and install Microsoft Defender for Endpoint to devices you manage that run macOS. This app type makes it easy for you to assign Microsoft Defender for Endpoint to macOS devices without requiring you to use the macOS app wrapping tool. To help keep the apps more secure and up to date, the app comes with Microsoft AutoUpdate (MAU). |
Microsoft apps can be added to Intune by selecting one of the Microsoft app types.
Purchase apps for Intune
Article • 03/28/2023
There are a variety of apps that you can use with Microsoft Intune. Some apps are free
for the members of your organization to use, while other apps require either a license
and/or an account for each user to use the app. For instance, Microsoft Outlook requires
both a license and an account to use the app. Within Microsoft Intune admin center ,
you can select store apps and freely add them to Intune. Based on the supported
integration with Intune, you can then configure these apps so that the members of your
organization can easily set them up and use them based on your unique company
requirements. Also, you can add app protection policies for each app to protect your
company's data on various levels.
Note
Many of the apps available from Intune are free to add to Intune and assign to
members of your organization. Apps that you must purchase to add to Intune are
available through a volume purchase program. For app licensing information, see
Understand app licenses used in Intune.
Intune only shows free store apps. Store apps that require a payment method will
not be displayed as an available store app from within Intune unless you have a
license for the app.
Note
Intune does support specific macOS application types, such as Microsoft 365 Apps,
Microsoft Edge, version 77 and later, Microsoft Defender for Endpoint, Web link,
Line-of-business app, and macOS app (DMG).
For more information about store apps, see Purchase store apps for Intune.
Note
You can use Intune policies to block end-users from accessing the app store on
their devices. You can also remove the purchase restriction by allowing end-users to
add new accounts to their device. Doing so will enable end-users to
purchase store apps for their personal use.
The iOS/iPadOS device platform has a method to purchase apps for your organization
in bulk:
Note
For more information about volume purchased apps, see Purchase apps in volume for
Intune.
In-app purchases
Many apps offer core functionality for free, however there are those apps that provide
more capabilities that you can purchase from within the app. Purchasing additional app
functionality within an app is called "in-app purchases".
You can choose to block in-app purchases specifically for iOS devices using device
restriction settings. To force users to enter the Apple ID password for each in-app or
iTunes purchase, you can set Require iTunes Store password for all purchases to Yes.
However, the default is Not configured, in which case Intune doesn't change or update this setting. By
default, the OS might allow purchases without prompting for a password every time. To
block in-app purchases from the Apple store, set Block in-app purchases to Yes. When
set to Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow store purchases within a running app.
Many of the standard store apps displayed from within Microsoft Intune are freely
available for you to add and deploy to members of your organization. In addition, you
can purchase store apps for each device platform.
The following table provides the different categories available for store apps:
| Store app category | Description |
|---|---|
| Free store apps | You can freely add these apps to Intune and deploy them to the members of your organization. These apps don't require any additional cost to use. To add a free store app to Intune, see Add apps to Microsoft Intune Overview. |
| Purchased apps | You must purchase licenses for these apps before adding them to Intune. The iOS device platform offers a standard method to purchase licenses for apps that you use with Intune. Intune provides methods to manage the app license for each end user. For more information about purchasing apps for each device platform, see Purchase apps in-volume for Intune. |
| Apps requiring an account, subscription, or license from the app developer | You can freely add and deploy these apps from Intune; however, the app may require an account, subscription, or license from the app vendor. For a list of apps that support Intune management functionality, see Partner productivity apps and Partner UEM apps. NOTE: For apps that may require an account, subscription, or license, you must contact the app vendor for specific app details. |
| Apps included with your Intune license | The license you use with Microsoft Intune may include the app licenses your organization requires. For more information, see Microsoft app licenses included with Intune. |
Note
In addition to purchasing app licenses, you can create Intune policies that allow
end users to add personal accounts to their devices to purchase unmanaged apps.
The following table lists the specific store app types and how you can add them to
Intune from the Select app type pane:
| App type | General type | Device platform | App-specific procedures |
|---|---|---|---|
| Android store apps | Store app | Android | Select Android store app as the App type, click Select, then enter the Google Play store URL for the app. |
| iOS/iPadOS store apps | Store app | iOS/iPadOS | Select iOS store app as the app type, search for the app, and select the app in Intune. |
| Microsoft Store apps | Store app | Windows | Select Microsoft Store app as the app type, and search the Microsoft Store for the app. |
| Managed Google Play apps | Store app | Android Enterprise | Select Managed Google Play as the app type, search for the app, and select the app in Intune. Managed Google Play apps must be approved using your Google account. Then, Intune must sync with the Managed Google Play store before you can select these apps in Intune. |
| Android Enterprise apps | Store app | Android | Select Managed Google Play as the app type, search for the app, and select the app in Intune. |
| Microsoft 365 apps for Windows 10 and later | Store app (Microsoft 365) | Windows | Select Windows 10 and later under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app that you want to install. |
| Microsoft 365 apps for macOS | Store app (Microsoft 365) | Windows | Select macOS under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app suite. |
| Microsoft Edge, version 77 and later for Windows 10 and later | Store app | Windows | Select Windows 10 and later under Microsoft Edge, version 77 and later as the app type. |
| Microsoft Edge, version 77 and later for macOS | Store app | Windows | Select macOS under Microsoft Edge, version 77 and later as the app type. |
| Microsoft Defender for Endpoint (macOS) | Store app (Microsoft Defender ATP) | macOS | Select macOS under Microsoft Defender for Endpoint as the app type and then continue by setting up the app in Intune. |
You can add an app from the Microsoft Intune admin center in the Apps workload. You
can find free apps in the app store by selecting Search the App Store.
Note
The Managed Google Play store only supports free apps. Standard Google apps are
added to Intune as an Android store app. To add a Managed Google Play app, you
must find and approve the app from the Managed Google Play store, then sync the
app with Intune. For more information, see Managed Google Play.
App licenses that you purchase in-volume are purchased through a volume purchase
program (VPP). Apple lets you purchase multiple app licenses using Apple Business
Manager (https://support.apple.com/guide/apple-business-manager/sign-up-axm402206497).
Depending on your Microsoft Intune license, you may already have
Microsoft app licenses available to add and deploy.
Note
The Managed Google Play store and Microsoft Store only support free apps. For
more information, see Managed Google Play and Microsoft Store.
Note
If your organization is a school, you can use Apple School Manager to purchase
apps. Once the apps are purchased, you can sync Apple School Manager with
Microsoft Intune, where you can manage those apps. For Apple School Manager
set up details, see Set up Apple School Manager .
After you've signed up to use Apple Business Manager and purchased your app licenses,
you can sync from Microsoft Intune to manage your Apple apps on the Apple devices
used at your organization. Managing apps with Intune includes setting the app
configuration policies, setting the app protection policies, assigning the apps, and
monitoring the apps.
Before you can purchase apps using Apple Business Manager, you must add a payment
method to Apple Business Manager. A payment method is required to purchase any
app, including free apps.
Follow Apple's guidelines to add payment information and purchase apps using Apple
Business Manager:
Tip
To see all available apps in Apple Business Manager, your Apple Business Manager
role must be Administrator or Content Manager.
For related information about purchasing apps, see Intro to purchasing content in Apple
Business Manager .
Note
VPP apps can only be added via a connector to the service. The connector syncs
the location tokens.
Follow the Intune guidelines to upload and sync an Apple VPP token:
In addition to synchronizing location tokens, Intune helps you track how many licenses
are available and have been used for purchased apps, and helps you install apps up to
the number of licenses you own.
Note
You can also synchronize, manage, and assign books you purchased from Apple
Business Manager with Intune to iOS/iPadOS devices.
For more information, see How to manage iOS and macOS apps purchased through
Apple Business Manager with Microsoft Intune.
Once Apple apps have been integrated and synced with Intune, you can deploy the app
to members of your organization by assigning the app to groups of users listed in
Intune. To assign an app, you must already have users added to Intune and groups of
users created. For more information, see Add users and grant administrative permission
using Intune and Add groups to organize users and devices using Intune.
Confirm that your mobile device management (MDM) authority is set to Microsoft
Intune.
Note
The Managed Google Play store no longer supports purchasing apps. You can still
purchase apps from developers and add them to your private store.
Confirm that your mobile device management (MDM) authority is set to Microsoft
Intune.
Ensure that Android Enterprise is available in your country or region. For more
information, see Is Android Enterprise available in my country?
Add a Managed Google Play store app directly in the Microsoft Intune.
Note
To make it easier for you to configure and use Android Enterprise management, upon
connecting your Intune tenant to Managed Google Play, Intune will automatically add
four common Android Enterprise related apps to the Intune admin center. The four are
the following apps:
- Microsoft Intune - Used for Android Enterprise fully managed scenarios. This app is automatically installed to fully managed devices during the device enrollment process.
- Microsoft Authenticator - Helps you sign in to your accounts if you use two-factor verification. This app is automatically installed to fully managed devices during the device enrollment process.
- Intune Company Portal - Used for App Protection Policies and Android Enterprise personally owned work profile scenarios. This app is automatically installed to fully managed devices during the device enrollment process.
- Managed Home Screen - Used for Android Enterprise dedicated multi-app kiosk scenarios. IT admins should create an assignment to install this app on dedicated devices that are going to be used in multi-app kiosk scenarios.
Understand app licenses used in Intune
Article • 03/28/2023
Before you can distribute managed apps to members of your organization, you must
add the apps to Intune. Many of the apps that you use with Intune can be added to
Intune and deployed to users' devices for free. However, some apps that you can deploy
to the members of your organization may require either a license, subscription, or
account for each user to use the app. Intune helps you manage app licenses as tokens.
Additionally, Intune uses Azure Active Directory (Azure AD) to help manage user
credentials that managed apps can utilize.
The following table provides the primary ways to obtain app licenses that you can use
with Intune:
| License type | Description |
|---|---|
| Standard license included with app | You can freely add these apps to Intune and deploy them to the members of your organization. These apps don't require any additional cost to use. |
| Purchased app license | You must purchase licenses for these apps before adding them to Intune and deploying them to members of your organization. Each device platform (Windows, iOS, Android) offers a standard method to purchase licenses for these apps. In addition, Intune provides methods to manage the app license for each member (end user) of your organization. |
| License for apps that require an account, subscription, or license from the app developer | You can freely add and deploy the app from Intune, but the app requires an account, subscription, or license from the app vendor to use. |
| Microsoft app license of apps included with your Intune license | Based on your Microsoft Intune license, you may already have Microsoft app licenses available, allowing you to add and deploy apps to members of your organization. |
Each app type for its related platform is added within the Microsoft Intune admin
center by selecting Apps > All apps > Add.
| Category | Included services |
|---|---|
| Microsoft 365 apps | Includes online apps, such as Microsoft Word, Excel, PowerPoint, OneNote, Outlook, and more |
| Email, calendar, and scheduling | Includes Microsoft Exchange and Outlook desktop client |
| Social, intranet, and storage | Includes SharePoint, Viva Engage, and Viva Connections |
| Content services | Includes Microsoft Graph API, Microsoft Search, Microsoft Stream, and more |
| Viva Insights and Viva Learning | Includes Personal insights in Teams, Viva Learning in Teams, and more |
| Automation, app building, and chatbots | Power Apps for Microsoft 365, Power Automate for Microsoft 365, and more |
| Access and security | Microsoft Defender for Cloud Apps Discovery, Microsoft Defender for Cloud Apps, Office 365 Cloud App Security |
| Identity and access management | Azure Active Directory Premium, Multi-Factor Authentication, Microsoft Advanced Threat Analytics, and more |
Before you can manage app licenses in Intune, you must first add the apps to Intune.
Part of adding the app to Intune may require you to purchase app licenses for your
organization. For iOS/iPadOS apps, this process involves first creating a business
account for the platform according to Apple's guidelines. This process is commonly
called a "volume purchase program", where you purchase app tokens. Each token
represents an individual user license for the related app. Once you've purchased the app
tokens that you need, you can sync those tokens with Intune. When the tokens have
been synced, you can add the app to Intune, and then assign the app to end users.
For more information about purchasing apps in-volume for each platform type, see
Purchase apps in-volume for Intune.
You must create an Apple ID and purchase the app license from Apple. Once you
complete the purchase process, you'll be able to download and synchronize the related
app tokens with Intune. This synchronization process allows you to track how many
licenses are available and have been used for iOS/iPadOS and macOS purchased apps.
Then, you can add the apps to Intune and assign the apps to members of your
organization in the same way you assign any other app. For more information, see How
to manage iOS and macOS apps purchased through Apple Business Manager with
Microsoft Intune.
Note
You can also synchronize, manage, and assign books you purchased from Apple
Business Manager with Intune to iOS/iPadOS devices. For more information, see
How to manage iOS/iPadOS eBooks you purchased through a volume-purchase
program.
Before you can add apps to Microsoft Intune, you must first set up Intune. If you're new
to Intune, start with the Microsoft Intune free trial. Trying out Intune is free for 30 days.
When you complete the sign-up process, you'll have a new tenant that you can use to
evaluate Intune. A tenant is a dedicated instance of Azure Active Directory (Azure AD)
where your subscription to Intune is hosted. You can then configure the tenant, which
involves many capabilities that you can use to protect your organization. One of those
is adding apps to Intune.
As an IT admin, you can use Intune to manage the apps that members of your
organization use. This management functionality is in addition to managing devices and
protecting data. One of your priorities as an admin is to ensure that the members of
your organization have access to the apps they need to do their work. This goal can be a
challenge because:
The end users of apps and devices at your organization might have several app
requirements. Before adding apps to Intune and making them available to members of
your organization, you may find it helpful to assess the app capabilities your
organization needs. Are there specific apps that your organization needs? Do you
support multiple types of devices? Do you need to manage corporate devices only? Will
you manage the apps on personal devices used to access corporate resources? Are
there specific groups of users at your organization that need different protection and
configuration of devices and apps?
Once you've completed the above steps, you are ready to configure, protect, assign, and
monitor the managed apps your organization uses.
Step 1. Assess app requirements
Article • 03/28/2023
As an IT admin, before adding apps to Intune and making them available to the
members of your organization, you may find it helpful to determine a few app
requirements for your organization up front. You must determine app requirements,
such as the platforms and capabilities that the members of your organization require.
You must determine whether to use Intune to manage the devices as well as the apps, or
have Intune manage just the apps without managing the devices. Intune supports both
of these types of Mobile Application Management configurations. In addition, you should
determine the apps and capabilities that the members of your organization should use
and who needs those apps. This step helps you assess and consider how you'll provide
apps to your organization.
To start, first determine your organization's requirements by answering the following key
questions:
Question | Details
Does my organization need to use Mobile Application Management (MAM) or Mobile Device Management (MDM)? | Intune supports both MAM and MDM. MAM without device management allows just your organization's apps to be managed by Intune, without enrolling the devices to be managed by Intune. MAM with device management (also known as MDM) allows your organization's apps and devices to be managed. There are advantages to each management method. For more information, see Understanding MAM and MDM.
What platforms do members of my organization use? | Intune supports a number of device platforms. You should consider supporting all possible device platforms that members of your organization use to access corporate data. For more information, see Determine the platforms needed for each app.
Which apps are needed to access organization information and data? | Determine which apps are currently used by members of your organization and which apps need to be available or added. For more information, see Determine apps needed for your organization.
Which security apps are needed by your organization? | Determine which apps are currently used to protect your organization. Check whether security apps, such as Microsoft Defender for Endpoint, are available based on your licensing for Microsoft Intune.
Do any of the apps used by members of your organization need specific configuration policies? | Intune allows you to create and assign app configuration policies. These policies are used to make sure the apps at your organization are set up correctly from the start. For instance, members of your organization won't have to determine or input the email settings that are needed for your organization. For more information, see App configuration policies for Microsoft Intune.
Which groups of users need specific apps? | Intune allows you to add users to be managed. You can create groups of users to organize your devices and apps. For more information, see Determine who will use the app.
Windows
iOS/iPadOS
macOS
Android
For details about platforms for the apps your organization uses, see Deploy apps your
organization uses.
Applications that you may want to consider adding to Intune commonly fall into the
following areas:
Communications
Email, meetings, calendar, tasks, messaging
Collaboration, communities, events, chats, channels
Sharing, booking, calling, sales
Productivity
Spreadsheets, presentations, writing, reading
Security
Authentication, verification, encryption, signatures, tokens
Tools and utilities
Editors, compression, file viewers
Printing, annotations, workspace management
Dev Ops, location services
Storage
Cloud storage, secure file store, inventory
Consider those apps that integrate with Intune by having built-in configuration and
protection capabilities. For a list of apps, see Microsoft Intune protected apps.
For more information, see Determine the type of app for your solution.
As you're determining which apps the members of your organization need, consider
the various groups of users and the various apps they use. Knowing these groups is also
helpful after you've added an app. As you add an app to Intune, you assign a group of
users that can use the app.
To help determine the app users, see Determine who will use the app. For details about
adding groups of users, see Add groups to organize users and devices.
Next step
Continue with Step 2 to create and edit categories for apps in Microsoft Intune.
Step 2. Create and edit categories for
apps
Article • 03/28/2023
App categories can be used to help you sort apps to make them easier for members of
your organization (end users) to find in the Company Portal. The Company Portal app,
Company Portal website, and Intune app on Android are Microsoft apps that were
created to work with Microsoft Intune. These apps are where members of your
organization can do common tasks related to app management on their individual
devices. Common tasks include enrolling devices, installing apps, and locating
information (such as how to get assistance from your IT department). Additionally, these
apps allow end users to securely access company resources. The end user experience
provides several different pages, such as Home, Apps, App details, Devices, and Device
details. To quickly find available apps within the Company Portal, end users can filter the
apps on the Apps page. As the admin of Intune, you can assign one or more of the
following categories to an app:
Featured
Education
Productivity
Developer
Communication
Security
Tools
Utilities
Storage
When you add an app to Intune, you're given the option to select the category you
want. Use the platform-specific articles to add an app and assign categories. For more
information, see Create and edit categories for apps.
Next step
Continue with Step 3 to purchase or acquire apps in Microsoft Intune.
Step 3. Purchase or acquire apps
Article • 03/28/2023
When your organization purchases a license to use Microsoft Intune, there are Microsoft
communication and productivity apps available that are included with your license.
Additionally, many of the store apps are free to add to Intune and assign to members of
your organization.
Purchase Apple store apps in-volume using Apple Business Manager. Apple
Business Manager provides an app Volume Purchase Program (VPP) that enables
you to purchase apps in-volume for Intune.
Work with an app vendor to purchase a subscription or license to use a specific
app based on platform. For a list of apps that have been designed to work with
Intune, see Microsoft Intune protected apps.
Purchase a line-of-business (LOB) app from an app developer or vendor. You must
work directly with the app developer or vendor to purchase the app. LOB apps
commonly have the following characteristics:
A customized app that has been specifically designed or modified for your
organization.
An app that has been created specifically for your organization by an app
developer.
Important
Use the following steps to set up in-volume app purchases for iOS/iPadOS devices:
1. Check whether the app is included with your Microsoft Intune subscription.
2. Check if the app is freely available to download and use by checking if the app is
available directly in the Microsoft Intune admin center.
3. Check if you can purchase the app through a volume-purchase program (VPP),
such as iOS/iPadOS apps.
You may need to work directly with an app developer or vendor to use an app that has
been designed to be managed by Intune.
Next step
Continue with Step 4 to add apps to Microsoft Intune.
Step 4. Add apps to Intune
Article • 03/28/2023
Once you've assessed your app requirements, created categories for your apps in
Intune, and purchased any needed apps that aren't freely available, you can add the
apps to Intune.
You use the Microsoft Intune admin center to find, select, and add apps to Intune. When
you add an app to Intune, you start by selecting the app type, such as iOS store app.
Then, you can find and select the app that you need to add. Once you've selected the
app, you can add information about the app that the members of your organization will
see, such as app name, description, and minimum operating system needed.
Additionally, if you already have groups of users available, you can assign those. Lastly,
you create the app, which adds it to Intune.
Note
You can specify that an app is required on the end-user's device. If the user
modifies a required app (such as deleting it), Intune will automatically reinstall,
update, or remove a required app within 24 hours.
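The admin center does this for you interactively; the same two operations (create the app, then assign it with the required intent) can be driven through the Microsoft Graph API. The script below is an added example, not code from the Intune documentation. It builds the request bodies for an iOS store app and a required group assignment and, by default, only returns the planned requests so they can be reviewed before anything is sent; it only calls Graph if you pass an access token. The Graph names used (mobileApps, iosStoreApp, mobileAppAssignment, groupAssignmentTarget, the assign action, and the v<major>_<minor> flags of minimumSupportedOperatingSystem) are the Intune Graph API names as I know them; the app details, store link and group id are constructed.

```python
"""Plan (or perform) the Graph calls that add an iOS store app to Intune and
assign it as required to a group, i.e. the Step 4 procedure above.

Added example, not from the Intune docs. Nothing is sent unless an access
token is supplied; the default dry run returns the planned requests so the
payloads can be reviewed first. Graph resource names are as I know them from
the Intune Graph API; app details and the group id are constructed.
"""
from __future__ import annotations

import json
import re
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
APP_STORE_URL = re.compile(r"^https://apps\.apple\.com/\S+/id\d+")
BUNDLE_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def build_ios_store_app(display_name: str, description: str, bundle_id: str,
                        app_store_url: str, min_ios: str) -> dict:
    """Body for POST /deviceAppManagement/mobileApps creating an iosStoreApp."""
    if not APP_STORE_URL.match(app_store_url):
        raise ValueError("appStoreUrl must be an apps.apple.com link ending in /id<number>")
    if not BUNDLE_ID.match(bundle_id):
        raise ValueError("bundleId must be a reverse-DNS identifier")
    # Graph expresses the minimum OS as boolean flags named v<major>_<minor>,
    # e.g. {"v14_0": true}; this is the assumed shape of iosMinimumOperatingSystem.
    major, _, minor = min_ios.partition(".")
    return {
        "@odata.type": "#microsoft.graph.iosStoreApp",
        "displayName": display_name,
        "description": description,
        "bundleId": bundle_id,
        "appStoreUrl": app_store_url,
        "applicableDeviceType": {"iPad": True, "iPhoneAndIPod": True},
        "minimumSupportedOperatingSystem": {f"v{major}_{minor or '0'}": True},
    }


def build_required_assignment(group_id: str) -> dict:
    """Body for POST /deviceAppManagement/mobileApps/{id}/assign.
    'required' is the intent under which Intune reinstalls the app if removed."""
    return {"mobileAppAssignments": [{
        "@odata.type": "#microsoft.graph.mobileAppAssignment",
        "intent": "required",
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                   "groupId": group_id},
    }]}


def _post(url: str, body: dict, token: str) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def add_and_assign(app_body: dict, group_id: str, token: str | None = None) -> list[dict]:
    """Create the app, then assign it. Without a token, return the planned
    requests (the app id is only known after the create call succeeds)."""
    create = {"method": "POST", "url": f"{GRAPH}/deviceAppManagement/mobileApps",
              "body": app_body}
    if token is None:
        assign_url = f"{GRAPH}/deviceAppManagement/mobileApps/{{appId}}/assign"
        return [create, {"method": "POST", "url": assign_url,
                         "body": build_required_assignment(group_id)}]
    created = _post(create["url"], app_body, token)
    assign_url = f"{GRAPH}/deviceAppManagement/mobileApps/{created['id']}/assign"
    assignment = _post(assign_url, build_required_assignment(group_id), token)
    return [created, assignment]


if __name__ == "__main__":
    # Constructed sample input: invented app, store id and group id.
    body = build_ios_store_app(
        "Contoso Expenses", "Expense reports", "com.contoso.expenses",
        "https://apps.apple.com/us/app/contoso-expenses/id123456789", "15.0")
    for step in add_and_assign(body, "00000000-0000-0000-0000-000000000000"):
        print(step["method"], step["url"])
        print(json.dumps(step["body"], indent=2))
```

Run it without a token to see exactly what would be sent; the assignment body is the part worth reviewing, since the required intent is what turns a simple install into the self-healing behavior described in the note above.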
For instance, if you have a Microsoft 365 E5 license, consider adding the following apps
to Intune first:
Microsoft Word
Microsoft Excel
Microsoft PowerPoint
Microsoft OneNote
Microsoft Outlook
Microsoft Teams
These apps support the core Intune app protection policy settings and are also capable
of supporting advanced app protection policy and app configuration policy settings.
Each app has different protection and configuration capabilities. These include the
following:
Core app protection policy settings
App configuration
Org allowed accounts
Sync policy managed app data with native apps
Org data notifications
Open data into Org documents
Save copies of org data
Note
In addition, consider adding the following Microsoft apps based on your existing
license:
Microsoft Exchange
Microsoft SharePoint
Microsoft Viva Engage
Microsoft Viva
Project Online Desktop Client
Visio Online Plan 2
Microsoft Defender for Endpoint
2. Narrow your app list to focus on the apps that are most used and most needed.
3. Determine which apps require your organization to have a license for the apps and
that aren't already included as part of your Intune license.
4. Determine which apps are available in the Apple app stores as part of their volume
purchase program.
Note
Many apps that are part of a volume purchase program allow your
organization to obtain the app license for free.
5. Based on your organization's app platform needs, add your needed apps in-volume:
a. Use Apple Business Manager to purchase or acquire apps in-volume:
i. Set up Apple Business Manager
ii. Purchase apps using Apple Business Manager
iii. Sync purchased Apple app licenses with Microsoft Intune
For more information, see Manage volume-purchased apps and books with Microsoft
Intune.
1. Determine which apps are needed by members of your organization that haven't
already been added to Intune using the steps above.
2. Determine which of those apps require your organization to have a license for the
apps.
3. Determine each store app type that your organization requires.
4. Determine which apps are available in the Microsoft, Apple, or Google app stores.
5. Add store apps to Intune based on your organization's app platform needs.
For more information, see Android store apps, iOS/iPadOS store apps, Microsoft Store
apps, and Managed Google Play apps.
Next step
Microsoft Intune makes it easy to manage both apps and app licenses used by each
member of your organization.
Connector status is used to keep your app license in sync with the app license
provider.
Monitor app licenses is used to keep your app instances in sync with Intune.
Connector status
Connectors are connections you configure from Intune to external services, such as the
Apple Volume Purchase Program service. Connector status is provided as part of the
tenant status in Intune. When you view the Connector status in Intune, you are provided
with connectors that are unhealthy, connectors with warnings, and connectors that are
healthy. In addition, Intune lists connectors that are Not Enabled.
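The VPP token described earlier in this article is one of these connectors, and the unhealthy/warning/healthy/not enabled view above is what an admin wants when checking it. The script below is an added example, not code from the Intune documentation: it reads a constructed sample shaped like the Microsoft Graph listing of Apple VPP tokens (the field names state, lastSyncStatus, expirationDateTime and lastSyncDateTime are the vppToken properties as I know them; every value is invented) and sorts the tokens into those buckets. The 30-day expiry warning and 7-day stale-sync thresholds are my assumptions, not Intune's.

```python
"""Classify Apple VPP token (connector) health from a Graph vppTokens listing.

Added example: not from the Intune docs. The JSON below is a constructed
sample shaped like the Microsoft Graph vppToken resource returned by
/deviceAppManagement/vppTokens; field names as I know them, values invented.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample response (invented organizations, ids and dates).
SAMPLE_VPP_TOKENS = json.dumps({
    "value": [
        {"id": "tok-1", "organizationName": "Contoso", "appleId": "vpp@contoso.example",
         "state": "valid", "lastSyncStatus": "completed",
         "expirationDateTime": "2024-12-01T00:00:00Z",
         "lastSyncDateTime": "2024-03-01T08:00:00Z"},
        {"id": "tok-2", "organizationName": "Contoso EDU", "appleId": "edu@contoso.example",
         "state": "valid", "lastSyncStatus": "completed",
         "expirationDateTime": "2024-03-20T00:00:00Z",
         "lastSyncDateTime": "2024-03-01T08:00:00Z"},
        {"id": "tok-3", "organizationName": "Fabrikam", "appleId": "vpp@fabrikam.example",
         "state": "valid", "lastSyncStatus": "failed",
         "expirationDateTime": "2025-01-01T00:00:00Z",
         "lastSyncDateTime": "2024-02-01T08:00:00Z"},
        {"id": "tok-4", "organizationName": "Old tenant", "appleId": "old@contoso.example",
         "state": "expired", "lastSyncStatus": "completed",
         "expirationDateTime": "2023-01-01T00:00:00Z",
         "lastSyncDateTime": "2022-12-01T08:00:00Z"},
    ]
})

EXPIRY_WARNING = timedelta(days=30)   # assumption: warn 30 days before expiry
STALE_SYNC = timedelta(days=7)        # assumption: warn if no sync in a week


def _parse(ts: str) -> datetime:
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_token(token: dict, now: datetime) -> tuple[str, str]:
    """Return (status, reason); status is unhealthy, warning or healthy."""
    state = token.get("state", "unknown")
    if state != "valid":                      # expired, invalid, assignedToExternalMDM...
        return "unhealthy", f"token state is {state}"
    if token.get("lastSyncStatus") == "failed":
        return "unhealthy", "last sync with Apple failed"
    expires = _parse(token["expirationDateTime"])
    if expires <= now:
        return "unhealthy", "token has expired"
    if expires - now <= EXPIRY_WARNING:
        return "warning", f"token expires in {(expires - now).days} days"
    last_sync = _parse(token["lastSyncDateTime"])
    if now - last_sync > STALE_SYNC:
        return "warning", f"last sync {(now - last_sync).days} days ago"
    return "healthy", "ok"


def connector_report(raw_json: str, now_iso: str) -> dict[str, list[str]]:
    """Group token ids by health, mirroring the connector status view."""
    now = _parse(now_iso)
    report: dict[str, list[str]] = {"unhealthy": [], "warning": [], "healthy": []}
    tokens = json.loads(raw_json).get("value", [])
    if not tokens:                            # no token at all: connector not enabled
        report["not enabled"] = ["Apple VPP"]
        return report
    for tok in tokens:
        status, reason = classify_token(tok, now)
        report[status].append(f"{tok['id']} ({tok['organizationName']}): {reason}")
    return report


if __name__ == "__main__":
    for status, items in connector_report(SAMPLE_VPP_TOKENS, "2024-03-05T00:00:00Z").items():
        print(status.upper())
        for line in items:
            print("  " + line)
```

Against the sample, evaluated on 2024-03-05, tok-1 is healthy, tok-2 is a warning (15 days to expiry), and tok-3 and tok-4 are unhealthy. A token that has expired or whose sync fails is the case that silently breaks app assignment, which is why those two conditions outrank the others.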
Tip
A tenant is an instance of Azure Active Directory (Azure AD). When you set up
Microsoft Intune a tenant is created for you. Your subscription to Intune is hosted
by an Azure AD tenant.
Manage apps
You can view a list of all apps that have been added to Intune. This list provides details
about each app, such as the type, status, and version. Also, the list shows whether the
app has been assigned to members of your organization.
App reports
Microsoft Intune reports allow you to more effectively and proactively monitor the
health and activity of endpoints across your organization, and also provides other
reporting data across Intune. For example, you'll be able to see reports about device
compliance, device health, and device trends. In addition, you can create custom reports
to obtain more specific data.
The following list provides Intune reports that are specific to apps:
For more information about how to proceed, see the following topics:
The Microsoft Intune app lifecycle begins when an app is added and progresses through
additional phases until you remove the app. By understanding these phases, you'll have
the details you need to get started with app management in Intune.
Add
The first step in app deployment is to add the apps, which you want to manage and
assign, to Intune. While you can work with many different app types, the basic
procedures are the same. With Intune you can add different app types, including apps
written in-house (line-of-business), apps from the store, apps that are built in, and apps
on the web. For more information about each of these app types, see How to add an
app to Microsoft Intune.
Deploy
After you've added the app to Intune, you can then assign it to users and devices that
you manage. Intune makes this process easy, and after the app is deployed, you can
monitor the success of the deployment from within the Intune portal. Additionally,
in some app stores, such as the Apple and Windows app stores, you can purchase app
licenses in bulk for your company. Intune can synchronize data with these stores so that
you can deploy and track license usage for these types of apps right from the Intune
administration console.
Configure
As part of the app lifecycle, new versions of apps are regularly released. Intune provides
tools to easily update apps that you have deployed to a newer version. Additionally, you
can configure extra functionality for some apps, for example:
Protect
Intune gives you many ways to help protect the data in your apps. The main methods
are:
Conditional Access, which controls access to email and other services based on
conditions that you specify. Conditions include device types or compliance with a
device compliance policy that you deployed.
App protection policies work with individual apps to help protect the company
data that they use. For example, you can restrict copying data between
unmanaged apps and apps that you manage, or you can prevent apps from
running on devices that have been jailbroken or rooted.
Retire
Eventually, it's likely that apps that you deployed become outdated and need to be
removed. Intune makes it easy to uninstall apps. For more information, see Uninstall an
app.
Next steps
Learn about app management in Microsoft Intune
Mobile Application Management and
personally-owned work profiles on
Android Enterprise devices in Intune
Article • 03/06/2023
The MAM and the Android Enterprise personally-owned work profile deployment
scenarios include the following key features important for BYOD environments:
End-user privacy: MAM separates end user and organization content in managed
applications and Android Enterprise personally-owned work profiles separate end
users content on the device, and data managed by the mobile device management
(MDM) administrator. In both scenarios, IT admins enforce policies, such as PIN-
only authentication on organization-managed apps or identities. IT admins are
unable to read, access, or erase data that's owned or controlled by end users.
Whether you choose MAM or Android Enterprise personally-owned work profiles for
your BYOD deployment depends on your requirements and business needs. The goal of
this article is to provide guidance to help you decide. For more information related to
managed Android devices, see Manage Android personally-owned/corporate-owned
work profile devices with Intune.
1. Natively integrated into Microsoft first-party apps: Microsoft Office apps for
Android, and a selection of other Microsoft apps, come with Intune APP built-in.
These Office apps, such as Word, OneDrive, Outlook, and so on, don't need any
more customization to apply policies. These apps can be installed by end users
directly from Google Play Store.
2. Integrated into app builds by developers using the Intune SDK: App developers
can integrate the Intune SDK into their source code and recompile their apps to
support Intune APP policy features.
3. Wrapped using the Intune app wrapping tool: Some customers compile Android
apps (.APK file) without access to source code. Without the source code, the
developer can't integrate with the Intune SDK. Without the SDK, they can't enable
their app for APP policies. The developer must modify or recode the app to
support APP policies.
To help, Intune includes the App Wrapping Tool for existing Android apps (APKs),
which creates an app that recognizes APP policies.
For more information on this tool, see prepare line-of-business apps for app
protection policies.
To see a list of apps enabled with APP, see managed apps with a rich set of mobile
application protection policies .
Deployment scenarios
This section describes the important characteristics of the MAM and Android Enterprise
personally-owned work profile deployment scenarios.
MAM
A MAM deployment defines policies on apps, not devices. For BYOD, MAM is often used
on unenrolled devices. To protect apps and access to organizational data, administrators
use APP-manageable apps, and apply data protection policies to these apps.
Android Enterprise personally-owned Work profiles and APP complement each other's
settings by providing additional coverage if one profile doesn't meet your organization's
data protection requirements. For example, work profiles don't natively provide controls
to restrict an app from saving to an untrusted cloud storage location. APP includes this
feature. You may decide that DLP provided solely by the work profile is sufficient, and
choose not to use APP. Or you may require the protections from a combination of the
two.
For example, you require end users to enter a PIN when opening a work app. Depending
on the device, the PIN features are handled by APP or by the work profile. For MAM
managed applications, access controls including the PIN-to-launch behavior are enforced
by APP. For enrolled devices, the APP PIN may be disabled to avoid requiring both a
device PIN and an APP PIN (see the APP PIN setting for Android). For work profile
devices, you can use a device or work profile PIN enforced by the OS. To accomplish this
scenario, configure APP settings so that they don't apply when an app is deployed into a
work profile. If you don't configure it this way, the end user gets prompted for a PIN by
the device, and again at the APP layer.
When using Android Enterprise personally-owned work profiles, you may want to
disable this multi-identity behavior. When you disable it, badged instances of the app in
the work profile can only be configured with an organization identity. Use the Allowed
Accounts app configuration setting for supporting Office Android apps.
For more information, see deploy Outlook for iOS/iPadOS and Android app
configuration settings.
For example, customers in China, or with users in China, can't use Android device
management since Google services are blocked. In this case, use Intune APP for DLP.
Summary
Using Intune, both MAM and Android Enterprise personally-owned work profiles are
available for your Android BYOD program. You can choose to use MAM and/or work
profiles depending upon your business and usage requirements. In summary, use
Android Enterprise personally-owned work profiles if you need MDM activities on
managed devices, such as certificate deployment, app push, and so on. Use MAM if you
want to protect org data within applications.
Next steps
Start using app protection policies, or enroll your devices.
How to use Intune in environments
without Google Mobile Services
Article • 05/01/2023
Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Microsoft
Intune company portal when managing Android devices. In some cases, devices may
temporarily or permanently not have access to GMS. For example, a device might ship
without GMS, or the device may be connecting to a closed network where GMS is not
available. This document summarizes the differences and limitations you may observe
when installing and using Intune to manage Android devices without GMS.
Note
These GMS related limitations also apply to Device Administrator management and
Android (AOSP) Management.
Scenario | Features
App protection policies (conditional launch) | SafetyNet device attestation, Require threat scan on apps, and Max Company Portal version age (days) are device conditions that cannot be used for conditional launch.
Client apps | Apps of type Android are not available. Use Line-of-business app instead to deploy and manage apps.
Mobile Threat Defense | Work with your MTD vendor to understand whether their solution is integrated with Intune, whether it is available in the region of interest, and whether it relies on GMS.
All Android devices enrolled with device administrator or Android (AOSP) management
report to Intune every 8 hours. For example, if a device reports to Intune at 1 PM and the
remote tasks are issued at 1:05 PM, Intune will contact the device at 9 PM to complete
the tasks.
In conditions where GMS isn't available, if the device is enrolled with device
administrator and running Company Portal 5.0.5655.0 and above, Intune also attempts
to check for new tasks and notifications approximately every 15 minutes. Note that this
frequency may be affected by the device manufacturer, device usage patterns, and
whether battery optimization is enabled for the Company Portal app.
Next steps
Assign apps to groups with Microsoft Intune
Frequently asked questions about
MAM and app protection
FAQ
This article provides answers to some frequently asked questions on Intune mobile
application management (MAM) and Intune app protection.
MAM Basics
What is MAM?
MAM Overview
Apply a less strict MAM policy to Intune managed devices, and apply a more
restrictive MAM policy to non MDM-enrolled devices.
Apply an equally strict MAM policy to Intune managed devices as to 3rd party
managed devices.
Apply a MAM policy to unenrolled devices only.
The end user must have a license for Microsoft Intune assigned to their Azure
Active Directory account. See Manage Intune licenses to learn how to assign Intune
licenses to end users.
The end user must belong to a security group that is targeted by an app
protection policy. The same app protection policy must target the specific app
being used. App protection policies can be created and deployed in the Microsoft
Intune admin center. Security groups can currently be created in the Microsoft
365 admin center.
The end user must sign into the app using their Azure AD account.
The end user must have a Microsoft 365 Exchange Online mailbox and license
linked to their Azure Active Directory account.
Note
The Outlook mobile app currently only supports Intune App Protection for
Microsoft Exchange Online and Exchange Server with hybrid modern
authentication and does not support Exchange in Office 365 Dedicated.
The end user must have a managed location configured using the granular save as
functionality under the "Save copies of org data" application protection policy
setting. For example, if the managed location is OneDrive, the OneDrive app
should be configured in the end user's Word, Excel, or PowerPoint app.
If the managed location is OneDrive, the app must be targeted by the app
protection policy deployed to the end user.
Note
The Office mobile apps currently only support SharePoint Online and not
SharePoint on-premises.
The PIN is shared among apps of the same publisher to improve usability: On
iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher.
On Android, one app PIN is shared amongst all apps.
The 'Recheck the access requirements after (minutes)' behavior after a device
reboot: A "PIN timer" tracks the number of minutes of inactivity that determine
when to show the Intune app PIN next. On iOS/iPadOS, the PIN timer is unaffected
by device reboot. Thus, device restart has no effect on the number of minutes the
user has been inactive from an iOS/iPadOS app with Intune PIN policy. On Android,
the PIN timer is reset on device reboot. As such, Android apps with Intune PIN
policy will likely prompt for an app PIN regardless of the 'Recheck the access
requirements after (minutes)' setting value after a device reboot.
The rolling nature of the timer associated with the PIN: Once a PIN is entered to
access an app (app A), and the app leaves the foreground (main input focus) on
the device, the PIN timer gets reset for that PIN. Any app (app B) that shares this
PIN will not prompt the user for PIN entry because the timer has reset. The prompt
will show up again once the 'Recheck the access requirements after (minutes)'
value is met again.
For iOS/iPadOS devices, even if the PIN is shared between apps from different
publishers, the prompt will show up again when the Recheck the access requirements
after (minutes) value is met again for the app that is not the main input focus. So, for
example, a user has app A from publisher X and app B from publisher Y, and those two
apps share the same PIN. The user is focused on app A (foreground), and app B is
minimized. After the Recheck the access requirements after (minutes) value is met and
the user switches to app B, the PIN would be required.
Note
In order to verify the user's access requirements more often (i.e. PIN prompt),
especially for a frequently used app, it is recommended to reduce the value of the
'Recheck the access requirements after (minutes)' setting.
In order to support this feature and ensure backward compatibility with previous
versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in
7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK.
Therefore, if a device has applications with Intune SDK for iOS/iPadOS versions before
7.1.12 AND after 7.1.12 from the same publisher, they will have to set up two PINs.
That said, the two PINs (one per app) are not related in any way; each must adhere to
the app protection policy that's applied to its app. As such, only if apps A and B have the
same PIN-related policies applied can the user set up the same PIN twice.
This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with
Intune Mobile App Management. Over time, as applications adopt later versions of the
Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher
becomes less of an issue. Please see the note below for an example.
Note
For example, if app A is built with a version prior to 7.1.12 and app B is built with a
version greater than or equal to 7.1.12 from the same publisher, the end user will
need to set up PINs separately for A and B if both are installed on an iOS/iPadOS
device.
If an app C that has SDK version 7.1.9 is installed on the device, it will share the
same PIN as app A.
An app D built with 7.1.14 will share the same PIN as app B.
If only apps A and C are installed on a device, then one PIN will need to be set. The
same applies to if only apps B and D are installed on a device.
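The PIN-sharing rules and the recheck timer above are easier to reason about as a small model. The following is an added example, not code from the Intune documentation or the Intune SDK: it encodes the rules stated in this FAQ (one PIN per publisher on iOS/iPadOS, one PIN for all apps on Android, the iOS SDK 7.1.12 split, the timer restarting when a PIN is entered and when the app leaves the foreground, an Android reboot invalidating the timer) and reproduces the A/B/C/D note above. The iOS cross-publisher nuance quoted earlier is not modelled, and the App class, the minute-based clock and the event names are my simplification.

```python
"""Model of Intune app PIN sharing and the recheck-access timer.

Added example, not from the Intune docs: encodes the FAQ's stated rules so the
worked A/B/C/D note can be checked. Simplified: whole minutes as the clock,
no cross-publisher iOS special case, no wipe actions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SPLIT_SDK = (7, 1, 12)   # iOS SDK version at which PIN handling changed (from the FAQ)


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class App:
    name: str
    publisher: str
    sdk_version: str   # Intune SDK version the app was built with (matters on iOS)


def pin_group(platform: str, app: App) -> str:
    """Key identifying which PIN an app uses on the given platform."""
    if platform == "android":
        return "android:all-apps"                     # one PIN shared by all apps
    new_sdk = parse_version(app.sdk_version) >= SPLIT_SDK
    return f"ios:{app.publisher}:{'new' if new_sdk else 'legacy'}"


def pins_required(platform: str, apps: list[App]) -> int:
    """How many distinct PINs a user has to set up for these apps."""
    return len({pin_group(platform, a) for a in apps})


@dataclass
class PinTimer:
    platform: str
    recheck_minutes: int                                  # 'Recheck the access requirements after (minutes)'
    last_reset: dict[str, int] = field(default_factory=dict)  # pin group -> minute of last reset

    def open(self, app: App, now: int) -> bool:
        """App comes to the foreground at minute `now`; True if a PIN prompt is shown."""
        group = pin_group(self.platform, app)
        last = self.last_reset.get(group)
        if last is None or now - last >= self.recheck_minutes:
            self.last_reset[group] = now                  # PIN entered: timer restarts
            return True
        return False

    def background(self, app: App, now: int) -> None:
        """App leaves the foreground: the timer for its shared PIN is reset."""
        self.last_reset[pin_group(self.platform, app)] = now

    def reboot(self, now: int) -> None:
        """Reboot clears the timer on Android (prompt next time); no effect on iOS."""
        if self.platform == "android":
            self.last_reset.clear()


if __name__ == "__main__":
    # The FAQ's own hypothetical apps from publisher X.
    a, b = App("A", "X", "7.1.9"), App("B", "X", "7.1.12")
    c, d = App("C", "X", "7.1.9"), App("D", "X", "7.1.14")
    print("iOS PINs for A+B:", pins_required("ios", [a, b]))        # 2
    print("iOS PINs for A+C:", pins_required("ios", [a, c]))        # 1
    print("Android PINs for all four:", pins_required("android", [a, b, c, d]))  # 1
    t = PinTimer("ios", recheck_minutes=30)
    print("open A @0:", t.open(a, 0)); t.background(a, 10)
    print("open C @25:", t.open(c, 25)); print("open C @45:", t.open(c, 45))
```

Tracing the iOS case: A is unlocked at minute 0 and backgrounded at minute 10, so C (same PIN group) opens at minute 25 without a prompt and at minute 45 with one, which is the rolling-timer behavior described above.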
What is wipe?
Wipe removes all user data and settings from the device by restoring the device to its
factory default settings. The device is removed from Intune.
Note
Wipe can only be achieved on devices enrolled with Intune mobile device
management (MDM).
When dealing with different types of settings, an app version requirement would take
precedence, followed by Android operating system version requirement and Android
patch version requirement. Then, any warnings for all types of settings in the same order
are checked.
The intent of this is to continue keeping your organization's data within the app secure
and protected at the app level. This feature is only available for iOS/iPadOS, and
requires the participation of applications that integrate the Intune APP SDK for
iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the
behavior can be enforced on the targeted applications. This integration happens on a
rolling basis and is dependent on the specific application teams. Some apps that
participate include WXP, Outlook, Managed Browser, and Yammer.
When dealing with different types of settings, an Intune App SDK version requirement
would take precedence, and then an app version requirement, followed by the
iOS/iPadOS operating system version requirement. Then, any warnings for all types of
settings in the same order are checked. We recommend the Intune App SDK version
requirement be configured only upon guidance from the Intune product team for
essential blocking scenarios.
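The two precedence paragraphs above can be expressed as one evaluation order per platform. The code below is an added example, not from the Intune documentation: it checks a device's reported versions against a list of conditional-launch minimums, applying blocking settings first and warnings second, each in the order the FAQ states (Android: app version, OS version, patch version; iOS/iPadOS: SDK version, app version, OS version), and returns the triggered settings in that order. The setting names, the block/warn vocabulary, the device-state dictionary and the decision to treat an unreported value as met are my simplifications; wipe actions are not modelled.

```python
"""Evaluate conditional-launch minimum-version settings in Intune's stated
precedence order. Added example, not from the Intune docs; the naming and
the device-state shape are my simplified model, the ordering is the FAQ's.
"""
from __future__ import annotations

from datetime import date

# Per-platform precedence among minimum-version settings (from the FAQ text).
PRECEDENCE = {
    "android": ["min_app_version", "min_os_version", "min_patch_version"],
    "ios": ["min_sdk_version", "min_app_version", "min_os_version"],
}

# Which field of the reported device/app state each setting is checked against.
STATE_KEY = {
    "min_app_version": "app_version",
    "min_os_version": "os_version",
    "min_patch_version": "patch_version",   # Android security patch level, YYYY-MM-DD
    "min_sdk_version": "sdk_version",       # Intune App SDK version inside the app
}


def _as_key(setting: str, value: str):
    """Comparable form: dates for the patch level, integer tuples otherwise."""
    if setting == "min_patch_version":
        return date.fromisoformat(value)
    return tuple(int(p) for p in value.split("."))


def violates(setting: str, required: str, state: dict) -> bool:
    actual = state.get(STATE_KEY[setting])
    if actual is None:
        return False            # assumption: an unreported value is treated as met
    return _as_key(setting, actual) < _as_key(setting, required)


def evaluate(platform: str, settings: list[tuple[str, str, str]],
             state: dict) -> list[tuple[str, str]]:
    """settings: (setting, minimum value, action) with action 'block' or 'warn'.
    Returns the triggered (setting, action) pairs in the order they apply:
    all blocking settings by precedence, then all warnings by precedence."""
    triggered = []
    for action in ("block", "warn"):
        for setting in PRECEDENCE[platform]:
            for name, required, configured_action in settings:
                if name == setting and configured_action == action \
                        and violates(name, required, state):
                    triggered.append((name, action))
    return triggered


def first_outcome(platform: str, settings, state) -> tuple[str, str] | None:
    """What the user actually sees first, or None if every condition is met."""
    hits = evaluate(platform, settings, state)
    return hits[0] if hits else None


if __name__ == "__main__":
    # Constructed policy and device state: several settings fail at once.
    android_policy = [("min_os_version", "12", "block"),
                      ("min_app_version", "2.0.0", "block"),
                      ("min_patch_version", "2023-06-01", "warn"),
                      ("min_app_version", "2.5.0", "warn")]
    device = {"app_version": "1.8.0", "os_version": "11", "patch_version": "2023-01-01"}
    for setting, action in evaluate("android", android_policy, device):
        print(f"{action:5} <- {setting}")
```

In the constructed Android case the old app version blocks before the old OS version does, even though the OS setting was configured first, and neither warning is reached until both blocks are cleared.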
See also
Deploy Intune
Create a rollout plan
Android mobile app management policy settings in Microsoft Intune
iOS/iPadOS mobile app management policy settings
App protection policies policy refresh
Validate your app protection policies
Add app configuration policies for managed apps without device enrollment
How to get support in Microsoft Intune
Add apps to Microsoft Intune
Article • 08/18/2023
Before you can configure, assign, protect, or monitor apps, you must add them to
Microsoft Intune.
The users of apps and devices at your company (your company's workforce) might have
several app requirements. Before adding apps to Intune and making them available to
your workforce, you may find it helpful to assess and understand a few app
fundamentals. There are various types of apps that are available for Intune. You must
determine app requirements that are needed by the users at your company, such as the
platforms and capabilities that your workforce needs. You must determine whether to
use Intune to manage the devices (including apps) or have Intune manage the apps
without managing the devices. Also, you must determine the apps and capabilities that
your workforce needs, and who needs them. The information in this article helps you get
started.
App type | Installation | Updates
Apps from the store (store apps) | Intune installs the app on the device. | App updates are automatic.
Apps written in-house or as a custom app (line-of-business) | Intune installs the app on the device (you supply the installation file). | You must update the app.
Apps that are built-in (built-in apps) | Intune installs the app on the device. | App updates are automatic.
Apps on the web (web link) | Intune creates a shortcut to the web app on the device home screen. | App updates are automatic.
Apps from other Microsoft services | Intune creates a shortcut to the app in the Company Portal. For more information, see App source setting options. | App updates are automatic.
App-specific type [general type]: app-specific procedure
Android store apps [Store app]: Select Android store app as the App type, click Select, then enter the Google Play store URL for the app.
iOS/iPadOS store apps [Store app]: Select iOS store app as the app type, search for the app, and select the app in Intune.
Microsoft store apps [Store app]: Select Microsoft store app as the app type, and enter the Microsoft store URL for the app.
Managed Google Play apps [Store app]: Select Managed Google Play as the app type, search for the app, and select the app in Intune.
Android Enterprise apps [Store app]: Select Managed Google Play as the app type, search for the app, and select the app in Intune. (1)
Microsoft 365 apps for Windows 10 and later (Microsoft 365) [Store app]: Select Windows 10 and later under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app that you want to install.
Microsoft 365 apps for macOS (Microsoft 365) [Store app]: Select macOS under Microsoft 365 Apps as the app type, and then select the Microsoft 365 app suite.
Microsoft Edge, version 77 and later for Windows 10 and later [Store app]: Select Windows 10 and later under Microsoft Edge, version 77 and later as the app type.
Microsoft Edge, version 77 and later for macOS [Store app]: Select macOS under Microsoft Edge, version 77 and later as the app type.
Android line-of-business (LOB) apps [LOB app]: Select Line-of-business app as the app type, select the App package file, and then enter an Android installation file with the extension .apk.
iOS/iPadOS LOB apps [LOB app]: Select Line-of-business app as the app type, select the App package file, and then enter an iOS/iPadOS installation file with the extension .ipa.
Windows LOB apps [LOB app]: Select Line-of-business app as the app type, select the App package file, and then enter a Windows installation file with the extension .msi, .appx, .appxbundle, .msix, or .msixbundle.
Built-in iOS/iPadOS app [Built-in app]: Select Built-In app as the app type, and then select the built-in app in the list of provided apps.
Built-in Android app [Built-in app]: Select Built-In app as the app type, and then select the built-in app in the list of provided apps.
Web apps [Web app]: Select Web link as the app type, and then enter a valid URL pointing to the web app.
iOS/iPadOS web clip [Web app]: Select iOS/iPadOS web clip as the app type, and then enter a valid URL pointing to the web app. This app type applies only to the iOS/iPadOS platform.
macOS web clip [Web app]: Select macOS web clip as the app type, and then enter a valid URL pointing to the web app. This app type applies only to the macOS platform.
Windows web link [Web app]: Select Windows web link as the app type, and then enter a valid URL pointing to the web app. This app type applies only to the Windows platform.
Cross platform web apps [Web app]: Select Web link as the app type, and then enter a valid URL pointing to the web app.
Android Enterprise system apps [Store app]: Select Android Enterprise system app as the app type, and then enter the app name, publisher, and package file.
Windows app (Win32) [LOB app]: Select Windows app (Win32) as the app type, select the App package file, and then select an installation file with the extension .intunewin.
macOS LOB apps [LOB app]: Select Line-of-business app as the app type, select the App package file, and then select an installation file with the extension .pkg.
macOS apps (DMG) [LOB app, non-store app]: Select macOS app (DMG) as the app type, select the App package file, and then select an installation file with the extension .dmg.
macOS apps (PKG) [LOB app]: Select macOS app (PKG) as the app type, select the App package file, and then select an installation file with the extension .pkg. This app type is used to add an unmanaged macOS PKG app to Intune.
Microsoft Defender for Endpoint (macOS) [Store app, Microsoft Defender ATP]: Select macOS under Microsoft Defender for Endpoint as the app type and then continue by setting up the app in Intune.
(1) For more information about Android Enterprise and Android work profiles, see Understanding licensed apps.
You can add an app in Microsoft Intune by selecting Apps > All apps > Add. The Select
app type pane is displayed and allows you to select the App type.
Tip
An LOB app is one that you add from an app installation file. For example, to install
an iOS/iPadOS LOB app, you add the application by selecting Line-of-business app
as the App type in the Select app type pane. You then select the app package file
(extension .ipa). These types of apps are typically written in-house or as a custom
app.
Using Intune to manage apps with MAM without managing the device is useful when:
First, you must determine which group should have access to the app, based on the
sensitivity of the data the app contains. You might need to include or exclude certain
types of roles within your organization. For example, only certain LOB apps might be
required for your sales group, whereas people focused on engineering, finance, HR, or
legal might not need to use the LOB apps. In addition, your sales group might need
additional data protection and access to internal corporate services on their mobile
devices. You must determine how this group will connect to resources using the app.
Will the data that the app accesses live in the cloud or on-premises? Also, how will the
users connect to resources by using the app?
Intune also supports enabling access to client apps that require secure access to on-
premises data, such as line-of-business app servers. You ordinarily provide this type of
access by using Intune-managed certificates for access control, combined with a
standard VPN gateway or proxy in the perimeter, such as Azure Active Directory
Application Proxy. The Intune App Wrapping Tool and App SDK can help contain the
accessed data within your line-of-business app, so that it can't pass corporate data to
consumer apps or services.
Use the Intune deployment planning, design and implementation guide to help
determine how you identify the organizational groups. For information about assigning
apps to groups, see Assign apps to groups with Microsoft Intune.
Apps from the store: Apps that have been uploaded to either the Microsoft store,
the iOS/iPadOS store, or the Android store are store apps. The provider of a store
app maintains and provides updates to the app. You select the app in the store list
and add it by using Intune as an available app for your users.
Apps written in-house or as a custom app (line-of-business): Apps that are
created in-house or as a custom app are line-of-business (LOB) apps. The
functionality of this type of app has been created for one of the Intune supported
platforms, such as Windows, iOS/iPadOS, macOS, or Android. Your organization
creates and provides you with updates as a separate file. You provide updates of
the app to users by adding and deploying the updates using Intune.
Apps on the web: Web apps are client-server applications. The server provides the
web app, which includes the UI, content, and functionality. Additionally, modern
web hosting platforms commonly offer security, load balancing, and other benefits.
This type of app is separately maintained on the web. You use Intune to point to
this app type. You also assign which groups of users can access the app.
Apps from other Microsoft services: Apps that have been sourced from either
Azure AD or Office Online. Azure AD Enterprise applications are registered and
assigned via the Microsoft Intune admin center. Office Online applications are
assigned using the licensing controls available in the M365 Admin Center. You
can hide or show Azure AD Enterprise and Office Online applications to end-users
in the Company Portal. From the Microsoft Intune admin center, select Tenant
administration > Customization to find this configuration setting. Select to Hide
or Show either Azure AD Enterprise applications or Office Online applications in
the Company Portal for each end-user. Each end-user will see their entire
application catalog from the chosen Microsoft service. By default, each additional
app source will be set to Hide. For more information, see App source setting
options.
As you're determining which apps your organization needs, consider how the apps
integrate with cloud services, what data the apps access, whether the apps are available
to BYOD users, and whether the apps require internet access.
For more information about the types of apps that your organization needs, see Create a
design.
Intune-managed apps can also enable app protection without requiring enrollment,
which gives you the choice of applying data loss prevention policies without managing
the user's device. Additionally, you can incorporate mobile-app management in your
mobile and line-of-business apps by using the Intune App SDK and App Wrapping Tool.
For more information about these tools, see Intune App SDK overview.
Apple Volume Purchasing Program for Business (iOS): The iOS/iPadOS App Store
lets you purchase multiple licenses for an app that you want to run in your
company. Purchasing multiple copies helps you to efficiently manage apps in your
company. For more information, see Manage iOS/iPadOS volume-purchased apps.
Android Enterprise fully managed work profile: How you assign apps to Android
Enterprise fully managed work profile devices differs from how you assign them to
standard Android devices. All apps you install for Android Enterprise fully managed
work profiles come from the Managed Google Play store. You use Intune to
browse for the apps you want and approve them. The app then appears in the
Licensed apps node of the portal, and you can manage assignment of the app as
you would any other app.
Microsoft Store for Business (Windows 10): Microsoft Store for Business gives you
a place to find and purchase apps for your organization, individually or in volume.
By connecting the store to Microsoft Intune, you can manage volume-purchased
apps in the portal. For more information, see Manage apps from Microsoft Store
for Business.
Note
The file extensions for Windows apps include .msi, .appx, .appxbundle, .msix
and .msixbundle.
When you add and assign an app from a store, your users must have an account
with that store to be able to install the app.
Some apps or items that you assign might depend on built-in iOS/iPadOS apps.
For example, if you assign a book in the iOS/iPadOS store, the iBooks app must be
present on the device. If you have removed the iBooks built-in app, you cannot use
Intune to reinstate it.
Important
If you change the name of the app through Intune after you have deployed and
installed the app, the app can no longer be targeted by commands.
The maximum file size for any file that you upload is 8 GB.
Note
When you add an app to Intune, you're given the option to select the category you
want. Use the platform-specific articles to add an app and assign categories. To create
and edit your own categories, use the following procedure:
To add a category, in the Create category pane, select Add, and then enter a
name for the category.
Names can be entered in one language only, and they aren't translated by
Intune.
To edit a category, select the ellipsis (...) next to the category, and then select
Pin to dashboard or Delete.
4. Select Create.
Note
Intune will automatically reinstall, update, or remove a required app based on the
following conditions:
If an end user uninstalls an app that you have required to be installed on the end
user's device, Intune will automatically reinstall the app when this schedule elapses.
If a required app install fails or somehow the app isn't present on the device,
Intune evaluates compliance and reinstalls the app when this schedule elapses.
An admin targets an app as available to a user group and an end user installs the
app from the company portal on the device. Later, the admin updates the app
from v1 to v2. Intune will update the app when this schedule elapses, provided that
any previous version of the app is still present on the device.
If the admin deploys uninstall intent and the app is present on the device and
failed to uninstall, Intune evaluates compliance and uninstalls the app when this
schedule elapses.
Note
Using the Windows Company Portal, end users can restart an app installation if the
progress seems to have stalled or is frozen. This functionality is allowed if the app
installation progress has not changed in two hours.
From the Installed apps page of the Windows Company Portal or the Company
Portal website, end users can view the installation status and details for device-
assigned required apps. This functionality is provided in addition to the installation
status and details of user-assigned required apps.
Uninstall an app
When you need to uninstall an app from users' devices, use the following steps.
Important
To uninstall the app successfully, make sure to remove the members or group
assignment for install before assigning them to be uninstalled. If a group is
assigned to both install an app and uninstall an app, the app will remain and not be
removed.
Note
End-users can uninstall Win32 apps and Microsoft store apps using the Windows
Company Portal if the apps were assigned as available and were installed on-
demand by the end-users. For Win32 apps, you have the option to enable or
disable this feature (off by default). For Microsoft store apps, it is always on and
available for your end-users. If an app can be uninstalled by the end-user, the end-
user will be able to select Uninstall for the app in the Windows Company Portal.
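The install/uninstall conflict described above is easy to introduce by accident, so here is an added example (not Intune or Microsoft code) that finds groups holding both an install-type intent and an uninstall intent for one app. The records mimic the shape of mobileAppAssignment objects returned by Microsoft Graph (GET /deviceAppManagement/mobileApps/{id}/assignments); the group ids and assignment ids are constructed.

```python
"""Flag groups assigned both an install intent and an uninstall intent for one app.

Added example, not Intune or Microsoft code. The records mimic the shape of
mobileAppAssignment objects returned by Microsoft Graph; ids below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# installIntent values that result in the app being installed or offered.
INSTALL_INTENTS = {"required", "available", "availableWithoutEnrollment"}
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"
EXCLUSION_TARGET = "#microsoft.graph.exclusionGroupAssignmentTarget"

# Constructed sample: grp-sales is both required and uninstall (the conflict the
# text warns about); grp-eng is only excluded from the uninstall, which is no conflict.
SAMPLE_ASSIGNMENTS = [
    {"id": "a1", "intent": "required",  "target": {"@odata.type": GROUP_TARGET, "groupId": "grp-sales"}},
    {"id": "a2", "intent": "uninstall", "target": {"@odata.type": GROUP_TARGET, "groupId": "grp-sales"}},
    {"id": "a3", "intent": "available", "target": {"@odata.type": GROUP_TARGET, "groupId": "grp-eng"}},
    {"id": "a4", "intent": "uninstall", "target": {"@odata.type": EXCLUSION_TARGET, "groupId": "grp-eng"}},
    {"id": "a5", "intent": "required",  "target": {"@odata.type": "#microsoft.graph.allLicensedUsersAssignmentTarget"}},
]


def intents_by_group(assignments: List[dict]) -> Dict[str, Set[str]]:
    """Map groupId -> set of intents, counting only direct group targets.

    Exclusion targets remove a group from an assignment and are therefore ignored;
    all-users / all-devices targets carry no groupId and are not group conflicts.
    """
    result: Dict[str, Set[str]] = defaultdict(set)
    for a in assignments:
        target = a.get("target", {})
        if target.get("@odata.type") == GROUP_TARGET and "groupId" in target:
            result[target["groupId"]].add(a["intent"])
    return dict(result)


def conflicting_groups(assignments: List[dict]) -> List[str]:
    """Groups with both an install-type intent and uninstall for this app.

    Per the documentation, the app stays installed for such groups, so the
    install assignment must be removed before the uninstall takes effect.
    """
    by_group = intents_by_group(assignments)
    return sorted(g for g, intents in by_group.items()
                  if "uninstall" in intents and intents & INSTALL_INTENTS)


def assignments_to_remove_first(assignments: List[dict]) -> List[str]:
    """Ids of the install assignments that block an uninstall for a conflicting group."""
    conflicts = set(conflicting_groups(assignments))
    return sorted(a["id"] for a in assignments
                  if a["intent"] in INSTALL_INTENTS
                  and a.get("target", {}).get("@odata.type") == GROUP_TARGET
                  and a["target"].get("groupId") in conflicts)


if __name__ == "__main__":
    print("conflicting groups:", conflicting_groups(SAMPLE_ASSIGNMENTS))
    print("remove these install assignments first:", assignments_to_remove_first(SAMPLE_ASSIGNMENTS))
```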
Next steps
To learn how to add apps for each platform to Intune, see:
The apps listed in this topic are supported partner and Microsoft apps that are commonly used with
Microsoft Intune. Intune protected apps are enabled with a rich set of mobile application protection
policies.
Note
For your client line-of-business apps, you can incorporate mobile app management using the
Intune App Software Development Kit (SDK), or the App Wrapping Tool for iOS and the App
Wrapping Tool for Android.
Protecting work or school account data while leaving personal data untouched in apps that
support multi-identity
Restricting data transfer and copy-and-paste functions
Encrypting work or school account data
Configuring work or school account web links to open inside a managed browser, like Microsoft
Edge
Enforcing access requirements to access work or school account data
Enforcing conditional launch behaviors to protect the work or school account data
Applying data loss prevention policies without managing the user's device
Enabling app protection without requiring enrollment
Enabling app protection on devices managed with third-party unified endpoint management
solutions
App Configuration Policies can be used by apps to customize app behavior and/or App
Protection Policy settings.
On enrolled devices, managed apps can leverage org allowed accounts mode to require sign-in
with a specific identity and disable multi-identity functionality.
The Sync policy managed app data with native apps App Protection Policy setting can be utilized
by apps to restrict the synchronization of contact or calendar data to the native apps.
The Org data notifications App Protection Policy setting can be utilized by apps to limit the
exposure of sensitive data in notifications.
The Open data into Org documents App Protection Policy setting can be utilized by apps to
restrict importing data from unmanaged locations.
The Save copies of org data App Protection Policy setting can be utilized by apps to restrict which
locations can be used when saving work or school account data.
Microsoft apps
Note
For more information on Conditional Access support, see App protection policy requirement.
The below apps support the Core Intune App Protection Policy settings and are also capable of
supporting advanced App Protection Policy and App Configuration Policy settings:
Table columns: App; Platform; Core App Protection Policy settings; App configuration; Org allowed accounts (iOS, Android); Sync policy managed app data with native apps (iOS, Android); Org data notifications (iOS, Android); Open data into Org documents (iOS, Android); Save copies of org data (iOS, Android).
The below apps support the core Intune App Protection Policy settings.
Note
For Office (Microsoft 365) for Android, add the Office Hub, Office Hub (HL), and Office Hub (ROW)
apps to Android App Protection Policies.
Important
Contact the app vendor for specific details on Intune related support.
Achievers The Achievers app puts the power of recognition in your hands. Achieving great Google Play
things is a challenge. Recognizing someone for great achievements is easy. link
Engage, align, and recognize colleagues with the touch of a screen at any time (Android) ,
and anywhere. App Store
link (iOS)
Acronis Access Safely access your business files from anywhere and any device with Acronis App Store
Access. Easily share documents with colleagues, customers, and vendors while link (iOS)
keeping files and data secure and private, where only you and your organization
can touch them. The app is designed for extreme ease of use with unparalleled
security, privacy, and management capabilities.
Adobe Acrobat Open, view, and work with PDFs in a Microsoft Intune managed environment Google Play
Reader with Adobe Acrobat Reader. Available for iOS/iPadOS and Android. link
(Android) ,
App Store
link (iOS)
Appian for Appian empowers business users to monitor, collaborate, and take action on the Google Play
Intune go, enabling your mobile workforce to stay connected to key business link
processes and enterprise data. (Android) ,
Appian’s Business Process Management and Case Management Suite delivers App Store
mobile access to event notifications, forms, tasks, information, reports, content, link (iOS)
and ad-hoc collaboration.
ArcGIS Indoors ArcGIS Indoors for Intune provides an indoor mapping experience for Google Play
for Intune understanding the location of things and activities happening within your link
organization’s indoor environment. Use the wayfinding, location sharing, and (Android) ,
workspace reservation capabilities to feel more connected to your workplace or
App title App description App store
links for
supported
platform(s)
campus, see increased levels of productivity and collaboration, and less time App Store
feeling the stress of being lost. link (iOS)
ArchXtract ArchXtract is used to decompress zip files between Microsoft Intune managed Google Play
(MDM) applications. The ArchXtract app is the upgraded version of the Intune managed link
decompression app known as ZipExtractor. ArchXtract supports a wide variety of (Android) ,
compression methods. App Store
link (iOS)
Characteristic:
Supported file types: bmp, jpeg, png, gif, PDF, txt, csv, html, xml
Important: To use the full functionality of this application, you need a connect to
a company work account and a valid subscription for Microsoft Intune. Some
functions may not be available in some countries or regions.
AssetScan For AssetScan is a proprietary application linked to the Asset Point tool suite. App Store
Intune AssetScan supports technology inventory gathering and verification for both link (iOS)
data centers and desktop locations.
AventX Mobile AventX Mobile Work Orders allows maintenance users of Oracle eAM to view App Store
Work Orders work order packets on the go with an iPhone or iPad – even offline. As with link (iOS)
paper, users can mark-up electronic work orders with the added benefit of
attaching rich media, like pictures and audio files, as context to the completed
work. Adding to the efficiency of mobile, AventX allows technicians to route,
close and upload completed work orders from anywhere, increasing time in the
field and decreasing time spent manually entering the same information after
the work is done.
Bluejeans BlueJeans delivers a premium video conferencing experience that is optimized Google Play
Video for the mobile workforce. With amazing features, like Dolby Voice® audio, link
Conferencing (Android) ,
App title App description App store
links for
supported
platform(s)
BlueJeans helps make every meeting more productive regardless of where the App Store
participants are located. link (iOS)
Features:
Board Papers Board Papers is a board portal solution that combines an iPad application with App Store
Microsoft SharePoint® integration. link (iOS)
Box - Cloud Box helps you get work done on the go. It's fast, secure and simple to use, so App Store
Content you can be productive from anywhere, which is the reason 97,000 businesses, link (iOS)
Management including Eli Lilly and Company, General Electric, KKR & Co., P&G and The GAP
securely access and manage their critical information with Box. The Box app
integrates with Intune SDK and supports a number of Intune Mobile Application
Management policies without using Mobile Device Management.
Board.Vision Board.Vision is the next generation board portal designed with industry-leading Google Play
features to accelerate the board’s decision-making process. Built in the Cloud link
and offered as a SaaS product, Board.Vision efficiently connects related parties (Android) ,
to the corporate governance ecosystem to accelerate collaboration and App Store
decision-making. link
Board.Vision is developed in collaboration with the Board.Vision team's in- (iPadOS) ,
house corporate secretarial subject matter experts (SMEs), contributing App Store
centuries of experience in corporate governance, corporate administration and link (iOS)
secretarial services. The Board.Vision team's SMEs not only possess in-depth
knowledge and understanding of the latest conventions and regulations
governing businesses and entities, they have influenced the development of
corporate governance standards in Singapore. Board.Vision is unique, enabling
the best practices in corporate governance in the Singaporean context.
The Board.Vision team understands their customers' pain points and what
boards need today to uphold their profound governance responsibilities.
Board.Vision enables boards to work more efficiently and effectively by offering
features and functionality that streamline board processes.
App title App description App store
links for
supported
platform(s)
Box for EMM Keep your employees connected and collaborative while you centrally manage App Store
security, policy, and provisioning across any mobile device using Box for EMM. link (iOS)
Breezy for Breezy For Intune provides secure print capabilities for your iOS device. Our App Store
Intune integration with Intune ensures that your data stays secure while on-device, and link (iOS)
own our end-to-end encryption and enterprise grade security ensure that it
stays that way on its way to the printer.
CAPTOR™ for CAPTOR is used by organizations to securely capture content on iOS/iPadOS Google Play
Intune and Android devices, especially in regulated industries such as healthcare, legal, link
government, law enforcement, insurance, real estate, manufacturing, and (Android) ,
financial services. CAPTOR combines the productivity functions of document App Store
scanning, audio/video recording, photo/document annotating, and QR-Code link (iOS)
reading. CAPTOR requires a license key from Inkscreen .
Key Features:
CellTrust SL2™ CellTrust SL2™ for Microsoft Intune is an enterprise-level application that works Google Play
for Microsoft by assigning a secure Mobile Business Number (MBN) on bring-your-own link
Intune devices to keep personal and business communications separate on a single (Android) ,
device. The seamless solution secures SMS messages and business calls on the App Store
device without using the personal number. This capability is vital for enterprises link (iOS)
that require greater security for business communications, as well as archiving
for eDiscovery and compliance needs.
CiiMS GO CiiMS Go allows for mobile access to your CiiMS Lite, integrated Occurrence Google Play
Book application used to record and manage occurrence related information in link
environments where manual occurrence books and registers are used. CiiMS Go (Android) ,
allows you to do the following: App Store
Report incidents and collect specific information relating to the type of link (iOS)
incident
Conduct inspections, assessments or audits using structured checklists
Attach photos, files or voice notes
Offline ability allows for recording of information while uploading of data
occurs once connectivity is available
Receive rule-based and proximity alerts as push notifications (requires
background location access)
Make and share comments on alerts
Initiate proximity based proactive or reactive roll-call (requires
background location access)
Cisco Jabber Cisco Jabber for Intune is for admins to organize and protect BYOD Google Play
for Intune environments with mobile application management (MAM). This app allows link
admins to protect corporate data while keeping employees connected. (Android) ,
App Store
link (iOS)
Webex for Webex for Intune brings together your teams, your customers, and your work in Google Play
Intune real-time and anytime. You can call, message, and meet. link
(Android) ,
Capabilities: App Store
link (iOS)
Calling built into the app for deeper conversations
Messaging and file sharing integrated with your content and workflow
Upgraded meeting experiences with personalized layouts & virtual
backgrounds
Smart presence lets you know when people are available
Control Webex Devices directly from the app
Built-in Intelligence:
Citrix Secure Citrix Secure Mail is a containerized email, calendar, and contacts app with a rich App Store
Mail user experience. link (iOS)
Comfy Comfy is the workplace experience app that empowers you to get the most out Google Play
of your office. link
(Android) ,
App Store
link (iOS)
Condeco The Condeco app allows you to book work spaces. With a few taps you can Google Play
book a workstation or a meeting room, along with other areas like parking, link (Android)
lockers, quiet spaces, breakout zones, and more.
Confidential The Confidential File Viewer (HIBUN) app is used to decrypt and reference Google Play
File Viewer password-protected encrypted files. Use the confidential file viewer to link
decrypted confidential files that have been created and encrypted using HIBUN (Android) ,
Data Encryption. Confidential files encrypted with HIBUN AE Information Cypher App Store
can also be decrypted using the confidential file viewer. link (iOS)
Diligent With Diligent Boards, organizations can conduct board, committee, and App Store
Boards leadership meetings. Diligent Boards provides executives and senior leaders a link (iOS)
secure way to access critical meeting and governance information. Diligent
provides immediate access to sensitive meeting materials, along with the tools
to review, discuss and collaborate on business topics.
Dooray! for Dooray! is the all-in-one collaboration solution including Task management, Google Play
Intune Messenger, Mail, Meeting, Calendar, Drive, Wiki, Workflow, Board, and more. link
Admins can manage policies to protect corporate data while keeping employees (Android) ,
connected through the Microsoft Intune admin center for Dooray! for Intune. App Store
link (iOS)
Dooray! for Intune includes the following:
Egnyte for The Egnyte mobile app allows you to extend the office by working from App Store
Intune anywhere with ease. You can securely access data, preview files, upload new link (iOS)
content, collaborate on folders and file links, and edit and co-edit files in
popular formats. You can also set up permissions for authorized access, create
link expirations, and receive notifications when files are accessed.
Egnyte for Intune works with workspaces and devices managed by Microsoft
Intune. Intune enables companies to control how the organization’s devices are
used and also to configure specific policies.
Egress Secure Send and receive encrypted emails and files from your mobile device. Egress Google Play
Mail for Intune Secure Email provides user-friendly tools to secure sensitive data, with end-to- link (Android)
end encryption, access revocation and message restrictions to empower users
to stay in control of the information they share.
The Egress Secure Email app requires you to be a licensed user of the Egress
platform, with a valid subscription and appropriate infrastructure.
Enterprise Files Integrated with Intune Mobile Application Management, the Enterprise Files for App Store
for Intune Intune app provides safe document access to multiple back-end file stores. You link (iOS)
can provide secure access to cloud and on-premises storage with enforceable
MAM Protection Polices for your data. Users can have as much control over file
actions as your business needs dictate, from viewing only to edit, copy, move
and delete. Whether it’s PDF annotation, video, audio or image presentations,
folder management, or document review and edit, Enterprise Files for Intune is
an ideal tool for the task.
EVALARM EVALARM is a mobile crisis communication system that automatically informs App Store
the right group of people about a crisis and provides them with individual link (iOS)
instructions and contact lists.
This application supports crisis communication processes as part of hazard
prevention management in companies, authorities, universities, schools,
kindergartens, hospitals and public institutions.
To configure the EVALARM platform, you define your individual crisis scenarios,
determine which people or groups of people are alerted, and determine which
instructions and contact lists are to be transmitted.
F2 Manager F2 Manager offers a combined calender and list view to view meetings and their App Store
Intune related items. F2 Manager supports inline annotation and submittal handling link (iOS)
(approval process).
App title App description App store
links for
supported
platform(s)
Note: To use the F2 Manager app with your business data, you must be a user
of the F2 eGovernment platform, with mobile services enabled by your IT
department.
F2 Touch With the F2 Touch app, you can access and edit corporate case and document Google Play
Intune information. The app accesses the cBrain F2 eGovernment platform and enables link
employees and corporate management to securely perform their daily tasks (Android) ,
while away from the office. App Store
link (iOS)
Key features of the F2 Touch app:
Note: To use the F2 Touch Intune app with your business data, you must be a
user of the F2 eGovernment platform, with mobile services and Intune enabled
by your IT department.
FactSet 3.0 FactSet delivers superior analytics, service, content, and technology to help Google Play
investment professionals see and seize opportunity sooner. Our Factset 3.0 app link
is a phone optimized experience that allows our subscribing users to leverage (Android) ,
the power and intelligence of the FactSet workstation anytime, anywhere. App Store
link (iOS)
Firstup - Intune
App store links: App Store (iOS)
Firstup for Intune is a workforce communications app that helps companies reach employees with relevant, personalized information that they need to do their best work. Firstup for Intune allows Intune admins to create policies that secure the application in a bring-your-own-device (BYOD) environment.
Firstup solves the problem of poor employee engagement by keeping all workers informed and connected. Employees have one place to find out what's happening at work. Companies have an easier, faster way to publish content and news and can measure how many employees engaged with their content.
IMPORTANT: This software requires your company's work account and a Microsoft managed environment. Some functionality may not be available in all countries/regions. Please contact your company's IT administrator if you have issues or questions about the use of the software.

FleetSafer
App store links: Google Play (Android), App Store (iOS)
FleetSafer is a risk measurement and mitigation tool that enforces communications policies and monitors safe driving practices. FleetSafer requires a Cogosense enterprise account. FleetSafer uses GPS or a connected cogoB smart device to automatically engage when driving movement is detected, disabling access to the device and silencing all calls and notifications. Calling, text, social, and email functionality is disabled. Driving behavior is monitored.

Fuze Mobile for Intune
App store links: Google Play (Android), App Store (iOS)
Fuze Mobile for Intune allows end users to communicate using voice calling, video meetings, contact center, chat messaging, and content sharing. Admins can deploy Fuze Mobile securely and at scale in a BYOD context. Fuze Mobile for Intune requires both a Fuze account and a Microsoft managed environment.

Global Relay
App store links: Google Play (Android), App Store (iOS)
Put compliance at the heart of your communication with one powerful app. Global Relay is an enterprise unified communication platform purpose-built for financial and other regulated industries to meet collaboration, compliance, privacy, and security requirements.
Global Relay supports BYOD and corporate programs, ensuring compliant communication with customers, colleagues, and industry peers via text, voice, WhatsApp, and other preferred channels.
The Global Relay App is available for mobile, desktop, and web. Global Relay is fully integrated with the Microsoft Intune SDK to provide MDM/MAM policy control for IT administrators.
NOTE: You must be a Global Relay customer or partner to use this app.

Groupdolists
App store links: Google Play (Android), App Store (iOS)
Groupdolists helps to coordinate incident response teams, whether corporate or public sector, in a single organization or across multiple organizations. Groupdolists creates a common operating picture between all responders, wherever they are, and synchronizes their efforts in real time.
Benefits include the following:

Hearsay Relate for Intune
App store links: Google Play (Android), App Store (iOS)
Hearsay Relate for Intune enables advisors to manage and nurture their book of business in a protected BYOD environment with mobile application management (MAM). This version of Hearsay Relate allows IT administrators to protect corporate data while keeping advisors in touch with their book of business.

HowNow
App store links: Google Play (Android), App Store (iOS)
Use HowNow to get all the knowledge you need, everywhere you work. You can bring together the knowledge, business intelligence, and insights you need from a variety of internal and external sources. HowNow is tailored to you by personalizing learning for you based on your role, business goals, skill requirements, performance, and work you're doing. You can teach, learn, and share knowledge with your team in any format you like at any time, from anywhere.

iAnnotate for Intune/O365
App store links: App Store (iOS)
Designed for Microsoft Intune enterprise users, iAnnotate for Intune/O365 allows you to read, annotate, and share PDFs, Office (Microsoft 365) files, images and web pages. Seamlessly integrate with OneDrive and Outlook, while easily converting all MS documents to PDFs for quick markup. IT administrators must visit https://enterprise.iannotate.com/ to activate a 30-day free trial and to view the iAnnotate for Intune deployment guide.

iBabs for Intune
App store links: App Store (iOS)
ISEC7 Mobile Exchange Delegate allows authorized representatives via iPhone and iPad to agree to appointments for their colleagues, to manage their contacts, and to answer emails on behalf of other users.

Idenprotect Go
App store links: Google Play (Android), App Store (iOS)
Idenprotect Go is an identity-driven internet browser designed specifically for enterprise mobile users to access both intranet and internet web pages. Idenprotect Go's unique use of PKI technology allows biometric-based passwordless authentication to mutual TLS and Kerberos secured websites and services. Integration with the Microsoft Intune SDK provides full app protection policy control via the Microsoft Intune platform, giving MAM control of the application and a balance of usability and security.

Island Enterprise Browser
App store links: App Store (iOS)
Island is the browser designed for the enterprise that makes work fluid, while keeping it fundamentally secure. With core security controls naturally embedded in the browser itself, Island enables organizations to control, see, and govern how users, apps, and underlying data interact. This is done all while delivering the same smooth Chromium-based experience users expect.

iManage Work 10 For Intune
App store links: App Store (iOS)
Confidently and securely access content from iManage Work with Work Mobility for Intune. Empower users to find, edit, collaborate, and share documents and emails from their iOS device. iManage Mobility enables users to be productive from anywhere, with a consistent user experience and the same security protections as iManage Work 10.

Incorta (BestBuy)
App store links: App Store (iOS)
With on-the-go business intelligence using your iOS device and the Incorta Mobile App, dive deep into your operational analytics and favorite dashboards anytime, anywhere.
Fuel your curiosity, explore insights, and stay current with near real-time trends that impact business success.

ISEC7 MED for Intune
App store links: Google Play (Android)
ISEC7 Mobile Exchange Delegate provides mobile access to authorized Microsoft® Exchange Mailboxes and Public Folders.

ixArma
App store links: Google Play (Android), App Store (iOS)
The ixArma app 6 is the mobile part of alarm server management for ixArma 6, enabling comprehensive business continuity management for any alarm scenario. Users of the ixArma 6 app can rapidly respond to incidents and emergencies in real time and on the go. The ixArma 6 app is browser independent and simple to operate.
The ixArma app provides the following functionality:
NOTE: The ixArma 6 app does not work with the older ixArma 5. Do not upgrade your app unless your ixArma is version 6.

Klaxoon for Intune
App store links: App Store (iOS)
Klaxoon for Intune is for Klaxoon customers that have enabled Microsoft Intune Mobile Application Management (MAM). Every day, workshops replace traditional meetings and are becoming a more efficient way to drive performance. Klaxoon is a hybrid and complete workspace that enables every type of workshop to be more engaging, mindful, and efficient: ideation workshops, design thinking, project management, customer meetings, team rituals, training sessions, business reviews, and more.

Leap Work for Intune
App store links: Google Play (Android), App Store (iOS)
Leap Work is a B2C communication app. Employees can call or send text, voice, and file messages to clients' messengers of their choice: WhatsApp™, WeChat™, Telegram™, Line™, SMS and others. Leap Work is a part of LeapXpert's Federated Messaging Orchestration Platform (FMOP). The FMOP concept allows the promotion of messaging to a formal business communication channel, similar to calling or emailing.
Use Leap Work to:

LiquidText
App store links: App Store (iOS)
LiquidText offers a fast, natural way to review, gather, and organize information across all your documents and webpages, then apply the results to writing reports, meeting prep, or simply studying. Pull out key facts and connect them together, squeeze a document to compare sections, draw a line to connect ideas in different documents, comment on multiple pages at once, build upon your thoughts, and much more.
NOTE: To use LiquidText with Intune, you need a LiquidText Enterprise account. Visit LiquidText to learn more.

LumApps for Intune
App store links: Google Play (Android), App Store (iOS)
LumApps for Intune allows Intune admins to organize and protect Bring Your Own Device (BYOD) environments. From the Microsoft Intune admin center, admins can create policies to protect corporate data while keeping employees connected. The LumApps platform provides corporate news, business tools, essential documents, and social communities.

M-Files for Intune
App store links: Google Play (Android), App Store (iOS)
M-Files® is an enterprise content management (ECM) and document management solution that helps to manage, find, track, and secure information for companies of all sizes.
The M-Files mobile application lets you access your M-Files documents anytime and anywhere, even when you're on the go or not connected to your office network. The application enables you to find documents from your M-Files Vaults via search functions and various customizable views, as well as view and approve documents and workflows.
To be able to utilize the mobile application, you need to have an M-Files system set up and to possess the required access rights. To get started, you need an M-Files server address and login credentials.

MangoApps - Work from Anywhere
App store links: Google Play (Android), App Store (iOS)
MangoApps - Work from Anywhere makes teamwork, file sharing, and collaboration easy. It is a comprehensive business collaboration tool for mobile and offers advanced team and company communication, project management, and information sharing features that help companies and their employees stay organized while working together and sharing information. Collaboration features such as chat, company intranet, and wikis, among other convenient task management tools, can all be used from your phone while you're on the go or from your desktop computer while you're in the office. It's a cross-platform social collaboration app, so no matter where you are and which device you are using, you can use MangoApps - Work from Anywhere to access work-related information and stay in touch with colleagues and clients.

Meetings by Decisions
App store links: Google Play (Android), App Store (iOS)
Meetings by Decisions is a solution for Microsoft Teams and Microsoft Office 365. With Decisions, users improve collaboration, engagement, and productivity by using agenda builder, Teams in-meeting extensions, secure voting, minutes templates, task management, and more.

Meetio Enterprise
App store links: Google Play (Android), App Store (iOS)
Meetio's mobile app for organizations using Meetio room management solutions. Meetio Enterprise simplifies your workday by allowing you to schedule meetings and meeting rooms, all at once, while you're on the go.

MultiLine for Intune
App store links: Google Play (Android), App Store (iOS)
MultiLine for Intune is a secure, carrier-agnostic business application that enables employees to compliantly communicate with external clients through a separate business number on their own personal devices (BYOD) within the Microsoft Intune environment. This version of MultiLine allows IT and mobility managers to secure their client communication data while ensuring employees are not using their personal number or other consumer messengers for business communications. MultiLine for Intune works over any iOS/Android device and can be deployed over any global carrier. MultiLine's technology allows employees to make and receive calls on their business number over WiFi, mobile data and/or GSM (not VoIP-only), ensuring employees are always accessible and connected with their clients no matter where they work. The solution unifies voice, SMS, and other consumer messaging channels through a single inbox within the MultiLine mobile and desktop application, allowing employees to reach their clients on their preferred channels. All voice and messaging conversations can be automatically captured and ingested into any CRM or archival/surveillance platform, ensuring firms are meeting their regulatory requirements.

MURAL - Visual Collaboration
App store links: Google Play (Android), App Store (iOS)
MURAL is a collaborative intelligence company powering ideation, innovation, alignment, and team building. Use the MURAL - Visual Collaboration app to work together in either real-time or asynchronously using digital whiteboard and collaboration features that are designed to inspire better collaboration and lead to business-driving outcomes.

myBLDNG
App store links: Google Play (Android), App Store (iOS)
myBLDNG makes it easy to navigate your virtual office space, book a workplace, and share your workday with your colleagues. It makes co-working easier.

My Portal By MangoApps
App store links: Google Play (Android), App Store (iOS)
My Portal is an all-in-one app for a mobile-first workplace. It brings communication, collaboration, engagement, and training tools into one comprehensive portal for your company.
This unified portal makes it easy to create a central location for fast access to all the tools that members need to connect, communicate, collaborate, and manage.

MyITOps for Intune
App store links: Google Play (Android), App Store (iOS)
With the MyITOps for Intune app you can do the following:
- Visualize business service health, at a glance via Sunburst, Cards and ServiceTree widgets
- Create your own, branded custom mobile friendly dashboards
- Subscribe to push notifications for instant visibility of IT alerts and incidents
- See the status, severity, and business impact of alerts, clustered into correlation scenarios and drill down to root cause
- Take actions to assign, accept and close alerts and incidents
- Work collaboratively in Service Outage Rooms to resolve issues by leveraging ChatOps with seamless integration for Microsoft Teams and Slack
- Keep communications in sync with your ITSM tooling throughout the incident/alert lifecycle
- Securely deploy and configure the MyITOps for Intune app through Microsoft's Intune Mobile Device Management platform
NOTE: The MyITOps for Intune app requires active credentials for the Interlink Software AIOps Platform.

MyQ Roger: OCR scanner PDF
App store links: Google Play (Android), App Store (iOS)
Scan all your documents with a few clicks using a smartphone, save them in your device or to your favorite cloud services (OneDrive, iCloud, Google Drive, Dropbox, or Box), and carry them wherever you go. MyQ Roger is your digital workplace assistant, allowing you to have the office in your pocket. This free app simplifies your life: at work, during studies, and on daily personal activities. Download MyQ Roger now and scan your own way.

Nexis Newsdesk™ Mobile
App store links: Google Play (Android), App Store (iOS)
Newsdesk delivers relevant news from all media types (online, print, social, and broadcast) in a single destination. With the Newsdesk mobile app you will:
- Be in the know while on the go
- Enjoy a seamless experience between mobile and web
- Access headlines and extracts of articles right in the app
- Easily share articles
- Tag favorite feeds or save articles to read later
- See which favorite searches have new coverage

Nine Work for Intune
App store links: Google Play (Android), App Store (iOS)
Nine is a full-fledged email application for Android based on Direct Push technology to synchronize with Microsoft Exchange Server using Microsoft Exchange ActiveSync, and also designed for entrepreneurs or ordinary people who want to have efficient communication with their colleagues, friends, and family members at any time, anywhere.

Notate for Intune
App store links: App Store (iOS)
Notate is the ultimate Exchange Information Manager. Go paperless and improve collaboration. Let Notate advance your digital transformation.

Now Mobile - Intune
App store links: Google Play (Android), App Store (iOS)
Now employees can find answers and get work done across IT, HR, Facilities, Finance, Legal and other departments, all from a modern mobile app powered by the Now Platform®.
The Now Platform® delivers employee experiences and productivity through digital workflows across departments, systems and people.
Now® Mobile powered by the Now Platform®: finally work life can be as great as real life.

Omnipresence Go
App store links: Google Play (Android), App Store (iOS)
Omnipresence is a Customer Experience Management platform for Life Sciences companies. You can use Omnipresence CXM to engage with customers and patients of Life Sciences companies.
Omnipresence is built by life sciences experts who understand pharma, biotech, and med-device business needs and compliance requirements. As a unified platform, functional teams can work together using a shared view of their customers and plans across devices, online and offline, in harmony with their Microsoft applications. By using Omnipresence, you can focus on enabling great customer experiences based on advanced analytics and AI that deliver insights to enrich every stage of the customer journey.

PenPoint
App store links: Google Play (Android), App Store (iOS)
PenPoint works with PenLink's on-premises software, PLX, to conduct lawful communications surveillance operations in support of law enforcement investigations. PenPoint for Intune provides secure mobile access to communications surveillance data collected and stored by a PLX system.

PrinterOn for Microsoft
App store links: Google Play (Android)
PrinterOn's wireless mobile printing solutions enable users to remotely print from anywhere at any time over a secure network.

Qlik Sense Mobile
App store links: Google Play (Android), App Store (iOS)
Qlik Sense is a market leading, next generation application for self-service oriented analytics. Qlik's patented associative technology allows people to easily combine data from many different sources and explore it freely, without the limitations of query-based tools.

Re:Work Enterprise
App store links: Google Play (Android), App Store (iOS)
Re:Work Enterprise, an email client app using ActiveSync, is a secure, safe, and convenient email client. Features include a shared mailbox and calendars for collaboration with colleagues. Re:Work Enterprise supports Microsoft Exchange Server and Office (Microsoft 365), as well as Microsoft Exchange email, calendar, contacts, tasks, and notes.

RICOH Spaces
App store links: Google Play (Android), App Store (iOS)
RICOH Spaces is a cloud hosted workplace enhancement platform designed to optimize your business with areas such as desk bookings, space bookings, wayfinding, workplace insights, and more.

RingCentral for Intune
App store links: Google Play (Android), App Store (iOS)
RingCentral for Intune gives users messaging, video, and phone services in one simple app, while allowing IT admins to enforce granular security controls to protect corporate data.

SAP Fiori
Increase your daily productivity by tackling your most common business tasks anywhere and anytime with the SAP Fiori Client mobile app for iPhone and iPad. Deliver a next-level mobile experience with enhanced attachment handling and full-screen operations using this enhanced mobile runtime for the Web version of over 750 SAP Fiori apps. Plus, access custom SAP Fiori mobile apps, built by customers using SAP Fiori mobile service, that are ready to support Intune mobile app management.

Secure Contacts
App store links: App Store (iOS)
The Secure Contacts app allows you to synchronize your business contacts on iOS devices from various corporate data sources in a compliant way.
Features:
Requirements:

Seismic | Intune
App store links: Google Play (Android), App Store (iOS)
Seismic | Intune is for administrators to add security and protection policies to protect corporate data while enabling employees to sell. Seismic provides the following capabilities:
- Find content fast with fast search results
- Get buyer-specific recommendations when you need them, where you need them
- Access sales content, training, and communications online and offline
- Stay informed with a real-time newsfeed you dial in to your specific interests
- Collaborate with your team and stay in the loop, wherever you are
- Delight buyers with a modern, eloquent engagement experience
- Gain insights by tracking buyer engagement, down to which pages and how long

Senses
App store links: App Store (iOS)
Senses is a cloud sales support tool. Senses helps manage sales and customer success, and proposes best practices based on accumulated customer information.

ServiceNow Agent - Intune
App store links: Google Play (Android), App Store (iOS)
ServiceNow Mobile Agent app delivers out-of-the-box, mobile-first experiences for the most common service desk agent workflows, making it easy for agents to triage, act on and resolve requests on the go. The app enables service desk agents to promptly manage and resolve end user issues from their mobile devices. Agents use the app's intuitive interface to accept and update work even without Internet connectivity. The app greatly simplifies work by leveraging native device capabilities for tasks like navigation, barcode scanning, or collecting a signature.
The app comes with out-of-the-box workflows for service desk agents in IT, Customer Service, HR, Field Services, Security Ops and IT Asset Management. Organizations can easily configure and extend the workflows to meet their own unique needs.

Slack for Intune
App store links: Google Play (Android), App Store (iOS)
Slack for Intune is for Slack customers that have enabled Microsoft Intune Mobile Application Management (MAM).

PK Protect for Intune
App store links: Google Play (Android), App Store (iOS)
PK Protect for Intune is specifically designed for existing PKWARE customers operating in an Intune environment. PK Protect lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you are unsure if you have PK Protect, contact your company's IT administrator. With PK Protect, you can:
- Encrypt and decrypt files using Smartkeys
- Decrypt archives with X.509 digital certificates
- Create and manage Smartkeys
- Perform digital signing and authentication of data with X.509 digital certificates
- Encrypt and decrypt files with strong passphrase encryption, including AE2
- Log in with existing Active Directory credentials
- Create and view unencrypted zip archives
PK Protect armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android.

Speaking Email
App store links: App Store (iOS)
Get more time in your day by having your email read to you on the move. Voice commands and simple gestures designed to be safe to use while driving give you the ability to archive, flag or even reply on the move.
Smart content detection skips over disclaimers, reply headers, and email signatures to speak only the content without the clutter.
Employees can sign in via Intune to access Microsoft 365 Exchange email.

Synergi Life
App store links: Google Play (Android), App Store (iOS)
Synergi Life Mobile App, an extension of Synergi Life, lets users easily create observations and incident reports anytime and from anywhere, using their phones to take a snapshot and make a voice recording.
Synergi Life (previously named Synergi) is a complete business solution for risk and QHSE management, managing all non-conformances, incidents, risk, risk analyses, audits, assessments and improvement suggestions.
The Synergi Life Mobile App requires you to be a licensed user of the Synergi Life risk and QHSE management system, and have the necessary back-end licensed software and services.

Tableau Mobile for Intune
App store links: Google Play (Android), App Store (iOS)
Tableau Mobile gives you the freedom to stay on top of your data, no matter where you are or when you need it. With a fast, intuitive, and interactive experience, explore your dashboards and find just what you're looking for, all from the convenience of your mobile device.
The Tableau Mobile app requires a Tableau Server or Tableau Online account. Please note, it does not work with Tableau Public.
Features:
- Interactive previews let you access your data even when you're offline.
- Mark your favorite dashboards or views to always have them at your fingertips.
- Scroll, search, and browse your organization's dashboards with a navigation experience that's both intuitive and familiar.
- Interact with your data to ask and answer questions on the go.

Varicent
App store links: Google Play (Android), App Store (iOS)
Varicent helps sellers understand which activities provide the best results. Reports, dashboards, and workflows help sales to understand:
- Achievement
- Bonus
- Commission
- Credits
- Disputes
- Key Performance Indicators (KPIs)
- Opportunity potential
- Plan approval
- Plan assignment
- Quota
- Ranking
- Rewards
- Territory
- Transactional payout
NOTE: This application requires that you are a client of Varicent to utilize all features and functionalities and maximize seller performance.

Vbrick Mobile
App store links: Google Play (Android), App Store (iOS)
Customers using Vbrick Enterprise Video Platform (EVP) can upload and view on-demand videos using the Vbrick mobile app. Customers can use Microsoft Intune to manage access to the Vbrick mobile app. The Vbrick mobile app includes the following features:
- View a carousel of featured videos
NOTE: The Vbrick app requires users to have an active account and email address in their company's cloud-hosted Vbrick tenant.

Vera for Intune
App store links: Google Play (Android), App Store (iOS)
Encrypt, track, and revoke access to files and email attachments directly from your mobile device with Vera for Intune. Protect your most valuable information, no matter what apps you use: Microsoft, Box, Google, Dropbox, and more.

VerityRMS
App store links: App Store (iOS)
VerityRMS for iOS offers Asset Managers and Investment Professionals a full-featured and modern mobile experience. Equipped with a full suite of consumption and authoring tools, users can harness their firm's investment process from anywhere.

Voltage SecureMail
App store links: Google Play (Android), App Store (iOS)
Send and receive Voltage encrypted secure email and attachments in the Microsoft Intune managed environment with Voltage SecureMail Mobile. Any user can receive and read Voltage encrypted messages. However, replying to messages and composing new secure emails requires these features to be enabled by the sending organization. Users can also compose, send, reply to, forward, and print encrypted messages, according to the SecureMail Mobile policy for their organization or for the organization sending the secure message.

Zero for Intune
App store links: App Store (iOS)
The ZERØ for Intune application is specifically designed for MDM deployment via Microsoft Intune. This app allows both ZERØ and Microsoft Intune customers to take advantage of a secure Intune MDM deployment, as well as organize and protect BYOD environments with mobile application management (MAM).

Zoom for Intune
App store links: Google Play (Android), App Store (iOS)
Zoom is your communications hub for meetings, webinars, chat and cloud phone. Start or join meetings with flawless video, crystal clear audio and instant screen sharing from desktop, mobile or conference rooms.

BlackBerry Enterprise BRIDGE
App store links: Google Play (Android), App Store (iOS)
BlackBerry Enterprise BRIDGE allows you to securely view, edit, and save documents using Intune-managed Microsoft apps, such as Microsoft Word, Microsoft PowerPoint, and Microsoft Excel, from BlackBerry Dynamics. You can share your documents as email attachments and maintain data encryption during the document-sharing process between BlackBerry Dynamics and Intune-managed mobile apps.

Workspace ONE Send
App store links: Google Play (Android), App Store (iOS)
Workspace ONE Send provides seamless editing and sending capabilities for customers using Microsoft Intune to manage Microsoft 365 apps using VMware productivity apps.

Next steps
To learn how to add apps for each platform to Intune, see:
Before you assign an app to a device or a group of users, you must first add the app to
Microsoft Intune.
Add an app
You can add an Android store app to Intune from the portal by doing the following:
Next steps
Assign apps to groups
Related topics
Add Managed Google Play apps to Android Enterprise devices with Intune
Add iOS store apps to Microsoft Intune
Article • 03/06/2023
Use the information in this article to help you add iOS store apps to Microsoft Intune.
iOS store apps are apps that Intune installs on your users' devices. A user is part of your
company's workforce. iOS store apps are automatically updated.
Note
Although users of iOS/iPadOS devices can remove some built-in iOS/iPadOS apps,
such as Stocks and Maps, you cannot use Intune to redeploy those apps. If your
users delete these apps, they must go to the App Store and manually reinstall
them.
Note
When you work with Microsoft Intune, we recommend that you use either the
Microsoft Edge or Google Chrome browser.
3. In the Select app type pane, under the available Store app types, select iOS store
app.
4. Click Select.
6. In the Search the App Store pane, select the App Store country/region locale.
7. In the Search box, type the name (or part of the name) of the app.
The App information page will be displayed in the Add app pane. When possible,
app information will be added based on the app you selected from the store.
9. In the App information page, add the app details. Depending on the app you have
chosen, some of the values in this pane might have been automatically filled in:
13. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.
14. Click Next to display the Review + create page. Review the values and settings you
entered for the app.
15. When you are done, click Create to add the app to Intune.
Next steps
Assign apps to groups
Add Microsoft Store apps to Microsoft Intune
Article • 08/28/2023
Admins can browse, deploy, and monitor Microsoft Store applications inside Intune.
Upon deployment, Intune automatically keeps the apps up to date when a new version
becomes available. The Microsoft Store supports Universal Windows Platform (UWP)
apps, desktop apps packaged in .msix, and now Win32 apps packaged in .exe or .msi
installers.
Important
There are key improvements to the most recent Microsoft Store apps functionality
over legacy functionality. Specifically, the following differences:
- You can browse and search for store apps within Intune
- You can install and uninstall with required app deployments
- You can monitor the installation progress and results for store apps
- Win32 store apps are supported (in preview)
- System context and user context are supported for UWP apps
  - When a device is enrolled by being Azure AD registered, system context must be used.
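The Package Identifier and Install behavior fields that this article describes map onto properties of the app object that Intune exposes through Microsoft Graph, so the same store app can be added and assigned from a script instead of the admin center. The following PowerShell is an added example, not code from this article or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest) and the beta winGetApp resource type with its packageIdentifier, repositoryType and installExperience.runAsAccount properties, none of which this article documents; the package identifier 9XXXXXXXXXXX, the display name, publisher and group ID are placeholders.

```powershell
# Added example (not from the article). Creates a Microsoft Store app in Intune
# through Microsoft Graph and assigns it as Required to one Entra ID group.
# Assumptions: the Microsoft.Graph.Authentication module is installed; the
# caller holds DeviceManagementApps.ReadWrite.All; the beta endpoint exposes
# #microsoft.graph.winGetApp as in the Graph beta reference (not this article).

param(
    # Placeholders: replace with the real Store ID, name, publisher and group ID.
    [string]$PackageIdentifier = '9XXXXXXXXXXX',
    [string]$DisplayName       = 'Contoso Example Store App',
    [string]$Publisher         = 'Contoso',
    [string]$GroupId           = '00000000-0000-0000-0000-000000000000',
    # 'system' or 'user'. Devices that are only Azure AD registered need
    # system context (see the Important box above), so system is the default.
    [ValidateSet('system', 'user')]
    [string]$RunAsAccount      = 'system'
)

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' | Out-Null

# Microsoft Store product IDs are 12 upper-case alphanumerics (for example
# 9NZVDKPMR9RD). Fail early on anything else rather than on a vague 400 later.
if ($PackageIdentifier -notmatch '^[0-9A-Z]{12}$') {
    throw "Package identifier '$PackageIdentifier' is not a 12-character Microsoft Store ID."
}

$appBody = @{
    '@odata.type'     = '#microsoft.graph.winGetApp'
    displayName       = $DisplayName
    publisher         = $Publisher
    packageIdentifier = $PackageIdentifier      # the read-only Package Identifier field
    repositoryType    = 'microsoftStore'
    installExperience = @{ runAsAccount = $RunAsAccount }   # the Install behavior field
}

$app = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps' `
    -Body ($appBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Host "Created app '$($app.displayName)' with id $($app.id)"

# Required assignment to the target group: Intune installs it without user
# action, which is the deployment type the Important box says can also uninstall.
$assignBody = @{
    mobileAppAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'required'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($app.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 6) -ContentType 'application/json'

Write-Host "Assigned '$DisplayName' as Required to group $GroupId"
```

Defaulting to system context is deliberate: a user-context install on an Azure AD registered device fails for the reason the Important box gives, and a script that silently picks the wrong context produces a fleet of devices with an app that never arrives. Check the resulting install status in the admin center's monitoring view before widening the assignment.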
Prerequisites
To use Microsoft Store apps, be sure the following criteria are met:
- Client devices must have at least two processor cores to successfully install and run Microsoft Store apps.
- Client devices need to be able to support the Intune Management Extension (IME) to install Microsoft Store apps.
- Client devices need access to both the Microsoft Store and the destination content to install Microsoft Store apps. For more information, see Microsoft Store proxy configuration.
App information
Assignments
Review + create
1. Select Search the Microsoft Store app to display the search panel, which features a
search bar and includes the following columns:
2. In the search bar, type the name of the app that you want to find. You can also
search by other app details, such as publisher, type, or store app ID. Once you
search, a list of apps is displayed.
Note
Specific Microsoft Store apps may not be displayed and available in Intune.
Common reasons an app doesn't appear when searching within Intune
include the following:
3. Choose the app that you want to deploy and choose Select.
The app information is presented with the selected app's metadata. Specific fields
are prepopulated. Each field is listed below with whether it is required, prefilled, or optional.
Name (Required): The name of the app is prepopulated from the store's metadata and you
can edit the field. Enter the name of the app as it appears in the Company Portal. Make
sure all app names that you use are unique. If the same app name exists twice, only one of
the apps appears in the Company Portal.
Installer Type (Prefilled, N/A): The installer type of the application package, either UWP
or Win32. For related information, see Universal Windows Platform (UWP) apps.
Package Identifier (Prefilled, N/A): The app's unique ID in the Microsoft Store. This value
is read-only and is displayed before Installer Type in the UI.
Install behavior (Admin must select System or User): The install behavior of the app. If the
app offers both System and User install behaviors, you must ensure that the installation
works on devices as expected. If the option is greyed out, the store application only
supports the selected install behavior.
Show this as a featured app in the Company Portal (Admin must select Yes or No): Display
the app prominently on the main page of the Company Portal when users browse for apps.
Information URL (Optional): Enter the URL of a website that contains information about
this app. The URL appears in the Company Portal.
Privacy URL (Prefilled, N/A): The URL of a website that contains privacy information for
this app. The URL appears in the Company Portal.
Owner (Optional): Enter a name for the owner of this app. An example is HR department.
Notes (Optional): Enter any notes that you want to associate with this app.
Logo (Optional): Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the Company Portal.
Required (Add group, Add all users, Add all devices): The app is installed on devices in
the selected groups.
Available for enrolled devices (Add group, Add all users): Users install the app from the
Company Portal app or the Company Portal website.
Uninstall (Add group, Add all users, Add all devices): The app is uninstalled from devices
in the selected groups.
1. Select Add group and assign the groups that use this app.
2. On the Select groups pane, select groups to assign based on users or devices.
3. After you select your groups, choose whether to set End user notifications, Restart
grace period, and Installation deadline.
4. If you don't want the app assignment to affect groups of users, select Included
under the Filter mode column. In the Edit assignment pane, change the Filter
mode value from Included to Excluded. Select OK to close the Edit assignment
pane.
5. Select Next to display the Review + create page after you finish setting the
assignments for the apps.
App update
Apps that are deployed from the Microsoft Store are automatically kept up to date to
the latest version of the app. For this feature to work properly for UWP apps, the Turn
off Automatic Download and Install of updates policy shouldn't be enabled.
Important
Win32 apps that are in the Microsoft Store are currently in preview. Not all Win32
apps will be available or searchable. The Win32 apps that are in preview will be
identifiable with Win32 and a banner.
Third-party vendors or publishers that add Win32 apps to the Microsoft Store are
responsible for hosting their own content in their respective infrastructure. If your
devices are behind a firewall, reach out to the application owner to understand
and confirm the network requirements.
The Microsoft Store supports Win32 app types including .exe and .msi installers. These
apps have external content sourcing hosted by the app publisher. Based on their
installer definition in the store, each Win32 app supports either User or System context
installation. For related information, see Traditional desktop apps in the Microsoft Store
on Windows.
Note
Microsoft Store Win32 apps are kept up to date by Intune, therefore in order for
the app to be updated it must be assigned in Intune. App updates are not affected
by the Store's update policies.
Note
Assigning a UWP app using the "Microsoft Store app (new)" type with the
installation behavior set as "System" to a device which already has that app
installed will result in this error: "The application was not detected after installation
completed successfully (0x87D1041C)". However, the app will still install correctly
on the device.
For more information on the Microsoft Store integration with Intune due to the
Microsoft Store for Business and Education retirement, go to the Adding your Microsoft
Store for Business and Education apps to the Microsoft Store in Intune blog post.
store to auto update
Not configured: This policy isn't changed or updated. By default, the OS might
allow end users to install arbitrary store apps outside of Intune.
CSP settings: ADMX_WindowsStore/RemoveWindowsStore_1 and
ADMX_WindowsStore/RemoveWindowsStore_2. In Intune, configure them through the
Settings Catalog, or through Administrative Templates > Windows Components > Store.
If you want to allow automatic UWP app updates from the Microsoft Store,
including built-in Windows apps, and block users from installing apps from the
Microsoft Store or winget.exe, then:
Set Turn off Automatic Download and Install of updates to Disabled or Not
configured, AND
Set Turn off the Store application to Enabled. Leaving it Not configured keeps the
OS default, which might allow end users to install arbitrary store apps.
For Win32 Store apps, if Turn off Automatic Download and Install of updates is
set, the Win32 apps with an active Intune assignment are still automatically
updated.
Tip
Using the Only display the private store within the Microsoft Store app policy
(RequirePrivateStoreOnly CSP) is still valid. This policy:
So, it's not the preferred choice to prevent end user access to the Microsoft Store.
Instead, it's recommended to use the Turn off the Store application policy.
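As an added example (not part of the Intune documentation), the following PowerShell script checks a Windows device against the prerequisites listed earlier (at least two processor cores, an Intune Management Extension present) and against the Store policy posture recommended in this section. The registry locations under HKLM\SOFTWARE\Policies\Microsoft\WindowsStore and the meaning of their values are the standard ADMX registry mappings for these three policies; they are my assumption, not something this page states, so confirm them against your ADMX files before relying on the result.

```powershell
# Added example: device-side readiness and Store-policy posture check for
# Intune "Microsoft Store app (new)" deployments. Not from the Intune docs.
#
# Assumed ADMX registry mappings (HKLM\SOFTWARE\Policies\Microsoft\WindowsStore):
#   RemoveWindowsStore       1 -> "Turn off the Store application" = Enabled
#   AutoDownload             2 -> "Turn off Automatic Download and Install of updates" = Enabled
#                            4 -> that policy = Disabled (auto-update explicitly on)
#   RequirePrivateStoreOnly  1 -> "Only display the private store" = Enabled
# A missing value means "Not configured" (the OS default applies).

function Get-StorePolicyState {
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore')
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemoveWindowsStore      = $p.RemoveWindowsStore
        AutoDownload            = $p.AutoDownload
        RequirePrivateStoreOnly = $p.RequirePrivateStoreOnly
    }
}

function Test-StoreAppReadiness {
    param(
        # Pass a constructed object here to evaluate a policy state offline.
        [pscustomobject]$Policy = (Get-StorePolicyState),
        [int]$CoreCount = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum,
        [bool]$ImePresent = [bool](Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue)
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Prerequisites from the page
    if ($CoreCount -lt 2) {
        $findings.Add("Only $CoreCount processor core(s); Store apps need at least two.")
    }
    if (-not $ImePresent) {
        $findings.Add('Intune Management Extension service not found; Store apps install through the IME.')
    }

    # Recommended posture: block end-user Store/winget installs, keep UWP auto-update working
    if ($Policy.RemoveWindowsStore -ne 1) {
        $findings.Add('"Turn off the Store application" is not Enabled; users may install arbitrary store apps (Store or winget.exe).')
    }
    if ($Policy.AutoDownload -eq 2) {
        $findings.Add('"Turn off Automatic Download and Install of updates" is Enabled; Intune-deployed UWP store apps will not auto-update (assigned Win32 store apps still will).')
    }
    if ($Policy.RequirePrivateStoreOnly -eq 1) {
        $findings.Add('"Only display the private store" is set; the page recommends "Turn off the Store application" instead.')
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Live check of this device
Test-StoreAppReadiness | Format-List

# Offline check of a constructed policy state (auto-update turned off, Store left at default)
$sample = [pscustomobject]@{ RemoveWindowsStore = $null; AutoDownload = 2; RequirePrivateStoreOnly = $null }
(Test-StoreAppReadiness -Policy $sample -CoreCount 4 -ImePresent $true).Findings
```

Run it in an elevated session on a representative device; the constructed sample at the end shows the two findings you would expect when a tenant has turned off automatic updates (breaking UWP app updates) but never turned off the Store application.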
Unsupported functionality for Microsoft Store apps
Microsoft Store apps don't support the following features:
Next step
Assign apps to groups
Add Microsoft Store apps to Intune (legacy)
Article • 08/31/2023
Before you can assign, monitor, configure, or protect apps, you must add them to
Intune.
Important
The steps provided in this topic refer to adding Microsoft Store apps using the
legacy method. For the latest method, see Add Microsoft Store apps to Microsoft
Intune.
The app that you've created is displayed in the apps list, where you can assign it to the
groups that you select.
Important
Microsoft Store apps can only be assigned to groups with the assignment type
Available for enrolled devices (users install the app from the Company Portal app
or website).
Next steps
Assign apps to groups
How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune
Article • 05/22/2023
Important
The Microsoft Store for Business connector is no longer accessible in the Microsoft
Intune admin center. Apps added from the Microsoft Store for Business or
Microsoft Store for Education will no longer sync with Intune. Apps that have
previously synced will continue to be available and deploy to devices and users. For
related information, see Deprecation of Microsoft Store for Business and
Education.
The Microsoft Store for Business gives you a place to find and purchase apps for your
organization, individually, or in volume. By connecting the store to Microsoft Intune, you
can manage volume-purchased apps from the portal. For example:
You can synchronize the list of apps you have purchased (or that are free) from the
store with Intune.
Apps that are synchronized appear in the Microsoft Intune admin center; you can
assign these apps like any other apps.
Both Online and Offline licensed versions of apps are synchronized to Intune. App
names are appended with "Online" or "Offline" in the portal.
You can track how many licenses are available, and how many are being used in
the admin center.
Intune blocks assignment and installation of apps if there are an insufficient
number of licenses available.
Intune will revoke app licenses for apps managed by Microsoft Store for Business
when the user is deleted from Azure AD.
Important
The retirement of the Microsoft Store for Business and the Microsoft Store for
Education, originally scheduled for March 31, 2023, has been postponed. Until they
are retired, admins can still leverage the connection to Store for Business and
Education from their UEM solution to deploy apps to managed Windows 11
devices.
Review the following information before you start syncing and assigning apps from the
Microsoft Store for Business:
Note
Online Microsoft Store for Business apps can be used only for user context install;
that is, when deployed through Intune, you need to target user groups. Device
licensed offline Microsoft Store for Business apps can be installed in device context;
that is, when deployed through Intune, you can target device groups as well as user
groups.
Note
If you disable access to the Store on managed devices (either manually, via policy
or Group Policy), Online licensed apps will fail to install.
Associate your Microsoft Store for Business account with Intune
Before you enable synchronization in the Microsoft Intune admin center, you must
configure your store account to use Intune as a management tool:
1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. In the Business Store, choose the Manage tab, select Settings, and choose the
Distribute tab.
3. If you don't specifically have Microsoft Intune available as a mobile device
management tool, choose Add management tool to add Microsoft Intune. If you
don't have Microsoft Intune activated as your mobile device management tool,
click Activate next to Microsoft Intune. Note that you should activate Microsoft
Intune rather than Microsoft Intune Enrollment.
Note
Previously you could associate only one management tool to assign apps with the
Microsoft Store for Business. Now you can associate multiple management tools
with the store, for example, Intune and Configuration Manager.
Configure synchronization
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
3. Click Enable.
4. If you haven't already done so, click the link to sign up for the Microsoft Store for
Business and associate your account as detailed previously.
5. From the Language drop-down list, choose the language in which apps from the
Microsoft Store for Business are displayed in the portal. Regardless of the language
in which they are displayed, they are installed in the end user's language when
available.
6. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.
Synchronize apps
If you've already associated your Microsoft Store for Business account with your Intune
admin credentials, you can manually sync your Microsoft Store for Business apps with
Intune using the following steps.
1. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
2. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.
Note
Apps with encrypted app packages are currently not supported and will not be
synchronized to Intune.
Assign apps
You assign apps from the store in the same way you assign any other Intune app. For
more information, see How to assign apps to groups with Microsoft Intune.
Offline apps can be targeted to user groups, device groups, or groups with users and
devices.
Offline apps can be installed for a specific user on a device or for all users on a
device.
When you assign a Microsoft Store for Business app, a license is used by each user who
installs the app. If you use all of the available licenses for an assigned app, you cannot
assign any more copies. Take one of the following actions:
Remove apps
To remove an app that is synced from the Microsoft Store for Business, you need to log
into the Microsoft Store for Business and complete the following steps. The process is
the same whether the app is free or not.
1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. Look for the app that you want to remove by selecting Products & services >
Apps & software and select it.
3. In the Users pane select all users, click on the ... symbol under the Actions column
and choose to Reclaim license.
4. Open the Private store availability tab of the app and change its availability to No
one.
5. Select the Product details link on the top and then select the ... button next to
Install. If the previous steps have been completed successfully, a Remove product
option will be available. Select Remove product to remove the app from the
Microsoft Store for Business.
6. Sync the apps using the Microsoft Store for Business connector in Intune in order
to remove the app from the list of Windows apps in Intune.
Next steps
Manage volume-purchased apps and books with Microsoft Intune
Add Managed Google Play apps to Android Enterprise devices with Intune
Article • 07/20/2023
Managed Google Play is Google's enterprise app store and sole source of applications
for Android Enterprise in Intune. You can use Intune to orchestrate app deployment
through Managed Google Play for any Android Enterprise scenario (including personally
owned work profile, dedicated, fully managed, and corporate-owned work profile
enrollments). How you add Managed Google Play apps to Intune differs from how
Android apps are added for non-Android Enterprise scenarios. Store apps, line-of-
business (LOB) apps, and web apps are approved in or added to Managed Google Play,
and then synchronized into Intune so that they appear in the Client Apps list. Once they
appear in the Client Apps list, you can manage assignment of any Managed Google Play
app as you would any other app.
To make it easier for you to configure and use Android Enterprise management, upon
connecting your Intune tenant to Managed Google Play, Intune automatically adds four
common Android Enterprise related apps to the Intune admin center. The four apps are
as follows:
Microsoft Intune - Used for Android Enterprise fully managed scenarios. This
app is automatically installed to fully managed devices during the device
enrollment process.
Microsoft Authenticator - Helps you sign-in to your accounts if you use two-
factor verification. This app is automatically installed to fully managed devices
during the device enrollment process.
Intune Company Portal - Used for App Protection Policies (APP) and Android
Enterprise personally owned work profile scenarios. This app is automatically
installed to fully managed devices during the device enrollment process.
Managed Home Screen - Used for Android Enterprise dedicated multi-app kiosk
scenarios. IT admins should create an assignment to install this app on dedicated
devices that are going to be used in multi-app kiosk scenarios.
Note
When an end user enrolls their Android Enterprise fully managed device, the Intune
Company Portal app is automatically installed and the application icon may be
visible to the end user. If the end user attempts to launch the Intune Company
Portal app, the end user is redirected to the Microsoft Intune app and the
Company Portal app icon is subsequently hidden. Additionally, an uninstall cannot be
issued for the Microsoft Intune and Authenticator apps, as they are crucial
applications for multiple Android Enterprise enrollment scenarios.
Note
When you work with Microsoft Intune, we recommend that you use either the
Microsoft Edge or Google Chrome browser.
Managed Google Play store app - Public apps that are generally available in the
Play Store. Manage these apps in Intune by browsing for the apps you want to
manage, approving them, and then synchronizing them into Intune.
Managed Google Play private app - These are LOB apps published to Managed
Google Play by Intune admins. These apps are private and are available only to
your Intune tenant. This is how LOB apps are managed and deployed with
Managed Google Play and Android Enterprise.
Managed Google Play web link - Web links with IT admin-defined icons that are
deployable to Android Enterprise devices. These links appear on devices in the
device's app list just like regular apps.
Note
Most newly-created items in Intune take on the scope tags of the creator. This is
not the case for Managed Google Play Store apps. Admins can assign a scope tag
to apply to all newly-synced Managed Google Play apps on the Managed Google
Play connector pane. For more information, see Connect your Intune Account to
your Managed Google Play account.
There are two ways to browse and approve Managed Google Play store apps with
Intune:
1. Directly in the Intune admin center - Browse and approve store apps in a view
hosted within Intune. This view opens directly in the Microsoft Intune admin
center and doesn't require you to reauthenticate with a different account.
2. In Managed Google Play console - You can optionally open the Managed Google
Play console directly and approve apps there. See Sync a Managed Google Play
app with Intune for more information. This option requires a separate login using
the account you used to connect your Intune tenant to Managed Google Play.
3. In the Select app type pane, under the available Store app types, select Managed
Google Play app.
Note
You can create an app collection to organize apps and control the order that
collections are displayed for your organization. For more information, see Use
Collections in Managed Google Play.
8. Click Refresh to update the app list and display the newly added app.
Important
1. Go to the Managed Google Play store. Sign in with the same account you used
to configure the connection between Intune and Android Enterprise.
2. Search the store and select the app you want to assign by using Intune.
3. On the page that displays the app, click Approve. In the following example, the
Microsoft Excel app has been chosen.
A window for the app opens asking you to give permissions for the app to perform
various operations.
The app is approved, and it is displayed in your IT admin console. Next, you can
Sync a Managed Google Play app with Intune.
Managed Google Play private (LOB) apps
There are two ways to add LOB apps to Managed Google Play:
1. Directly in the Microsoft Intune admin center - This allows you to add LOB apps by
submitting just the app APK and a title, directly within Intune. This method does
not require you to have a Google developer account and does not require you to
pay the fee to register with Google as a developer. This method is simpler and has
a significantly reduced number of steps, and makes LOB apps available for
management in as little as ten minutes.
2. In the Google Play Developer Console - If you have a Google developer account or
want to configure advanced distribution features that are only available in the
Google Play Developer Console (like adding additional app screenshots), you can
use the Google Play Developer Console.
3. In the Select app type pane, under the available Store app types, select Managed
Google Play app.
4. Click Select. The Managed Google Play app store is displayed within Intune.
5. Select Private apps (next to the lock icon) in the Google Play window.
6. Click the "+" button at the lower right to add a new app.
7. Add an app Title and click Upload APK to add the APK app package.
Note
Your app's package name must be globally unique in Google Play (not just
unique within your enterprise or Google Play Developer account). Otherwise,
you will receive the Upload a new APK file with a different package name
error.
8. Click Create.
9. Close the Managed Google Play pane if you are done adding apps.
10. Click Sync on the Apps pane to sync with the Managed Google Play service.
Note
Private apps may take several minutes to become available to sync. If the app
does not appear the first time you perform a sync, wait a couple of minutes and
initiate a new sync. You can also sync apps from the Managed Google Play
store. For related information, see Sync a Managed Google Play app with
Intune.
For more information about Managed Google Play private apps including a FAQ, see
Google's support article: https://support.google.com/googleplay/work/answer/9146439
Important
Private apps added using this method can never be made public. Only use this
publishing option if you are sure that this app will always be private to your
organization.
Note
If you are signing in for the first time, you must register and pay a fee to
become a member of the Google Developer program.
2. In the console, add a new application. For details, see Google's support doc: Publish
Private apps.
3. You upload and provide information about your app in the same way as you
publish any app to the Google Play store. However, you must specifically add your
organization using the Google Play Console. For details, see Google's support doc
Publish to your own organization.
Note
Follow Google's support documentation to make the app available only to
your organization. The app won't be available on the public Google Play store.
For more information about uploading and publishing Android apps, see Google
Developer Console Help.
4. After you've published your app, sign in to the Managed Google Play store with
the same account that you used to configure the connection between Intune and
Android Enterprise.
5. In the Apps node of the store, verify that the app you've published is displayed.
The app is automatically approved to be synchronized with Intune.
Note
Web links pushed down from Managed Google Play will not open in the corporate
context of Microsoft Edge if you have configured your Intune application
protection policy setting Receive data from other apps to be Policy managed
apps. When a web link is pushed down through Managed Google Play, it's not
recognized as a MAM-managed app, which is why Microsoft Edge will open in the
personal context or InPrivate mode if the user is not signed in with a personal
account. For related information, see Android app protection policy settings in
Microsoft Intune.
Web links will open with Microsoft Edge or any other browser app you choose to
deploy. Be sure to deploy at least one browser app to devices in order for web links to
be able to open properly. However, all of the Display options available for web links (full
screen, standalone, and minimal UI) will only work with the Chrome browser.
4. Click Select. The Managed Google Play app store is displayed within Intune.
5. Select Web apps (next to the Globe icon) in the Google Play window.
6. Click the "+" button at the lower right to add a new app.
7. Add an app Title, the web app URL, select how the app should be displayed, and
select an app icon.
8. Click Create.
9. Close the Managed Google Play pane if you are done adding apps.
10. Click Sync on the Apps pane to sync with the Managed Google Play service.
Note
Web apps may take several minutes to become available to sync. If the app
does not appear the first time you perform a sync, wait a couple of minutes and
initiate a new sync.
It may take some time after editing for the end user to see the changes made to their
collections. If the changes haven't finished syncing yet, the end user may see an empty
screen with no results text if they open the Play Store app. End users can still use the
search bar to search for and download apps, even if the screen appears. Once at least
one collection is created, all existing approved Managed Google Play apps that are not
in any other collection will appear in a default My work app collection. Apps approved
after initial collection creation will have no collection assignment and will not be
automatically added to the My work app collection.
Apps that are not part of any collection will not appear on the end users' Play Store
front page. However, the end user can still search for them and install in the Play Store.
You can add the same Managed Google Play app to multiple collections. Each collection
can contain up to 100 apps. For more information on collections, see Google's
documentation.
Note
Only apps that have been assigned will show up in the Managed Google Play store
for an end user. As such, this is a key step for the admin to take when setting up
apps with Managed Google Play.
By default, an Android Enterprise fully managed device will not allow employees to
install any apps that are not approved by the organization. Also, employees will not be
able to remove any installed apps against policy. If you wish to allow users to access the
full Google Play store to install apps rather than only having access to the approved
apps in Managed Google Play store, you can set the Allow access to all apps in Google
Play store to Allow. With this setting, the user can access all the apps in the Google Play
store using their corporate account, however purchases may be limited. You can remove
the limited purchases restriction by allowing users to add new accounts to the device.
Doing so will enable end users to have the ability to purchase apps from the Google
Play store using personal accounts, as well as conduct in-app purchases. For more
information, see Android Enterprise device settings to allow or restrict features using
Intune.
Note
The Microsoft Intune app, the Microsoft Authenticator app, and the Company
Portal app will be installed as required apps onto all fully managed devices during
onboarding. Having these apps automatically installed provides Conditional Access
support, and Microsoft Intune app users can see and resolve compliance issues.
Update a Managed Google Play app
By default, Managed Google Play apps will not update unless the following conditions
are met:
For more information, see the Manage App Updates documentation from Google.
You can choose to configure the wi-fi requirement for dedicated, fully managed, and
corporate-owned work profile devices by configuring app auto-updates in device
configurations policies.
For dedicated, fully managed, and corporate-owned work profile devices, you can
choose an app update mode when an app is assigned to groups. The update modes
available are:
Default: The app's updates are subject to default conditions (described above).
High Priority: The app will update as soon as possible from when a new update is
released, disregarding all of the default conditions. This may be disruptive for
some users since the update can occur while the device is being used.
Postpone: When the app receives a new update, a 90-day waiting period is
triggered. After 90 days, the app is updated to the newest version available, even if
that version was not the update that triggered the waiting period. Note that the
90-day window is not configurable. To terminate the waiting period early, change
the update mode to either Default or High Priority.
When an app developer updates permissions with a new version of the app, the
permissions are not automatically accepted even if you approved the previous
permissions. Devices that run the previous version of the app can still use it. However,
the app is not upgraded until the new permissions are approved. Devices without the
app installed do not install the app until you approve the app's new permissions.
1. Go to Google Play.
2. Sign in with the Google account that you used to publish and approve the apps.
3. Select the Updates tab, and check to see whether any apps require an update. Any
listed apps require new permissions and are not assigned until they are applied.
Note
Required app deployments for non-production app tracks are currently unavailable
for devices enrolled in Android Enterprise personally owned work profile (BYOD).
Note
If an app is unapproved or deleted from the managed Google Play store, it will not
be removed from the Intune client apps list. This allows you to still target an
uninstall policy to users even if the app is unapproved.
To turn off Android Enterprise enrollment and management, see Disconnect your
Android Enterprise administrative account.
Next steps
Assign apps to groups
Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune
Article • 08/31/2023
Before you can assign, monitor, configure, or protect apps, you must add them to
Intune. One of the available app types is Microsoft 365 Apps for Windows 10/11 devices.
By selecting this app type in Intune, you can assign and install Microsoft 365 Apps to
devices you manage that run Windows 10/11. You can also assign and install apps for
the Microsoft Project Online desktop client and Microsoft Visio Online Plan 2, if you own
licenses for them. The available Microsoft 365 Apps are displayed as a single entry in the
list of apps in the Microsoft Intune admin center.
Note
Microsoft Office 365 ProPlus has been renamed to Microsoft 365 Apps for
enterprise. In our documentation, we'll commonly refer to it as Microsoft 365
Apps.
You must use Microsoft 365 Apps licenses to activate Microsoft 365 Apps apps
deployed through Microsoft Intune. Microsoft 365 Apps for business edition is
supported by Intune, however you must configure the app suite of the Microsoft
365 Apps for business edition using XML data. For more information, see Configure
app suite using XML data.
Using the Office Deployment Tool (ODT) to install OneDrive through Intune is not
supported. However, OneDrive will install as a component of some Microsoft 365
App installations. For related information, see Configuration options for the Office
Deployment Tool.
Important
If there are .msi Office apps on the end-user device, you must use the Remove MSI
feature to safely uninstall these apps. Otherwise, the Intune-delivered Microsoft 365
Apps will fail to install.
Devices to which you deploy these apps must be running Windows 10 Creators Update
or later (Windows 11 is supported).
Intune supports adding Office apps from the Microsoft 365 Apps suite only.
If any Office apps are open when Intune installs the app suite, the installation
might fail, and users might lose data from unsaved files.
This installation method is not supported on Windows Home, Windows Team,
Windows Holographic, or Windows Holographic for Business devices.
Intune does not support installing Microsoft 365 desktop apps from the Microsoft
Store (known as Office Centennial apps) on a device to which you have already
deployed Microsoft 365 apps with Intune. If you install this configuration, it might
cause data loss or corruption.
Multiple required or available app assignments are not additive. A later app
assignment will overwrite pre-existing installed app assignments. For example, if
the first set of Office apps contains Word, and the later one does not, Word will be
uninstalled. This condition does not apply to any Visio or Project applications.
Multiple Microsoft 365 deployments are not currently supported. Only one
deployment will be delivered to the device.
Office version - Choose whether you want to assign the 32-bit or 64-bit version of
Office. You can install the 32-bit version on both 32-bit and 64-bit devices, but you
can install the 64-bit version on 64-bit devices only.
Remove MSI from end-user devices - Choose whether you want to remove pre-
existing Office .MSI apps from end-user devices. The installation won't succeed if
there are pre-existing .MSI apps on end-user devices. The apps to be uninstalled
are not limited to the apps selected for installation in Configure App Suite, as it
will remove all Office (MSI) apps from the end user device. For more information,
see Remove existing MSI versions of Office when upgrading to Microsoft 365
Apps. When Intune reinstalls Office on your end user's machines, end users will
automatically get the same language packs that they had with previous .MSI Office
installations.
1. In the App suite information page, you can confirm or modify the default values:
Suite Name: Enter the name of the app suite as it is displayed in the company
portal. Make sure that all suite names that you use are unique. If the same
app suite name exists twice, only one of the apps is displayed to users in the
company portal.
Suite Description: Enter a description for the app suite. For example, you
could list the apps you've selected to include.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app suite when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to
display the app suite prominently on the main page of the company portal
when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Enter any notes that you want to associate with this app.
Configuration designer
Enter XML data
When you choose Configuration designer the Add app pane will change to offer three
additional settings areas:
Select Office apps: Select the standard Office apps that you want to assign to
devices by choosing the apps in the dropdown list.
Select other Office apps (license required): Select additional Office apps that
you want to assign to devices and that you have licenses for by choosing the
apps in the dropdown list. These apps include licensed apps, such as
Microsoft Project Online desktop client and Microsoft Visio Online Plan 2.
Architecture: Choose whether you want to assign the 32-bit or 64-bit version
of Microsoft 365 Apps. You can install the 32-bit version on both 32-bit and
64-bit devices, but you can install the 64-bit version on 64-bit devices only.
Default file format: Choose whether you want to use Office Open Document
Format or Office Open XML Format.
The available versions will change over time. Therefore, when creating a
new deployment, the version list may contain newer versions and omit
certain older ones. Current deployments will continue to deploy the older
version, but the version list will be continually updated per channel.
For devices that update their pinned version (or update any other
properties) and are deployed as available, the reporting status will still
show as Installed for devices that installed the previous version, until the
device check-in occurs. When the device check-in happens, the status will
temporarily change to Unknown; this is not shown to the user. When the
user initiates the install for the newer available version, the user will see
the status change to Installed.
For more information, see Overview of update channels for Microsoft 365
Apps.
Use shared computer activation: Select this option when multiple users share
a computer. For more information, see Overview of shared computer
activation for Microsoft 365 Apps.
Automatically accept the app end user license agreement: Select this option
if you don't require end users to accept the license agreement. Intune then
automatically accepts the agreement.
You can deploy additional languages for Microsoft 365 Apps managed
through Intune. The list of available languages includes the Type of language
pack (core, partial, and proofing). In the portal, select Microsoft Intune >
Apps > All apps > Add. In the App type list of the Add app pane, select
Windows 10 and later under Microsoft 365 Apps. Select Languages in the
App Suite Settings pane. For additional information, see Overview of
deploying languages in Microsoft 365 Apps.
2. Click Next to display the Scope tags page.
Note
For more information about entering XML data, see Configuration options for the Office
Deployment Tool.
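The Configuration designer options described above (architecture, selected apps, Remove MSI, shared computer activation, automatic EULA acceptance) correspond to elements of an Office Deployment Tool configuration file, which is what the Enter XML data option takes and which the article says is required for the Microsoft 365 Apps for business edition. The following Python helper is an added example, not code from this article or from Intune: it builds such an XML from designer-style choices and parses one back into a summary so it can be reviewed before it is pasted into Intune. The element and attribute names are the ODT's own schema; the function names, the product-ID lookup table and the sample values are constructed for this example.

```python
"""Build and inspect an Office Deployment Tool (ODT) configuration XML.

Added example, not Intune's or the article's code. The element and attribute
names (Configuration, Add/OfficeClientEdition/Channel, Product, Language,
ExcludeApp, RemoveMSI, Property, Display) are the ODT schema; the function
names, PRODUCT_IDS and the sample values are constructed for this example.
"""
import xml.etree.ElementTree as ET

# ODT product IDs. The business edition is the case the article says must be
# configured through XML rather than the Configuration designer.
PRODUCT_IDS = {
    "enterprise": "O365ProPlusRetail",
    "business": "O365BusinessRetail",
    "visio": "VisioProRetail",
    "project": "ProjectProRetail",
}


def build_odt_config(edition, *, architecture="64", channel="MonthlyEnterprise",
                     languages=("en-us",), exclude_apps=(), extra_products=(),
                     remove_msi=True, shared_computer=False, accept_eula=True):
    """Return ODT configuration XML text for the given designer-style choices."""
    if architecture not in ("32", "64"):
        raise ValueError("architecture must be '32' or '64'")
    root = ET.Element("Configuration")
    add = ET.SubElement(root, "Add", OfficeClientEdition=architecture, Channel=channel)
    for key in (edition, *extra_products):
        product = ET.SubElement(add, "Product", ID=PRODUCT_IDS[key])
        for lang in languages:
            ET.SubElement(product, "Language", ID=lang)
        # ExcludeApp applies to the suite (the "Select Office apps" choice),
        # not to the separately licensed Visio/Project products.
        if key == edition:
            for app in exclude_apps:
                ET.SubElement(product, "ExcludeApp", ID=app)
    if remove_msi:
        # Same effect as the designer's "Remove MSI from end-user devices".
        ET.SubElement(root, "RemoveMSI")
    if shared_computer:
        # "Use shared computer activation" in the designer.
        ET.SubElement(root, "Property", Name="SharedComputerLicensing", Value="1")
    # Level="None" gives the silent install the article describes for required
    # assignments; AcceptEULA mirrors "Automatically accept the app EULA".
    ET.SubElement(root, "Display", Level="None",
                  AcceptEULA="TRUE" if accept_eula else "FALSE")
    return ET.tostring(root, encoding="unicode")


def summarize_odt_config(xml_text):
    """Parse ODT XML (e.g. before pasting it into 'Enter XML data') into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("not an ODT configuration")
    add = root.find("Add")
    if add is None:
        raise ValueError("no <Add> element: nothing would be installed")
    products = {}
    for product in add.findall("Product"):
        products[product.get("ID")] = {
            "languages": [lang.get("ID") for lang in product.findall("Language")],
            "excluded": [app.get("ID") for app in product.findall("ExcludeApp")],
        }
    display = root.find("Display")
    return {
        "edition": add.get("OfficeClientEdition"),
        "channel": add.get("Channel"),
        "products": products,
        "remove_msi": root.find("RemoveMSI") is not None,
        "shared_computer": any(
            p.get("Name") == "SharedComputerLicensing" and p.get("Value") == "1"
            for p in root.findall("Property")),
        "accept_eula": display is not None
                       and display.get("AcceptEULA", "").upper() == "TRUE",
    }


if __name__ == "__main__":
    sample = build_odt_config("business", exclude_apps=("Teams",),
                              shared_computer=True)
    print(sample)
    print(summarize_odt_config(sample))
```

The summary function is the useful half when you receive an XML from someone else: an XML without `RemoveMSI` on a device that still has an MSI Office install, or one that omits the `Display` element, is the kind of thing the article's troubleshooting section says leads to a failed install, and it is cheaper to catch at review time than in the install status report.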
1. Click Select scope tags to optionally add scope tags for the app suite.
2. Click Next to display the Assignments page.
Step 4 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app suite. For more information, see Add groups to organize
users and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.
3. When you are done, click Create to add the app to Intune.
Deployment details
Once the deployment policy from Intune is assigned to the target machines through
Office configuration service provider (CSP), the end device will automatically download
the installation package from the officecdn.microsoft.com location. You will see two
directories appearing in the Program Files directory:
Under the Microsoft Office directory, a new folder is created where the installation files
are stored:
Under the Microsoft Office 15 directory, the Office Click-to-Run installation launcher files
are stored. The installation will start automatically if the assignment type is required:
The installation runs in silent mode if the Microsoft 365 assignment is configured as
required. The downloaded installation files are deleted once the installation
succeeds. If the assignment is configured as Available, the Office applications
appear in the Company Portal application so that end users can trigger the installation
manually.
Troubleshooting
Intune uses the Office Deployment Tool to download and deploy Microsoft 365 Apps to
your client computers from the Office 365 CDN. Follow the best practices outlined in
Managing Office 365 endpoints so that your network configuration lets clients reach
the CDN directly; routing CDN traffic through central proxies introduces unnecessary
latency.
Important
For custom Office Deployment Tool XML installs, the install status only reflects the
result of the installation attempt. The install status does not reflect whether the app
is currently installed on the machine.
Run the Microsoft Support and Recovery Assistant for Microsoft 365 on a targeted
device if you encounter installation or run-time issues.
Confirm that both the Intune and the Microsoft 365 network requirements are met and
that the related IP ranges are accessible, based on the following articles:
Intune network configuration requirements and bandwidth
Office 365 URLs and IP address ranges
Confirm that the correct groups have been assigned the Microsoft 365 app suite.
Once you can conclude that both Intune and the network infrastructure work as
expected, you should further analyze the issue from an OS perspective. Consider the
following conditions:
The target device must run on Windows 10/11 Creators Update or later.
No existing Office apps are opened while Intune deploys the applications.
Existing MSI versions of Office have been properly removed from the device.
Intune utilizes Office Click-to-Run, which is not compatible with Office MSI. This
behavior is further described in this document:
Office installed with Click-to-Run and Windows Installer on same computer isn't
supported
The signed-in user should have permission to install applications on the device.
Confirm there are no issues based on the Windows Event Viewer log Windows
Logs > Applications.
Capture Office installation verbose logs during the installation. To do this, follow
these steps:
REG_DWORD /d 3
The verbose logs can provide further detailed information on the installation
process.
The following tables list common error codes you might encounter and their meaning.
This app type makes it easy for you to assign Microsoft 365 apps to macOS devices. By
using this app type, you can install Word, Excel, PowerPoint, Outlook, OneNote, Teams,
and OneDrive. To help keep the apps more secure and up to date, the apps come with
Microsoft AutoUpdate (MAU). The apps that you want are displayed as one app in the
list of apps in the Intune admin center.
Important
With Office for Mac update (16.67), macOS Big Sur 11 or later will be required to
receive updates to Office for Mac. If you continue with an older version of macOS,
your Office apps will still work, but you'll no longer receive any updates, including
security updates. Upgrading your operating system to macOS Big Sur 11 or later
will allow Office updates to be delivered for your apps. The October 2022 Office for
Mac update (16.66) will be the last build to support macOS Catalina 10.15. For
related information, see Upgrade macOS to continue receiving Microsoft 365 and
Office for Mac updates.
Note
Other versions of Office for Mac can be added to the Microsoft Intune admin
center. For more information, see Most current packages for Office for Mac.
Microsoft Office 365 ProPlus has been renamed to Microsoft 365 Apps for
enterprise. In our documentation, we'll commonly refer to it as Microsoft 365
Apps.
Devices to which you deploy these apps must be running macOS 10.14 or later.
If any Office apps are open when Intune installs the app suite, users might lose
data from unsaved files.
Select Microsoft 365 Apps
1. Sign in to the Microsoft Intune admin center.
2. Select Apps > All apps > Add.
3. Select macOS in the Microsoft 365 Apps section of the Select app type pane.
4. Click Select. The Add Microsoft 365 Apps steps are displayed.
1. In the App suite information page, you can confirm or modify the default values:
Suite Name: Enter the name of the app suite as it is displayed in the company
portal. Make sure that all suite names that you use are unique. If the same
app suite name exists twice, only one of the apps is displayed to users in the
company portal.
Suite Description: Enter a description for the app suite. For example, you
could list the apps you've selected to include.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app suite when they browse the company portal.
Show this as a featured app in the Company Portal: Select this option to
display the app suite prominently on the main page of the company portal
when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Enter any notes that you want to associate with this app.
Logo: The Microsoft 365 Apps logo is displayed with the app when users
browse the company portal.
1. Click Select scope tags to optionally add scope tags for the app suite.
2. Click Next to display the Assignments page.
Step 3 - Assignments
1. Select the Required or Available for enrolled devices group assignments for the
app suite. For more information, see Add groups to organize users and devices
and Assign apps to groups with Microsoft Intune.
Note
You cannot uninstall the 'Microsoft 365 apps for macOS' app suite through
Intune.
2. When you are done, click Create to add the app to Intune.
The Overview blade is displayed. The suite appears in the list of apps as a single
entry.
Next steps
To learn about adding Microsoft 365 apps to Windows 10 devices, see Assign
Microsoft 365 Apps to Windows 10 devices with Microsoft Intune.
To learn about including and excluding app assignments from groups of users, see
Include and exclude app assignments.
Manage Android Enterprise system apps
in Microsoft Intune
Article • 05/01/2023
Before you assign an Android Enterprise system app to a device, you must first enable
the app in Microsoft Intune. System apps are supported on Android Enterprise devices.
You can enable a system app for Android Enterprise dedicated devices, fully managed
devices, Android Enterprise corporate-owned with work profile, or Android Enterprise
personally-owned work profiles. When you no longer need the system app, you can
disable it. Android Enterprise system apps will enable or disable apps that are already
part of the platform. To enable an app, assign the system app as Required. To disable an
app, assign the system app as Uninstall. System apps cannot be assigned as available
for a user.
Note
You will need to work with the OEM of your device to find the package name of the
app you would like to enable/disable.
You cannot create an Android Enterprise system app when there is the same app in
Managed Google Play in Intune.
The Notes section will not appear for an Android Enterprise system app and is not
editable.
The app you've created is displayed in the apps list, where you can assign it to the
groups that you select.
Next steps
Assign apps to groups
Add web apps to Microsoft Intune
Article • 07/24/2023
Intune supports a variety of app types, including web apps. A web app is a client-server
application. The server provides the web app, which includes the UI, content, and
functionality. Additionally, modern web-hosting platforms commonly offer security, load
balancing, and other benefits. A web app is separately maintained on the web. You use
Microsoft Intune to point to this app type. You also assign the groups of users that can
access this app.
Before you can manage and assign an app for your users, add the app to Intune.
Intune creates a shortcut to the web app on the user's device. For iOS/iPadOS devices, a
shortcut to the web app is added to the home screen. For Android Device Admin
devices, a shortcut to the web app is added to the Intune company portal widget and
the widget needs to be pinned manually by the user. For Windows devices, a shortcut to
the web app is placed on the Start Menu.
Note
For Android Enterprise devices, see Managed Google Play web links.
For iOS devices, new web clips (pinned web apps) will open in Microsoft Edge
instead of the Intune Managed Browser when required to open in a protected
browser. For older iOS web clips, you must retarget these web clips to ensure they
open in Microsoft Edge rather than the Managed Browser.
For legacy device admin Android devices, web links pinned through the Company
Portal widget can only open with the Intune Managed Browser if users' Company
Portal version is older than 5.0.4737.0.
Note
If you change the name of the app through Intune after you have
deployed and installed the app, the app will no longer be able to be
targeted using commands.
App URL: Enter the URL of the website that hosts the app that you want to
assign.
Require a managed browser to open this link: Select this option to assign to
your users a link to a website or web app that they can open in the Intune
managed browser. This browser must be installed on their device.
Full screen: [iOS/iPadOS only] If configured to Yes, launches the web clip as a
full-screen web app without a browser. Additionally, there’s no URL or search
bar, and no bookmarks.
Show this as a featured app in the Company Portal: Select this option to
display the app suite prominently on the main page of the company portal
when users browse for apps.
Privacy URL: Provide a link for people who want to learn more about the
app's privacy settings and terms. The privacy URL will be visible to users in
Company Portal.
Developer: The name of the company or individual that developed the app.
This information will be visible to people signed in to the admin center.
Owner: The name of the person in your organization who manages licensing
or is the point-of-contact for this app. This name will be visible to people
signed in to the admin center.
Notes: Add additional notes about the app. Notes will be visible to people
signed in to the admin center.
Logo: Upload an icon that will be associated with the app. This icon is
displayed with the app when users browse the company portal.
7. Click Select scope tags to optionally add scope tags for the app. For more
information, see Use role-based access control (RBAC) and scope tags for
distributed IT.
9. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.
10. Click Next to display the Review + create page. Review the values and settings you
entered for the app.
11. When you are done, click Create to add the app to Intune.
Next steps
The app that you've created is displayed in the apps list, where you can assign it to the
groups that you select. For help, see Assign apps to groups.
Add built-in apps to Microsoft Intune
Article • 03/07/2023
The built-in app type makes it easy for you to assign curated managed apps, such as
Microsoft 365 apps and third-party apps, to iOS/iPadOS and Android devices. You can
assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and
others. After you add an app, the app type is displayed as either Built-in iOS app or
Built-in Android app. By using the built-in app type, you can choose which of these apps
to publish to device users.
In earlier versions of the Microsoft Intune admin center, Intune provided several
default managed Microsoft 365 apps, such as Outlook and OneDrive. The app types for
these managed apps were tagged as Managed iOS Store App or Managed Android App.
Instead of using these app types, we recommend that you use the built-in app type. By
using the built-in app type, you have the additional flexibility to edit and delete
Microsoft 365 apps.
Note
Default Microsoft 365 apps that are tagged as Managed iOS Store and Managed
Android App are removed from the app list when all assignments are deleted.
3. In the Select app type pane, under the available Other types, select Built-In app.
5. In the Select Built-in apps page, click Select app to select the apps that you want
to include.
7. Once you have selected the apps, click Select on the Select Built-in apps pane.
11. Select the group assignments for the app. For more information, see Add groups
to organize users and devices.
12. Click Next to display the Review + create page. Review the values and settings you
entered for the app.
13. When you are done, click Create to add the app to Intune.
1. Select Apps > All apps and select the built-in app that you want to modify.
2. Select Properties.
4. In the App information pane, you can modify the following information:
Name: Enter the name of the built-in app as it is displayed in the company
portal. Make sure all names that you use are unique. If the same app name
exists twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app.
Publisher: Enter the name of the publisher of the app.
Category: Optionally, select one or more of the built-in app categories.
Setting this option makes it easier for users to find the app when they browse
the company portal.
Show this as a featured app in the company portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app (for example, HR
department).
Notes: Enter any notes that you want to associate with this app.
Upload Icon: Upload an icon that is displayed with the app when users
browse the company portal.
5. Click Review + save to display the Review + create page. Review the values and
settings you entered for the app.
6. When you are done, click Save to update the app in Intune.
Next steps
You can now assign the apps to the groups that you choose. For more information,
see Assign apps to groups.
Add an Android line-of-business app to
Microsoft Intune
Article • 03/06/2023
A line-of-business (LOB) app is an app that you add to Intune from an app installation
file. This kind of app is typically written in-house. Intune installs the LOB app on the
user's device.
Note
For more information about LOB apps and the Google Play Developer Console, see
Managed Google Play private (LOB) app publishing using the Google Developer
Console.
Note
For Android Enterprise devices, see Add Managed Google Play apps to Android
Enterprise devices with Intune.
Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Minimum Operating System: From the list, choose the minimum operating
system version on which the app can be installed. If you assign the app to a
device with an earlier operating system, it will not be installed.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Show this as a featured app in the Company Portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.
Step 3 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users
and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.
3. When you are done, click Create to add the app to Intune.
If Check apps from external sources is enabled on the Android device, the user will be
prompted before installing the update. Otherwise the update will be installed
automatically.
Note
For the Intune service to successfully deploy a new APK file to the device, you must
increment the android:versionCode string in the AndroidManifest.xml file in your
APK package.
Next steps
The app that you created appears in the list of apps. You can now assign it to
groups that you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. See How to monitor app information and assignments.
Learn more about the context of your app in Intune. See Overview of device and
app lifecycles.
Add an iOS/iPadOS line-of-business app
to Microsoft Intune
Article • 05/25/2023
Use the information in this article to help you add an iOS/iPadOS line-of-business (LOB)
app to Microsoft Intune. A line-of-business (LOB) app is an app that you add to Intune
from an IPA app installation file. This kind of app is typically written in-house. You will
first need to join the iOS Developer Enterprise Program. For more information about
how to do this, see Apple's website.
Note
Users of iOS/iPadOS devices can remove some of the built-in iOS/iPadOS apps, like
Stocks and Maps. You cannot use Intune to redeploy these apps. If users delete
these apps, they must go to the app store and manually reinstall them.
You can deploy LOB apps to Shared iPad devices. For Shared iPad devices, line-of-
business apps must be assigned as required to a device group containing Shared iPad
devices from the Microsoft Intune admin center.
Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Minimum Operating System: From the list, choose the minimum operating
system version on which the app can be installed. If you assign the app to a
device with an earlier operating system, it will not be installed.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Show this as a featured app in the Company Portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.
Step 3 - Assignments
1. Select the Required, Available for enrolled devices, Available with or without
enrollment, or Uninstall group assignments for the app. For more information, see
Add groups to organize users and devices and Assign apps to groups with
Microsoft Intune.
2. Click Next to display the Review + create page.
3. When you are done, click Create to add the app to Intune.
The app that you created now appears in the list of apps. From the list, you can assign
the apps to groups that you choose. For help, see How to assign apps to groups.
Note
Provisioning profiles for iOS/iPadOS LOB apps have a 30 day notice before they will
expire.
Note
For the Intune service to successfully deploy a new IPA file to the device, you must
update the CFBundleVersion string in the Info.plist file in your IPA package. You are
allowed to upgrade an app by increasing the value, or downgrade an app by
decreasing the value, however you cannot upload a new version of
CFBundleVersion if the new app is identical to the existing one.
For an iOS LOB app targeted with available intent, auto-update of the application will
happen as long as the following conditions are met:
The end user must request the specific Intune app from the Company Portal and
the app must be successfully installed, or the app is already installed on the device.
The targeting for the user has not changed (app assignment with available intent is
not removed and user is not removed from the group membership in the life cycle
of the app assignment).
If the previous version of the app is installed through required intent, then the
available app update will not happen. The app will be updated automatically as
long as the user/device is part of required intent group.
If the app has both available and required deployments targeted, the resolved
intent becomes 'RequiredAndAvailable'. Note: You cannot create Available and
Required deployments for the same AAD group, but you can use a different AAD
group with the same members in it. If the app was installed automatically on devices
after the Required deployment was created (not manually installed from Company
Portal) and the required deployment is later removed, the Available app update
won't happen automatically on those devices, and the users have to request the
app from Company Portal.
Next steps
The app that you created appears in the list of apps. You can now assign it to
groups that you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. See How to monitor app information and assignments.
Learn more about the context of your app in Intune. See Overview of device and
app lifecycles.
Add a Windows line-of-business app to
Microsoft Intune
Article • 03/06/2023
A line-of-business (LOB) app is one that you add from an app installation file. This kind
of app is typically written in-house. The following steps provide guidance to help you
add a Windows LOB app to Microsoft Intune.
Important
When deploying Win32 apps using an installation file with the .msi extension
(packaged in an .intunewin file using the Content Prep Tool), consider using Intune
Management Extension. If you mix the installation of Win32 apps and line-of-
business apps during Autopilot enrollment, the app installation may fail as they
both use the Trusted Installer service at the same time.
2. In the App package file pane, select the browse button. Then, select a Windows
installation file with the extension .msi, .appx, or .appxbundle.
The app details will be displayed.
Note
The file extensions for Windows apps include .msi, .appx, .appxbundle, .msix,
and .msixbundle. For more information about .msix, see MSIX
documentation and MSIX App Distribution.
3. When you're finished, select OK on the App package file pane to add the app.
Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
App Install Context: Select the install context to be associated with this app.
For dual mode apps, select the desired context for this app. For all other
apps, this is pre-selected based on the package and cannot be modified.
Ignore app version: Set to Yes if the app developer automatically updates the
app. This option applies to mobile .msi apps and Windows apps with self-
updating installers (such as Google Chrome).
Command-line arguments: Optionally, enter any command-line arguments
that you want to apply to the .msi file when it runs. An example is /q. Do not
include the msiexec command or arguments, such as /i or /x, as they are
automatically used. For more information, see Command-Line Options. If the
.MSI file needs additional command-line options consider using Win32 app
management.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Show this as a featured app in the Company Portal: Display the app
prominently on the main page of the company portal when users browse for
apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.
Step 3 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users
and devices and Assign apps to groups with Microsoft Intune.
2. Click Next to display the Review + create page.
3. When you are done, click Create to add the app to Intune.
The app that you created now appears in the list of apps. From the list, you can assign
the apps to groups that you choose. For help, see How to assign apps to groups.
Note
For the Intune service to successfully deploy a new APPX file to the device, you
must increment the Version string in the AppxManifest.xml file in your APPX
package.
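Because Intune only pushes a new APPX when the manifest version is higher than the one already deployed, a packaging pipeline should verify the increment before upload. The following is an added example, not code from the Intune documentation or the Intune service: it parses the Identity element of AppxManifest.xml and compares the four-part version numerically. The manifest text is a constructed sample, and the package name and publisher in it are placeholders.

```python
"""Check that a candidate APPX manifest increments the deployed Version.

Added example (not Intune code). Intune only deploys a new APPX when the
Identity Version in AppxManifest.xml is higher than the version already on
the device, so a packaging pipeline should verify that before upload.
"""
import xml.etree.ElementTree as ET

# Constructed sample manifest; package name and publisher are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.SampleApp" Publisher="CN=Contoso, O=Contoso"
            Version="1.2.0.0" />
</Package>
"""


def parse_version(text: str) -> tuple:
    """Turn 'major.minor.build.revision' into a tuple of four ints.

    Numeric comparison matters: as strings, "1.10.0.0" sorts below "1.2.0.0".
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part package version: {text!r}")
    return tuple(int(p) for p in parts)


def manifest_version(manifest_xml: str) -> tuple:
    """Return the Identity Version from an AppxManifest.xml document.

    The Identity element is matched by local name so the check works
    regardless of which manifest namespace the package declares.
    """
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "Identity":
            return parse_version(element.attrib["Version"])
    raise ValueError("AppxManifest.xml has no Identity element")


def is_version_incremented(deployed_version: str, manifest_xml: str) -> bool:
    """True only when the manifest version is strictly greater than what is deployed."""
    return manifest_version(manifest_xml) > parse_version(deployed_version)


if __name__ == "__main__":
    for deployed in ("1.1.9.0", "1.2.0.0", "1.10.0.0"):
        verdict = "will deploy" if is_version_incremented(deployed, SAMPLE_MANIFEST) else "will NOT deploy"
        print(f"deployed {deployed} -> candidate 1.2.0.0: {verdict}")
```

Run it before uploading a rebuilt package: a candidate whose version is equal to or lower than the deployed one (including the string-sorting trap of 1.10 versus 1.2) is reported as not deployable, so the manifest gets fixed before the service silently declines the update.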
Some MSI installer-based apps are automatically updated by the app developer or
another update method. For these automatically updated MSI apps, you can configure
the Ignore app version setting in the App information pane. When you switch this
setting to Yes, Microsoft Intune will not enforce the app version that's installed on the
Windows client.
This capability is useful to avoid getting into a race condition. For instance, a race
condition can occur when the app is automatically updated by the app developer and is
updated by Intune. Both might try to enforce a version of the app on a Windows client,
which creates a conflict.
Next steps
The app that you created appears in the list of apps. You can now assign it to
groups that you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. See How to monitor app information and assignments.
Learn more about the context of your app in Intune. See Overview of the app
lifecycle in Microsoft Intune.
Note
Microsoft Intune will be ending support on October 21, 2022 for devices running
Windows 8.1. Intune will no longer support Windows 8.1 sideloading.
You can unlock a device for sideloading using an enterprise policy. Intune provides
a device config policy called "Trusted app installation". Setting this to allow is all
that is needed for devices that already trust the certificate used to sign the appx
app.
Symantec Phone certificates and Sideloading License keys aren't required. However,
if an on-premises certificate authority isn't available, then you may need to obtain a
code signing certificate from a public certification authority. For more information,
see Introduction to Code Signing.
If you deploy the app as required to users or devices then you don't need the Intune
Company Portal app. However, if you deploy the app as available to users, then they can
either use the Company Portal app from the Public Microsoft Store, use the Company
Portal app from the Private Microsoft Store for Business, or you'll need to sign and
manually deploy the Intune Company Portal app.
Now any Windows 10/11 Desktop & Mobile device with an appx deployment by the
Intune service will automatically download the corresponding enterprise certificate and
the application will be allowed to launch after installation.
Intune only deploys the latest .cer file that was uploaded. If you have multiple appx files
created by different developers that aren't associated with your organization, then you'll
need to either have them provide unsigned appx files for signing with your certificate, or
provide them with the code signing certificate used by your organization.
The Intune service can no longer deploy LOB apps for this platform once the existing
Symantec Mobile Enterprise code-signing certificate expires.
If the cert period has expired, then the appx files may stop launching. You should obtain
a new .cer file and follow the instructions to code-sign each deployed appx file and
reupload all appx files and the updated .cer file to the Windows Enterprise Certificates
section of Intune in the Microsoft Intune admin center.
Note
This option will require deploying manual updates each time an app update is
released.
1. Sign in to your account in the Microsoft Store for Business and acquire the
offline license version of the Company Portal app.
2. Once the app has been acquired, select the app in the Inventory page.
3. Select Windows 10 all devices as the Platform, then the appropriate Architecture
and download. An app license file isn't needed for this app.
4. Download all the packages under "Required Frameworks". This must be done for
x86, x64, ARM, and ARM64 architectures – resulting in a total of 9 packages as
shown below.
5. Before uploading the Company Portal app to Intune, create a folder (for example,
C:\Company Portal) with the packages structured in the following way:
a. Place the Company Portal package into C:\Company Portal. Create a
Dependencies subfolder in this location as well.
6. Return to Intune, then upload the Company Portal app as a new app. Deploy it as a
required app to the desired set of target users.
See Deploying an appxbundle with dependencies via Microsoft Intune MDM for more
information about how Intune handles dependencies for Universal apps.
If you need to sideload the app and deployed the Windows 8.1 Company Portal without
signing it with the Symantec Certificate, follow the steps in the Deploy directly via Intune
section above to complete the upgrade.
If you need to sideload the app and you signed and deployed the Windows 8.1
Company Portal with the Symantec code-signing certificate, follow the steps in the
section below.
Otherwise, the Windows 10 Company Portal app needs to be appropriately updated and
signed to ensure that the upgrade path is respected.
If the Windows 10 Company Portal app is signed and deployed in this way, you'll need
to repeat this process for each new app update when it's available in the store. The app
won't automatically update when the store is updated.
Here's how you sign and deploy the app in this way:
1. Download the Microsoft Intune Signing Script for Windows 10 Company Portal.
This script requires the Windows SDK for Windows 10 to be installed on the host
computer. To download the Windows SDK, see Windows SDK for Windows 11.
2. Download the Windows 10 Company Portal app from the Microsoft Store for
Business, as detailed above.
3. Run the script with the input parameters detailed in the script header to sign the
Windows 10 Company Portal app (extracted below). Dependencies don't need to
be passed into the script. These are only required when the app is being uploaded
to the Microsoft Intune admin center.
Parameter    Description
Win81Appx    The path to where the Windows 8.1 Company Portal (.APPX) file is located.
PublisherId  The Publisher ID of the enterprise. If absent, the 'Subject' field of the
             Symantec Enterprise Mobile Code Signing Certificate is used.
SdkPath      The path to the root folder of the Windows SDK for Windows 10. This
             argument is optional and defaults to ${env:ProgramFiles(x86)}\Windows Kits\10
The script will output the signed version of the Windows 10 Company Portal app when it
has finished running. You can then deploy the signed version of the app as an LOB app
via Intune, which will upgrade the currently deployed versions to this new app.
How to add macOS line-of-business
(LOB) apps to Microsoft Intune
Article • 05/01/2023
Use the information in this article to help you add macOS line-of-business apps to
Microsoft Intune.
Note
macOS LOB apps need to have a logo. If they don't have a logo, they will not be
displayed in the apps section.
While users of macOS devices can remove some of the built-in macOS apps like
Stocks and Maps, you cannot use Intune to redeploy those apps. If end users
delete these apps, they must go to the App Store and manually reinstall them.
App requirements
The .pkg file must satisfy the following requirements to successfully be deployed using
Microsoft Intune.
Note
In August 2022, we removed the ability to upload wrapped .intunemac files in the
Microsoft Intune admin center. You can now upload .pkg files to the Microsoft
Intune admin center.
Important
The .pkg file must be signed using "Developer ID Installer" certificate, obtained
from an Apple Developer account. Only .pkg files may be used to upload macOS
LOB apps to Microsoft Intune. However, conversion of other formats, such as .dmg
to .pkg is supported. For more information about converting non-pkg application
types, see How to deploy DMG or APP-format apps to Intune-managed Macs.
Name: Enter the name of the app as it appears in the company portal. Make
sure all app names that you use are unique. If the same app name exists
twice, only one of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Minimum Operating System: From the list, choose the minimum operating
system version on which the app can be installed. If you assign the app to a
device with an earlier operating system, it will not be installed.
Ignore app version: Select Yes to install the app if the app is not already
installed on the device. Select No to only install the app when it is not already
installed on the device, or if the deploying app's version number does not
match the version that's already installed on the device.
Install as managed: Select Yes to install the Mac LOB app as a managed app
on supported devices (macOS 11 and higher). A macOS LOB app can only be
installed as managed when the app distributable contains a single app
without any nested packages and installs to the /Applications directory.
Managed line-of-business apps will be able to be removed using the
uninstall assignment type on supported devices (macOS 11 and higher). In
addition, removing the MDM profile removes all managed apps from the
device. The default value is No.
Included apps: Review and edit the apps that are contained in the uploaded
file. Included app bundle IDs and build numbers are used for detecting and
monitoring app installation status of the uploaded file. The app listed first is
used as the primary app in app reporting.
Included apps list should only contain the application(s) installed by the
uploaded file in Applications folder on Macs. Any other type of file that is not
an application or an application that is not installed to Applications folder
should be removed from the Included apps list. If Included apps list contains
files that are not applications or if all the listed apps are not installed, app
installation status does not report success.
Mac Terminal can be used to look up and confirm the included app details of
an installed app.
1. Click Select scope tags to optionally add scope tags for the app.
2. Click Next to display the Assignments page.
Step 3 - Assignments
1. Select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users
and devices and Assign apps to groups with Microsoft Intune.
Note
Uninstall intent will only be displayed for LOB apps created with Install as
managed set to Yes. For more information, review the App information section
earlier in this article.
2. When you are done, click Create to add the app to Intune.
The app you have created appears in the apps list where you can assign it to the groups
you choose. For help, see How to assign apps to groups.
Note
If the .pkg file contains multiple apps or app installers, then Microsoft Intune will
only report that the app is successfully installed when all installed apps are detected
on the device.
To update a line-of-business app deployed as a .pkg file, you must increment the
CFBundleShortVersionString of the .pkg file.
Intune will update the app when this schedule elapses, provided that any previous
version of the app is still present on the device.
Next steps
The app you have created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.
Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles
Microsoft Intune management agent for
macOS
Article • 08/16/2023
The Sync action for devices in Microsoft Intune admin center initiates an MDM
check-in and does not force an agent check-in.
Next steps
The app you've created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.
Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles
Add a macOS DMG app to Microsoft
Intune
Article • 08/10/2023
Use the information in this article to help you add a macOS DMG app to Microsoft
Intune. A DMG app is a disk image file that contains one or more applications within it.
Many common applications for macOS are available in DMG format. For more
information about how to create a disk image file, see Apple’s website.
Note
The DMG file must contain one or more files with .app extensions. DMG files
containing other types of installer files will not be installed.
Prerequisites
The following prerequisites must be met before a macOS DMG app is installed on
macOS devices.
Note
The full disk access permission is required to update or delete DMG apps. Intune
automatically requests the permission when a DMG app policy is assigned on
macOS 13 and higher.
Note
You can update apps of type macOS apps (DMG) deployed using Intune. Edit a
DMG app that is already created in Intune by uploading the update for the app
with the same bundle identifier as the original DMG app. In addition, you must use
the Microsoft Intune agent for macOS version 2304.039 or greater.
Name: Enter the name of the app as it appears in the policy name and
company portal. Make sure all app names that you use are unique. If the
same app name exists twice, only one of the apps appears in the company
portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.
Step 2 – Requirements
You can choose the minimum operating system required to install this app.
Minimum Operating System: From the list, choose the minimum operating system
version on which the app can be installed. If you assign the app to a device with an
earlier operating system, it will not be installed.
Ignore app version: Select Yes to install the app if the app is not already installed on the
device. This will only look for the presence of the app bundle ID. For apps that have an
auto-update mechanism, select Yes. Select No to install the app when it is not already
installed on the device, or if the deploying app's version number does not match the
version that's already installed on the device.
Note
To Uninstall group assignments, consider the Ignore app version setting. When
Ignore app version is set to No, the app bundle ID and version number must
match to remove the app. When Ignore app version is set to Yes, only the app
bundle ID must match to remove the app.
Included apps: Provide the apps that are contained in the uploaded file. Included app
bundle IDs and build numbers are used for detecting and monitoring app installation
status of the uploaded file. Included apps list should only contain the application(s)
installed by the uploaded file in Applications folder on Macs. Any other type of file that
is not an application or an application that is not installed to Applications folder should
be excluded from the Included apps list. If Included apps list contains files that are not
applications or if all the listed apps are not installed, app installation status does not
report success.
Note
The first app on the Included apps list is used for identifying the app when
multiple apps are present in the DMG file.
Mac Terminal can be used to look up and confirm the included app details of
an installed app. For example, to look up the bundle ID and build number of
Company Portal, run the following:
CFBundleIdentifier
CFBundleShortVersionString
Note
A macOS app deployed using Intune agent will not automatically be removed from
the device when the device is retired. The app and data it contains will remain on
the device. It is recommended that the app is removed prior to retiring the device.
The app you have created appears in the apps list where you can assign it to the groups
you choose. For help, see How to assign apps to groups.
Note
If the .dmg file contains multiple apps, then Microsoft Intune will only report that
the app is successfully installed when all installed apps are detected on the device.
Next steps
The app you have created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.
Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles
Known issues
"Available for enrolled devices" assignment type is not available: Only Required
and Uninstall assignment types are currently supported.
DMG apps report once after deployment: Assigned DMG apps report back on
initial deployment only. These apps will not report back again during preview.
Some app icons may not display immediately after installation: Some app icons
may take some time after installation to start displaying on the installed device.
Monitoring reports only show error code: failed app installations only show an
error code in "device status" monitoring reports. To show error details, refresh the
browser window or refer to the table in the Troubleshooting section.
Troubleshooting
macOS app installation may not be successful due to any of the following reasons
provided in the table below. To resolve these errors, follow the remediation steps. If the
app remains assigned, failed installations are retried at the next agent check-in.
0x87D30137
  Description: The device doesn't meet the minimum OS requirement set by the admin.
  Remediation: Update macOS to the minimum OS version required by the admin.
0x87D3013E
  Description: The DMG file doesn't contain any supported app. It must contain at
  least one .app file.
  Remediation: Ensure that the uploaded file contains one or more .app files.
0x87D30139
  Description: The DMG file couldn't be mounted for installation. Check the DMG file
  if the error persists.
  Remediation: Try manually mounting the DMG file to verify that the volume loads
  successfully.
0x87D3013B
  Description: The app couldn't be installed to the Applications directory. Sync the
  device to retry installing the app.
  Remediation: Ensure that the device can install apps locally to the Applications
  directory.
0x87D3012F, 0x87D30130, 0x87D30133, 0x87D30134, 0x87D30136
  Description: The app couldn't be installed due to an internal error. Contact Intune
  support if the error persists.
  Remediation: Something went wrong while installing the app using Intune. Try
  installing the app manually or try creating a new macOS app profile containing the
  app. Contact Intune support if the error persists.
0x87D30135
  Description: The app couldn't be installed due to a device error. Sync the device to
  retry installing the app.
  Remediation: This could be due to insufficient disk space or the app could not be
  written to the folder. Ensure that the device can install apps to the Applications
  folder.
0x87D3013A
  Description: The physical resources of this disk have been exhausted.
  Remediation: This could be due to the hard disk running out of space or binaries of
  the installation files being corrupt. Fix the hard disk space and restart the
  Microsoft Intune Management Extension service and try again.
Add an unmanaged macOS PKG app to
Microsoft Intune (public preview)
Article • 07/24/2023
Use the information in this article to help you add an unmanaged macOS PKG app to
Microsoft Intune. To deploy a managed PKG app, see How to add macOS line-of-business
(LOB) apps to Microsoft Intune.
Prerequisites
The following prerequisites must be met before an unmanaged macOS PKG app is
installed on macOS devices.
Note
These types of PKG apps may not successfully deploy using the managed LOB app
type.
The containing app files can be listed under the Included apps section in the Detection
rules tab in order, starting with the parent app to be used in reports.
Name: Enter the name of the app as it appears in the policy name and
company portal. Make sure all app names that you use are unique. If the
same app name exists twice, only one of the apps appears in the company
portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Category: Select one or more of the built-in app categories, or select a
category that you created. Categories make it easier for users to find the app
when they browse through the company portal.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that is associated with the app. This icon is displayed
with the app when users browse through the company portal.
Step 2 – Requirements
You can choose the minimum operating system required to install this app.
Minimum Operating System: From the list, choose the minimum operating system
version on which the app can be installed. If you assign the app to a device with an
earlier operating system, it will not be installed.
Ignore app version: Select Yes to install the app if the app is not already installed on the
device. This will only look for the presence of the app bundle ID. For apps that have an
auto-update mechanism, select Yes. Select No to install the app when it is not already
installed on the device, or if the deploying app's version number does not match the
version that's already installed on the device.
Included apps: Provide the apps that are contained in the uploaded file. Included app
bundle IDs and build numbers are used for detecting and monitoring app installation
status of the uploaded file. Included apps list should only contain the application(s)
installed by the uploaded file. Any other type of file that is not an application should be
excluded from the Included apps list. If Included apps list contains files that are not
applications or if all the listed apps are not installed, app installation status does not
report success.
Note
The first app on the Included apps list is used for identifying the app when
multiple apps are present in the PKG file.
The CFBundleIdentifier and CFBundleShortVersionString can be found in the
<app_name>.app/Contents/Info.plist file of an installed app on a Mac.
Alternatively, Mac Terminal can be used to look up and confirm the included
app details of an installed app at a known location.
For example, to look up the bundle ID and build number of Company Portal,
run the following:
defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleIdentifier
defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleShortVersionString
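The Included apps and Ignore app version settings described for macOS LOB, DMG and PKG apps all rest on the same detection rule: each listed entry must be an app bundle whose CFBundleIdentifier (and, unless the version is ignored, CFBundleShortVersionString) matches, and the app only reports success when every entry is detected. The following is an added example, not code from the Intune agent or documentation, that applies those rules to app bundles on disk by reading Contents/Info.plist with plistlib. The bundle IDs, versions and app names are constructed samples, and the temporary directory stands in for /Applications.

```python
"""Evaluate Intune-style 'Included apps' detection for macOS app bundles.

Added example, not Intune agent code. It applies the rules the article
states for LOB, DMG and PKG apps:
  * Ignore app version = Yes: only the CFBundleIdentifier must be present.
  * Ignore app version = No: CFBundleIdentifier and CFBundleShortVersionString
    must both match.
  * Installation reports success only when every listed app is detected, so
    a non-app entry in the list keeps the status failed.
Bundle IDs, versions and app names below are constructed samples.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Optional


def read_bundle_info(app_path: Path) -> Optional[dict]:
    """Read the identifier and version from <app>.app/Contents/Info.plist.

    Returns None when the path is not an app bundle (for example a stray text file).
    """
    plist_path = app_path / "Contents" / "Info.plist"
    if not plist_path.is_file():
        return None
    with plist_path.open("rb") as handle:
        data = plistlib.load(handle)
    return {
        "bundle_id": data.get("CFBundleIdentifier"),
        "version": data.get("CFBundleShortVersionString"),
    }


def app_detected(app_path: Path, bundle_id: str, version: str, ignore_app_version: bool) -> bool:
    """Apply the Ignore app version rule to a single Included apps entry."""
    info = read_bundle_info(app_path)
    if info is None or info["bundle_id"] != bundle_id:
        return False
    if ignore_app_version:
        return True  # presence of the bundle ID is enough
    return info["version"] == version


def all_included_apps_detected(applications_dir, included_apps, ignore_app_version: bool) -> bool:
    """included_apps: iterable of (app folder name, bundle ID, version) tuples."""
    root = Path(applications_dir)
    return all(
        app_detected(root / name, bundle_id, version, ignore_app_version)
        for name, bundle_id, version in included_apps
    )


def make_sample_app(root, name: str, bundle_id: str, version: str) -> Path:
    """Create a minimal stand-in for an installed app bundle (constructed data)."""
    contents = Path(root) / name / "Contents"
    contents.mkdir(parents=True, exist_ok=True)
    with (contents / "Info.plist").open("wb") as handle:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleShortVersionString": version}, handle)
    return contents.parent


def demo() -> dict:
    """Run the scenarios against a temporary stand-in for /Applications."""
    results = {}
    with tempfile.TemporaryDirectory() as apps:
        make_sample_app(apps, "Sample.app", "com.example.sample", "2.1.0")
        (Path(apps) / "ReadMe.txt").write_text("not an app")  # non-app file in the folder
        sample = [("Sample.app", "com.example.sample", "2.1.0")]
        stale = [("Sample.app", "com.example.sample", "2.0.0")]  # Intune expects 2.0.0, device has 2.1.0
        with_readme = sample + [("ReadMe.txt", "", "")]        # non-app entry left in the list
        results["version_match"] = all_included_apps_detected(apps, sample, False)
        results["auto_updated_strict"] = all_included_apps_detected(apps, stale, False)
        results["auto_updated_ignored"] = all_included_apps_detected(apps, stale, True)
        results["non_app_entry"] = all_included_apps_detected(apps, with_readme, True)
    return results


if __name__ == "__main__":
    for scenario, detected in demo().items():
        print(f"{scenario}: {'success' if detected else 'not detected'}")
```

The two "auto_updated" scenarios show why the article recommends Ignore app version = Yes for self-updating apps: once the developer's updater has moved the bundle past the uploaded version, strict matching reports the app as not installed even though it is present. On a real Mac the same values can be confirmed with the `defaults read` commands above.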
Step 5 - Assignments
You can select the Required group assignment for the app. For more information, see
Add groups to organize users and devices and Assign apps to groups with Microsoft
Intune.
Note
A macOS app deployed using Intune agent will not automatically be removed from
the device when the device is retired. The app and data it contains will remain on
the device. It is recommended that the app is removed prior to retiring the device.
The app you have created appears in the apps list where you can assign it to the groups
you choose. For help, see How to assign apps to groups.
Known issues
"Available for enrolled devices" and "uninstall" assignment type are not
available: Only Required assignment type is currently supported.
Troubleshooting
macOS app installation may not be successful due to any of the following reasons
provided in the table below. To resolve these errors, follow the remediation steps. If the
app remains assigned, failed installations are retried at the next agent check-in.
0x87D30137
  Description: The device doesn't meet the minimum OS requirement set by the admin.
  Remediation: Update macOS to the minimum OS version required by the admin.
0x87D3012F, 0x87D30130, 0x87D30133, 0x87D30134, 0x87D30136
  Description: The app couldn't be installed due to an internal error. Contact Intune
  support if the error persists.
  Remediation: Something went wrong while installing the app using Intune. Try
  installing the app manually or try creating a new macOS app profile containing the
  app. Contact Intune support if the error persists.
Next steps
The app you have created is displayed in the apps list. You can now assign it to the
groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and
assignment of your app. For more information, see How to monitor app
information and assignments.
Learn more about the context of your app in Intune. For more information, see
Overview of device and app lifecycles
Win32 app management in Microsoft
Intune
Article • 08/24/2023
Microsoft Intune enables Windows Win32 app management. Although it's possible for
cloud-connected customers to use Microsoft Configuration Manager for Windows app
management, Intune-only customers will have greater management capabilities for their
Win32 apps. This topic provides an overview of the Intune Win32 app management
features and related information.
Note
This app management capability supports both 32-bit and 64-bit operating system
architecture for Windows applications.
Important
When you're deploying Windows Win32 apps, consider using the Win32 app type
in Intune exclusively, particularly when you have a multiple-file Win32 app installer.
If you mix the installation of Win32 apps and line-of-business apps during
Autopilot enrollment, the app installation might fail: both may attempt to use the
Trusted Installer service at the same time, and that conflict causes the failure.
Prerequisites
To use Win32 app management, be sure the following criteria are met:
Note
The Microsoft Intune management extension (IME) provides Intune's Win32
app type capabilities on managed clients. It is installed automatically when a
PowerShell script or Win32 app is assigned to the user or device. Additionally,
the Intune management extension agent checks every hour (or on service or
device restart) for any new Win32 app assignments.
Delivery optimization
Windows 10 1709 and later clients will download Intune Win32 app content by using the
delivery optimization component of Windows. Delivery optimization provides peer-to-peer
functionality that's turned on by default.
You can configure Delivery Optimization to download Win32 app content in either
background or foreground mode based on assignment. Delivery optimization can be
configured using Intune device configuration (or by group policy). For more information,
see Delivery Optimization for Windows 10.
Note
You can also install a Microsoft Connected Cache server on your Configuration
Manager distribution points to cache delivery optimization aware content like
Intune Win32 app content. For more information, see Microsoft Connected Cache
in Configuration Manager.
The following image notifies the user that app changes are being made to the device.
Additionally, the Company Portal app shows more app installation status messages to
users. The following conditions apply to Win32 dependency features:
App failed to be installed. Dependencies defined by the admin were not met.
App was installed successfully but requires a restart.
App is in the process of being installed but requires a restart to continue.
For available apps, the start time will dictate when the app is visible in the company
portal, and content will be downloaded when the user requests the app from the
company portal. You can also enable a restart grace period.
Set the app availability and other app assignment properties using the following steps:
3. Select an app from the list with Windows app (Win32) as its Type.
4. From the app pane, select Properties and then Edit next to the Assignments
section. Then select Add group, Add all users, or Add all devices below one of the
assignment types.
Required
Available for enrolled devices
Uninstall
Note
Win32 apps installed using the Available for enrolled devices assignment will
not be automatically reinstalled by Intune if they are uninstalled from a device
in any way.
5. If Add group was used, select a group on the Select groups pane to specify which
groups will be assigned the app.
7. In the Edit assignment pane, you can set the following properties:
Restart grace period to Enabled or Disabled. The restart grace period starts
as soon as the app installation has finished on the device. When the setting is
disabled, the device can restart without warning.
Next steps
For more information about adding apps to Intune, see Add apps to Microsoft
Intune.
Prepare Win32 app content for upload
Article • 06/12/2023
Before you can add a Win32 app to Microsoft Intune, you must prepare the app by
using the Microsoft Win32 Content Prep Tool .
Prerequisites
To use Win32 app management, be sure you meet the following criteria:
Use Windows 10 version 1607 or later (Enterprise, Pro, and Education versions).
Devices must be registered or joined to Azure Active Directory (Azure AD) and
auto-enrolled. The Intune management extension supports devices that are Azure
AD registered, Azure AD joined, hybrid domain joined, and group policy enrolled.
Note
For the scenario of group policy enrollment, the user uses the local user
account to Azure AD join their Windows 10 device. The user must log on to
the device by using their Azure AD user account and enroll in Intune. Intune
management extension is installed automatically when a PowerShell script, a
Win32 app, Microsoft Store apps, custom compliance policy settings, or
proactive remediations are assigned to the user or device.
Important
The Microsoft Win32 Content Prep Tool zips all files and subfolders when it
creates the .intunewin file. Be sure to keep the Microsoft Win32 Content Prep Tool
separate from the installer files and folders, so that you don't include the tool or
other unnecessary files and folders in your .intunewin file.
You can download the Microsoft Win32 Content Prep Tool from GitHub as a .zip file.
The zipped file contains a folder named Microsoft-Win32-Content-Prep-Tool-master. The
folder contains the prep tool, the license, a readme, and the release notes.
Command-line parameter   Description
-h                       Help
-c <setup_folder>        Folder for all setup files. All files in this folder will be
                         compressed into an .intunewin file.
-q                       Quiet mode.
Example commands
IntuneWinAppUtil -c c:\testapp\v1.0 -s c:\testapp\v1.0\setup.exe -o c:\testappoutput\v1.0 -q
This command generates the .intunewin file from the specified source folder and setup
file. For the MSI setup file, this tool retrieves required information for Intune. If -q is
specified, the command runs in quiet mode. If the output file already exists, it is
overwritten. Also, if the output folder doesn't exist, it's created automatically.
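As an added example that is not part of the Intune documentation or the Content Prep Tool itself, the following PowerShell wraps the packaging step: it refuses to package a setup folder that still contains the prep tool or a stale .intunewin (the Important note above explains why), records a SHA-256 manifest of everything that goes into the package, and then runs IntuneWinAppUtil with the -c, -s, -o and -q parameters shown above. The tool location, the setup and output paths and the manifest file name are assumptions.

```powershell
# Added example, not from the Intune docs. All paths below are assumptions.
param(
    [string]$PrepTool     = 'C:\Tools\Microsoft-Win32-Content-Prep-Tool-master\IntuneWinAppUtil.exe',
    [string]$SetupFolder  = 'C:\testapp\v1.0',
    [string]$SetupFile    = 'setup.exe',
    [string]$OutputFolder = 'C:\testappoutput\v1.0'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $PrepTool)) { throw "Prep tool not found: $PrepTool" }
$setupPath = Join-Path $SetupFolder $SetupFile
if (-not (Test-Path -LiteralPath $setupPath)) { throw "Setup file not found: $setupPath" }

# The tool zips everything under -c, so the tool must not live inside the setup
# folder, and no copy of it (or of an earlier package) may be lying around there.
$toolDir   = Split-Path -Parent (Resolve-Path -LiteralPath $PrepTool).Path
$setupRoot = (Resolve-Path -LiteralPath $SetupFolder).Path
if ($toolDir.StartsWith($setupRoot, [StringComparison]::OrdinalIgnoreCase)) {
    throw 'The Content Prep Tool is inside the setup folder; move it elsewhere before packaging.'
}
$strays = Get-ChildItem -LiteralPath $SetupFolder -Recurse -File |
    Where-Object { $_.Name -ieq 'IntuneWinAppUtil.exe' -or $_.Extension -ieq '.intunewin' }
if ($strays) {
    throw "Remove these from the setup folder before packaging: $($strays.FullName -join ', ')"
}

# Record exactly what is being packaged so the upload can be audited later.
$manifest = Get-ChildItem -LiteralPath $SetupFolder -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        Path   = $_.FullName.Substring($setupRoot.Length + 1)
        SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}

# Run the tool in quiet mode; it overwrites an existing output file and creates
# the output folder if needed (see the example command above).
& $PrepTool -c $SetupFolder -s $setupPath -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# The tool names the package after the setup file (setup.exe -> setup.intunewin).
$package = Join-Path $OutputFolder ([IO.Path]::GetFileNameWithoutExtension($SetupFile) + '.intunewin')
if (-not (Test-Path -LiteralPath $package)) { throw "Expected package not found: $package" }

# Manifest file name is an assumption; keep it next to the package, not inside it.
$manifest | Export-Csv -LiteralPath (Join-Path $OutputFolder 'package-manifest.csv') -NoTypeInformation
Get-Item -LiteralPath $package
```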
When you're generating an .intunewin file, put any files you need to reference into a
subfolder of the setup folder. Then, use a relative path to reference the specific file you
need. For example:
Next steps
Add a Win32 app to Microsoft Intune
Add, assign, and monitor a Win32 app
in Microsoft Intune
Article • 08/22/2023
After you've prepared a Win32 app to be uploaded to Intune by using the Microsoft
Win32 Content Prep Tool, you can add the app to Intune. To learn more about
preparing a Win32 app to be uploaded, see Prepare Win32 app content for upload.
Prerequisites
To use Win32 app management, be sure you meet the following criteria:
Use Windows 10 version 1607 or later (Enterprise, Pro, and Education versions).
Devices must be joined or registered to Azure Active Directory (Azure AD) and be
auto-enrolled. The Intune management extension supports devices that are Azure
AD joined, Azure AD registered, hybrid domain joined, or group policy enrolled.
Note
For the scenario of group policy enrollment, the user uses the local user
account to Azure AD join their Windows 10 device. The user must log on to
the device by using their Azure AD user account and enroll in Intune. Intune
will install the Intune Management extension on the device if a PowerShell
script or a Win32 app is targeted to the user or device.
Much like a standard line-of-business (LOB) app, you can add a Win32 app to Microsoft
Intune. This type of app is typically written in-house or by a third party.
Important
Be sure to use the latest version of the Microsoft Win32 Content Prep Tool. If
you don't use the latest version, you'll see a warning that says the app was
packaged using an older version of the tool.
Name: Enter the name of the app as it appears in the company portal. Make sure
all app names that you use are unique. If the same app name exists twice, only one
of the apps appears in the company portal.
Description: Enter the description of the app. The description appears in the
company portal.
Publisher: Enter the name of the publisher of the app.
Category: Select one or more of the built-in app categories, or select a category
that you created. Categories make it easier for users to find the app when they
browse through the company portal.
Show this as a featured app in the Company Portal: Display the app prominently
on the main page of the company portal when users browse for apps.
Information URL: Optionally, enter the URL of a website that contains information
about this app. The URL appears in the company portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL appears in the company portal.
Developer: Optionally, enter the name of the app developer.
Owner: Optionally, enter a name for the owner of this app. An example is HR
department.
Notes: Enter any notes that you want to associate with this app.
Logo: Upload an icon that's associated with the app. This icon is displayed with the
app when users browse through the company portal.
Step 2: Program
On the Program page, configure the app installation and removal commands for the
app:
Install command: Add the complete installation command line to install the app.
For example, if your app's file name is MyApp123, add the following:
msiexec /p "MyApp123.msp"
ApplicationName.exe /quiet
For the specific arguments that the application package supports, contact your
application vendor.
Important
Admins must be careful when they use the command tools. Unexpected or
harmful commands might be passed via the Install command and Uninstall
command fields.
%SystemRoot%\Sysnative\WindowsPowerShell\v1.0\powershell.exe
Uninstall command: Add the complete command line to uninstall the app based
on the app's GUID.
For example:
msiexec /x "{12345A67-89B0-1234-5678-000001000000}"
Installation time required: The number of minutes the system will wait for install
program to finish. Default value is 60 minutes. If the app takes longer to install
than the set installation time, the system will fail the app install. Max timeout value
is 1440 minutes (1 day).
Allow available uninstall: Select Yes to provide the uninstall option for this app for
users from the Company Portal. Select No to prevent users from uninstalling the
app from the Company Portal.
Note
You can configure a Win32 app to be installed in User or System context. User
context refers to only a particular user. System context refers to all users of a
Windows 10 device.
Users are not required to be logged in on the device to install Win32 apps.
The Win32 app installation and uninstallation will happen under admin
privilege (by default) when the app is set to install in user context and the user
on the device has admin privileges.
Specify return codes to indicate post-installation behavior: Add the return codes
that are used to specify either app installation retry behavior or post-installation
behavior. Return code entries are added by default during app creation. However,
you can add more return codes or change existing return codes.
1. In the Code type column, set the Code type to one of the following:
Failed: The return value that indicates an app installation failure.
Hard reboot: The hard reboot return code doesn't allow the next Win32
app to be installed on the client without reboot.
Soft reboot: The soft reboot return code allows the next Win32 app to be
installed without requiring a client reboot. Reboot is necessary to
complete installation of the current application.
Retry: With the retry return code, the agent will attempt to install the app three
times. It will wait for five minutes between each attempt.
Success: The return value that indicates the app was successfully installed.
2. If needed, select Add to add more return codes, or modify existing return
codes.
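Because the install command runs as SYSTEM and its exit code is what the return-code table above acts on, a thin wrapper script is a common way to keep the command line fixed, log the installer's output, and hand the exit code back unchanged. The following is an added example, not code from the Intune documentation; the script name, the MSI name and the log folder are assumptions, and the numeric codes are Windows Installer's standard values, which Intune's default return-code table already classifies.

```powershell
# Added example, not from the Intune docs. Assumed layout: this file is Install.ps1
# next to MyApp123.msi inside the .intunewin, and the app's Install command is
#   %SystemRoot%\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install.ps1
param(
    [string]$MsiName = 'MyApp123.msi',                       # constructed sample name
    [string]$LogDir  = "$env:ProgramData\IntuneInstallLogs"   # assumed log location
)

$msiPath = Join-Path $PSScriptRoot $MsiName
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("{0}-{1:yyyyMMdd-HHmmss}.log" -f $MsiName, (Get-Date))

if (-not (Test-Path -LiteralPath $msiPath)) {
    Write-Output "Installer missing: $msiPath"
    exit 1      # any code not in the return-code table is treated as Failed
}

# The argument list is fixed in the script; nothing here is built from input
# that a user of the device controls, because msiexec runs with SYSTEM rights.
$msiArgs = @('/i', "`"$msiPath`"", '/qn', '/norestart', '/L*v', "`"$log`"")
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
    -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode

# Windows Installer's standard codes, as classified by Intune's default table:
#   0    Success
#   3010 Soft reboot  (ERROR_SUCCESS_REBOOT_REQUIRED: next app may still install)
#   1641 Hard reboot  (ERROR_SUCCESS_REBOOT_INITIATED)
#   1618 Retry        (ERROR_INSTALL_ALREADY_RUNNING: agent retries three times)
# The code is passed through unchanged so the table applies; the script only
# annotates the agent log.
switch ($code) {
    0       { Write-Output "Install succeeded; log: $log" }
    3010    { Write-Output 'Install succeeded; a reboot is required (soft reboot)' }
    1641    { Write-Output 'Install succeeded; a reboot was initiated (hard reboot)' }
    1618    { Write-Output 'Another installation is in progress; Intune will retry' }
    default { Write-Output "Install failed with exit code $code; see $log" }
}
exit $code
```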
Step 3: Requirements
On the Requirements page, specify the requirements that devices must meet before the
app is installed:
Operating system architecture: Choose the architectures needed to install the app.
Minimum operating system: Select the minimum operating system needed to
install the app.
Disk space required (MB): Optionally, add the free disk space needed on the
system drive to install the app.
Physical memory required (MB): Optionally, add the physical memory (RAM)
required to install the app.
Minimum number of logical processors required: Optionally, add the minimum
number of logical processors required to install the app.
Minimum CPU speed required (MHz): Optionally, add the minimum CPU speed
required to install the app.
Configure additional requirement rules:
1. Select Add to display the Add a Requirement rule pane and configure more
requirement rules. Select the Requirement type value to choose the type of
rule that you'll use to determine how a requirement is validated. Requirement
rules can be based on file system information, registry values, or PowerShell
scripts.
File: When you choose File as the Requirement type value, the
requirement rule must detect a file or folder, date, version, or size.
Path: The full path of the folder that contains the file or folder to detect.
File or folder: The file or folder to detect.
Property: Select the type of rule used to validate the presence of the
app.
Associated with a 32-bit app on 64-bit clients: Select Yes to expand
any path environment variables in the 32-bit context on 64-bit clients.
Select No (default) to expand any path variables in the 64-bit context
on 64-bit clients. 32-bit clients will always use the 32-bit context.
Registry: When you choose Registry as the Requirement type value, the
requirement rule must detect a registry setting based on value, string,
integer, or version.
Key path: The full path of the registry entry that contains the value to
detect.
Value name: The name of the registry value to detect. If this value is
empty, the detection will happen on the key. The (default) value of a
key will be used as detection value if the detection method is other
than file or folder existence.
Registry key requirement: Select the type of registry key comparison
that's used to determine how the requirement rule is validated.
Associated with a 32-bit app on 64-bit clients: Select Yes to search the
32-bit registry on 64-bit clients. Select No (default) to search the 64-bit
registry on 64-bit clients. 32-bit clients will always search the 32-bit
registry.
Script: Choose Script as the Requirement type value when you can't
create a requirement rule based on file, registry, or any other method
available to you in the Microsoft Intune admin center.
Script file: For a rule based on a PowerShell script requirement, if the
exit code is 0, we'll detect the standard output (STDOUT) in more
detail. For example, we can detect STDOUT as an integer that has a
value of 1.
Run script as 32-bit process on 64-bit clients: Select Yes to run the
script in a 32-bit process on 64-bit clients. Select No (default) to run the
script in a 64-bit process on 64-bit clients. 32-bit clients run the script in
a 32-bit process.
Run this script using the logged on credentials: Select Yes to run the
script by using the signed-in device credentials.
Enforce script signature check: Select Yes to verify that a trusted
publisher has signed the script, which will allow the script to run with no
warnings or prompts displayed. The script will run unblocked. Select No
(default) to run the script with user confirmation without signature
verification.
Select output data type: Select the data type used for determining a
requirement rule match.
2. When you're finished setting the requirement rules, select OK.
Rules format: Select how the presence of the app will be detected. You can choose
to either manually configure the detection rules or use a custom script to detect
the presence of the app. You must choose at least one detection rule.
Note
The conditions for all rules must be met to detect the app.
If Intune detects that the app isn't present on the device, Intune will offer the
app again within approximately 24 hours. This will occur only for apps
targeted with the required intent.
Manually configure detection rules: You can select one of the following rule types:
MSI: Verify based on an MSI version check. This option can be added only once.
When you choose this rule type, you have two settings:
MSI product code: Add a valid MSI product code for the app.
MSI product version check: Select Yes to verify the MSI product version in
addition to the MSI product code.
Script file: Select a PowerShell script that will detect the presence of the app on
the client. The app will be detected when the script both returns a 0 value exit
code and writes a string value to STDOUT.
Run script as 32-bit process on 64-bit clients: Select Yes to run the script in a
32-bit process on 64-bit clients. Select No (default) to run the script in a 64-bit
process on 64-bit clients. 32-bit clients run the script in a 32-bit process.
Enforce script signature check: Select Yes to verify that a trusted publisher has
signed the script, which will allow the script to run with no warnings or prompts
displayed. The script will run unblocked. Select No (default) to run the script
without signature verification.
The Intune agent checks the results from the script. It reads the values written by
the script to the STDOUT stream, the standard error (STDERR) stream, and the exit
code. If the script exits with a nonzero value, the script fails and the application
detection status isn't installed. If the exit code is zero and STDOUT has data, the
application detection status is installed.
Note
We recommend encoding your script as UTF-8. When the script exits with the
value of 0, the script execution was successful. The second output channel
indicates that the app was detected. STDOUT data indicates that the app was
found on the client. We don't look for a particular string from STDOUT.
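The rules above mean a detection script has two outputs the agent reads: the exit code and whether anything reached STDOUT. As an added example, not a script from the Intune documentation, the following detection script finds a product's Uninstall registry entry, compares its DisplayVersion against a minimum, writes to STDOUT and exits 0 only when the app is detected, and stays silent with exit 1 otherwise; it enumerates both the native and the WOW6432Node registry views so the result does not depend on the 32-bit/64-bit process setting. The product name and minimum version are constructed sample values.

```powershell
# Added example, not from the Intune docs. $DisplayName and $MinimumVersion are
# constructed sample values; replace them for a real app.
$DisplayName    = 'Contoso Widget'
$MinimumVersion = [version]'2.5.0'

# Check both registry views explicitly, so the answer is the same whether
# "Run script as 32-bit process on 64-bit clients" is Yes or No.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledVersion {
    param([string]$Name)
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $entry = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($entry.DisplayName -eq $Name -and $entry.DisplayVersion) {
                # Installers sometimes append build tags; keep the numeric prefix only.
                $m = [regex]::Match($entry.DisplayVersion, '^\d+(\.\d+){1,3}')
                if ($m.Success) { [version]$m.Value }
            }
        }
    }
}

try {
    $found = @(Get-InstalledVersion -Name $DisplayName | Sort-Object -Descending)
    if ($found.Count -gt 0 -and $found[0] -ge $MinimumVersion) {
        # STDOUT data plus exit code 0 is what the agent treats as "installed".
        # The string is not inspected, so make it useful in the agent log.
        Write-Output "Detected $DisplayName $($found[0])"
        exit 0
    }
    # Not detected: write nothing to STDOUT and exit nonzero.
    exit 1
}
catch {
    # Errors go to STDERR, which never counts as detection output.
    Write-Error $_
    exit 1
}
```

For a requirement rule with an integer output data type, the same lookup can write 1 or 0 to STDOUT and always exit 0, so the comparison configured in the rule decides applicability.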
The version of your Win32 app is displayed in the Microsoft Intune admin center. The
app version is provided in the All apps list, where you can filter by Win32 apps and
select the optional version column. In the Microsoft Intune admin center, select Apps
> All apps > Columns > Version to display the app version in the app list.
After you've added your rules, select Next to display the Dependencies page.
Step 5: Dependencies
App dependencies are applications that must be installed before your Win32 app can be
installed. You can require that other apps are installed as dependencies.
Specifically, the device must install the dependent apps before it installs the Win32 app.
There's a maximum of 100 dependencies, which includes the dependencies of any
included dependencies, as well as the app itself.
You can add Win32 app dependencies only after your Win32 app has been added and
uploaded to Intune. After your Win32 app has been added, you'll see the Dependencies
option on the pane for your Win32 app.
Any Win32 app dependency needs to also be a Win32 app. It doesn't support
depending on other app types, such as single MSI LOB apps or Microsoft Store apps.
When you're adding an app dependency, you can search based on the app name and
publisher. Additionally, you can sort your added dependencies based on app name and
publisher. Previously added app dependencies can't be selected in the list of added app
dependencies.
You can choose whether or not to install each dependent app automatically. By default,
the Automatically install option is set to Yes for each dependency. By automatically
installing a dependent app, even if the dependent app isn't targeted to the user or
device, Intune will install the app on the device to satisfy the dependency before
installing your Win32 app.
Note
The install status of a dependent app will be displayed within Intune if the app is
targeted to the user or device.
It's important to note that a dependency can have recursive sub-dependencies, and
each sub-dependency will be installed before the main dependency is installed.
Additionally, installation of dependencies doesn't follow a specific order at a
dependency level.
Win32 apps added to Intune can't be removed while they are in a dependency
relationship. These apps can only be deleted after the dependency relationship is
removed. This requirement is applied to both parent and child apps in a dependency
relationship. Also, this requirement ensures that dependencies are enforced properly
and that dependency behavior is more predictable.
After you've selected dependencies, select Next to display the Scope tags page.
Dependency limitations
The following bulleted list provides additional clarity about dependency limitations:
If an app has 100 dependencies, then the app graph has a total size of 101 (100
dependency apps + 1 parent app).
If an app has 3 dependencies, and one of the dependency apps has 2
dependencies, then the app graph has a total size of 6 (1 parent app + 3
dependency apps + 2 dependency apps that are from another dependency app).
If an app is a dependency for multiple app "graphs", meaning that the dependency
is somewhere in the dependency chain for some app graph, then all apps from all
the separate graphs are summed to calculate the dependency size. For example, if
graph A has 23 apps, graph B has 62 apps, and graph C has 20 apps, and app X
exists as a dependency app somewhere in the dependency chain in all 3 graphs,
then the total size of the graph is 103 (app X is only counted once), which
surpasses the 100 limit restriction.
Dependency failures
When a dependent app isn't installed, the user will commonly see one of the following
notifications:
If you choose not to put a dependency in the Automatically install column, the Win32
app installation won't be attempted. Additionally, app reporting will show that the
dependency was flagged as failed and provide a failure reason. You can view the
dependency installation failure by selecting a failure (or warning) provided in the Win32
app installation details.
Each dependency will adhere to Intune Win32 app retry logic (try to install three times
after waiting for five minutes) and the global reevaluation schedule. Also, dependencies
are applicable only at the time of installing the Win32 app on the device. Dependencies
aren't applicable for uninstalling a Win32 app. To delete a dependency, you must select
the ellipsis (three dots) to the left of the dependent app located at the end of the row of
the dependency list.
Step 6: Supersedence
When you supersede an application, you can specify which app will be updated or
replaced. To update an app, disable the uninstall previous version option. To replace an
app, enable the uninstall previous version option. There's a maximum of 10 updated or
replaced apps, including references to other apps. For example, your app references
another app. This other app references other apps, and so on. This scenario creates a
graph of apps. All apps in the graph count toward the maximum value of 10.
To add apps that the current app will supersede:
1. In the Supersedence step, click Add to choose apps that should be superseded.
2. Find and click the apps to apply the supersedence relationship in the Add Apps
pane. Click Select to add the apps to your supersedence list.
3. In the list of superseded apps, modify the Uninstall previous version option for
each selected app to specify whether an uninstall command will be sent by Intune
to each selected app. If the installer of the current app updates the selected app
automatically, then it isn't necessary to send an uninstall command. When
replacing a selected app with a different app, it may be necessary to turn on the
Uninstall previous version option to remove and replace the older app.
Step 7: Assignments
You can select the Required, Available for enrolled devices, or Uninstall group
assignments for the app. For more information, see Add groups to organize users and
devices and Assign apps to groups with Microsoft Intune.
Important
For the scenario when a Win32 app is deployed and assigned based on user
targeting, if the Win32 app requires device admin privileges or any other
permissions that the standard user of the device doesn't have, the app will fail to
install.
After you finish setting the assignments for the apps, select Next to display the Review
+ create page.
At this point, you've completed steps to add a Win32 app to Intune. For information
about app assignment and monitoring, see Assign apps to groups with Microsoft Intune
and Monitor app information and assignments with Microsoft Intune.
Next steps
Monitor app information and assignments with Microsoft Intune
Troubleshoot Win32 app issues
Add Win32 app supersedence
Article • 05/25/2023
After you've added a Win32 app to Intune, you can use Intune to create one or more
supersedence relationships between apps. In general, supersedence is where you
update or replace something. In Intune, supersedence enables you to update and
replace existing Win32 apps with newer versions of the same app or an entirely different
Win32 app. This topic provides an overview of the supersedence feature.
Important
Supersedence, which enables you to update and replace a version of a Win32 app,
doesn't currently allow you to interchange the Win32 app with an app dependency.
For more information about app dependencies, see Dependencies.
Prerequisites
App supersedence can only be applied to Win32 apps. For more information, see Add a
Win32 app to Intune.
A Microsoft Intune permission is required to create and edit Win32 app supersedence
and dependency relationships with other apps. The permission is available under the
Mobile apps category by selecting Relate. Starting in the 2202 service release, Intune
admins need this permission to add supersedence and dependency apps when creating
or editing a Win32 app in Microsoft Intune admin center. To find this permission in
Microsoft Intune admin center, choose Tenant administration > Roles > All roles >
Create.
This Win32 app supersedence permission has been added to the following built-in roles:
Application Manager
School administrator
2. Select Apps > All apps, and then select a Win32 app from the list. If you haven't
added a Win32 app, you can follow the steps to add a Win32 app to Intune.
3. After you have selected the existing Win32 app, click Properties.
4. In the Supersedence section, click Edit > Add to choose apps that should be
superseded.
5. Find and click the apps to apply the supersedence relationship in the Add Apps
pane. Click Select to add the apps to your supersedence list.
6. In the list of superseded apps, modify the Uninstall previous version option for
each selected app to specify whether an uninstall command will be sent by Intune
to each selected app. If the installer of the current app updates the selected app
automatically, then it isn't necessary to send an uninstall command. When
replacing a selected app with a different app, it may be necessary to turn on the
Uninstall previous version option to remove and replace the older app.
Superseding apps do not get automatic targeting. Each app must have explicit
targeting to take effect. Superseding apps that aren't targeted will be ignored
by the agent. If the superseding app is targeted to a device with a superseded
app, then the supersedence will take place regardless of whether the
superseded app has targeting or not. For more information on Supersedence
behavior, please refer to the matrix below. This behavior is in direct contrast
to dependencies, which doesn't require targeting. Additionally, only apps that
are targeted will show install statuses in Microsoft Intune admin center.
Supersedence behavior
A superseding app is an app that updates or replaces other apps. A superseded app is an
app that is being updated or replaced. Supersedence behavior can be illustrated based
on the following scenarios.
Scenario 1: The superseded app exists on the device and Uninstall previous version is
set to Yes.
Behavior: The superseded app will be uninstalled, and the superseding app will be
installed on the device. NOTE: Even if the superseded app isn't targeted, it will be
uninstalled.
Company Portal: Only superseding apps will be shown in the company portal and can be
installed.

Scenario 2: The superseded app exists on the device and Uninstall previous version is
set to No.
Behavior: The superseding app will be installed on the device. Whether the superseded
app will be uninstalled or not is dependent on the superseding app's installer.
Company Portal: Only superseding apps will be shown in the company portal and can be
installed.

Scenario 3: The superseded app doesn't exist on the device.
Behavior: The superseding app will be installed.
Company Portal: The new app will appear in the Company Portal.
App update
Scenario: IT admin wants to update an app with a newer version of the same app.
Behavior: The installer of the newer version of the app (the superseding app) will
automatically update the older version of the app to the newer version.
Notes: Since the installer will complete the updating, it isn't necessary to send down an
uninstall command to the older version. Hence, the Uninstall previous version is
toggled off.

App replacement
Scenario: IT admin wants to replace an app with an entirely different app.
Behavior: The superseded app will be uninstalled and the superseding app will be
installed. Both install and uninstall will be based on IT Pro's defined install/uninstall
command line.
Notes: Since the two apps are different, the admin can turn the Uninstall previous
version toggle on to uninstall the older app from the device.
In-place app update: With an in-place app update, admin can only swap the app content,
update the metadata, and change the detection and install commands. Admin cannot
change any of the fields that aren't stored on the app with an in-place app update. For
example, the admin cannot modify targeting at the same time as an update. Admin can
only perform the in-place app update one app at a time.

Supersedence app update: Admin can update an app in its entirety with a new set of
configurations. Admin can elect to send down an uninstall command to uninstall
previous app versions. Admin can update devices containing multiple app versions to
the newest app version with one Supersedence configuration. The admin also maintains
access to older version of the app.
Case / Resolution Notes

Case: Neither app is detected on the device. A is superseded by B via app update.
Result: Install B.
Resolution Notes: App update means that admin chose not to uninstall the superseded
app during the configuration stage. See above in the Supersedence Step in App
Deployment.

Case: Only A is detected on the device. A is superseded by B via app update.
Result: Install B.
Resolution Notes: Since admin chose not to uninstall the previous version during
configuration, A isn't explicitly uninstalled by Intune. A may be uninstalled based on
the behavior of B's installer.

Result: Nothing.

Case: Both apps are detected on the device. A is superseded by B via app update.
Result: Nothing.
Resolution Notes: Since B is already detected on the device, no action is taken. Admin
chose not to uninstall the previous version when configuring, hence A isn't uninstalled.

Case: Neither app is detected on the device. A is superseded by B via app replacement.
Result: Install B.
Resolution Notes: App replacement means that admin chose to uninstall the superseded
app during the configuration stage. See above in the Supersedence Step in App
Deployment.

Case: Only A is detected on the device. A is superseded by B via app replacement.
Result: Uninstall A, then install B.
Resolution Notes: A will be uninstalled and once the agent detects that A is no longer
present on the device, it will install B. If the detection continues to detect A as
present, then the agent won't install B. Whether B is installed on the device is
predicated on whether A is detected on the device.

Case: Only B is detected on the device. A is superseded by B via app replacement.
Result: None.
Resolution Notes: No actions are taken because B is already installed and A doesn't
exist on the device.

Case: Both apps are detected on the device. A is superseded by B via app replacement.
Result: Uninstall A.
Resolution Notes: A is uninstalled as part of the app replacement process. Detection of
a replaced app after the replacing app is already installed will incur a remediation
enforcement.
To better understand the behavior of a supersedence chain, the following table provides
a list of cases and resolutions. When reviewing these supersedence chains, assume all
apps are targeted and are applicable to the device.
Case / Resolution Notes

Case: None of the apps exist on the device. The relationship between apps is one of
app update.
Result: Install C.
Resolution Notes: Since none of the apps exist on the device, we install the
superseding app: App C. The superseding app refers to the app that supersedes all
other apps in the chain.

Case: Only Apps A and C exist on the device. The relationship between apps is one of
app update.
Result: None.
Resolution Notes: Since App C already exists on the device and this is an app update
scenario, App A isn't uninstalled.

Case: Only App A exists on the device. The relationship between apps is one of app
update.
Result: Install C.
Resolution Notes: Simply install App C. App A isn't uninstalled because it is an app
update scenario. C's installer may or may not have behavior to remove A, where
"remove" means A is no longer detected via its detection rules (usually due to version
detection).

Case: Only App C exists on the device. The relationship between apps is one of app
update.
Result: None.
Resolution Notes: Since App C, the superseding app, already exists on the device, and
this is an app update scenario, no action is taken.

Case: None of the apps exist on the device. The relationship between apps is one of
app replacement.
Result: Install C.
Resolution Notes: Since none of the apps exist on the device, simply install the
superseding app, App C.

Case: Apps A and C exist on the device. The relationship between apps is one of app
replacement.
Result: Uninstall A.
Resolution Notes: Since App C exists on the device and this is an app replacement
scenario, simply uninstall App A.

Case: Only App C exists on the device. The relationship between apps is one of app
replacement.
Result: None.
Resolution Notes: Since the superseding app, App C, exists on the device and none of
the other superseded apps exist, no action is taken.
Supersedence Limitations
There can only be a maximum of 11 nodes in a single supersedence graph. The nodes
include the superseding app, the superseded apps, and all subsequent related apps. In
the following Supersedence diagram, there are five nodes in total. Hence, five more
nodes could be created until the max node count is reached.
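Both the dependency limit (Dependency limitations, above) and this supersedence limit count every app reachable through a relationship chain exactly once, however many chains reach it. As an added example, not code from the Intune documentation, the following PowerShell walks such a graph and reproduces the arithmetic of the dependency bullets (the 6-app graph and the 103-app graph that shares app X) as well as a three-version supersedence chain. App names are constructed sample values.

```powershell
# Added example, not from the Intune docs. App names are constructed sample values;
# the limits (100 dependency apps, 11 supersedence nodes) come from the text above.
function Get-ReachableApps {
    param(
        [Parameter(Mandatory)][string[]]$Roots,
        [Parameter(Mandatory)][hashtable]$Edges   # app name -> names it depends on / supersedes
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $stack = [System.Collections.Generic.Stack[string]]::new()
    foreach ($r in $Roots) { $stack.Push($r) }
    while ($stack.Count -gt 0) {
        $app = $stack.Pop()
        if (-not $seen.Add($app)) { continue }        # already counted; shared apps count once
        foreach ($next in @($Edges[$app])) { if ($next) { $stack.Push($next) } }
    }
    return ,$seen
}

function Test-RelationshipLimit {
    param(
        [string[]]$Roots,
        [hashtable]$Edges,
        [ValidateSet('Dependency', 'Supersedence')][string]$Kind
    )
    # A dependency graph of more than 100 apps surpasses the limit; a supersedence
    # graph may hold at most 11 nodes.
    $limit = if ($Kind -eq 'Dependency') { 100 } else { 11 }
    $size  = (Get-ReachableApps -Roots $Roots -Edges $Edges).Count
    [pscustomobject]@{ Kind = $Kind; Nodes = $size; Limit = $limit; OverLimit = ($size -gt $limit) }
}

# Second dependency bullet: 1 parent + 3 dependencies, one of which has 2 more.
$deps = @{
    'Parent' = @('Dep1', 'Dep2', 'Dep3')
    'Dep2'   = @('Dep2a', 'Dep2b')
}
Test-RelationshipLimit -Roots 'Parent' -Edges $deps -Kind Dependency

# Third dependency bullet: graphs of 23, 62 and 20 apps whose chains all end in app X.
function Add-Chain {
    param([string]$Prefix, [int]$Length, [string]$Tail, [hashtable]$Edges)
    for ($i = 1; $i -le $Length; $i++) {
        $next = if ($i -lt $Length) { "$Prefix$($i + 1)" } else { $Tail }
        $Edges["$Prefix$i"] = @($next)
    }
}
$shared = @{}
Add-Chain -Prefix 'A' -Length 22 -Tail 'X' -Edges $shared     # A1..A22 + X = 23 apps
Add-Chain -Prefix 'B' -Length 61 -Tail 'X' -Edges $shared     # B1..B61 + X = 62 apps
Add-Chain -Prefix 'C' -Length 19 -Tail 'X' -Edges $shared     # C1..C19 + X = 20 apps
Test-RelationshipLimit -Roots 'A1', 'B1', 'C1' -Edges $shared -Kind Dependency

# Supersedence chain: AppV3 supersedes AppV2, which supersedes AppV1.
$super = @{ 'AppV3' = @('AppV2'); 'AppV2' = @('AppV1') }
Test-RelationshipLimit -Roots 'AppV3' -Edges $super -Kind Supersedence
```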
Additional supersedence limitations:
Next steps
Troubleshoot Win32 app issues
Monitor app information and assignments with Microsoft Intune
Win32 app management in Microsoft Intune
Troubleshoot Win32 app issues
Article • 05/25/2023
When you're troubleshooting Win32 apps used in Microsoft Intune, you can use a
number of methods. This article provides troubleshooting details and information to
help you solve Win32 app problems. For more information, see Win32 app installation
troubleshooting resources.
Note
This app management capability supports both 32-bit and 64-bit operating system
architectures for Windows applications.
Important
When you're deploying Win32 apps, consider using the Intune Management
Extension approach exclusively, particularly when you have a multiple-file Win32
app installer. If you mix the installation of Win32 apps and line-of-business (LOB)
apps during Autopilot enrollment, the app installation might fail. The Intune
management extension is installed automatically when a PowerShell script or
Win32 app is assigned to the user or device.
For the scenario when a Win32 app is deployed and assigned based on user
targeting, if the Win32 app requires device admin privileges or any other
permissions that the standard user of the device does not have, the app will fail to
install.
Important
To allow proper installation and execution of LOB Win32 apps, antimalware settings
should exclude the following directories from being scanned:
C:\windows\IMECache
PowerShell
$FileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo("<path to binary file>").FileVersion
# The line below trims the spaces before and after the version name
$FileVersion = $FileVersion.Trim();
if ($FileVersion -eq "<file version of successfully detected file>")
{
    # Writing the version to STDOUT together with exit code 0 reports the app as detected
    $FileVersion
    exit 0
}
else
{
    # Nothing on STDOUT and a nonzero exit code reports the app as not detected
    exit 1
}
In the preceding PowerShell command, replace the <path to binary file> string with
the path to your Win32 app file. An example path would be similar to the following:
18\Common7\IDE\ssms.exe
Also, replace the <file version of successfully detected file> string with the file
version that you need to detect. An example file version string would be similar to the
following:
2019.0150.18118.00 ((SSMS_Rel).190420-0019)
If you need to get the version information of your Win32 app, you can use the following
PowerShell command:
PowerShell
[System.Diagnostics.FileVersionInfo]::GetVersionInfo("<path to binary
file>").FileVersion
In the preceding PowerShell command, replace <path to binary file> with your file
path.
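A more robust variant of this detection check, added here as an example and not taken from the Intune documentation: it parses the FileVersion string into a [version] and tests for greater-than-or-equal, so an app that has been patched to a newer build is still reported as installed instead of being treated as missing. The binary path and the minimum version are placeholders you replace; the version value shown is assumed for illustration.

```powershell
# Added example (not from the Intune documentation): a detection script that
# compares the file version numerically instead of by exact string match, so
# the app still counts as detected after an in-place update to a newer build.
# <path to binary file> and $MinVersion are placeholders you supply.

$Path       = "<path to binary file>"          # e.g. the app's main executable
$MinVersion = [version]"2019.150.18118.0"      # lowest build that counts as installed (assumed value)

if (-not (Test-Path -LiteralPath $Path)) {
    # No STDOUT output and a non-zero exit code: Intune treats the app as not detected.
    exit 1
}

$Raw = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).FileVersion
if ([string]::IsNullOrWhiteSpace($Raw)) { exit 1 }

# Raw values can look like "2019.0150.18118.00 ((SSMS_Rel).190420-0019)".
# Keep only the leading dotted-number token before casting to [version].
$Token = ($Raw.Trim() -split '\s+')[0]
try {
    $Installed = [version]$Token
} catch {
    # Unparseable version string: fail closed rather than report success.
    exit 1
}

if ($Installed -ge $MinVersion) {
    # Intune requires output on STDOUT plus exit code 0 to count the app as detected.
    Write-Output "Detected $Path version $Installed"
    exit 0
}
exit 1
```

Keep the Write-Output line: a custom detection script that exits 0 with an empty STDOUT is treated as "not detected", and the app is reinstalled at the next evaluation.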
Additional troubleshooting areas to consider
Check targeting to make sure the agent is installed on the device. A Win32 app
targeted to a group or a PowerShell Script targeted to a group will create an agent
installation policy for a security group.
Check the OS version: Windows 10 1607 and later.
Check the Windows 10 SKU. Windows 10 S, and Windows versions running with S
mode enabled, don't support MSI installation.
For more information about troubleshooting Win32 apps, see Win32 app installation
troubleshooting. For information about app types on ARM64 devices, see App types
supported on ARM64 devices.
Next steps
Troubleshoot app installation issues
Enable Win32 apps on S mode devices
Article • 03/07/2023
Windows 10 S mode is a locked-down operating system that only runs Store apps. By
default, Windows S mode devices don't allow installation and execution of Win32 apps.
These devices include a single Windows 10 S base policy, which blocks the S mode device
from running any Win32 apps. However, by creating and using an S mode supplemental
policy in Intune, you can install and run Win32 apps on Windows 10 S mode managed
devices. By using the Windows Defender Application Control (WDAC) PowerShell tools,
you can create one or more supplemental policies for Windows S mode. You must sign
the supplemental policies with the Device Guard Signing Service (DGSS) or with
SignTool.exe and then upload and distribute the policies via Intune. As an alternative,
you can sign the supplemental policies with a code-signing certificate from your
organization; however, the preferred method is to use DGSS. If you use a
code-signing certificate from your organization, the root certificate that the
code-signing certificate chains up to must be present on the device.
By assigning the S mode supplemental policy in Intune, you enable the device to make
an exception to the device's existing S mode policy, which allows the uploaded
corresponding signed app catalog. The policy sets an allowlist of apps (the app catalog)
that can be used on the S mode device.
Note
The steps to allow Win32 apps to run on a Windows 10 device in S mode are the
following:
You use the Windows Defender Application Control (WDAC) tools to create a
supplemental policy. The base policy ID within the policy must match the S
mode base policy ID (which is hard coded on the client). Also, make sure that
the policy version is higher than the previous version.
You use DGSS to sign your supplemental policy. For more information, see
Sign code integrity policy with Device Guard signing.
You upload the signed supplemental policy to Intune by creating a Windows
10 S mode supplemental policy (see below).
You create catalog files (one for every app) and sign them using DGSS or
other certificate infrastructure.
You package the signed catalog into the .intunewin file using the Microsoft
Win32 Content Prep Tool. There are no naming restrictions when creating a
catalog file using the Microsoft Win32 Content Prep Tool. When generating
the .intunewin file from the specified source folder and setup file, you can
provide a separate folder containing only catalog files by using the -a
command-line option. For more information, see Win32 app management - Prepare
the Win32 app content for upload.
Intune applies the signed app catalog to install the Win32 app on the S mode
device using the Intune Management Extension.
Note
S mode supplemental policies for apps must be delivered via the Intune Management
Extension.
S mode policies are enforced at the device level. Multiple targeted policies are
merged on the device, and the merged policy is enforced on the device.
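The policy-creation and signing steps in the note above, as an added PowerShell example that is not part of the Intune documentation. It uses the ConfigCI cmdlets that ship with Windows and SignTool from the Windows SDK. The staging folder, policy paths, certificate paths and subject name, policy name, and version number are assumptions for illustration; the S mode base policy ID is left as a placeholder because its value isn't given on this page and must be taken from Microsoft's S mode documentation.

```powershell
# Added example (not from the Intune documentation): build, version, convert
# and sign an S mode supplemental WDAC policy with the ConfigCI cmdlets.
# Assumptions: the app's binaries are staged under C:\Staging\ContosoApp, the
# signing certificate is exported to C:\Certs\ContosoCodeSigning.cer, and the
# S mode base policy ID (hard-coded on the client) is supplied as a placeholder.

$AppRoot     = "C:\Staging\ContosoApp"                      # assumed staging folder
$PolicyXml   = "C:\Policies\ContosoApp_Supplemental.xml"    # assumed output paths
$PolicyBin   = "C:\Policies\ContosoApp_Supplemental.bin"
$SignerCer   = "C:\Certs\ContosoCodeSigning.cer"            # assumed public cert of the signer
$SmodeBaseId = "<S mode base policy ID>"                    # placeholder, see lead-in
$NewVersion  = "1.0.0.2"                                    # must be higher than the previous version

# 1. Scan the staged app and emit allow rules at Publisher level. Signer-based
#    rules survive app updates; -Fallback Hash covers any unsigned files.
#    -MultiplePolicyFormat is required for a supplemental policy.
New-CIPolicy -FilePath $PolicyXml -ScanPath $AppRoot -Level Publisher `
             -Fallback Hash -UserPEs -MultiplePolicyFormat

# 2. Allow the signing certificate as a policy updater, so later versions signed
#    with the same certificate are accepted by the client.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $SignerCer -User -Update

# 3. Mark the policy as a supplement to the S mode base policy. The client
#    rejects a supplemental policy whose BasePolicyID does not match.
Set-CIPolicyIdInfo -FilePath $PolicyXml -SupplementsBasePolicyID $SmodeBaseId `
                   -PolicyName "Contoso S mode supplemental"

# 4. Bump the version; the client ignores a policy that is not newer than the
#    one it already has.
Set-CIPolicyVersion -FilePath $PolicyXml -Version $NewVersion

# 5. Convert to the binary form that gets signed and uploaded.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 6. Sign with SignTool (DGSS is the preferred alternative). /p7 writes a
#    detached PKCS#7 ($PolicyBin.p7) into the given folder, and /p7co with the
#    code-integrity policy OID marks the payload as a WDAC policy.
#    "Contoso Code Signing" is an assumed certificate subject name.
& signtool.exe sign /v /n "Contoso Code Signing" /p7 (Split-Path $PolicyBin) `
    /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $PolicyBin
```

Run this on an admin workstation, not on the S mode device. The resulting signed policy is what you upload in the S mode supplemental policy profile; the app catalog for each Win32 app is a separate artifact that travels inside the .intunewin package.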
3. Before adding the Policy file, you must create and sign it. For more information,
see:
On the Scope tags page you can optionally configure scope tags to determine
who can see the app policy in Intune. For more information about scope tags, see
Use role-based access control and scope tags for distributed IT.
The Assignments page allows you to assign the policy to users and devices. It's
important to note that you can assign a policy to a device whether or not the
device is managed by Intune.
7. Select Next: Review + create to review the values you entered for the profile.
8. When you're done, select Create to create the S mode supplemental policy in
Intune.
Once the policy is created, you'll see it added to the list of S mode supplemental policies
in Intune. Once the policy is assigned, it's deployed to the devices. Note that
you must deploy the app to the same security group as the supplemental policy. You can
then start targeting and assigning apps to those devices, which allows your end users to
install and execute the apps on the S mode devices.
Policy Reporting
The S mode supplemental policy, which is enforced at the device level, only has device-level
reporting. Device-level reporting is available for success and error conditions.
Reporting values that are shown in the Microsoft Intune admin center for S mode
policies:
Next steps
For more information, see Win32 apps on S mode.
For more information about adding apps to Intune, see Add apps to Microsoft
Intune.
For more information about Win32 apps, see Intune Win32 app management.
Deploy Windows update packages in
Intune
Article • 03/07/2023
If you want to deploy a specific Windows update package (.msu file) to Windows 10/11
devices managed by Intune, you can use the Intune Win32 app management capabilities
to deploy an .msu file as a Win32 app.
The following steps help you deploy a Windows update package to Intune.
3. In the Select app type pane, under Other app types, select Windows app (Win32).
4. Click Select, locate the Add app pane, and then select Select app package file.
5. In the App package file pane, select the .intunewin file, and then select OK.
6. On the App information page, add the details for your app.
7. On the Program page, specify the following installation and removal commands
for the app:
Install command:
wusa.exe .\windows10.0-kb4532693-x64_e22f60a077a0ec5896266a18cc3daf26bfc29e16.msu /quiet /norestart -Wait
Uninstall command:
Use the /quiet switch to run Wusa.exe in quiet mode without user interaction. Use
the /norestart switch to prevent Wusa.exe from restarting the computer. For more
information about Wusa.exe, see Description of the Windows Update Standalone
Installer in Windows.
The -Wait option is used to make sure that the app installation returns after
Wusa.exe exits. Note that -Wait isn't one of the switches Wusa.exe documents; if
the install command returns before the update has finished applying, run Wusa.exe
from a script with Start-Process -Wait instead.
8. On the Requirements page, specify the requirements that devices must meet
before the app is installed.
For example, to install the app on only devices that are running Windows 10,
version 1903, build 18362, UBR less than 329, select Registry as the Requirement
type, and then specify the following rules:
Example:
PowerShell
# $result holds the outcome of the version check that precedes this block
if ($result) {
    exit 0
}
else {
    exit 1
}
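As an added example (not from the Intune documentation), a requirement script for the scenario above: it reads the build number and update build revision (UBR) from the standard Windows version key in the registry and reports the device as eligible only for build 18362 below UBR 329. The thresholds are the ones the text describes; the output message wording is my own.

```powershell
# Added example (not from the Intune documentation): a requirement script for
# the scenario above. Intune runs it before install; exit code 0 plus output on
# STDOUT means "requirement met", anything else means "not applicable".
# The registry path is the standard Windows version key.

$TargetBuild = 18362   # Windows 10, version 1903
$MaxUbr      = 329     # install only while the UBR is below this value

try {
    $Key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                            -Name CurrentBuild, UBR -ErrorAction Stop
} catch {
    # Cannot read the version key: treat as not applicable rather than guess.
    exit 1
}

$Build = [int]$Key.CurrentBuild
$Ubr   = [int]$Key.UBR

if ($Build -eq $TargetBuild -and $Ubr -lt $MaxUbr) {
    Write-Output "Applicable: build $Build.$Ubr"
    exit 0
}
# Wrong build, or the device is already at or beyond UBR 329.
exit 1
```

For the matching detection rule, invert the UBR test (report detected when the UBR is at or above the value the package raises it to) or check the installed hotfix list with Get-HotFix -Id KB4532693; otherwise Intune sees the update as never installed and retries it.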
11. Review your settings, and then select Create to add the app to Intune.
Next steps
For more information about adding apps to Intune, see Add apps to Microsoft
Intune.
For more information about Win32 apps, see Intune Win32 app management.
Add and assign the Windows Company
Portal app for Intune managed devices
Article • 04/06/2023
To manage devices and install apps, your users can optionally use the Company Portal
app. You can assign the Windows Company Portal app directly from Intune using
Microsoft Store app (new) apps.
Prerequisites
You can choose to install the Company Portal app using the steps below. The Company
Portal app will be installed in device context (also known as system-context) when
assigned to the Autopilot group and will be installed on the device before the user logs
in.
Next steps
To learn more about assigning apps, see Assign apps to groups.
To learn more about Microsoft Store app (new) apps, see Add Microsoft Store
apps to Microsoft Intune.
Add the Windows 10 Company Portal
app by using Microsoft Intune
Article • 03/06/2023
To manage devices and install apps, your users can install the Company Portal app
themselves from the Microsoft Store. If your business needs require that you assign the
Company Portal app to them, however, you can assign the Windows 10 Company Portal
app directly from Intune. You can do so even if you haven't integrated Intune with the
Microsoft Store for Business.
Important
If you download the Company Portal app, the option described in this article
requires that you assign manual updates each time an app update is released. To
deploy the Company Portal app for Windows 10 Autopilot provisioned devices, see
Add Windows 10 Company Portal app Autopilot devices.
Note
2. Set the License type to Offline. Offline apps are managed by Intune, whereas
online apps are managed by the store. Use offline apps when you need to install
and maintain a specific app version.
3. Select Get the app to acquire and add the offline Company Portal app to your
inventory. If you already have the offline app, you can select the Manage option.
4. For Platform, select Windows 10 all devices, and then select the appropriate
Minimum version, Architecture, and Download app metadata values.
This action must be completed for x86, x64, and ARM architectures:
There are 9 Required Framework Packages when selecting 1507 as the minimum OS
Version, 12 packages when selecting 1511, and 15 packages when selecting 1607.
7. In Microsoft Intune in the portal, upload the Company Portal app as a new app.
You add the application by selecting Line-of-business app as the App type in the
Select app type pane. You then select the app package file (extension
.AppxBundle).
8. Under Select dependency app files select all the dependencies you downloaded in
step 7 by using shift-click, and verify that the Added column displays Yes for the
architectures you need.
Note
If the dependencies aren't added, the app might not install on the specified
device types.
9. Click Ok, enter any desired App Information, and click Add.
10. Assign the Company Portal app as a required app to your selected set of user or
device groups.
For more information about how Intune handles dependencies for Universal apps, see
Deploying an appxbundle with dependencies via Microsoft Intune MDM.
Note
Microsoft Intune will be ending support on October 21, 2022 for devices running
Windows 8.1. Intune will no longer support Windows 8.1 sideloading.
If you need to sideload the app and you assigned the Windows 8.1 Company Portal
without signing it with the Symantec Certificate, complete the upgrade by completing
the steps in the preceding sections of this article.
If you need to sideload the app and you signed and assigned the Windows 8.1
Company Portal app with the Symantec code-signing certificate, follow the steps in the
next section.
Otherwise, the Windows 10 Company Portal app must be appropriately updated and
signed to ensure that the upgrade path is respected.
If you sign and assign the Windows 10 Company Portal app in this way, you will need to
repeat this process for each new app update when it is available in the store. The app is
not automatically updated when the store is updated.
Here's how you sign and assign the app in this way:
1. Download the Microsoft Intune Windows 10 Company Portal App Signing Script .
This script requires the Windows SDK for Windows 10 to be installed on the host
computer. Download the Windows SDK for Windows 10 .
2. Download the Windows 10 Company Portal app from the Microsoft Store for
Business, as discussed previously.
3. To sign the Windows 10 Company Portal app, run the script with the input
parameters detailed in the script header, as shown in the following table.
Dependencies do not need to be passed into the script. They are required only
when the app is being uploaded to the Microsoft Intune admin center.
Parameter    Description
Win81Appx    The path to the Windows 8.1 Company Portal (.APPX) file.
PfxFilePath  The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file.
SdkPath      The path to the root folder of the Windows SDK for Windows 10. This argument is
             optional and defaults to ${env:ProgramFiles(x86)}\Windows Kits\10.
When the script has finished running, it outputs the signed version of the Windows 10
Company Portal app. You can then assign the signed version of the app as a line-of-
business (LOB) app via Intune, which upgrades the currently assigned versions to this
new app.
Next steps
Assign apps to groups
Add the macOS Company Portal app
Article • 03/07/2023
To manage devices, install optional apps, and gain access to resources protected by
Conditional Access on macOS devices with user affinity, users must install and sign in to
the Company Portal app. You can provide instructions to your users to install Company
Portal for macOS or install it on devices already enrolled directly from Intune.
You can use any of the following options to install the Company Portal for macOS app:
To help keep the apps more secure and up to date once installed, the Company Portal
app comes with Microsoft AutoUpdate (MAU).
Note
The Company Portal app can only be installed automatically on devices using
Intune that are already enrolled using direct enrollment or Automated Device
Enrollment. For personal device or manual enrollment, the Company Portal app
must be downloaded and installed to initiate enrollment. See Instruct users to
download and install Company Portal.
Note
When you download the Intune Company Portal for macOS devices version
2.18.2107 and later, it installs the new universal version of the app that runs natively
on Apple Silicon Macs. The same app will install the x64 version of the app on Intel
Mac machines.
Install Company Portal for macOS as a macOS
LOB app
Company Portal for macOS can be downloaded and installed using the macOS LOB apps
feature. The version downloaded is the version that will always be installed and may
need to be updated periodically to ensure users get the best experience during initial
enrollment.
2. Follow the instructions to create a macOS LOB app in macOS LOB apps.
Note
Once installed, the Company Portal for macOS app will automatically update using
Microsoft AutoUpdate (MAU).
1. Download a sample script to install Company Portal for macOS from Intune Shell
Script Samples - Company Portal.
2. Follow instructions to deploy the macOS Shell Script using macOS Shell Scripts.
Set Run script as signed-in user to No (to run in the system context).
Set Maximum number of retries if script fails to 3.
Note
The script will require Internet access when it runs to download the current version
of the Company Portal for macOS.
Signing into the Company Portal for macOS
when using Setup Assistant with Modern
Authentication
For macOS devices running 10.15 and later, when creating an Automated Device
Enrollment profile, you can now choose a new authentication method: Setup Assistant
with modern authentication. The user has to authenticate using Azure AD credentials
during the setup assistant screens. This will require an additional Azure AD login post-
enrollment in the Company Portal app to gain access to corporate resources protected
by Conditional Access and for Intune to assess device compliance. The Company Portal
can be installed in any of the three ways documented here for Setup Assistant with
modern authentication.
Use one of the ways documented above to deploy the macOS Company Portal to the
devices enrolling with Setup Assistant with modern authentication so that the end user
can authenticate and complete Azure AD registration.
Users must sign into the Company Portal to complete Azure AD authentication and gain
access to resources protected by Conditional Access. User affinity is established when
users complete the enrollment and reach the home screen of the macOS device. If the
tenant has multi-factor authentication turned on for these devices or users, the users
will be asked to complete multi-factor authentication during enrollment during Setup
Assistant. Multi-factor authentication is not required, but it is available for this
authentication method within Conditional Access if needed.
For more information about configuring Setup Assistant with modern authentication for
macOS, see Create an Apple enrollment profile.
Next steps
To learn more about assigning apps, see Assign apps to groups.
To learn more about configuring Automated Device Enrollment, see Device
Enrollment Program - Enroll macOS.
To learn more about configuring Microsoft AutoUpdate settings on macOS, see
Mac Updates.
Add Microsoft Edge for Windows 10/11
to Microsoft Intune
Article • 04/19/2023
Before you can deploy, configure, monitor, or protect apps, you must add them to
Intune. One of the available app types is Microsoft Edge version 77 and later. By
selecting this app type in Intune, you can assign and install Microsoft Edge version 77
and later to devices you manage that run Windows 10.
Important
This app type offers stable, beta, and dev channels for Windows 10. The
deployment is in English (EN) only, however end users can change the display
language in the browser under Settings > Languages. Microsoft Edge is a Win32
app installed in system context and on like architectures (x86 app on x86 OS, and
x64 app on x64 OS). Intune will detect any preexisting Microsoft Edge installations.
If it is installed in user context, a system installation will overwrite it. If it is installed
in system context, installation success is reported. In addition, automatic updates of
Microsoft Edge are On by default.
Note
You can't use the built-in application deployment of Microsoft Edge for
workplace-joined computers. Built-in application deployment requires the Intune
management extension, which only exists for Azure AD joined devices. You can still
deploy Microsoft Edge version 77 and later using an .msi uploaded to Apps; see
Add a Windows line-of-business app to Microsoft Intune.
Prerequisites
Windows 10 version 1709 or later.
Any pre-installed versions of Microsoft Edge version 77 and later for all channels in
user context will be overwritten with Edge installed in system context.
Name: Enter the name of the app as it will be displayed in the company
portal. Make sure that all names are unique. If the same app name exists
twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app. For example, you could list the
targeted users in the description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to
display the app prominently on the main page of the company portal when
users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.
3. Select OK.
2. In the App settings pane, select either Stable, Beta or Dev from the Channel list to
determine which Edge Channel you will deploy the app from. For more
information, see Microsoft Edge release schedule.
Note
The Microsoft Edge browser logo is displayed with the app when users
browse the company portal.
3. Select OK.
Note
Currently, if you unassign the deployment of Microsoft Edge, it will remain on the
device.
2. Select Apps > All apps > Microsoft Edge app > Assignments > Add group.
Note
The app is uninstalled from devices in the selected groups if Intune has
previously installed the application onto the device via an Available for
enrolled devices or Required assignment using the same deployment.
4. Select Included Groups to select the groups of users that are affected by this app
assignment.
5. Select the groups that you want to apply the uninstall assignment.
8. If you want to exclude any groups of users from being affected by this app
assignment, select Exclude Groups.
9. If you have chosen to exclude any groups, in Select groups, select Select.
Important
To uninstall the app successfully, make sure to remove the members or group
assignment for install before assigning them to be uninstalled. If a group is
assigned to both install an app and uninstall an app, the app will remain and not be
removed.
Troubleshooting
Microsoft Edge version 77 and later for Windows 10:
Intune uses the Intune management extension to download and deploy the Microsoft
Edge installer to assigned Windows 10 devices, then communicates the deployment
settings to the Microsoft Edge installer, which downloads and installs the Microsoft Edge
browser directly from the CDN. Reference the prerequisites for the Intune management
extension, and the best practices outlined in accessing Azure Update Service and the
CDN to ensure that your network configuration permits Windows 10 devices to access
these locations. In addition, to allow access to installation files from a CDN to install the
browser, you need to allow access to Windows Update endpoints. For more information,
see Manage connection endpoints for Windows 10, version 1809 – Windows Update
and Network endpoints for Microsoft Intune.
Next steps
Assign apps to groups
Add Microsoft Edge to macOS devices
using Microsoft Intune
Article • 05/01/2023
Before you can deploy, configure, monitor, or protect apps, you must add them to
Intune. One of the available app types is Microsoft Edge version 77 and later. By
selecting this app type in Intune, you can assign and install Microsoft Edge version 77
and later to devices you manage that run macOS. This app type makes it easy for you to
assign Microsoft Edge to macOS devices without requiring you to use the macOS app
wrapping tool. To help keep the apps more secure and up to date, the app comes with
Microsoft AutoUpdate (MAU).
Important
This app type offers developer and beta channels for macOS. The deployment is in
English (EN) only, however end users can change the display language in the
browser under Settings > Languages.
Note
Prerequisites
The macOS device must be running macOS 10.14 or later before installing
Microsoft Edge.
Name: Enter the name of the app as it will be displayed in the company
portal. Make sure that all names are unique. If the same app name exists
twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app. For example, you could list the
targeted users in the description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to
display the app prominently on the main page of the company portal when
users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.
3. Select OK.
2. In the App settings pane, select either Stable, Beta or Dev from the Channel list to
determine which Edge Channel you will deploy the app from. For more
information, see Microsoft Edge release schedule.
Stable channel is the recommended channel for deploying broadly in
Enterprise environments. It updates every four weeks, each release
incorporating improvements from the Beta channel.
Beta channel is the most stable Microsoft Edge preview experience and the
best choice for a full pilot within your organization. With major updates every
four weeks, each release incorporates the learnings and improvements from
the Dev channel.
Dev channel is ready for enterprise feedback on Windows, Windows Server
and macOS. It updates every week and contains the latest improvements and
fixes.
Note
The Microsoft Edge browser logo is displayed with the app when users
browse the company portal.
3. Select OK.
The app you've created is displayed in the apps list, where you can assign it to the
groups that you select.
Next steps
To learn how to configure Microsoft Edge on macOS devices, see Configure
Microsoft Edge on macOS devices.
To learn about including and excluding app assignments from groups of users, see
Include and exclude app assignments.
Assign apps to groups
Add Microsoft Defender for Endpoint to
macOS devices using Microsoft Intune
Article • 05/01/2023
Before you can deploy, configure, monitor, or protect apps, you must add them to
Intune. One of the available app types is Microsoft Defender for Endpoint. By selecting
this app type in Intune, you can assign and install Microsoft Defender for Endpoint to
devices you manage that run macOS. This app type makes it easy for you to assign
Microsoft Defender for Endpoint to macOS devices without requiring you to use the
macOS app wrapping tool. To help keep the apps more secure and up to date, the app
comes with Microsoft AutoUpdate (MAU).
Prerequisites
The macOS device must be running macOS 10.13 or later.
The macOS device must have at least 650 MB of disk space.
Deploy the kernel extension in Intune. For more information, see Add macOS kernel
extensions in Intune.
Important
Name: Enter the name of the app as it will be displayed in the company
portal. Make sure that all names are unique. If the same app name exists
twice, only one of the apps is displayed to users in the company portal.
Description: Enter a description for the app. For example, you could list the
targeted users in the description.
Publisher: Microsoft appears as the publisher.
Category: Optionally, select one or more of the built-in app categories or a
category that you created. This setting makes it easier for users to find the
app when they browse the company portal.
Display this as a featured app in the Company Portal: Select this option to
display the app prominently on the main page of the company portal when
users browse for apps.
Information URL: Optionally, enter the URL of a website that contains
information about this app. The URL is displayed to users in the company
portal.
Privacy URL: Optionally, enter the URL of a website that contains privacy
information for this app. The URL is displayed to users in the company portal.
Developer: Microsoft appears as the developer.
Owner: Microsoft appears as the owner.
Notes: Optionally, enter any notes that you want to associate with this app.
3. Select OK.
The app you've created is displayed in the apps list, where you can assign it to the
groups that you select.
Note
Currently, Apple doesn't provide a way for Intune to uninstall Microsoft Defender
for Endpoint on macOS devices.
Next steps
To learn about Intune-based deployment for Microsoft Defender for Endpoint on
macOS, see Intune-based deployment for Microsoft Defender for Endpoint on
macOS
To learn about applying an antivirus policy for endpoint security in Intune, see
Antivirus policy for endpoint security in Intune
To learn about including and excluding app assignments from groups of users, see
Include and exclude app assignments.
To learn how to assign apps to groups in Intune, see Assign apps to groups.
Use PowerShell scripts on Windows
10/11 devices in Intune
Article • 07/17/2023
Use the Microsoft Intune management extension to upload PowerShell scripts in Intune.
Then, run these scripts on Windows 10 devices. The management extension enhances
Windows mobile device management (MDM), and makes it easier to move to modern
management.
Note
Once the Intune management extension prerequisites are met, the Intune
management extension is installed automatically when a PowerShell script,
Win32 app, Microsoft Store app, custom compliance policy setting, or Proactive
remediation is assigned to the user or device. For more information, see Intune
Management Extensions prerequisites.
PowerShell scripts, which aren't officially supported on Workplace join (WPJ)
devices, can be deployed to WPJ devices. Specifically, device context PowerShell
scripts work on WPJ devices, but user context PowerShell scripts are ignored by
design. User context scripts are ignored on WPJ devices and aren't reported
to the Microsoft Intune admin center.
MDM services, such as Microsoft Intune, can manage mobile and desktop devices
running Windows 10. The built-in Windows 10 management client communicates with
Intune to run enterprise management tasks. There are some tasks that you might need,
such as advanced device configuration and troubleshooting. For Win32 app
management, you can use the Win32 app management feature on your Windows 10
devices.
The Intune management extension supplements the in-box Windows 10 MDM features.
You can create PowerShell scripts to run on Windows 10 devices. For example, create a
PowerShell script that does advanced device configurations. Then, upload the script to
Intune, assign the script to an Azure Active Directory (Azure AD) group, and run the
script. You can then monitor the run status of the script from start to finish.
End users aren't required to sign in to the device to execute PowerShell scripts.
The Intune management extension agent checks after every reboot for any new
scripts or changes. After you assign the policy to the Azure AD groups, the
PowerShell script runs, and the run results are reported. Once the script executes, it
doesn't execute again unless there's a change in the script or policy. If the script
fails, the Intune management extension agent retries the script three times for the
next three consecutive Intune management extension agent check-ins.
For shared devices, the PowerShell script will run for every new user that signs in.
PowerShell scripts are executed before Win32 apps run. In other words, PowerShell
scripts execute first. Then, Win32 apps execute.
Important
Best practices for privacy awareness when using PowerShell scripts and
Remediation scripts include the following:
Devices running Windows 10 version 1607 or later. If the device is enrolled using
bulk auto-enrollment, devices must run Windows 10 version 1709 or later. The
Intune management extension isn't supported on Windows 10 in S mode, as S
mode doesn't allow running non-store apps.
OR
User signs in to the device using their Azure AD account, and then enrolls in
Intune.
Scripts deployed to clients running the Intune management extension will fail to
run if the device's system clock is exceedingly out of date by months or years.
Once the system clock is brought up to date, script will run as expected.
Note
For information about using Windows 10 VMs, see Using Windows 10 virtual
machines with Intune.
2. Select Devices > Scripts > Add > Windows 10 and later.
3. In Basics, enter the following properties, and select Next:
Script location: Browse to the PowerShell script. The script must be less than
200 KB (ASCII).
Run this script using the logged on credentials: Select Yes (default) to run
the script with the user's credentials on the device. Choose No to run the
script in the system context. Many administrators choose Yes. If the script is
required to run in the system context, choose No.
Enforce script signature check: Select Yes (default) if the script must be
signed by a trusted publisher. Select No if there isn't a requirement for the
script to be signed.
Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit
PowerShell host on a 64-bit client architecture. Selecting No (default) runs the
script in a 32-bit PowerShell host.
When setting to Yes or No, use the following table for new and existing
policy behavior:
5. Select Scope tags. Scope tags are optional. For more information, see Use
role-based access control (RBAC) and scope tags for distributed IT.
a. Choose Select scope tags > select an existing scope tag from the list > Select.
a. Select one or more groups that include the users whose devices receive the
script. Choose Select. The groups you chose are shown in the list, and will
receive your policy.
b. Select Next.
7. In Review + add, a summary is shown of the settings you configured. Select Add
to save the script. When you select Add, the policy is deployed to the groups you
chose.
The following timeline shows the retry behavior across successive check-ins:
First check-in: Run script ConfigScript01. Script fails.
9 AM check-in: Run script ConfigScript01. Script fails (retry count = 1).
10 AM check-in: Run script ConfigScript01. Script fails (retry count = 2).
11 AM check-in: Run script ConfigScript01. Script fails (retry count = 3).
12 PM check-in: No additional attempts are made to run the ConfigScript01 script.
If no additional changes are made to the script, then no additional attempts are
made to run the script.
In PowerShell scripts, select the script to monitor, choose Monitor, and then choose
one of the following reports:
Device status
User status
Delete a script
In PowerShell scripts, right-click the script, and select Delete.
The device isn't joined to Azure AD. Be sure the devices meet the prerequisites (in
this article).
There are no PowerShell scripts or Win32 apps assigned to the groups that the
user or device belongs to.
The device can't check in with the Intune service. For example, there's no internet
access, no access to Windows Push Notification Services (WNS), and so on.
The device is in S mode. The Intune management extension isn't supported on
devices running in S mode.
The PowerShell scripts don't run at every sign in. They run:
If you change the script, upload it, and assign the script to a user or device
Tip
The Microsoft Intune Management Extension is a service that runs on the
device, just like any other service listed in the Services app (services.msc).
After a device reboots, this service may also restart, and check for any
assigned PowerShell scripts with the Intune service. If the Microsoft Intune
Management Extension service is set to Manual, then the service may not
restart after the device reboots.
Be sure devices are joined to Azure AD. Devices that are only joined to your
workplace or organization (registered in Azure AD) won't receive the scripts.
Review the logs for any errors. See Intune management extension logs (in this
article).
For possible permission issues, be sure the properties of the PowerShell script are
set to Run this script using the logged on credentials. Also check that the
signed in user has the appropriate permissions to run the script.
Run a sample script using the Intune management extension. For example,
create the C:\Scripts directory, and give everyone full control. Run the
following script:
PowerShell
To test script execution without Intune, run the scripts in the System account
using the psexec tool locally:
psexec -i -s
If the script reports that it succeeded, but it didn't actually succeed, then it's
possible your antivirus service may be sandboxing AgentExecutor. The following
script always reports a failure in Intune. As a test, you can use this script:
PowerShell
To capture the .error and .output files, the following snippet executes the
script through AgentExecutor to PowerShell x86
(C:\Windows\SysWOW64\WindowsPowerShell\v1.0). It keeps the logs for your
review. Remember, the Intune Management Extension cleans up the logs after
the script executes:
PowerShell
Next steps
Monitor and troubleshoot your profiles.
Use shell scripts on macOS devices in Intune
Article • 05/25/2023
Use shell scripts to extend device management capabilities in Intune, beyond what is
supported by the macOS operating system.
Note
Rosetta 2 is required to run the x64 (Intel) version of apps on Apple Silicon Macs. To
install Rosetta 2 on Apple Silicon Macs automatically, you can deploy a shell script
in Endpoint Manager. To view a sample script, see Rosetta 2 Installation Script.
Prerequisites
Ensure that the following prerequisites are met when composing shell scripts and
assigning them to macOS devices.
Upload script: Browse to the shell script. The script file must be less than 200
KB in size.
Run script as signed-in user: Select Yes to run the script with the user's
credentials on the device. Choose No (default) to run the script as the root
user.
Hide script notifications on devices: By default, script notifications are shown
for each script that is run. End users see an "IT is configuring your computer"
notification from Intune on macOS devices.
Script frequency: Select how often the script is to be run. Choose Not
configured (default) to run a script only once.
Max number of times to retry if script fails: Select how many times the script
should be run if it returns a non-zero exit code (zero meaning success).
Choose Not configured (default) to not retry when a script fails.
5. In Scope tags, optionally add scope tags for the script, and select Next. You can
use scope tags to determine who can see scripts in Intune. For full details about
scope tags, see Use role-based access control and scope tags for distributed IT.
7. In Review + add, a summary is shown of the settings you configured. Select Add
to save the script. When you select Add, the script policy is deployed to the groups
you chose.
The script you created now appears in the list of scripts. If needed, you can view the
contents of macOS shell scripts after you upload them to Intune.
Important
Irrespective of the selected Script frequency, the script run status is reported only
the first time a script is run. Script run status is not updated on subsequent runs.
However, updated scripts are treated as new scripts and will report the run status
again.
A script run status of Failed indicates that the script returned a non-zero exit code
or the script is malformed.
A script run status of Success indicates that the script returned zero as the exit
code.
Troubleshoot macOS shell script policies using log collection
You can collect device logs to help troubleshoot script issues on macOS devices.
4. Select Collect logs, provide folder paths of log files separated only by a semicolon
(;) without spaces or newlines in between paths.
Important
Multiple log file paths separated using a comma, period, newline or quotation
marks, with or without spaces, will result in a log collection error. Spaces are also
not allowed as separators between paths.
5. Select OK. Logs are collected the next time the Intune management agent on the
device checks in with Intune. This check-in usually occurs every 8 hours.
Note
Collected logs are encrypted on the device, transmitted and stored in
Microsoft Azure storage for 30 days. Stored logs are decrypted on
demand and downloaded using Microsoft Intune admin center.
In addition to the admin-specified logs, the Intune management agent
logs are also collected from these folders:
/Library/Logs/Microsoft/Intune and ~/Library/Logs/Microsoft/Intune.
Error code | Error ID | Error message | Remediation
0X87D300D1 | 2016214834 | Log file size cannot exceed 60 MB. | Ensure that compressed logs are less than 60 MB in size.
0X87D300D1 | 2016214831 | The provided log file path must exist. The system user folder is an invalid location for log files. | Ensure that the provided file path is valid and accessible.
0X87D300D2 | 2016214830 | Log collection file upload failed due to expiration of upload URL. | Retry the Collect logs action.
0X87D300D3, 0X87D300D5, 0X87D300D7 | 2016214829, 2016214827, 2016214825 | Log collection file upload failed due to encryption failure. Retry log upload. | Retry the Collect logs action.
| 2016214828 | The number of log files exceeded the allowed limit of 25 files. | Only up to 25 log files can be collected at a time.
0X87D300D6 | 2016214826 | Log collection file upload failed due to zip error. Retry log upload. | Retry the Collect logs action.
| 2016214739 | The logs were collected but couldn't be stored. | Retry the Collect logs action.
Data type of attribute: Select the data type of the result that the script
returns. Available values are String, Integer, and Date.
Script: Select a script file.
Additional details:
The shell script must echo the attribute to be reported and the data type of
the output must match the data type of attribute in the custom attribute
profile.
The result returned by the shell script must be 20KB or less.
Note
When using Date type attributes, ensure that the shell script returns dates in
ISO-8601 format. See the examples below.
Shell
#!/bin/sh
# Local time with a numeric UTC offset, for example 2023-05-25T10:00:00+0200
var=$(date +"%Y-%m-%dT%H:%M:%S%z")
echo "$var"
Shell
#!/bin/sh
# UTC time with the Z suffix, for example 2023-05-25T08:00:00Z
var=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
echo "$var"
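An added example, not from the Intune documentation, of a custom attribute script that reports a Date value: it checks the ISO-8601 format and the 20 KB result limit before echoing, and exits non-zero so Intune reports Failed rather than recording a malformed value. The attribute data type (Date) and the reported value (the current UTC time) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Intune's own code): a macOS custom attribute script that
# reports a Date attribute. Intune puts whatever the script echoes into the
# Result column and treats a non-zero exit code as Failed, so the value is
# validated before it is echoed and the script exits 1 when it cannot report.
#
# Assumptions for this example: the profile's data type is Date, and the value
# reported is the current UTC time.

MAX_RESULT_BYTES=20480   # Intune accepts a script result of 20 KB or less

# Return 0 when $1 is an ISO-8601 timestamp with seconds and a zone designator
# (2023-05-25T08:00:00Z or 2023-05-25T10:00:00+0200), 1 otherwise.
is_iso8601() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(Z|[+-][0-9]{4})$'
}

# Return 0 when $1 fits within the 20 KB result limit, 1 otherwise.
fits_result_limit() {
    bytes=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$bytes" -le "$MAX_RESULT_BYTES" ]
}

# Echo the value only if it passes both checks; otherwise write the reason to
# stderr (which is not reported as the attribute) and return 1.
emit_date_attribute() {
    value=$1
    if [ -z "$value" ] || ! is_iso8601 "$value" || ! fits_result_limit "$value"; then
        echo "custom attribute value is empty, malformed or oversized" >&2
        return 1
    fi
    printf '%s\n' "$value"
}

# Report the current UTC time; a failed check becomes a Failed run status.
now=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
emit_date_attribute "$now" || exit 1
```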
5. In Assignments, click Select groups to include. When you choose Select groups to
include an existing list of Azure AD groups is shown. Select one or more user or
device groups that are to receive the script. Choose Select. The groups you choose
are shown in the list, and will receive your script policy. Alternatively, you can
choose to select All users, All devices, or All users and all devices by selecting one
of these options in the dropdown box next to Assign to.
6. In Review + add, a summary is shown of the settings you configured. Select Add
to save the script. When you select Add, the script policy is deployed to the groups
you chose.
The script you created now appears in the list of custom attributes. If needed, you can
view the contents of custom attributes after you upload them to Intune.
Custom attributes > select the custom attribute profile to monitor > Device status
Custom attributes > select the custom attribute profile to monitor > User status
Important
Shell scripts provided in custom attribute profiles are run every 8 hours on
managed Macs and reported.
Once a custom attribute profile runs, it returns one of the following statuses:
A status of Failed indicates that the script returned a non-zero exit code or the
script is malformed. The error is reported in the Result column.
A status of Success indicates that the script returned zero as the exit code. The
output echoed by the script is reported in the Result column.
The agent might need to check in to receive new or updated scripts. This check-in
process occurs every 8 hours and is different from the MDM check-in. Make sure
that the device is awake and connected to a network for a successful agent check-
in and wait for the agent to check in. You can also request the end user to open
Company Portal on the Mac, select the device and click Check settings.
The agent may not be installed. Check that the agent is installed at
/Library/Intune/Microsoft Intune Agent.app on the macOS device.
The agent may not be in a healthy state. The agent attempts to recover for 24
hours, then removes itself and reinstalls if shell scripts are still assigned.
Known issues
No script run status: In the unlikely event that a script is received on the device
and the device goes offline before the run status is reported, the device will not
report run status for the script in the admin center.
Additional information
When you deploy shell scripts or custom attributes for macOS devices from Microsoft
Endpoint Manager, it deploys the new universal version of the Intune management
agent app that runs natively on Apple Silicon Mac machines. The same deployment will
install the x64 version of the app on Intel Mac machines. Rosetta 2 is required to run the x64
(Intel) version of apps on Apple Silicon Macs. To install Rosetta 2 on Apple Silicon Macs
automatically, you can deploy a shell script in Endpoint Manager. To view a sample
script, see Rosetta 2 Installation Script.
Next steps
Create a compliance policy in Microsoft Intune
Assign apps to groups with Microsoft Intune
Article • 04/19/2023
After you've added an app to Microsoft Intune, you can assign the app to users and
devices. It is important to note that you can deploy an app to a device whether or not
the device is managed by Intune.
Note
The Available for enrolled devices deployment intent is supported for user groups
and device groups when targeting Android Enterprise fully managed devices
(COBO) and Android Enterprise corporate-owned personally-enabled (COPE)
devices.
The following table lists the various options for assigning apps to users and devices:
End users install available apps from the web-based Company Portal | Yes | Yes
Note
Currently, you can assign iOS/iPadOS and Android apps (line-of-business and
store-purchased apps) to devices that aren't enrolled with Intune.
To receive app updates on devices that aren't enrolled with Intune, device users
must go to their organization's Company Portal and manually install app updates.
For almost all app types and platforms, Available assignments are only valid when
assigning to user groups, not device groups. Win32 apps can be assigned to either
user or device groups.
Assign an app
1. Sign in to the Microsoft Intune admin center .
6. Select Add Group to open the Add group pane that is related to the app.
Available for enrolled devices: Assign the app to groups of users who can
install the app from the Company Portal app or website.
8. To select the groups of users that are affected by this app assignment, select
Included Groups.
9. After you have selected one or more groups to include, select Select.
10. In the Assign pane, select OK to complete the included groups selection.
11. If you want to exclude any groups of users from being affected by this app
assignment, select Exclude Groups.
12. If you have chosen to exclude any groups, in Select groups, select Select.
The app is now assigned to the groups that you selected. For more information about
including and excluding app assignments, see Include and exclude app assignments.
Tip
Intune supports assigning apps to nested groups too. For example, if you assigned
an app to the "Engineering Global" group and have "Engineering APAC",
"Engineering EMEA" and "Engineering US" nested as child groups, the members of
those child groups will also be targeted with the assignment.
Note
While we don't expect managed apps on devices to backup data to iCloud, note
that data saved locally for managed apps may not be available after a backup and
restore.
For existing devices, when Prevent iCloud app backup is set to Yes for an app/apps, the
new behavior will be automatically updated for all required App Store/LOB apps (with or
without VPP). Required apps previously installed on devices will be automatically re-
configured for all devices once the setting value is saved to Yes. Available apps will
require the user to re-download the available app from the Company Portal app or the
Company Portal website. Additionally, depending on the app's configurations and
licensing, a sync between Intune and the device may be needed.
Group 1 intent | Group 2 intent | Resulting intent
User Available | Device Required | Both exist, Intune resolves Required (Required and Available)
User Available | Device Uninstall | App shows up in the Company Portal. If the user selects Install from the Company Portal, the app is installed, and the uninstall intent is not honored.
User Required and Available without enrollment | Device Required | Both exist, Intune resolves Required (Required and Available)
User Required and Available without enrollment | Device Uninstall | If the user didn't install the app from the Company Portal, the uninstall is honored. If the user installs the app from the Company Portal, the install is prioritized over the uninstall.
Note
For managed iOS store apps only, when you add these apps to Microsoft Intune
and assign them as Required, the apps are automatically created with both
Required and Available intents.
iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent
will be enforced on the device at the time of the device check-in and will also show
in the Company Portal app.
When conflicts occur in Uninstall on device removal setting, the app is not
removed from the device when the device is no longer managed.
1. Connect your Intune tenant to managed Google Play. If you have already done this
in order to manage Android Enterprise personally owned, dedicated, fully
managed, or corporate-owned work profile devices, you do not need to do it
again.
2. Add apps from managed Google Play to your Intune admin center.
3. Target managed Google Play apps as Available with or without enrollment to the
desired user group. Required and Uninstall app targeting are not supported for
non-enrolled devices.
6. The next time the end user opens the Company Portal app and completes the log
in process, they will see a message indicating in the Apps section that there are
apps available for them. The user can select this notification to navigate to the Play
Store.
7. The end user can expand the context menu within the Play Store app and switch
between their personal Google account (where they see their personal apps), and
their work account (where they will see store and LOB apps targeted to them). End
users install the apps by tapping Install in the Play Store app.
When an APP selective wipe is issued in the Intune admin center, the work account will
be automatically removed from the Play Store app and the end user will from that point
no longer see work apps in the Play Store app catalog. When the work account is
removed from a device, apps installed from the Play Store will remain installed on the
device and will not uninstall.
App uninstall setting for iOS managed apps
For iOS/iPadOS devices, you can choose what happens to managed apps on unenrolling
the device from Intune or removing the management profile using Uninstall on device
removal setting. This setting only applies to apps after the device is enrolled and apps
are installed as managed. The setting cannot be configured for web apps or web links.
Only data protected by Mobile Application Management (MAM) is removed after
retirement by an App Selective Wipe.
Default values for the setting are prepopulated for new assignments as follows:
Store app: No
VPP app: No
Built-in app: No
Note
"Available" assignment types: If you're updating this setting for "available for
enrolled devices" or "available with or without enrollment" groups, users who
already have the managed app won't get the updated setting until they sync the
device with Intune and re-install the app.
Pre-existing assignments: The App uninstall setting was introduced in May 2019.
Assignments that existed prior to this date are unmodified and all managed apps
will be removed on device removal from management. If your assignment was
created before May 2019, you may need to explicitly set the App uninstall setting,
as the default settings above may not apply.
Next steps
To learn more about monitoring app assignments, see How to monitor apps.
Include and exclude app assignments in Microsoft Intune
Article • 05/01/2023
In Intune, you can determine who has access to an app by assigning groups of users to
include and exclude. Before you assign groups to the app, you must set the assignment
type for an app. The assignment type makes the app available, required, or uninstalls the
app.
To set the availability of an app, you include and exclude app assignments to a group of
users or devices by using a combination of include and exclude group assignments. This
capability can be useful when you make the app available by including a large group,
and then narrow the selected users by also excluding a smaller group. The smaller group
might be a test group or an executive group.
As a best practice, create and assign apps specifically for your user groups, and
separately for your device groups. For more information on groups, see Add groups to
organize users and devices.
Exclusion takes precedence over inclusion in the following same group type
scenarios:
Including user groups and excluding user groups when assigning apps
Including device groups and excluding device groups when assigning apps
For example, if you assign a device group to the All corporate users user group,
but exclude members in the Senior Management Staff user group, All
corporate users except the Senior Management staff get the assignment,
because both groups are user groups.
Intune doesn't evaluate user-to-device group relationships. If you assign apps to
mixed groups, the results may not be what you want or expect.
For example, if you assign a device group to the All Users user group, but exclude an All
personal devices device group, All users get the app. The exclusion does not apply.
Note
When you set a group assignment for an app, the Not Applicable type is
deprecated and replaced with exclude group functionality.
Intune provides pre-created All Users and All Devices groups in the Microsoft
Intune admin center. The groups have built-in optimizations for your convenience.
It's highly recommended that you use these groups to target all users and all
devices instead of any "all users" or "all devices" groups that you might create
yourself.
Android enterprise supports including and excluding groups. You can leverage the
built-in All Users and All Devices groups for Android enterprise app assignment.
2. Select Apps > All apps. The list of added apps is shown.
3. Select the app that you want to assign. A dashboard displays information about
the app.
5. Select Add group to add the groups of users who are assigned the app.
6. In the Add group pane, select an Assignment type from the available assignment
types.
Note
When you add a group, if any other group has already been included for a
specific assignment type, the app is preselected and can't be modified for
other include assignment types. The group that has been used can't be used
as an included group.
11. Select Excluded Groups to select the groups of users that you want to make this
app unavailable to.
12. Select the groups to exclude. This makes this app unavailable to those groups.
13. Select Select to complete your group selection.
14. In the Add group pane, select OK. The app Assignments list appears.
15. Click Save to make your group assignments active for the app.
When you make group assignments, groups that have already been assigned aren't
available to be modified. If you want to select a group that currently isn't available, first
remove the app from the app's assigned list.
To edit assignments, in the app Assignments list, select the row that contains the
specific assignment that you want to change. You can also remove an assignment by
selecting the ellipsis (…) at the end of a row, and then selecting Remove.
Note
Removing a group assignment does not remove the related app except on Android
Enterprise dedicated, fully managed, and corporate-owned work profile devices.
The installed app will remain on the device.
To change the view of the Assignments list, group by Assignment type or by
Included/Excluded.
Next steps
For more information about including and excluding group assignments for apps,
see the Microsoft Intune blog.
Learn how to monitor app information and assignments.
Windows 10/11 app deployment by using Microsoft Intune
Article • 04/19/2023
Microsoft Intune supports a variety of app types and deployment scenarios on Windows 10 devices.
After you've added an app to Intune, you can assign the app to users and devices. This article
provides more details on the supported Windows 10 scenarios, and also covers key details to note
when you're deploying apps to Windows. For information about deploying an app, also known as
assigning an app, see Assign an app to a group.
Line-of-business (LOB) apps and Microsoft Store for Business apps are the app types supported on
Windows 10 devices. The file extensions for Windows apps include .msi, .appx, and .appxbundle.
Note
Only Windows 10 1803 and later support installing apps when there is no primary user
associated.
LOB app deployment isn't supported on devices running Windows 10 Home editions.
App type | Home | Pro | Business | Enterprise | Education | S-Mode | HoloLens [1] | Surface Hub | WCOS | Mobile
LOB: APPX/MSIX | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MSFB Offline | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MSFB Online | Yes | Yes | Yes | Yes | Yes | Yes | RS4+ | No | Yes | Yes
Web Apps | Yes | Yes | Yes | Yes | Yes | Yes | Yes [2] | Yes [2] | Yes | Yes [2]
Store Link | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
[1] To unlock app management, upgrade your HoloLens device to Holographic for Business.
[2] Launch from the Company Portal only.
[3] For the Edge app to install successfully, devices must also be assigned an S-Mode policy.
Note
User Context: When an app is deployed in user context, the managed app is installed for that
user on the device when the user signs in to the device. Note that the app installation doesn't
succeed until the user signs in to the device.
Modern LOB apps and Microsoft Store for Business apps (both online and offline) can be
deployed in user context. The apps support both the Required and Available intents.
Win32 apps built as User Mode or Dual Mode can be deployed in user context, and support
both the Required and Available intents.
Device Context: When an app is deployed in device context, the managed app is installed
directly to the device by Intune.
Only modern LOB apps and offline licensed Microsoft Store for Business apps can be
deployed in device context. These apps only support the Required intent.
Win32 apps built as Machine Mode or Dual Mode can be deployed in device context, and
support only the Required intent.
Note
For Win32 apps built as Dual Mode apps, the admin must choose if the app will function as a
User Mode or Machine Mode app for all assignments associated with that instance. The
deployment context can't be changed per assignment.
Apps can only be installed in the device context when supported by the device and the Intune app
type. Device context installs are supported on Windows 10 desktops and Teams devices, such as the
Surface Hub. They aren't supported on devices running Windows Holographic for Business, such as
the Microsoft HoloLens.
You can install the following app types in the device context and assign these apps to a device
group:
Win32 apps
Offline licensed Microsoft Store for Business apps
LOB apps (MSI, APPX and MSIX)
Microsoft 365 Apps for enterprise
Windows LOB apps (specifically APPX and MSIX) and Microsoft Store for Business apps (Offline
apps) that you've selected to install in device context must be assigned to a device group. The
installation fails if one of these apps is deployed in the user context. The following status and error
appears in the admin center:
Status: Failed.
Error: A user can't be targeted with a device context install.
Note
After you save an app assignment with a specific deployment, you can't change the context for
that assignment, except for modern apps. For modern apps, you can change the context from
user context to device context.
If there's a conflict in policies on a single user or device, the following priorities apply:
For more information, see Include and exclude app assignments in Microsoft Intune. For more
information about app types in Intune, see Add apps to Microsoft Intune.
Next steps
Assign apps to groups with Microsoft Intune
How to monitor apps
Deploying apps using Intune on the GCC High and DoD Environments
Article • 03/07/2023
Note
For commercial environments, a tenant admin can sync their Microsoft Store for
Business (MSFB) with Intune, however for GCC High and DoD environments, this
service is not available. Admins in this situation must deploy an app by uploading
directly to Intune. To get the offline version of the desired app, an actual
commercial account will have to be used to log in to MSFB to download the
package, and this is currently the only work-around for GCC high and DOD
environments.
When shopping for apps, if an offline version is available, you can choose to change the
license type to offline. After getting the app, you can then manage it by selecting
Manage > Products & Services in the Store for Business. Additionally, you can
download the app and its dependencies. Then, you can deploy this downloaded app
(and its dependencies) to users using Intune.
To sync Intune to your Store for Business account, see How to manage apps you
purchased from the Microsoft Store for Business with Microsoft Intune.
Compliance
Review the privacy and compliance statements of apps and compare them to the
compliance, security and privacy requirements of your organization when assessing the
appropriate use of these services.
Next steps
To learn more about deploying and assigning apps, see Assign apps to groups with
Microsoft Intune.
Monitor app information and assignments with Microsoft Intune
Article • 03/07/2023
Intune provides several ways to monitor the properties of apps that you manage and to
manage app assignment status.
Note
Microsoft Store and Android Store apps that are deployed as Available do not
report their installation status.
From the Installed apps page of the Windows Company Portal or the Company
Portal website, end users can view the installation status and details for device-
assigned required apps. This functionality is provided in addition to the installation
status and details of user-assigned required apps.
Essentials
The Essentials section contains the following information about the app:
App details | Description
Operating system | The app operating system (Windows, iOS/iPadOS, Android, and so on)
Created | The date and time when this revision was created. Note: This date value is updated when an IT admin changes app metadata, such as changing the app category or app description.
Install Pending | The number of apps that are in the process of being installed
Not Applicable | The number of apps for which status is not applicable
Note
Be aware that Android LOB apps (.APK) deployed as Available with or without
enrollment only report app installation status for enrolled devices. App installation
status is not available for devices that are not enrolled in Intune.
Device column | Description
Device name | The name of the device on platforms that allow naming a device. Note: On other platforms, Intune creates a name from other properties. This attribute isn't available to any other device.
Platform | The operating system of the device (Windows, iOS/iPadOS, Android, and so on)
Version | The version number of the app. Note: For line-of-business (LOB) apps and Microsoft Store for Business apps, the full version number of the app is shown. The full version number identifies a specific release of the app. The number appears as Version(Build). For example, 2.2(2.2.17560800). For standard Store apps, no versions are shown.
Note
Even if the app is targeted to device context and to a device group, the user
name will always be reported. You may refer to the corresponding API call.
Additionally, the system context may appear as "No user".
Next steps
To learn more about working with your Intune data, see Use the Intune Data
Warehouse.
To learn about app configuration policies, see App configuration policies for
Intune.
Intune discovered apps
Article • 03/07/2023
Intune discovered apps is a list of detected apps on the Intune enrolled devices in your
tenant. It acts as a software inventory for your tenant. Discovered apps is a separate
report from the app installation reports. For personal devices, Intune never collects
information on applications that are unmanaged. On corporate devices, any app,
whether it's a managed app or not, is collected for this report. Below is the table
mapping the expected behavior. In general, the report refreshes every seven days from
the time of enrollment (not a weekly refresh for the entire tenant). The only exception to
this refresh cycle for the Discovered apps report is application information collected
through the Intune Management Extension for Win32 Apps, which is collected every 24
hours.
Note
You can export the list of discovered apps to a .csv file by selecting Export from the
Discovered apps pane.
For discovered Win32 apps, there currently is no aggregate count. This type of data
can only be viewed on a per-device basis.
Intune also provides the list of discovered apps for the individual device in your tenant.
Platform | Personally-owned devices | Corporate-owned devices | Refresh cycle
Windows 10/11 (Win32 Apps) NOTE: Requires Intune Management Extension on device | Not Applicable | MSI installed apps on the device | Every 24 hours from device enrollment
Windows 10/11 (Modern Apps) | Only managed modern apps | All modern apps installed on the device | Every seven days from device enrollment
Android device administrator | Only managed apps | All apps installed on the device | Every seven days from device enrollment
Android Enterprise personally owned enrollment | Only managed apps in the work profile | Not applicable | Every seven days from device enrollment
Note
Windows 10/11 co-managed devices, as shown in the client apps workload in
Configuration Manager, do not currently collect app inventory through the
Intune Management Extension (IME) as per the above schedule. To mitigate
this issue, the client apps workload in Configuration Manager should be
switched to Intune for the IME to be installed on the device (IME is required
for Win32 inventory and PowerShell deployment). Note that any changes or
updates to this behavior are announced in In development and/or What's
new.
Personally-owned macOS devices enrolled before November 2019 may
continue to show all apps installed on the device until the devices are enrolled
again.
Android Enterprise corporate-owned enrollments (fully managed, dedicated,
and corporate-owned work profile) do not display discovered apps.
Android Open Source Project (AOSP) enrollments do not display discovered
apps.
For customers using a Mobile Threat Defense partner with Intune, App Sync
data is sent to Mobile Threat Defense partners at an interval based on device
check-in, and should not be confused with the refresh interval for the
Discovered Apps report.
The number of discovered apps may not match the app install status count. Possibilities
for inconsistencies include:
A targeting change of an installed managed app can cause the install count in the
status pane to decrement, but remain reported in the detected apps.
Targeting multiple instances of the same app in a tenant will result in different
counts due to potential overlap of users or devices. Each instance of the app will
count overlapping users, but discovered apps will have duplicated counts.
Discovered apps and app status are collected at different time intervals, which
could cause a discrepancy in the app counts.
Next steps
App types in Microsoft Intune
Monitor app information and assignments with Microsoft Intune
App configuration policies for Microsoft Intune
Article • 03/31/2023
App configuration policies can help you eliminate app setup problems by letting you
assign configuration settings to a policy that is assigned to end-users before they run
the app. The settings are then supplied automatically when the app is configured on the
end-users device, and end-users don't need to take action. The configuration settings
are unique for each app.
You can create and use app configuration policies to provide configuration settings for
both iOS/iPadOS or Android apps. These configuration settings allow an app to be
customized by using app configuration and management. The configuration policy
settings are used when the app checks for these settings, typically the first time the app
is run.
An app configuration setting, for example, might require you to specify any of the
following details:
If end-users were to enter these settings instead, they could do this incorrectly. App
configuration policies can help provide consistency across an enterprise and reduce
helpdesk calls from end-users trying to configure settings on their own. By using app
configuration policies, the adoption of new apps can be easier and quicker.
Note
In the Managed Google Play Store, apps that support configuration will be marked
as such:
You will only see apps from the Managed Google Play store, not the Google Play
store, when using Managed Devices as the Enrollment Type for Android devices.
You can assign an app configuration policy to a group of end-users and devices by
using a combination of include and exclude assignments. As part of the process to add
or update an app configuration policy, you can set the assignments for the app
configuration policy. When you set the assignments for the policy, you can choose to
include and exclude the groups of end-users for which the policy applies. When you
choose to include one or more groups, you can choose to select specific groups to
include or select built-in groups. Built-in groups include All Users, All Devices, and All
Users + All Devices.
You can also use filters to refine the assignment scope when deploying app
configuration policies for managed iOS and Android devices. You must first create a
filter using any of the available properties for iOS and Android. Then, in Microsoft Intune
admin center you can assign your managed app configuration policy by selecting
Apps > App configuration policies > Add > Managed devices and go to the
assignment page. After selecting a group, you can refine the applicability of the policy
by choosing a filter and deciding to use it in Include or Exclude mode.
The app configuration policy workload provides a list of app configuration policies that
have been created for your tenant. This list provides details, such as Name, Platform,
Updated, Enrollment type, and Scope Tags. For additional details about a specific app
configuration policy, select the policy. On the policy Overview pane, you can see specific
details, such as the policy status based on device and based on user, as well as whether
the policy has been assigned.
Apps may handle app configuration policy settings differently with respect to user
preference. For example, with Outlook for iOS and Android, the Focused Inbox app
configuration setting will respect the user setting, allowing the user to override admin
intent. Other settings may let you control whether a user can or cannot change the
setting based on the admin intent.
Note
Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.
For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.
Managed devices
Selecting Managed devices as the Device Enrollment Type specifically refers to apps
deployed by Intune on the enrolled device and thus are managed by Intune as the
enrollment provider.
To support app configuration for apps deployed through Intune on enrolled devices,
apps must be written to support the use of app configurations as defined by the OS.
Consult your app vendor for details on which app config keys they support for delivery
through the MDM OS channel. There are generally four scenarios for app configuration
delivery when using the MDM OS channel:
Managed apps
Selecting Managed apps as the Device Enrollment Type specifically refers to apps
configured with an Intune App Protection Policy on devices regardless of the enrollment
state.
To support app configuration through the MAM channel, the app must be integrated
with Intune App SDK. Line-of-business apps can either integrate the Intune App SDK or
use the Intune App Wrapping Tool. For a comparison between the Intune App SDK and
the Intune App Wrapping Tool, see Prepare line-of-business apps for app protection
policies.
Delivery of app configuration through the MAM channel does not require the device to
be enrolled or for the app to be managed or delivered through the unified endpoint
management solution. There are three scenarios for app configuration delivery using the
MAM channel:
Note
Intune managed apps check in every 30 minutes for Intune App Configuration
Policy status when deployed in conjunction with an Intune App Protection Policy.
If an Intune App Protection Policy isn't assigned to the user, then the Intune App
Configuration Policy check-in interval is 720 minutes.
For information on which apps support app configuration through the MAM channel,
see Microsoft Intune protected apps.
All Profile Types: If a new profile is created and All Profile Types is selected for
device enrollment type, you will not be able to associate a certificate profile with
the app config policy. This option supports username and password
authentication. If you use certificate-based authentication, don't use this option.
Fully Managed, Dedicated, and Corporate-Owned Work Profile Only: If a new
profile is created and Fully Managed, Dedicated, and Corporate-Owned Work
Profile Only is selected, Fully Managed, Dedicated, and Corporate-Owned Work
Profile certificate policies created under Device > Configuration profiles can be
utilized. This option supports certificate-based authentication, and username and
password authentication. Fully Managed relates to Android Enterprise fully
managed devices (COBO). Dedicated relates to Android Enterprise dedicated
devices (COSU). Corporate-Owned Work Profile relates to Android Enterprise
corporate-owned work profile (COPE).
Personally-Owned Work Profile Only: If a new profile is created and Personally-
Owned Work Profile Only is selected, Work Profile certificate policies created
under Device > Configuration profiles can be utilized. This option supports
certificate-based authentication, and username and password authentication.
Important
Existing policies created prior to the release of this feature (April 2020 release -
2004) that do not have any certificate profiles associated with the policy will default
to All Profile Types for device enrollment type. Also, existing policies created prior
to the release of this feature that have certificate profiles associated with them will
default to Work Profile only.
1. Verify the app configuration policy visibly on the device. Confirm that the targeted
app is exhibiting the behavior applied in the app configuration policy.
2. Verify via Diagnostic Logs (see the Diagnostic Logs section below).
3. Verify in the Microsoft Intune admin center. In the Microsoft Intune admin
center, select Apps > All apps > select the related app. Then, under the Monitor
section, select either Device install status or User install status:
Device Install Status Report monitors the latest check-ins for all the devices the
configuration policy has been targeted to.
User Install Status Report monitors the latest changes to the user details, such as
name, e-mail, and UPN. User Report is also independent of Device Report.
Additionally, in the Microsoft Intune admin center, select Devices > All Devices >
select a device > App configuration. The App configuration pane will display all
the assigned policies and their state:
Diagnostic Logs
1. If not already installed on the device, download and install Microsoft Edge
from the App Store. For more information, see Microsoft Intune protected apps.
2. Launch Microsoft Edge and enter about:intunehelp in the address box.
5. Use the mail app of your choice to send the log to yourself so they can be viewed
on your PC.
7. Search for ApplicationConfiguration. The results will look like the following:
JSON
{
Name =
"com.microsoft.intune.mam.managedbrowser.BlockListURLs";
Value = "https://www.aol.com";
},
Name =
"com.microsoft.intune.mam.managedbrowser.bookmarks";
Value = "Outlook
Web|https://outlook.office.com||Bing|https://www.bing.com";
);
},
ApplicationConfiguration =
Name = IntuneMAMUPN;
Value =
"CMARScrubbedM:13c45c42712a47a1739577e5c92b5bc86c3b44fd9a27aeec3f32857f
69ddef79cbb988a92f8241af6df8b3ced7d5ce06e2d23c33639ddc2ca8ad8d9947385f8
a";
},
Name =
"com.microsoft.outlook.Mail.BlockExternalImagesEnabled";
Value = true;
);
1. If not already installed on the device, download and install Microsoft Edge
from the App Store. For more information, see Microsoft Intune protected apps.
2. Launch Microsoft Edge and enter about:intunehelp in the address box.
3. Click Get Started.
4. Click Share Logs.
5. Use the mail app of your choice to send the log to yourself so they can be viewed
on your PC.
6. Review IntuneMAMDiagnostics.txt in your text file viewer.
7. Search for AppConfig. Your results should match the application configuration
policies configured for your tenant.
To collect logs from an Android device, you or the end user must download the logs
from the device via a USB connection (or the File Explorer equivalent on the device).
Here are the steps:
1. Connect the Android device to your computer with the USB cable.
2. On the computer, look for a directory that has the name of your device. In that
directory, find Android Device\Phone\Android\data\com.microsoft.windowsintune.companyportal.
4. Search for AppConfigHelper to find app configuration-related messages. The results
will look similar to the following block of data:
[{"Name":"com.microsoft.intune.mam.managedbrowser.BlockListURLs","Value":"http
s:\/\/www.aol.com"},
{"Name":"com.microsoft.intune.mam.managedbrowser.bookmarks","Value":"Outlook
Web|https:\/\/outlook.office.com||Bing|https:\/\/www.bing.com"},
{"Name":"com.microsoft.intune.mam.managedbrowser.homepage","Value":"https:\/\/
www.arstechnica.com"}]},{"ApplicationConfiguration":
[{"Name":"IntuneMAMUPN","Value":"AdeleV@M365x935807.OnMicrosoft.com"},
{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled","Value":"false"},
{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed","V
alue":"false"}]}] for user User-875363642
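As an added example (not Microsoft's tooling), the following Python script parses an AppConfigHelper line of the shape shown above and compares the applied Name/Value pairs with the settings the admin configured in the tenant's policy, so a mismatch or a missing key can be spotted in the log rather than guessed at on the device. The sample line and the expected values are constructed for this example, and the UPN in it is a placeholder.

```python
"""Check AppConfigHelper output from an Android Company Portal log against the
settings an admin expects a Managed apps app configuration policy to deliver.

Added example, not Microsoft's tooling. The line format follows the block
shown above: a JSON array of {"ApplicationConfiguration": [...]} objects,
then a trailing " for user <id>". The sample line below is constructed.
"""
import json
import re

# The JSON array comes first; the " for user <id>" suffix is not JSON and must be split off.
LINE_RE = re.compile(r"^(?P<json>\[.*\])\s+for user\s+(?P<user>\S+)\s*$")

# Constructed line modeled on the page's output; the UPN is a placeholder.
SAMPLE_LINE = (
    '[{"ApplicationConfiguration":['
    '{"Name":"com.microsoft.intune.mam.managedbrowser.BlockListURLs","Value":"https:\\/\\/www.aol.com"},'
    '{"Name":"com.microsoft.intune.mam.managedbrowser.homepage","Value":"https:\\/\\/www.arstechnica.com"}]},'
    '{"ApplicationConfiguration":['
    '{"Name":"IntuneMAMUPN","Value":"user@contoso.example"},'
    '{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled","Value":"false"},'
    '{"Name":"com.microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed","Value":"false"}]}]'
    " for user User-875363642"
)

# What the admin configured in the tenant for the Outlook policy (constructed values).
EXPECTED_OUTLOOK = {
    "com.microsoft.outlook.Mail.NotificationsEnabled": "false",
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled": "true",
}


def parse_app_config_line(line):
    """Return (user id, list of {Name: Value} dicts, one per policy block)."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError("not an AppConfigHelper line")
    blocks = json.loads(match.group("json"))  # json.loads also unescapes the \/ in URLs
    configs = []
    for block in blocks:
        pairs = block.get("ApplicationConfiguration", [])
        configs.append({pair["Name"]: pair["Value"] for pair in pairs})
    return match.group("user"), configs


def compare_with_policy(expected, configs):
    """Classify each expected key as ok, mismatch or missing, and note keys the
    user may override (a companion <key>.UserChangeAllowed equal to "true")."""
    applied = {key: value for config in configs for key, value in config.items()}
    result = {"ok": [], "mismatch": [], "missing": [], "user_overridable": []}
    for key, value in expected.items():
        if key not in applied:
            result["missing"].append(key)
        elif str(applied[key]).lower() != str(value).lower():
            result["mismatch"].append(key)
        else:
            result["ok"].append(key)
        if str(applied.get(key + ".UserChangeAllowed", "")).lower() == "true":
            result["user_overridable"].append(key)
    return result


if __name__ == "__main__":
    user, configs = parse_app_config_line(SAMPLE_LINE)
    print(f"{user}: {len(configs)} policy blocks")
    print(compare_with_policy(EXPECTED_OUTLOOK, configs))
```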
Troubleshooting
Next steps
Managed devices
Learn how to use app configuration with your iOS/iPadOS devices. See Add app
configuration policies for managed iOS/iPadOS devices.
Learn how to use app configuration with your Android devices. See Add app
configuration policies for managed Android devices.
Managed apps
Learn how to use app configuration with managed apps. See Add app
configuration policies for managed apps without device enrollment.
Add app configuration policies for managed iOS/iPadOS devices
Article • 03/31/2023
As the Microsoft Intune admin, you can control which user accounts are added to
Microsoft Office applications on managed devices. You can limit access to only allowed
organization user accounts and block personal accounts on enrolled devices. The
supporting applications process the app configuration and remove and block
unapproved accounts. The configuration policy settings are used when the app checks
for them, typically the first time it is run.
Once you add an app configuration policy, you can set the assignments for the app
configuration policy. When you set the assignments for the policy, you can choose to
use a filter and to include and exclude the groups of users for which the policy applies.
When you choose to include one or more groups, you can choose to select specific
groups to include or select built-in groups. Built-in groups include All Users, All Devices,
and All Users + All Devices.
Note
Intune provides pre-created All Users and All Devices groups in the console with
built-in optimizations for your convenience. It is highly recommended that you use
these groups to target all users and all devices instead of any 'All users' or 'All
devices' groups you may have created yourself.
Once you have selected the included groups for your application configuration policy,
you can also choose the specific groups to exclude. For more information, see Include
and exclude app assignments in Microsoft Intune.
Tip
This policy type is currently available only for devices running iOS/iPadOS 8.0 and
later. It supports the following app installation types:
Managed iOS/iPadOS app from the app store
App package for iOS
For more information about app installation types, see How to add an app to
Microsoft Intune. For more information about incorporating app config into your
.ipa app package for managed devices, see Managed App Configuration in the iOS
developer documentation.
2. Choose Apps > App configuration policies > Add > Managed devices. Note
that you can choose between Managed devices and Managed apps. For more
information, see Apps that support app configuration.
Name - The name of the profile that appears in the Microsoft Intune admin
center.
Description - The description of the profile that appears in the Microsoft
Intune admin center.
Device enrollment type - This setting is set to Managed devices.
5. Click Select app next to Targeted app. The Associated app pane is displayed.
6. On the Targeted app pane, choose the managed app to associate with the
configuration policy and click OK.
8. In the dropdown box, select the Configuration settings format. Select one of the
following methods to add configuration information:
For details about using the configuration designer, see Use configuration
designer. For details about entering XML data, see Enter XML data.
12. On the Assignments page, select either Add groups, Add all users, or Add all
devices to assign the app configuration policy. Once you've selected an
assignment group, you can select a filter to refine the assignment scope when
deploying app configuration policies for managed devices.
14. [Optional] Click Edit filter to add a filter and refine the assignment scope.
15. Click Select groups to exclude to display the related pane.
16. Choose the groups you want to exclude and then click Select.
Note
When adding a group, if any other group has already been included for a
given assignment type, it is pre-selected and unchangeable for other include
assignment types. Therefore, a group that has already been used cannot be used
as an excluded group.
Add a setting
1. For each key and value in the configuration, set:
Configuration key - The case sensitive key that uniquely identifies the
specific setting configuration.
Value type - The data type of the configuration value. Types include Integer,
Real, String, or Boolean.
Configuration value - The value for the configuration.
Delete a setting
1. Choose the ellipsis (...) next to the setting.
2. Select Delete.
The {{ and }} characters are used by token types only and must not be used for other
purposes.
Key Values
Note
The following apps process the above app configuration and only allow
organization accounts:
For iOS/iPadOS devices, use the following key/value pairs in a Managed Devices app
configuration policy for each Microsoft app:
Key Values
Note
Apps must have Intune App SDK for iOS version 12.3.3 or later and be targeted with
an Intune app protection policy when sign-in to a work or school account is required.
Within the app protection policy, the “Receive data from other apps” setting must be set
to “All apps with incoming Org data”.
At this time, app sign-in is only required when there is incoming Org data to a targeted
app.
Intune validates the XML format. However, Intune does not check that the XML property
list (PList) works with the target app.
XML
<dict>
<key>userprincipalname</key>
<string>{{userprincipalname}}</string>
<key>mail</key>
<string>{{mail}}</string>
<key>partialupn</key>
<string>{{partialupn}}</string>
<key>accountid</key>
<string>{{accountid}}</string>
<key>deviceid</key>
<string>{{deviceid}}</string>
<key>userid</key>
<string>{{userid}}</string>
<key>username</key>
<string>{{username}}</string>
<key>serialnumber</key>
<string>{{serialnumber}}</string>
<key>serialnumberlast4digits</key>
<string>{{serialnumberlast4digits}}</string>
<key>udidlast4digits</key>
<string>{{udidlast4digits}}</string>
<key>aaddeviceid</key>
<string>{{aaddeviceid}}</string>
<key>IsSupervised</key>
<string>{{IsSupervised}}</string>
</dict>
<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />
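Intune validates only the XML format, so the following added Python lint (not Intune's code) checks a policy's XML data before it is assigned: that it parses as a plist, that every {{token}} is one of the token types listed above, that {{ and }} appear nowhere else, and that each value uses one of the supported value types. The samples in the block are constructed, one from the token dictionary on this page and one containing the mistakes the lint is meant to catch.

```python
"""Lint an Intune iOS/iPadOS app configuration plist before assigning it.

Added example, not Intune's own code. Intune validates only that the XML is
well-formed, so this adds the checks the page leaves to the admin: every
{{token}} is one of the token types listed on this page, the {{ and }}
characters are used for nothing else, and every value is one of the supported
plist value types (integer, real, string, array, dict, true/false).
"""
import plistlib
import re
from xml.parsers.expat import ExpatError

# Token types from this page; SIGNEDDEVICEID is the one used in the Company Portal example.
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid",
    "userid", "username", "serialnumber", "serialnumberlast4digits",
    "udidlast4digits", "aaddeviceid", "IsSupervised", "SIGNEDDEVICEID",
}
# plistlib maps <integer>/<real>/<string>/<array>/<dict>/<true/><false/> to these types.
ALLOWED_VALUE_TYPES = (int, float, str, list, dict, bool)
TOKEN_RE = re.compile(r"\{\{(.*?)\}\}")


def _wrap(fragment: str) -> bytes:
    """Intune takes a bare <dict> fragment; plistlib wants a complete <plist> document."""
    text = fragment.strip()
    if not text.startswith(("<?xml", "<plist")):
        text = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                '<plist version="1.0">\n' + text + "\n</plist>")
    return text.encode("utf-8")


def _check_string(path, value, problems, tokens):
    for name in TOKEN_RE.findall(value):
        tokens.add(name)
        if name not in SUPPORTED_TOKENS:
            problems.append(f"{path}: unsupported token {{{{{name}}}}}")
    # Once the well-formed tokens are removed, any remaining {{ or }} is a misuse.
    leftover = TOKEN_RE.sub("", value)
    if "{{" in leftover or "}}" in leftover:
        problems.append(f"{path}: {{{{ or }}}} used outside a token")


def _walk(path, value, problems, tokens):
    if not isinstance(value, ALLOWED_VALUE_TYPES):
        # <data> and <date> parse fine but are not value types the policy accepts.
        problems.append(f"{path}: unsupported value type {type(value).__name__}")
    elif isinstance(value, dict):
        for key, child in value.items():
            if "{{" in key or "}}" in key:
                problems.append(f"{path}/{key}: braces are reserved for tokens in values")
            _walk(f"{path}/{key}", child, problems, tokens)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            _walk(f"{path}[{index}]", child, problems, tokens)
    elif isinstance(value, str):
        _check_string(path, value, problems, tokens)


def lint_app_config(fragment: str):
    """Return (problems, tokens_used). No problems means the payload is ready to assign."""
    problems, tokens = [], set()
    try:
        root = plistlib.loads(_wrap(fragment))
    except (ExpatError, ValueError, plistlib.InvalidFileException) as exc:
        return [f"XML parse error: {exc}"], tokens
    if not isinstance(root, dict):
        return ["top-level element must be <dict>"], tokens
    _walk("", root, problems, tokens)
    return problems, tokens


# A subset of the token dictionary shown on this page.
PAGE_SAMPLE = """<dict>
<key>userprincipalname</key><string>{{userprincipalname}}</string>
<key>deviceid</key><string>{{deviceid}}</string>
<key>IsSupervised</key><string>{{IsSupervised}}</string>
</dict>"""

# Constructed sample containing the three mistakes the lint is meant to catch.
BAD_SAMPLE = """<dict>
<key>owner</key><string>{{devicename}}</string>
<key>note</key><string>use }} carefully</string>
<key>issued</key><date>2023-03-31T00:00:00Z</date>
<key>flags</key><array><true /><integer>3</integer></array>
</dict>"""

if __name__ == "__main__":
    for label, sample in (("page sample", PAGE_SAMPLE), ("bad sample", BAD_SAMPLE)):
        problems, tokens = lint_app_config(sample)
        print(label, "tokens:", sorted(tokens), "problems:", problems or "none")
```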
1. In Microsoft Intune admin center , add the Intune Company Portal app if it has
not been added yet, by going to Apps > All apps > Add > iOS Store App.
2. Go to Apps > App configuration policies, to create an app configuration policy for
the Company Portal app.
3. Create an app configuration policy with the XML below. More information on how
to create an app configuration policy and enter XML data can be found at Add app
configuration policies for managed iOS/iPadOS devices.
Note
When the enrollment profile has "Install Company Portal" set to yes,
Intune pushes the application configuration policy below automatically
as part of the initial enrollment process. This configuration should not be
deployed manually to users or devices as this will cause a conflict with
the payload already sent during enrollment, resulting in end users
being asked to download a new management profile after signing in to
Company Portal (when they shouldn't, because there is a management
profile already installed on these devices).
XML
<dict>
<key>IntuneCompanyPortalEnrollmentAfterUDA</key>
<dict>
<key>IntuneDeviceId</key>
<string>{{deviceid}}</string>
<key>UserId</key>
<string>{{userid}}</string>
</dict>
</dict>
Use the Company Portal on an ADE device enrolled without user affinity
(also known as Device Staging):
Note
The user signing in to Company Portal is set as the primary user of the
device.
XML
<dict>
<key>IntuneUDAUserlessDevice</key>
<string>{{SIGNEDDEVICEID}}</string>
</dict>
4. Deploy the Company Portal to devices with the app configuration policy targeted
to desired groups. Be sure to only deploy the policy to groups of devices that are
already ADE enrolled.
5. Tell end users to sign into the Company Portal app when it is automatically
installed.
Note
When you add an app configuration to allow the Company Portal app on ADE
devices without user affinity, you may experience a STATE Policy Error. Unlike
other app configurations, this situation does not apply every time the device checks
in. Instead, this app configuration is meant to be a one-time operation to enable
existing devices enrolled without user affinity to attain user affinity when a user
signs into the Company Portal. This app configuration is removed from the policy in
the background once it has been successfully applied. The policy assignment will
exist, but it will not report "success" once the app configuration is removed in the
background. Once the app configuration policy has applied to the device, you can
unassign the policy.
Monitor iOS/iPadOS app configuration status per device
Once a configuration policy has been assigned, you can monitor iOS/iPadOS app
configuration status for each managed device. From Microsoft Intune in the Microsoft
Intune admin center , select Devices > All devices. From the list of managed devices,
select a specific device to display a pane for the device. On the device pane, select App
configuration.
Additional information
Deploying Outlook for iOS/iPadOS and Android app configuration settings
Next steps
Continue to assign and monitor the app.
Add app configuration policies for managed Android Enterprise devices
Article • 03/31/2023
App configuration policies in Microsoft Intune supply settings to Managed Google Play
apps on managed Android Enterprise devices. The app developer exposes Android-
managed app configuration settings. Intune uses these exposed settings to let the admin
configure features for the app. The app configuration policy is assigned to your user
groups. The policy settings are used when the app checks for them, typically the first
time the app runs.
Not every app supports app configuration. Check with the app developer to see if their
app supports app configuration policies.
Note
Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.
For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.
Email apps
Android Enterprise has several enrollment methods. The enrollment type depends on
how email is configured on the device:
2. Choose Apps > App configuration policies > Add > Managed devices. Note
that you can choose between Managed devices and Managed apps. For more
information, see Apps that support app configuration.
5. Click Select app next to Targeted app. The Associated app pane is displayed.
6. On the Associated app pane, choose the managed app to associate with the
configuration policy and click OK.
9. Click the permissions that you want to override. Permissions granted will override
the "Default app permissions" policy for the selected apps.
10. Set the Permission state for each permission. You can choose from Prompt, Auto
grant, or Auto deny.
11. If the managed app supports configuration settings, the Configuration settings
format dropdown box is visible. Select one of the following methods to add
configuration information:
For details about using the configuration designer, see Use configuration designer.
For details about entering XML data, see Enter JSON data.
12. If you need to enable users to connect the targeted app across both the work and
personal profiles, select Enabled next to Connected apps.
Note
This setting only works for personally-owned work profile and corporate-
owned work profile devices.
Changing the Connected apps setting to Not Configured will not remove the
configuration policy from the device. To remove the Connected apps
functionality from a device, you must unassign the related configuration
policy.
14. [Optional] You can configure scope tags for your app configuration policy. For
more information about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.
16. In the dropdown box next to Assign to, select either Add groups, Add all users, or
Add all devices to assign the app configuration policy. Once you've selected an
assignment group, you can select a filter to refine the assignment scope when
deploying app configuration policies for managed devices.
17. Select All users in the dropdown box.
18. [Optional] Click Edit filter to add a filter and refine the assignment scope.
19. Click Select groups to exclude to display the related pane.
20. Choose the groups you want to exclude and then click Select.
Note
When adding a group, if any other group has already been included for a
given assignment type, it is pre-selected and unchangeable for other include
assignment types. Therefore, a group that has already been used cannot be used
as an excluded group.
1. Select Add. Choose the list of configuration settings that you want to enter for the
app.
If you're using Gmail or Nine Work email apps, Android Enterprise device settings
to configure email has more information on these specific settings.
Value type: The data type of the configuration value. For String value types,
you can optionally choose a variable or certificate profile as the value type.
Configuration value: The value for the configuration. If you select variable or
certificate for the Value type, choose from a list of variables or certificate
profiles. If you choose a certificate, then the certificate alias of the certificate
deployed to the device is populated at runtime.
Option | Example
Account ID | fc0dc142-71d8-4b12-bbea-bae2a8514c81
Domain | contoso.com
Mail | john@contoso.com
User ID | 3ec2c00f-b125-4519-acf0-302ac3761822
Key | com.microsoft.intune.mam.AllowedAccountUPNs
Note
The following apps process the above app configuration and only allow
organization accounts:
Android 11+
Personally-owned work profile users must have Company Portal version 5.0.5291.0 or
newer. Corporate-owned work profile users do not need a specific version of the
Microsoft Intune app for support.
You can allow users using Android personally-owned and corporate-owned work
profiles to turn on connected apps experiences for supported apps. This app
configuration setting enables apps to connect and integrate app data across the work
and personal app instances.
For an app to provide this experience, the app needs to integrate with Google's
connected apps SDK, so only limited apps support it. You can turn on the connected
apps setting proactively, and when apps add support, users will be able to enable the
connected apps experience.
Changing the Connected apps setting to Not Configured will not remove the
configuration policy from the device. To remove the Connected apps functionality from
a device, you must unassign the related configuration policy.
Warning
If you enable the connected apps functionality for an app, work data in personal
apps will not be protected by an app protection policy.
There are two ways users may be able to connect work and personal apps after you've
enabled the connected apps setting:
Important
If multiple app configuration policies are assigned for the same app targeting the
same device, and one policy sets Connected Apps to Enabled while the other
policy does not, the app configuration will report a conflict and the resulting
behavior applied on the device will be to disallow the connected apps.
For example, an app uses the device's microphone. The user is prompted to grant the
app permission to use the microphone.
1. In the Microsoft Intune admin center , select Apps > App configuration policies
> Add > Managed devices.
2. Add the following properties:
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is Android
Enterprise prompt permissions app policy for entire company.
Description. Enter a description for the profile. This setting is optional, but
recommended.
Device enrollment type: This setting is set to Managed devices.
Platform: Select Android Enterprise.
7. To assign the app configuration policy, select the app configuration policy >
Assignment > Select groups. Choose the user groups to assign > Select.
8. Choose Save to assign the policy.
Additional information
Assign a Managed Google Play app to Android Enterprise personally-owned and
corporate-owned work profile devices
Deploying Outlook for iOS/iPadOS and Android app configuration settings
Next steps
Continue to assign and monitor the app.
App configuration policies for Intune App SDK managed apps
Article • 04/05/2023
The Intune App Software Development Kit (SDK) supports app configuration delivery
through the mobile app management (MAM) channel. Within the Intune admin center,
the MAM channel is referred to as a Managed Apps app configuration policy. The MAM
channel is different than the mobile device management (MDM) OS platform channels
that are offered when a device is enrolled.
To support app configuration through the MAM channel, the app must be integrated
with Intune App SDK. Line-of-business apps can either integrate the Intune App SDK or
use the Intune App Wrapping Tool. For a comparison between the Intune App SDK and
the Intune App Wrapping Tool, see Prepare line-of-business apps for app protection
policies.
By using the MAM channel, apps can receive app configuration policies regardless of
the device enrollment state. For information on which apps support app configuration
through the MAM channel, see Microsoft Intune protected apps. Documentation from
the app vendor should be reviewed to see what configurations are available and how
the configurations influence the behavior of the app.
For more information, see App configuration policies for Microsoft Intune.
Note
Intune requires Android 8.x or higher for device enrollment scenarios and app
configuration delivered through Managed devices app configuration policies. This
requirement does not apply to Microsoft Teams Android devices as these
devices will continue to be supported.
For Intune app protection policies and app configuration delivered through
Managed apps app configuration policies, Intune requires Android 9.0 or higher.
Name: The name of the profile that will appear in the portal.
Description: The description of the profile that will appear in the portal.
Device enrollment type: Managed apps is selected.
4. Choose either Select public apps or Select custom apps to choose the app that
you are going to configure. Select the app from the list of apps that you've
approved and synchronized with Intune.
6. The Settings page provides options that are displayed based on the app that
you're configuring:
Note
For information about app configuration settings for specific Microsoft apps, see:
9. Select a group in the Select groups to include pane and click Select.
11. Choose the groups you want to exclude and then click Select.
Note
When adding a group, if any other group has already been included for a
given assignment type, it is pre-selected and unchangeable for other include
assignment types. Therefore, a group that has already been included cannot be
used as an excluded group.
Intune supports the following token types in the configuration settings. Other custom
key/value pairs aren't supported.
Note
The {{ and }} characters are used by token types only and must not be used for
other purposes.
Next steps
Continue to assign and monitor the app as usual.
Use iOS app provisioning profiles to prevent your apps from expiring
Article • 03/31/2023
Introduction
Apple iOS/iPadOS line-of-business apps that are assigned to iPhones and iPads are built
with an included provisioning profile and code that is signed with a certificate. When the
app is run, iOS/iPadOS confirms the integrity of the iOS/iPadOS app and enforces
policies that are defined by the provisioning profile. The following validations happen:
Installation file integrity - iOS/iPadOS compares the app's details with the
enterprise signing certificate's public key. If they differ, the app's content might
have changed, and the app is not allowed to run.
Capabilities enforcement - iOS/iPadOS attempts to enforce the app's capabilities
from the enterprise provisioning profile (not individual developer provisioning
profiles) that are in the app installation (.ipa) file.
The enterprise signing certificate that you use to sign apps typically lasts for three years.
However, the provisioning profile expires after a year. While the certificate is still valid,
Intune gives you the tools to proactively assign a new provisioning profile to devices
that have apps that are nearing expiry.
After the certificate expires, you must sign the
app again with a new certificate and embed a new provisioning profile with the key of
the new certificate.
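The lifetimes described above, as an added example that is not part of the original article: a Python script that reads the expiry date out of a .mobileprovision file (the plist is located inside the CMS wrapper by its markers; on macOS, security cms -D is the proper way to unwrap it) and maps the two cases the article gives to an action: an expiring profile with a still-valid certificate means assign a new provisioning profile, an expired certificate means re-sign. The sample profile bytes, the team and bundle identifiers, the certificate expiry date, today's date and the 30-day warning window are all constructed for the example.

```python
"""Added example (not from the Intune article): read the expiry of an iOS
provisioning profile and choose the remediation the article describes."""
import plistlib
from datetime import datetime, timedelta

# A .mobileprovision is a CMS (PKCS#7) signed blob that wraps an XML plist.
# The signed wrapper is left untouched here; we only locate the plist payload.
# (On macOS, `security cms -D -i app.mobileprovision` unwraps it properly.)
PLIST_START = b"<?xml"
PLIST_END = b"</plist>"

# Constructed dates for the example (naive datetimes in UTC, the form plistlib
# returns for <date> values): a 3-year enterprise certificate, a 1-year profile.
NOW = datetime(2024, 12, 15)
CERT_EXPIRES = datetime(2027, 3, 1)


def extract_plist(blob: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision blob."""
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def remediation(profile_expires: datetime, cert_expires: datetime,
                now: datetime, warn_days: int = 30) -> str:
    """Apply the article's rules:
    - certificate expired: the app must be re-signed with a new certificate
      and a new provisioning profile embedded (assigning a profile cannot fix it);
    - certificate valid but profile expired or within warn_days of expiry:
      assign a new provisioning profile to the affected devices;
    - otherwise nothing is due."""
    if cert_expires <= now:
        return "resign-with-new-certificate"
    if profile_expires <= now + timedelta(days=warn_days):
        return "assign-new-provisioning-profile"
    return "ok"


def check_profile(blob: bytes, cert_expires: datetime, now: datetime) -> dict:
    """Summarize one profile: app identifier, expiry, days left and action."""
    info = extract_plist(blob)
    expires = info["ExpirationDate"]
    return {
        "app_id": info["Entitlements"]["application-identifier"],
        "profile_name": info["Name"],
        "profile_expires": expires,
        "days_left": (expires - now).days,
        "action": remediation(expires, cert_expires, now),
    }


def make_sample_profile() -> bytes:
    """Constructed stand-in for a real .mobileprovision: a plist carrying the
    keys Apple's profiles use, padded with bytes that mimic the CMS wrapper.
    The team and bundle identifiers are placeholders."""
    payload = plistlib.dumps({
        "AppIDName": "Contoso Field App",
        "Name": "Contoso Field App Enterprise Distribution",
        "TeamIdentifier": ["ABCDE12345"],
        "CreationDate": datetime(2024, 1, 10),
        "ExpirationDate": datetime(2025, 1, 10),
        "ProvisionsAllDevices": True,
        "Entitlements": {"application-identifier": "ABCDE12345.com.contoso.fieldapp"},
    })
    return b"\x30\x82\x20\x00" + b"\x00" * 16 + payload + b"\x00" * 8 + b"signature-bytes"


# Profile expires 2025-01-10, 26 days after NOW, while the certificate is valid.
EXAMPLE_REPORT = check_profile(make_sample_profile(), CERT_EXPIRES, NOW)

if __name__ == "__main__":
    print(EXAMPLE_REPORT)
```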
As the admin, you can include and exclude security groups to assign iOS/iPadOS app
provisioning configuration. For example, you can assign an iOS/iPadOS app provisioning
configuration to All Users, but exclude an executive group.
2. Select Apps > iOS app provisioning profiles > Create profile.
The Expiration date will be populated from a value in the Apple Mobile
Configuration Profile file that you added above.
On the Scope tags page you can optionally configure scope tags to determine
who can see iOS/iPadOS app provisioning profile in Intune. For more information
about scope tags, see Use role-based access control and scope tags for distributed
IT.
The Assignments page allows you to assign the profile to users and devices. It is
important to note that you can assign a profile to a device whether or not the
device is managed by Intune.
6. Click Next: Review + create to review the values you entered for the profile.
7. When you are done, click Create to create the iOS/iPadOS app provisioning profile
in Intune.
Next steps
Assign the profile to the required iOS/iPadOS devices. For more information, use the
steps in How to assign device profiles.
Configure the Microsoft Managed Home Screen app for Android Enterprise
Article • 08/14/2023
The Managed Home Screen is the application used for corporate-owned Android
Enterprise dedicated devices enrolled via Intune and running in multi-app kiosk mode.
For these devices, the Managed Home Screen acts as the launcher for other approved
apps to run on top of it. The Managed Home Screen provides IT admins the ability to
customize their devices and to restrict the capabilities that the end user can access. For
more details, see How to set up Microsoft Managed Home Screen on Dedicated
devices in multi-app kiosk mode.
Typically, if settings are available to you through Device configuration, configure the
settings there. Doing so will save you time, minimize errors, and will give you a better
Intune-support experience. However, some of the Managed Home Screen settings are
currently only available via the App configuration policies pane in the Intune admin
center. Use this document to learn how to configure the different settings either using
the configuration designer or a JSON script. Additionally, use this document to learn
what Managed Home Screen settings are available using Device configuration. You may
also see Dedicated device settings for a full list of settings available in Device
configuration that impact the Managed Home Screen.
If using App configuration, navigate to the Microsoft Intune admin center and select
Apps > App configuration policies. Add a configuration policy for Managed devices
running Android and choose Managed Home Screen as the associated app. Select
Configuration settings to configure the different available Managed Home Screen
settings.
Choosing a Configuration Settings Format
There are two methods that you can use to define configuration settings for Managed
Home Screen:
If you add properties with Configuration Designer, you can automatically convert these
properties to JSON by selecting Enter JSON data from the Configuration settings
format dropdown.
The following table lists the Managed Home Screen available configuration keys, value
types, default values, and descriptions. The description provides the expected device
behavior based on selected values. Configuration keys of type BundleArray are disabled
in the Configuration Designer and are further described in the Enter JSON Data section
of this document.
Configuration to customize applications, folders, and general appearance of Managed
Home Screen:
Each entry below gives the configuration key, its value type, its default value, a description, and whether the setting is also available in Device configuration (✔️).

Set allow-listed applications (bundleArray; default: see the Enter JSON Data section of this document; available in device configuration ✔️). Allows you to define the set of apps visible on the home screen from amongst the apps installed on the device. You can define the apps by entering the app package name of the apps that you want visible. For example, com.microsoft.emmx would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen.

Set pinned web links (bundleArray; default: see the Enter JSON Data section of this document; available in device configuration ✔️). Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve Managed Google Play web links to your devices. When you do, they're treated like allow-listed applications.

Set Grid Size (string; default: Auto; available in device configuration ✔️). Allows you to set the grid size for apps to be positioned on the managed home screen. You can set the number of app rows and columns to define the grid size in the following format: columns;rows. If you define the grid size, then the maximum number of apps shown in a row on the home screen is the number of rows you set. The maximum number of apps shown in a column on the home screen is the number of columns you set.

Set app icon size (integer; default: 2; available in device configuration ✔️). Allows you to set the icon size for apps displayed on the home screen. You can choose the following values in this configuration for different sizes: 0 (Smallest), 1 (Small), 2 (Regular), 3 (Large) and 4 (Largest).

Enable Wi-Fi allow-list (bool; default: FALSE; available in device configuration ✔️). True fills out the Wi-Fi allow-list key to restrict what Wi-Fi networks are shown within Managed Home Screen. Set to False to show all possible available Wi-Fi networks the device has discovered. This setting is only relevant if show Wi-Fi setting has been set to True and the Wi-Fi allow-list has been filled out.

Wi-Fi allow-list (bundleArray; default: see the Enter JSON Data section of this document; available in device configuration ✔️). Allows you to list all the SSIDs of the Wi-Fi networks you want the device to show within Managed Home Screen. This list is only relevant if show Wi-Fi setting and Enable Wi-Fi allow-list have been set to True. If either setting has
Important
The Managed Home Screen app has been updated at the API level to better adhere
with the Google Play Store's requirements. In doing so, there were some changes
to how Wi-Fi configuration works from Managed Home Screen. The changes
include the following:
Being unable to change (enable or disable) the Wi-Fi connection for the
device. Users will be able to switch between networks, but will not be able to
turn on/off Wi-Fi.
Being unable to automatically connect to a configured Wi-Fi network that
requires a password for the first time. The configured network will
automatically connect after you enter the password the first time.
Important
For devices running on Android 10+ and using Managed Home Screen, for
Bluetooth pairing to successfully work on devices that require a pairing key, admins
must enable the following Android system apps:
For more information on how to enable Android system apps, go to: Manage
Android Enterprise system apps
Enable screen saver (bool; default: FALSE; available in device configuration ✔️). Whether to enable screen saver mode. If set to true, you can configure screen_saver_image, screen_saver_show_time, inactive_time_to_show_screen_saver, and media_detect_screen_saver.

Screen saver image (string; no default; available in device configuration ✔️). Set the URL of the screen saver image. If no URL is set, devices will show the default screen saver image when the screen saver is activated. The default image shows the Managed Home Screen app icon.

Media detect before showing screen saver (bool; default: TRUE; available in device configuration ✔️). Choose whether the device screen should show the screen saver if audio/video is playing on the device. If set to true, the device won't play audio/video, regardless of the value in inactive_time_to_show_screen_saver. If set to false, the device screen will show the screen saver according to the value set in inactive_time_to_show_screen_saver.
7 Note
Managed Home Screen will start the screensaver whenever the lock screen appears.
If the system's lock screen timeout is longer than Screensaver show time then the
screen saver will show until the lock screen appears. If the system's lock screen
timeout is shorter than inactive time to enable screen saver the screensaver will
appear as soon as the device's lock screen appears.
Enable easy access debug menu (bool; default: FALSE; available in device configuration ✔️). Turn this setting to True to access the debug menu from the Managed Settings app or from swipe-down while in Managed Home Screen. The debug menu is currently where the capability to exit kiosk mode lives, and is accessed by clicking the back button about 15 times. Keep this setting set to False to keep the entry point to the debug menu only accessible via the back button.

Enable sign in (bool; default: FALSE; available in device configuration ✔️). Turn this setting to True to enable end-users to sign into Managed Home Screen. When used with Azure AD Shared device mode, users who sign in to Managed Home Screen will get automatically signed in to all other apps on the device that have participated with Azure AD's Shared device mode. By default this setting is off.

Enable session PIN (bool; default: FALSE; available in device configuration ✔️). Turn this setting to True if you want end-users to get prompted to create a local Session PIN after they've successfully signed in to Managed Home Screen. The Session PIN prompt will appear before the end-user gets access to the home screen, and can be used in conjunction with other features. The Session PIN lasts for the duration of a user's sign-in, and is cleared upon sign-

Require PIN code after returning from screensaver (bool; default: FALSE; available in device configuration ✔️). Turn this setting to True if you want to require end-users to enter their Session PIN to resume activity on Managed Home Screen after the screensaver has appeared. This setting can only be used if Enable sign in has been set to True.
7 Note
Managed Home Screen uses the exact alarm permission to do the following
actions:
Automatically sign users out after a set time of inactivity on the device
Launch a screen saver after a set period of inactivity
Automatically relaunch MHS after a certain period of time when a user exits
kiosk mode
For devices running Android 14 and higher, by default, the exact alarm permission
will be denied. To make sure critical user functionality is not impacted, end-users
will be prompted to grant exact alarm permission upon first launch of Managed
Home Screen.
Set allow-listed applications (bundleArray): Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, com.android.settings would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen.

Set pinned web links (bundleArray): Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve Managed Google Play web links to your devices. When you do, they're treated like allow-listed applications.

Create Managed Folder for grouping apps (bundleArray): Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. Note: all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen.
The following syntax is an example JSON script with all the available configuration keys
included:
JSON
{
"kind": "androidenterprise#managedConfiguration",
"productId": "app:com.microsoft.launcher.enterprise",
"managedProperty": [
{
"key": "lock_home_screen",
"valueBool": true
},
{
"key": "wallpaper",
"valueString": "default"
},
{
"key": "icon_size",
"valueInteger": 2
},
{
"key": "app_folder_icon",
"valueInteger": 0
},
{
"key": "screen_orientation",
"valueInteger": 1
},
{
"key": "applications",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString": "app package name here"
}
]
}
]
},
{
"key": "weblinks",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "link",
"valueString": "link here"
},
{
"key": "label",
"valueString": "weblink label here"
}
]
}
]
},
{
"key": "widgets",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString": "package name of application that exposes the widget here. An example: com.microsoft.launcher.enterprise"
},
{
"key": "widget_class",
"valueString": "class name of widget here. An example: Time"
},
{
"key": "span_x",
"valueInteger": 5
},
{
"key": "span_y",
"valueInteger": 2
}
]
}
]
},
{
"key": "show_virtual_home",
"valueBool": false
},
{
"key": "virtual_home_type",
"valueString": "swipe_up"
},
{
"key": "show_virtual_status_bar",
"valueBool": true
},
{
"key": "exit_lock_task_mode_code",
"valueString": "123456"
},
{
"key": "show_wifi_setting",
"valueBool": false
},
{
"key": "show_bluetooth_setting",
"valueBool": false
},
{
"key": "show_flashlight_setting",
"valueBool": false
},
{
"key": "show_volume_setting",
"valueBool": false
},
{
"key": "show_device_info_setting",
"valueBool": false
},
{
"key": "show_device_name",
"valueBool": false
},
{
"key": "device_name",
"valueString": "{{DeviceName}}"
},
{
"key": "device_serial_number",
"valueString": "{{SerialNumber}}"
},
{
"key": "show_managed_setting",
"valueBool": false
},
{
"key": "enable_easy_access_debugmenu",
"valueBool": false
},
{
"key": "enable_wifi_allowlist",
"valueBool": false
},
{
"key": "wifi_allowlist",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "SSID",
"valueString": "name of Wi-Fi network 1 here"
}
]
},
{
"managedProperty": [
{
"key": "SSID",
"valueString": "name of Wi-Fi network 2 here"
}
]
}
]
},
{
"key": "grid_size",
"valueString": "4;5"
},
{
"key": "app_order_enabled",
"valueBool": true
},
{
"key": "apps_in_folder_ordered_by_name",
"valueBool": true
},
{
"key": "app_orders",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString": "com.microsoft.emmx"
},
{
"key": "type",
"valueString": "application"
},
{
"key": "container",
"valueInteger": 1
},
{
"key": "position",
"valueInteger": 1
}
]
},
{
"managedProperty": [
{
"key": "folder_name",
"valueString": "Work"
},
{
"key": "type",
"valueString": "managed_folder"
},
{
"key": "container",
"valueInteger": 1
},
{
"key": "position",
"valueInteger": 2
}
]
},
{
"managedProperty": [
{
"key": "package",
"valueString": "com.microsoft.launcher.enterprise"
},
{
"key": "type",
"valueString": "application"
},
{
"key": "class",
"valueString": "com.microsoft.launcher.launcher"
},
{
"key": "container",
"valueInteger": 1
},
{
"key": "position",
"valueInteger": 3
}
]
},
{
"managedProperty": [
{
"key": "package",
"valueString": "class name for widget here"
},
{
"key": "type",
"valueString": "widget"
},
{
"key": "container",
"valueInteger": 1
},
{
"key": "position",
"valueInteger": 1
}
]
}
]
},
{
"key": "managed_folders",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "folder_name",
"valueString": "Folder name here"
},
{
"key": "applications",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString":
"com.microsoft.emmx"
}
]
},
{
"managedProperty": [
{
"key": "package",
"valueString":
"com.microsoft.bing"
}
]
},
{
"managedProperty": [
{
"key": "link",
"valueString":
"https://microsoft.com/"
}
]
}
]
}
]
},
{
"managedProperty": [
{
"key": "folder_name",
"valueString": "Example folder name 2"
},
{
"key": "is_customer_facing",
"valueBool": true
},
{
"key": "applications",
"valueBundleArray": [
{
"managedProperty": [
{
"key": "package",
"valueString":
"com.microsoft.office.word"
}
]
}
]
}
]
}
]
},
{
"key": "show_notification_badge",
"valueBool": true
},
{
"key": "show_screen_saver",
"valueBool": true
},
{
"key": "screen_saver_image",
"valueString": "URL to desired screen saver image here"
},
{
"key": "screen_saver_show_time",
"valueInteger": 0
},
{
"key": "inactive_time_to_show_screen_saver",
"valueInteger": 30
},
{
"key": "media_detect_before_screen_saver",
"valueBool": true
},
{
"key": "enable_max_inactive_time_outside_MHS",
"valueBool": false
},
{
"key": "enable_max_absolute_time_outside_MHS",
"valueBool": false
},
{
"key": "max_inactive_time_outside_MHS",
"valueInteger": 180
},
{
"key": "max_absolute_time_outside_MHS",
"valueInteger": 600
},
{
"key": "theme_color",
"valueString": "light"
},
{
"key": "enable_mhs_signin",
"valueBool": true
},
{
"key": "block_pinning_browser_web_pages_to_MHS",
"valueBool": true
},
{
"key": "signin_type",
"valueString": "AAD"
},
{
"key": "signin_screen_wallpaper",
"valueString": "URL to desired image for signin screen wallpaper here"
},
{
"key": "enable_corporate_logo",
"valueBool": true
},
{
"key": "signin_screen_branding_logo",
"valueString": "URL to desired image for branding logo here"
},
{
"key": "enable_session_PIN",
"valueBool": true
},
{
"key": "session_PIN_complexity",
"valueString": "simple"
},
{
"key": "max_number_of_attempts_for_session_PIN",
"valueInteger": 0
},
{
"key": "minimum_length_for_session_PIN",
"valueInteger": 1
},
{
"key": "max_number_of_attempts_for_exit_PIN",
"valueInteger": 0
},
{
"key": "amount_of_time_before_try_exit_PIN_again",
"valueInteger": 0
},
{
"key": "enable_auto_signout",
"valueBool": true
},
{
"key": "inactive_time_to_signout",
"valueInteger": 300
},
{
"key": "auto_signout_time_to_give_user_notice",
"valueInteger": 30
},
{
"key": "enable_PIN_to_resume",
"valueBool": true
},
{
"key": "custom_privacy_statement_title",
"valueString": "name of custom privacy statement here"
},
{
"key": "custom_privacy_statement_url",
"valueString": "link to custom privacy statement here"
}
]
}
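The managedConfiguration JSON above is the shape the admin center accepts when you choose Enter JSON data. As an added example that is not part of the original article or of the Managed Home Screen app, the following Python flattens a document of that shape into plain values and lints the dependencies the tables in this article describe: apps in folders or app orders must be allow-listed, grid_size is columns;rows, icon_size is 0 to 4, the Wi-Fi allow-list only works with show Wi-Fi setting, Require PIN after screensaver needs sign-in, the debug menu, the exit code left at the documentation sample, and stray {{ }} braces. The sample document, its package names and its SSID are constructed for the example, and the token spelling the regex accepts is an assumption.

```python
"""Added example (not from the Intune docs or the Managed Home Screen app):
flatten a managedConfiguration document and lint Managed Home Screen settings."""
import json
import re

VALUE_KEYS = ("valueBool", "valueString", "valueInteger", "valueBundleArray")
TOKEN_RE = re.compile(r"\{\{[A-Za-z0-9]+\}\}")  # assumed token shape, e.g. {{DeviceName}}
GRID_RE = re.compile(r"[1-9]\d*;[1-9]\d*")        # grid_size is "columns;rows"


def flatten(managed_properties: list) -> dict:
    """Turn [{"key": k, "valueXxx": v}, ...] into {k: v}; a valueBundleArray
    becomes a list of flattened dicts so nested settings read naturally."""
    out = {}
    for prop in managed_properties:
        value_key = next(k for k in VALUE_KEYS if k in prop)
        value = prop[value_key]
        if value_key == "valueBundleArray":
            value = [flatten(item["managedProperty"]) for item in value]
        out[prop["key"]] = value
    return out


def load_config(document: str) -> dict:
    """Parse the JSON the admin center accepts and return the flattened keys."""
    doc = json.loads(document)
    if doc.get("kind") != "androidenterprise#managedConfiguration":
        raise ValueError("not a managedConfiguration document")
    if not str(doc.get("productId", "")).startswith("app:"):
        raise ValueError("productId must be app:<package name>")
    return flatten(doc["managedProperty"])


def lint(config: dict) -> list:
    """Report violations of the setting dependencies the article describes."""
    findings = []
    allowed = {app.get("package") for app in config.get("applications", [])}
    # Apps placed in folders or ordered on the grid must also be allow-listed.
    for folder in config.get("managed_folders", []):
        for item in folder.get("applications", []):
            pkg = item.get("package")
            if pkg and pkg not in allowed:
                findings.append("folder %r references %s, which is not allow-listed" % (folder.get("folder_name"), pkg))
    for entry in config.get("app_orders", []):
        if entry.get("type") == "application" and entry.get("package") not in allowed:
            findings.append("app_orders references %s, which is not allow-listed" % entry.get("package"))
    grid = config.get("grid_size")
    if grid not in (None, "Auto") and not GRID_RE.fullmatch(grid):
        findings.append("grid_size %r is not in columns;rows format" % grid)
    if config.get("icon_size") not in (None, 0, 1, 2, 3, 4):
        findings.append("icon_size must be between 0 (Smallest) and 4 (Largest)")
    # The Wi-Fi allow-list only takes effect with show_wifi_setting and a filled list.
    if config.get("enable_wifi_allowlist"):
        if not config.get("wifi_allowlist"):
            findings.append("enable_wifi_allowlist is true but wifi_allowlist is empty")
        if not config.get("show_wifi_setting"):
            findings.append("enable_wifi_allowlist has no effect while show_wifi_setting is false")
    # Require PIN after the screensaver can only be used when sign-in is enabled.
    if config.get("enable_PIN_to_resume") and not config.get("enable_mhs_signin"):
        findings.append("enable_PIN_to_resume requires enable_mhs_signin to be true")
    # The debug menu holds the exit-kiosk capability; keep it behind the back button.
    if config.get("enable_easy_access_debugmenu"):
        findings.append("enable_easy_access_debugmenu exposes the debug menu via swipe-down")
    if config.get("exit_lock_task_mode_code") == "123456":
        findings.append("exit_lock_task_mode_code still holds the documentation sample value")
    # {{ and }} are reserved for tokens; any brace left after removing tokens is stray.
    for key, value in config.items():
        if isinstance(value, str) and set("{}") & set(TOKEN_RE.sub("", value)):
            findings.append(key + ": '{{' and '}}' are reserved for token types")
    return findings


# Constructed sample document: four deliberate problems, one valid token.
SAMPLE_JSON = """{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher.enterprise",
  "managedProperty": [
    {"key": "lock_home_screen", "valueBool": true},
    {"key": "grid_size", "valueString": "4;5"},
    {"key": "icon_size", "valueInteger": 2},
    {"key": "device_name", "valueString": "{{DeviceName}}"},
    {"key": "show_wifi_setting", "valueBool": false},
    {"key": "enable_wifi_allowlist", "valueBool": true},
    {"key": "wifi_allowlist", "valueBundleArray": [
      {"managedProperty": [{"key": "SSID", "valueString": "Contoso-Kiosk"}]}]},
    {"key": "exit_lock_task_mode_code", "valueString": "123456"},
    {"key": "enable_easy_access_debugmenu", "valueBool": false},
    {"key": "enable_mhs_signin", "valueBool": false},
    {"key": "enable_PIN_to_resume", "valueBool": true},
    {"key": "applications", "valueBundleArray": [
      {"managedProperty": [{"key": "package", "valueString": "com.microsoft.emmx"}]},
      {"managedProperty": [{"key": "package", "valueString": "com.microsoft.office.word"}]}]},
    {"key": "managed_folders", "valueBundleArray": [
      {"managedProperty": [
        {"key": "folder_name", "valueString": "Work"},
        {"key": "applications", "valueBundleArray": [
          {"managedProperty": [{"key": "package", "valueString": "com.microsoft.emmx"}]},
          {"managedProperty": [{"key": "package", "valueString": "com.microsoft.bing"}]}]}]}]}
  ]
}"""

CONFIG = load_config(SAMPLE_JSON)   # flattened settings of the constructed sample
FINDINGS = lint(CONFIG)             # four findings for the sample above
```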
Next steps
For more information about Android Enterprise dedicated devices, see Set up
Intune enrollment of Android Enterprise dedicated devices.
How to configure the Intune Company Portal apps, Company Portal website, and Intune app
Article • 03/23/2023
The Company Portal apps, Company Portal website, and Intune app on Android are
where users access company data and can do common tasks. Common tasks may include
enrolling devices, installing apps, and locating information (such as for assistance from
your IT department). Additionally, they allow users to securely access company
resources. The end-user experience provides several different pages, such as Home,
Apps, App details, Devices, and Device details. To quickly find apps within the Company
Portal, you can filter the apps on the Apps page.
Note
The minimum supported version of the iOS Company Portal app is v4.16.0. If users
are running v4.14.1 or below, they will be prompted for an update at login.
Branding
The following table provides the branding customization details for the end-user
experience:
Organization name: This name is displayed throughout the messaging in the end-user experience. It can be set to display in headers as well using the Show in header setting. Max length is 40 characters.

Color: Choose Standard to choose from five standard colors. Choose Custom to select a specific color based on a hex code value.

Theme color: Set the theme color to show across the end-user experience. We'll automatically set the text color to black or white so that it's most visible on top of your selected theme color.

Show in header: Select whether the header in the end-user experiences should display the Organization logo and name, the Organization logo only, or the Organization name only. The preview boxes below will only show the logos, not the name.

Upload logo for theme color background: Upload the logo you want to show on top of your selected theme color. For the best appearance, upload a logo with a transparent background. You can see how this will look in the preview box below the setting. Recommended image height: Greater than 72 px.

Upload logo for white or light background: Upload the logo you want to show on top of white or light-colored backgrounds. For the best appearance, upload a logo with a transparent background. You can see how this will look on a white background in the preview box below the setting. Recommended image height: Greater than 72 px.
When a user is installing an iOS/iPadOS application from the Company Portal they
will receive a prompt. This occurs when the iOS/iPadOS app is linked to the app
store, linked to a volume-purchase program (VPP), or linked to a line-of-business
(LOB) app. The prompt allows the users to accept the action or allow management
of the app. The prompt will display your company name, or when your company
name is unavailable, Company Portal will be displayed.
Reach out to your marketing or art department. They may already have an
approved set of brand images. They may also be able to help you optimize images
as needed.
Consider both landscape and portrait composition. The image should have
sufficient background surrounding the focal point. The image may be cropped
differently based on device size, orientation, and platform.
Avoid using a generic, stock image. The image should reflect your organization's
brand and feel familiar to users. If you don't have one, it's better to not use one
than use a generic one that has no meaning to your user.
Remove unnecessary metadata. Image file can come with metadata such as camera
profile, geo location, title, caption, and so on. Use an image optimization tool to
strip out this information to maintain quality while meeting file size limit.
Support information
Enter your organization's support information, so employees can reach out with
questions. This support information will be displayed on Support, Help & Support, and
Helpdesk pages across the end-user experience.
Contact name (max length: 40): This name is who users will reach when they contact support.

Email address (max length: 40): This email address is where users can send emails for support. You must enter a valid email address in the format alias@domainname.com.

Website name (max length: 40): This is the friendly name that is displayed in some locations for the URL to the support website. If you specify a support website URL and no friendly name, then the URL itself is displayed in the end-user experiences.

Website URL (max length: 150): The support website that users should use. The URL must be in the format https://www.contoso.com.
Configuration
You can configure the Company Portal experience specifically for enrollment, privacy,
notifications, device categories, app sources, and self-service actions.
Enrollment
The following table provides enrollment-specific configuration details:
Device enrollment (max length: N/A): Specify if and how users should be prompted to enroll into mobile device management. For more information, see Device enrollment setting options.
Device enrollment setting options
Support for the device enrollment setting requires end users have these Company Portal
versions:
Important
The following settings do not apply to iOS/iPadOS devices configured to enroll with
Automated Device Enrollment. Regardless of how these settings are configured,
iOS/iPadOS devices configured to enroll with Automated Device Enrollment will
enroll during the out of box flow and users will be prompted to sign in when they
launch the Company Portal.
The following settings do apply to Android devices configured with Samsung Knox
Mobile Enrollment (KME). If a device has been configured for KME and device
enrollment is set to Unavailable, the device will not be able to enroll during the out
of box flow.
For the Android Company Portal app, if Intune detects that the user's device is set
up for app protection policies without enrollment, the user will not get prompted
to enroll in the Company Portal, even if the device enrollment setting is configured
to prompt enrollment. This applies to all Android device types except Surface Duo
devices.
Privacy
The following table provides privacy-specific configuration details:
Privacy message about what support can't see or do (iOS/iPadOS) (max length: 520): Keep the default message or customize the message to list the items that your organization can't see on managed iOS/iPadOS devices. You can use markdown to add bullets, bolding, italics, and links.

Privacy message about what support can see or do (iOS/iPadOS) (max length: 520): Keep the default message or customize the message to list the items that your organization can see on managed iOS/iPadOS devices. You can use markdown to add bullets, bolding, italics, and links.
For related information, see Configure feedback settings for Company Portal and
Microsoft Intune apps.
Device categories
You can allow or block the device category prompt in Intune Company Portal.
Let users select device categories in the Company Portal (max length: N/A): If your tenant has device categories set up, users on targeted devices are prompted to choose a category when they sign in to Company Portal. Select Block to hide the prompt across all platforms. Select Allow to show the prompt. The category selection prompt goes away once someone chooses a category, and doesn't reappear. This setting is intended to be used with device categories. If there are no device categories in your tenant, no selection prompt will appear. For more information about creating device categories, see Categorize devices into groups.
App sources
You can choose which additional app sources will be shown in Company Portal.
Office Online Applications (max length: N/A): Select Hide or Show to display Office Online applications in the Company Portal for each end user. For more information, see App source setting options.
Note
Apps from the Configuration Manager Applications app source are only displayed in the
Windows Company Portal. However, apps from either the Azure AD Enterprise Applications
app source or the Office Online Applications app source are displayed in both the
Windows Company Portal and the Company Portal website.
You can hide or show Azure AD Enterprise applications, Office Online applications, and
Configuration Manager applications in the Company Portal for each end user. Show
will cause the Company Portal to display the entire applications catalog from the chosen
Microsoft service(s) assigned to the user. Azure AD Enterprise applications are
registered and assigned via the Microsoft Intune admin center. Office Online
applications are assigned using the licensing controls available in the M365 Admin
Center. In the Microsoft Intune admin center, select Tenant administration >
Customization to find this configuration setting. By default, each additional app source
will be set to Hide.
Hide Remove button on corporate Windows devices. (This setting will always show
as disabled because the Remove button for corporate Windows devices is always
hidden.)
Hide Reset button on corporate Windows devices.
Hide Remove button on corporate iOS/iPadOS devices.
Hide Reset button on corporate iOS/iPadOS devices.
Note
These actions can be used to restrict device actions in the Company Portal app and
website and do not implement any device restriction policies. To restrict users from
performing factory reset or MDM removal from settings, you must configure device
restriction policies.
Also, these customizations are only available in the default Customization policy,
not in the group targeted Customization policies.
Upon selecting the Company Portal, the user will be directed to the corresponding page
in the application when the URI path is one of the following:
/apps - The Web Company Portal will open the Apps page that lists all of the apps.
/apps/[appID] - The Web Company Portal will open the Details page of the
corresponding app.
The URI path is different or unexpected - The Web Company Portal home page will
be displayed.
If the user does not have the Company Portal app installed, the user will be taken to the
Web Company Portal.
Note
To improve page load performance on the Company Portal website, app icons will
now load in batches. End users may temporarily see a placeholder icon for some of
their applications while loading the Company Portal website.
For feedback related information, see Configure feedback settings for Company Portal
and Microsoft Intune apps.
Company Portal and Apple Setup Assistant for iOS/iPadOS
For iOS/iPadOS devices running 13.0 and later, when creating an Automated Device
Enrollment profile, you can now choose a new authentication method: Setup Assistant
with modern authentication. This method provides all the security from authenticating
with the Company Portal but avoids the issue of leaving end users stuck on a device that
they can't use while the Company Portal installs on the device. The user has to
authenticate using Azure AD credentials during the setup assistant screens. This will
require an additional Azure AD login post-enrollment in the Company Portal app to gain
access to corporate resources protected by Conditional Access and for Intune to assess
device compliance. The correct Company Portal version will automatically be sent down
as a required app to the device for iOS/iPadOS, which we recommend choosing a VPP
token for from the enrollment profile.
Enrollment is completed once the user lands on the home screen, and users can freely
use the device for resources not protected by Conditional Access. User affinity is
established when users complete the additional Azure AD login into the Company Portal
app on the device. If the tenant has multi-factor authentication turned on for these
devices or users, the users will be asked to complete multi-factor authentication during
enrollment during Setup Assistant. Multi-factor authentication is not required, but it is
available for this authentication method within Conditional Access if needed.
Note
The user will see instructions about derived credentials based on the link that you
have specified via Intune.
For more information about derived credentials for iOS/iPadOS devices, see Use derived
credentials in Microsoft Intune.
The following keyboard shortcuts are available in the Windows Company Portal app.
    Home: Alt+H
    My profile: Alt+P
    Settings: Alt+T
End users will also be able to see the available shortcuts in the Windows Company
Portal app.
To customize the available user self-service actions, see Customizing user self-service
actions for the Company Portal.
Self-Service Actions
Some platforms and configurations do not allow self-service device actions. The table
below provides further details about self-service actions:
(2) Key Recovery for macOS is only available via the Web Portal.
(3) All remote actions are disabled if using a Device Enrollment Manager enrollment.
(4) Rename only changes the device name in the Company Portal app or Web Portal, not on the device.
(5) Wipe is not available on User Enrolled iOS/iPadOS devices.
(6) Reset Passcode is not supported on some Android and Android Enterprise configurations. For more information, see Reset or remove a device passcode in Intune.
(7) Retire and Wipe are not available on Android Enterprise Device Owner scenarios (COPE, COBO, COSU).
(9) All iOS/iPadOS Automated Device Enrollment devices (formerly known as DEP) have Retire and Wipe options disabled.
App logs
App users can share their logs with you when requesting help through the Intune
Company Portal app or Microsoft Intune app. If you're using Azure Government, users
get to select their sharing preference when they initiate the sharing process. If you're
not using Azure Government, user-submitted logs are sent directly to Microsoft support
or the admin center.
Important
Support for accessing mobile app diagnostics in the admin center is in public
preview. For more information, see Public preview in Microsoft Intune.
You can download user-submitted mobile app diagnostics in the admin center for the
Android, AOSP, and Windows versions of the Company Portal app. To download user-
submitted logs, go to Troubleshooting + support > Diagnostics. For more information,
see Use the troubleshooting dashboard to help users at your company.
Note
Consistent with Microsoft and Apple policy, we do not sell any data collected by
our service to any third parties for any reason.
Note
Users must update to recent versions of the Android Company Portal (version
5.0.5291.0, released in October 2021) or Android Intune app (version 2021.09.04,
released in September 2021) to receive custom notifications on Android devices. If
users do not update prior to Intune's November (2111) service release and they are
sent a custom notification, they will instead receive a notification telling them to
update their app to view the notification. Once they update their app, they will see
the message sent by your organization in the Notifications section in the app.
Notifications from the iOS/iPadOS Company Portal app are now delivered to devices
using the default Apple sound, rather than being delivered silently. To turn the
notification sound off from the iOS/iPadOS Company Portal app, select Settings >
Notifications > Comp Portal and select the Sound toggle.
Policy Name (Default State)
    Policy Summary

Allow the use of connected experiences in Office (Default State: Enabled)
    Controls whether clients can use the suite of connected experiences, including feedback.
Allow users to submit feedback to Microsoft (Default State: Enabled)
    Controls the feedback entry points across applications.
Allow users to receive and respond to in-product surveys from Microsoft (Default State: Enabled)
    Controls the survey prompts within the product.
Allow users to include screenshots and attachments when they submit feedback to Microsoft (Default State: Disabled)
    Controls the metadata the user can decide to submit with the feedback and survey.
Allow Microsoft to follow up on feedback submitted by users (Default State: Disabled)
    Controls whether the user can share contact info with the feedback and survey.
Allow users to include log files and content samples when feedback is submitted to Microsoft (Default State: Disabled)
    Controls the metadata the user can decide to submit with the feedback and survey.
Next steps
Configure your organization's logo and brand color for new tab pages in Microsoft
Edge for iOS and Android
Add apps
Configure Microsoft Launcher
Article • 03/06/2023
Microsoft Launcher is an Android application that lets users personalize their phone, stay
organized on the go, and move from working on their phone to working on their PC.
Configuration designer allows you to configure settings with an easy-to-use UI that lets
you toggle features on or off and set values. In this method, there are a few disabled
configuration keys with value type BundleArray. These configuration keys can only be
configured by entering JSON data.
JSON data allows you to define all possible configuration keys using a JSON script.
If you add properties with Configuration Designer, you can automatically convert these
properties to JSON by selecting Enter JSON data from the Configuration settings format
dropdown list as shown below.
Note
Once properties are configured via the Configuration Designer, the JSON data will also
be updated to only reflect these properties. To add additional configuration keys into
the JSON Data, use the JSON script example to copy the necessary lines for each
configuration key.
When editing previously created app configuration policies, if complex properties have been
configured, the edit process will display the JSON Data editor. All previously configured
settings will be preserved and you can switch to use the configuration designer to modify
supported settings.
The following table lists the Microsoft Launcher available configuration keys, value types,
default values, and descriptions. The description provides the expected device behavior
based on the selected values. Configuration keys that are disabled in Configuration Designer
are not listed in the table.
Configuration Key (Value type; Default value)
    Description

Enrollment Type (Value type: String; Default value: Default)
    Allows you to set the enrollment type this policy should apply to. Currently, the value Default refers to CorporateOwnedBusinessOnly. There are no other supported enrollment types at present. JSON key name: management_mode_key

Home Screen App Order User Change Allowed (Value type: Boolean; Default value: True)
    Allows you to specify if the Home Screen App Order setting can be changed by the end user. If set to True, the app order defined in the policy will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made. If set to False, the app order will be enforced on every sync. Note: The Home Screen App order can only be configured via the JSON editor. JSON key name: com.microsoft.launcher.HomeScreen.AppOrder.UserChangeAllowed

Set Grid Size (Value type: String; Default value: Auto)
    Allows you to set the grid size for apps to be positioned on the home screen. You can set the number of app rows and columns to define the grid size in the following format: columns;rows. If you define the grid size, the maximum number of apps that will be shown in a row on the home screen would be the number of rows you set, and the maximum number of apps that will be shown in a column on the home screen would be the number of columns you set. JSON key name: com.microsoft.launcher.HomeScreen.GridSize

Set Device Wallpaper (Value type: String; Default value: Null)
    Allows you to set a wallpaper of your choice by entering the URL of the image that you want to set as a wallpaper. JSON key name: com.microsoft.launcher.Wallpaper.URL

Set Device Wallpaper User Change Allowed (Value type: Boolean; Default value: True)
    Allows you to specify if the Set Device Wallpaper setting can be changed by the end user. If set to True, the wallpaper in the policy will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made. If set to False, the wallpaper will be enforced on every sync. JSON key name: com.microsoft.launcher.Wallpaper.URL.UserChangeAllowed

Feed Enable (Value type: Boolean; Default value: True)
    Allows you to enable the launcher feed on the device when the user swipes to the right on the home screen. If set to True, the feed will be enabled. If set to False, the feed will be disabled. JSON key name: com.microsoft.launcher.Feed.Enabled

Feed Enable User Change Allowed (Value type: Boolean; Default value: True)
    Allows you to specify if the Feed Enable setting can be changed by the end user. If set to True, the feed setting will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made. If set to False, the feed setting will be enforced on every sync. JSON key name: com.microsoft.launcher.Feed.Enabled.UserChangeAllowed

Search Bar Placement (Value type: String; Default value: Bottom)
    Allows you to specify the placement of the search bar on the home screen. If set to Bottom, the search bar will be located at the bottom of the home screen. If set to Top, the search bar will be located at the top of the home screen. If set to Hidden, the search bar will be removed from the home screen. JSON key name: com.microsoft.launcher.Search.SearchBar.Placement

Search Bar Placement User Change Allowed (Value type: Boolean; Default value: True)
    Allows you to specify if the Search Bar Placement setting can be changed by the end user. If set to True, the search bar placement will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made. If set to False, the placement of the search bar will be enforced on every sync. JSON key name: com.microsoft.launcher.Search.SearchBar.Placement.UserChangeAllowed
    NOTE: For Microsoft Launcher v6.2 and later, this setting will no longer be enforced. Therefore, setting this value to True will have no effect. Your end users will not be able to customize the location of the search bar on their device.

Dock Mode (Value type: String; Default value: Show)
    Allows you to enable the dock on the device when the user swipes up from the bottom of the home screen. If set to Show, the dock will be enabled. If set to Hidden, the dock will be hidden from the home screen, but the user can display it when it is needed. If set to Disabled, the dock will be disabled. JSON key name: com.microsoft.launcher.Dock.Mode

Dock Mode User Change Allowed (Value type: String; Default value: True)
    Allows you to specify if the Dock Mode setting can be changed by the end user. If set to True, the dock mode setting will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made. If set to False, the dock mode setting will be enforced on every sync. JSON key name: com.microsoft.launcher.Dock.Mode.UserChangeAllowed

JSON key com.microsoft.launcher.HomeScreen.Applications (Value type: BundleArray, configured via JSON data)
    Properties:
    Package: The application package name.
    Class: The application activity, which is specific to a certain app page. It would use the default app page if this value is empty.

Home Screen App Order, JSON key com.microsoft.launcher.HomeScreen.AppOrder (Value type: BundleArray, configured via JSON data)
    Properties:
    Type: If you want to specify positions of apps, the only type supported is application. If you want to specify positions of web links, the type is weblink.
    Position: This specifies the application icon slot on the home screen. This starts from position 1 on the top left, and goes left to right, top to bottom.
    Package: This is the application package name used for specifying app order.
    Class: This is an application activity, which is specific to a certain app page. The default app page will be used if this value is empty. This property is used for apps.
    Label: This is an application activity, which is specific to a certain app page. The default app page will be used if this value is empty. This property is used for apps.
    Link: The URL to be launched.

JSON key com.microsoft.launcher.HomeScreen.WebLinks (Value type: BundleArray, configured via JSON data)
    Properties:
    Label: The weblink title displayed on the MS Launcher home screen.
    Link: The URL to be launched after the end user clicks the web link icon.

Set Folder Icon Shape, Open Format, and Scroll Direction
    Properties:
    folderShape: This key can be set as one of the five values: Rounded_square, Square, Squircle, Round, and Teardrop.
    openFullScreen: This key can be set as one of the values: True or False. If set to True, the folder will be opened in full screen. If set to False, the folder will not be opened in full screen.
    folderScroll: This key can be set as one of the values: vertical or horizontal. The default value is set as vertical.

Set Folder Icon Shape, Open Format, and Scroll Direction User Change Allowed (Value type: Boolean; Default value: True)
    Allows you to specify if the Folder Style setting can be changed by the end user. If set to True, the shape of the folder, the way the folder opens, and the way the folder scrolls as defined in the policy will only be enforced for the initial deployment. Subsequently, the policy will not be enforced, to respect any changes the user may have made later. If set to False, the shape of the folder, the way the folder opens, and the way the folder scrolls will be enforced on every sync. JSON key: com.microsoft.launcher.Folder.Style.UserChangeAllowed

JSON examples for the BundleArray keys:

    {
      "key": "com.microsoft.launcher.HomeScreen.Applications",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "package", "valueString": "com.android.settings" },
            { "key": "class", "valueString": "" }
          ]
        }
      ]
    }

    {
      "key": "com.microsoft.launcher.HomeScreen.AppOrder",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "type", "valueString": "application" },
            { "key": "position", "valueInteger": 1 },
            { "key": "package", "valueString": "com.android.settings" },
            { "key": "class", "valueString": "" }
          ]
        }
      ]
    }

    {
      "key": "com.microsoft.launcher.HomeScreen.WebLinks",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "label", "valueString": "weblink" },
            { "key": "link", "valueString": "https://www.microsoft.com" }
          ]
        }
      ]
    }

    {
      "key": "com.microsoft.launcher.HomeScreen.AppOrder",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "type", "valueString": "weblink" },
            { "key": "position", "valueInteger": 2 },
            { "key": "label", "valueString": "Microsoft" },
            { "key": "link", "valueString": "https://www.microsoft.com" }
          ]
        }
      ]
    }
JSON
    {
      "kind": "androidenterprise#managedConfiguration",
      "productId": "app:com.microsoft.launcher",
      "managedProperty": [
        {
          "key": "management_mode_key",
          "valueString": "Default"
        },
        {
          "key": "com.microsoft.launcher.Feed.Enable.UserChangeAllowed",
          "valueBool": false
        },
        {
          "key": "com.microsoft.launcher.Feed.Enable",
          "valueBool": true
        },
        {
          "key": "com.microsoft.launcher.Wallpaper.Url.UserChangeAllowed",
          "valueBool": false
        },
        {
          "key": "com.microsoft.launcher.Wallpaper.Url",
          "valueString": "http://www.contoso.com/wallpaper.png"
        },
        {
          "key": "com.microsoft.launcher.HomeScreen.GridSize",
          "valueString": "5;5"
        },
        {
          "key": "com.microsoft.launcher.HomeScreen.Applications",
          "valueBundleArray": [
            {
              "managedProperty": [
                { "key": "package", "valueString": "com.ups.mobile.android" },
                { "key": "class", "valueString": "" }
              ]
            },
            {
              "managedProperty": [
                { "key": "package", "valueString": "com.microsoft.teams" },
                { "key": "class", "valueString": "" }
              ]
            },
            {
              "managedProperty": [
                { "key": "package", "valueString": "com.microsoft.bing" },
                { "key": "class", "valueString": "" }
              ]
            }
          ]
        },
        {
          "key": "com.microsoft.launcher.HomeScreen.WebLinks",
          "valueBundleArray": [
            {
              "managedProperty": [
                { "key": "label", "valueString": "News" },
                { "key": "link", "valueString": "https://www.contoso.com" }
              ]
            }
          ]
        },
        {
          "key": "com.microsoft.launcher.HomeScreen.AppOrder.UserChangeAllowed",
          "valueBool": false
        },
        {
          "key": "com.microsoft.launcher.HomeScreen.AppOrder",
          "valueBundleArray": [
            {
              "managedProperty": [
                { "key": "type", "valueString": "application" },
                { "key": "position", "valueInteger": 17 },
                { "key": "package", "valueString": "com.ups.mobile.android" },
                { "key": "class", "valueString": "" }
              ]
            },
            {
              "managedProperty": [
                { "key": "type", "valueString": "application" },
                { "key": "position", "valueInteger": 18 },
                { "key": "package", "valueString": "com.microsoft.teams" },
                { "key": "class", "valueString": "" }
              ]
            },
            {
              "managedProperty": [
                { "key": "type", "valueString": "application" },
                { "key": "position", "valueInteger": 19 },
                { "key": "package", "valueString": "com.microsoft.bing" },
                { "key": "class", "valueString": "" }
              ]
            },
            {
              "managedProperty": [
                { "key": "type", "valueString": "weblink" },
                { "key": "position", "valueInteger": 20 },
                { "key": "label", "valueString": "News" },
                { "key": "link", "valueString": "https://www.contoso.com" }
              ]
            }
          ]
        }
      ]
    }
Next steps
For more information about Android Enterprise fully managed devices, see Set up
Intune enrollment of Android Enterprise fully managed devices.
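A managed configuration for Microsoft Launcher is hand-edited JSON in the shape shown above (a top-level managedProperty list, with the home screen keys carried as valueBundleArray entries that nest their own managedProperty lists), and a mistake in it silently produces the wrong home screen on every device it is assigned to. The script below is an added example, not code from the Intune documentation or from Microsoft: it flattens that structure and applies a few pre-deployment checks. The configuration keys and the columns;rows grid format are taken from the page; the rule set itself (every ordered app must also appear in the Applications list, no position may be used twice, the wallpaper URL should use https rather than the http URL in the page's sample) is this example's own policy, and the SAMPLE_JSON document is constructed here to exercise it.

```python
"""Pre-deployment checks for a Microsoft Launcher managed configuration (added example)."""
import json
import re
from urllib.parse import urlparse

# Keys spelled exactly as in the page's JSON example; app configuration keys are case sensitive.
APPLICATIONS = "com.microsoft.launcher.HomeScreen.Applications"
APP_ORDER = "com.microsoft.launcher.HomeScreen.AppOrder"
WEB_LINKS = "com.microsoft.launcher.HomeScreen.WebLinks"
GRID_SIZE = "com.microsoft.launcher.HomeScreen.GridSize"
WALLPAPER = "com.microsoft.launcher.Wallpaper.Url"

# "Auto" or "columns;rows", the format the documentation gives for the grid size.
GRID_RE = re.compile(r"^(?:Auto|\d+;\d+)$")


def _value_of(prop):
    """Return the single value* field (valueString, valueBool, valueInteger, ...) of a property."""
    return next(v for k, v in prop.items() if k.startswith("value"))


def bundle_to_dict(bundle):
    """Flatten one {"managedProperty": [...]} bundle into {key: value}."""
    return {prop["key"]: _value_of(prop) for prop in bundle["managedProperty"]}


def top_level(config):
    """Map top-level keys to values; BundleArrays become lists of flattened dicts."""
    out = {}
    for prop in config["managedProperty"]:
        if "valueBundleArray" in prop:
            out[prop["key"]] = [bundle_to_dict(b) for b in prop["valueBundleArray"]]
        else:
            out[prop["key"]] = _value_of(prop)
    return out


def validate_launcher_config(config):
    """Return a list of findings (strings); an empty list means the policy passed every check."""
    findings = []
    props = top_level(config)

    # The page states that Default is the only supported enrollment type.
    if props.get("management_mode_key") != "Default":
        findings.append("management_mode_key must be 'Default' (CorporateOwnedBusinessOnly)")

    grid = props.get(GRID_SIZE, "Auto")
    if not GRID_RE.match(str(grid)):
        findings.append(f"{GRID_SIZE} must be 'Auto' or 'columns;rows', got {grid!r}")

    # This example's own hardening rule: the wallpaper is fetched by every managed
    # device, so require https instead of the plain-http URL used in the page's sample.
    wallpaper = props.get(WALLPAPER)
    if wallpaper and urlparse(wallpaper).scheme != "https":
        findings.append(f"{WALLPAPER} should be fetched over https, got {wallpaper!r}")

    allowed = {app["package"] for app in props.get(APPLICATIONS, [])}
    links = {(w["label"], w["link"]) for w in props.get(WEB_LINKS, [])}

    seen = set()
    for entry in props.get(APP_ORDER, []):
        pos = entry.get("position")
        if pos in seen:
            findings.append(f"{APP_ORDER}: position {pos} is used more than once")
        seen.add(pos)
        kind = entry.get("type")
        if kind == "application" and entry.get("package") not in allowed:
            findings.append(f"{APP_ORDER}: {entry.get('package')!r} is ordered but not in {APPLICATIONS}")
        elif kind == "weblink" and (entry.get("label"), entry.get("link")) not in links:
            findings.append(f"{APP_ORDER}: weblink {entry.get('label')!r} is ordered but not in {WEB_LINKS}")
        elif kind not in ("application", "weblink"):
            findings.append(f"{APP_ORDER}: unsupported type {kind!r}")
    return findings


# Constructed sample (not a policy from the page): a plain-http wallpaper, and a third
# AppOrder entry that reuses position 2 and orders a package missing from Applications.
SAMPLE_JSON = """{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher",
  "managedProperty": [
    {"key": "management_mode_key", "valueString": "Default"},
    {"key": "com.microsoft.launcher.HomeScreen.GridSize", "valueString": "5;5"},
    {"key": "com.microsoft.launcher.Wallpaper.Url", "valueString": "http://www.contoso.com/wallpaper.png"},
    {"key": "com.microsoft.launcher.HomeScreen.Applications", "valueBundleArray": [
      {"managedProperty": [{"key": "package", "valueString": "com.microsoft.teams"}, {"key": "class", "valueString": ""}]}]},
    {"key": "com.microsoft.launcher.HomeScreen.WebLinks", "valueBundleArray": [
      {"managedProperty": [{"key": "label", "valueString": "News"}, {"key": "link", "valueString": "https://www.contoso.com"}]}]},
    {"key": "com.microsoft.launcher.HomeScreen.AppOrder", "valueBundleArray": [
      {"managedProperty": [{"key": "type", "valueString": "application"}, {"key": "position", "valueInteger": 1},
        {"key": "package", "valueString": "com.microsoft.teams"}, {"key": "class", "valueString": ""}]},
      {"managedProperty": [{"key": "type", "valueString": "weblink"}, {"key": "position", "valueInteger": 2},
        {"key": "label", "valueString": "News"}, {"key": "link", "valueString": "https://www.contoso.com"}]},
      {"managedProperty": [{"key": "type", "valueString": "application"}, {"key": "position", "valueInteger": 2},
        {"key": "package", "valueString": "com.example.unlisted"}, {"key": "class", "valueString": ""}]}]}
  ]
}"""
SAMPLE = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for finding in validate_launcher_config(SAMPLE):
        print("-", finding)
```

Run against the constructed sample, the script reports the http wallpaper, the duplicated position 2 and the unlisted package; the same checks run unchanged over the policy JSON exported from the admin center once the valueBundleArray layout is honoured.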
Manage Microsoft Edge on iOS and Android with Intune
Article • 08/24/2023
Edge for iOS and Android is designed to enable users to browse the web and supports multi-identity. Users can add a work account, as
well as a personal account, for browsing. There is complete separation between the two identities, which is like what is offered in other
Microsoft mobile apps.
Note
Edge for iOS and Android doesn't consume settings that users set for the native browser on their devices, because Edge for iOS and
Android can't access these settings.
The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility +
Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as conditional access. At a minimum,
you will want to deploy a conditional access policy that only allows connectivity to Edge for iOS and Android from mobile devices and an
Intune app protection policy that ensures the browsing experience is protected.
Note
New web clips (pinned web apps) on iOS devices will open in Edge for iOS and Android instead of the Intune Managed Browser
when required to open in a protected browser. For older iOS web clips, you must re-target these web clips to ensure they open in
Edge for iOS and Android rather than the Managed Browser.
Follow the steps in Require approved client apps or app protection policy with mobile devices, which allows Edge for iOS and Android,
but blocks other mobile device web browsers from connecting to Microsoft 365 endpoints.
Note
This policy ensures mobile users can access all Microsoft 365 endpoints from within Edge for iOS and Android. This policy also
prevents users from using InPrivate to access Microsoft 365 endpoints.
With Conditional Access, you can also target on-premises sites that you have exposed to external users via the Azure AD Application
Proxy.
Note
To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android
devices, the Intune Company Portal app is required. For more information, see App-based Conditional Access with Intune.
The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe
operations. For Android devices, this level validates Android device attestation. This is an entry level configuration that provides
similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS
requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP
Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection
framework using app protection policies.
Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app protection policy needs to
be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a
minimum, must meet the following conditions:
They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this ensures that users can
access and manipulate work or school data within any Microsoft app in a secure fashion.
They are assigned to all users. This ensures that all users are protected, regardless of whether they use Edge for iOS or Android.
Determine which framework level meets your requirements. Most organizations should implement the settings defined in
Enterprise enhanced data protection (Level 2) as that enables data protection and access requirements controls.
For more information on the available settings, see Android app protection policy settings and iOS app protection policy settings.
Important
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install
the Intune Company Portal.
SSO requires your device to be registered by either the Microsoft Authenticator app for iOS devices, or the Intune Company Portal on
Android. When users have either of these, they are prompted to register their device when they go to an Azure AD-connected web app
in a policy-protected browser (this is only true if their device hasn't already been registered). After the device is registered with the user's
account managed by Intune, that account has SSO enabled for Azure AD-connected web apps.
Note
Device registration is a simple check-in with the Azure AD service. It doesn't require full device enrollment, and doesn't give IT any
additional privileges on the device.
App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (Managed
App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the MAM (Mobile Application
Management) channel. Edge for iOS and Android supports the following configuration scenarios:
For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Edge
for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of Android
Enterprise personally-owned work profile devices and Add app configuration policies for managed Android Enterprise devices.
Each configuration scenario highlights its specific requirements. For example, whether the configuration scenario requires device
enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.
Important
App configuration keys are case sensitive. Use the proper casing to ensure the configuration takes effect.
Note
With Microsoft Intune, app configuration delivered through the MDM OS channel is referred to as a Managed Devices App
Configuration Policy (ACP); app configuration delivered through the MAM (Mobile Application Management) channel is referred to
as a Managed Apps App Configuration Policy.
You can learn more about configuring the org allowed accounts mode setting here:
Android setting
iOS setting
This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are not using Microsoft
Intune, you need to consult with your UEM documentation on how to deploy these configuration keys.
These settings can be deployed to the app regardless of device enrollment status.
Edge for iOS and Android offers organizations several options for adjusting the New Tab Page experience.
To upload your organization's logo and color, first complete the following steps:
1. Within Microsoft Intune admin center , navigate to Tenant Administration > Customization. Next to Settings, click Edit.
2. To set your brand's logo, next to Show in header, choose "Organization logo only". Transparent background logos are
recommended.
3. To set your brand's background color, select a Theme color. Edge for iOS and Android applies a lighter shade of the color on the
New Tab Page, which ensures the page has high readability.
Note
As Azure Active Directory (Azure AD) Graph is deprecated, it has entered its retirement phase. See details in Migrate Azure AD Graph
Overview. As a result, the organization logo and brand color maintained within the Intune admin center will be inaccessible when Azure
Active Directory (Azure AD) Graph is completely retired.
Therefore, starting with version v116 of Edge for iOS and Android, the organization logo and brand color will be retrieved from Microsoft
Graph. You need to maintain your organization logo and brand color via steps. The favicon will be used as your organization logo and the
background image will be used as the brand color.
Next, use the following key/value pairs to pull your organization's branding into Edge for iOS and Android:
Homepage shortcut
This setting allows you to configure a homepage shortcut for Edge for iOS and Android in the New Tab Page. The homepage shortcut
you configure appears as the first icon beneath the search bar when the user opens a new tab in Edge for iOS and Android. The user
can't edit or delete this shortcut in their managed context. The homepage shortcut displays your organization's name to distinguish it.
com.microsoft.intune.mam.managedbrowser.homepage
    Specify a valid URL. Incorrect URLs are blocked as a security measure.
    For example: https://www.bing.com

com.microsoft.intune.mam.managedbrowser.managedTopSites
    Specify a set of value URLs. Each top site shortcut consists of a title and URL. Separate the title and URL with the | character.
    For example: GitHub|https://github.com/||LinkedIn|https://www.linkedin.com
Industry news
You can configure the New Tab Page experience within Edge for iOS and Android to display industry news that is relevant to your
organization. When you enable this feature, Edge for iOS and Android uses your organization's domain name to aggregate news from
the web about your organization, organization's industry, and competitors, so your users can find relevant external news all from the
centralized new tab pages within Edge for iOS and Android. Industry News is off by default.
com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL
    Specify a valid URL. If no URL is specified, the app uses the New Tab Page experience. Incorrect URLs are blocked as a security measure.
    For example: https://www.bing.com
Bookmark experiences
Edge for iOS and Android offers organizations several options for managing bookmarks.
Managed bookmarks
For ease of access, you can configure bookmarks that you'd like your users to have available when they are using Edge for iOS and
Android.
Bookmarks only appear in the work or school account and are not exposed to personal accounts.
Bookmarks can't be deleted or modified by users.
Bookmarks appear at the top of the list. Any bookmarks that users create appear below these bookmarks.
If you have enabled Application Proxy redirection, you can add Application Proxy web apps by using either their internal or external
URL.
Ensure that you prefix all URLs with http:// or https:// when entering them into the list.
Bookmarks are created in a folder named after the organization's name which is defined in Azure Active Directory.
com.microsoft.intune.mam.managedbrowser.bookmarks
    The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the | character.
    For example: Microsoft Bing|https://www.bing.com
    To configure multiple bookmarks, separate each pair with the double character ||.
    For example: Microsoft Bing|https://www.bing.com||Contoso|https://www.contoso.com
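Both the managed bookmarks key above and the managedTopSites key earlier on this page take the same pipe-delimited value (title|URL pairs joined with ||), and the page asks that every URL carry an http:// or https:// prefix because incorrect URLs are blocked on the device. The helper below is an added example, not code from the Intune documentation or from Microsoft: it builds that value from a list of pairs and parses it back, refusing entries that would be mis-split (a stray | inside a title or URL, an empty title) or that lack an absolute http(s) URL. SAMPLE_BOOKMARKS reuses the page's own Microsoft Bing and Contoso examples as input; how Edge itself judges a URL "incorrect" is not described on the page and is not reproduced here.

```python
"""Build and check the 'title|URL||title|URL' values used by Edge for iOS and Android (added example)."""
from urllib.parse import urlparse

ENTRY_SEP = "||"   # separates bookmark / top-site pairs
FIELD_SEP = "|"    # separates a title from its URL

# The page's own example bookmarks, used here as sample input.
SAMPLE_BOOKMARKS = [("Microsoft Bing", "https://www.bing.com"), ("Contoso", "https://www.contoso.com")]


def _check_url(url):
    """Accept only absolute http(s) URLs, as the documentation requires for these lists."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"URL must start with http:// or https:// and name a host: {url!r}")


def build_list_value(entries):
    """Turn [(title, url), ...] into the single string assigned to the configuration key."""
    pieces = []
    for title, url in entries:
        # A '|' inside a title or URL would be read as a field separator on the device.
        if not title or FIELD_SEP in title or FIELD_SEP in url:
            raise ValueError(f"title and URL must be non-empty and free of '|': {title!r}")
        _check_url(url)
        pieces.append(f"{title}{FIELD_SEP}{url}")
    return ENTRY_SEP.join(pieces)


def parse_list_value(value):
    """Inverse of build_list_value; rejects entries that are not exactly 'title|URL'."""
    entries = []
    for piece in value.split(ENTRY_SEP):
        if piece.count(FIELD_SEP) != 1:
            raise ValueError(f"entry must be 'title|URL': {piece!r}")
        title, url = piece.split(FIELD_SEP)
        if not title:
            raise ValueError(f"entry has an empty title: {piece!r}")
        _check_url(url)
        entries.append((title, url))
    return entries


def is_valid_list_value(value):
    """True when parse_list_value accepts the string, False otherwise."""
    try:
        parse_list_value(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    value = build_list_value(SAMPLE_BOOKMARKS)
    print(value)
    print(parse_list_value(value))
```

Running parse_list_value over a value before it is pasted into the app configuration policy catches the two mistakes that are otherwise only visible on a device: a single | used where || was meant (which merges two bookmarks into one malformed entry) and a host name entered without its scheme.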
My Apps bookmark
By default, users have the My Apps bookmark configured within the organization folder inside Edge for iOS and Android.
com.microsoft.intune.mam.managedbrowser.MyApps
    true (default) shows My Apps within the Edge for iOS and Android bookmarks
    false hides My Apps within Edge for iOS and Android
The Azure AD Password single sign-on (SSO) functionality offered by Azure Active Directory brings user access management to web
applications that don't support identity federation. By default, Edge for iOS and Android does not perform SSO with the Azure AD
credentials. For more information, see Add password-based single sign-on to an application.
Edge for iOS and Android allows organizations to disable certain features that are enabled by default. To disable these features,
configure the following setting:
com.microsoft.intune.mam.managedbrowser.disabledFeatures
    password disables prompts that offer to save passwords for the end user
    inprivate disables InPrivate browsing
    autofill disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information
    translator disables translator
    readaloud disables read aloud
    drop disables drop
    developertools grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)
Organizations can modify their network stack preference by configuring the following setting.
Note
Using the Chromium network stack is recommended. If you experience sync issues or failure when sending feedback with the
Chromium network stack, for example with certain per-app VPN solutions, using the iOS network stack may solve the issues.
As there is only one persistent website data store in Edge for iOS, by default the website data store is always statically used only by the
personal account. The work or school account cannot use the website data store, which causes its browsing data, except cookies, to be lost
after each session ends. Organizations can make the website data store available to the work or school account so that browsing data is
persisted for a better user experience.
com.microsoft.intune.mam.managedbrowser.PersistentWebsiteDataStore
    0 (default) The website data store is always statically used only by the personal account
    1 The website data store will be used by the first signed-in account
    2 The website data store will be used by the work or school account first, regardless of the sign-in order
Bing Chat Enterprise
Bing Chat Enterprise is available on Microsoft Edge for iOS and Android. Users can start Bing Chat Enterprise by clicking the Bing button
in the bottom bar.
There are three settings in Settings->General->New Bing copilot mode for Bing Chat Enterprise.
New Bing copilot mode – Control whether to show Bing button on bottom bar
Page context – Control whether to allow Bing Chat Enterprise to access page content
Show Quick chat panel – Control whether to show quick chat panel when text on a webpage is selected
com.microsoft.intune.mam.managedbrowser.Chat
    true (default) Users will see the Bing button in the bottom bar. The "New Bing co-pilot mode" setting is on by default and can be turned off by users.
    false Users cannot see the Bing button in the bottom bar. The "New Bing co-pilot mode" setting will be disabled and cannot be turned on by users.
com.microsoft.intune.mam.managedbrowser.ChatPageContext
    true (default) Bing Chat Enterprise can access page content. The "Page context" and "Show quick chat panel" options under the "New Bing co-pilot mode" settings are on by default and can be turned off by users.
    false Bing Chat Enterprise can NOT access page content. The "Page context" and "Show quick chat panel" options under the "New Bing co-pilot mode" settings will be disabled and cannot be turned on by users.
Note
Bing Chat Enterprise is only available on Edge for iOS, and com.microsoft.intune.mam.managedbrowser.Chat has false as the default value before Aug 28, 2023. You can enable Bing Chat Enterprise by setting the policy value to true. The default value becomes true after Aug 28, 2023 with the new release available on Edge for iOS and Android.
These settings can be deployed to the app regardless of device enrollment status.
Favorites
Passwords
Addresses and more (autofill form entry)
Sync functionality is enabled via user consent, and users can turn sync on or off for each of the data types listed above. For more information, see Microsoft Edge Sync.
Organizations have the capability to disable Edge sync on iOS and Android.
Key Value
Organizations also define what happens when a user attempts to navigate to a restricted web site. By default, transitions are allowed. The organization can choose whether restricted web sites are opened in the personal account context, opened in the Azure AD account’s InPrivate context, or blocked entirely. For more information on the various scenarios that are supported, see Restricted website transitions in Microsoft Edge mobile. By allowing transitioning experiences, the organization's users stay protected, while keeping corporate resources safe.
Note
Edge for iOS and Android can block access to sites only when they are accessed directly. It doesn't block access when users use intermediate services (such as a translation service) to access the site. URLs that launch Edge, such as Edge://*, Edge://flags, and Edge://net-export, are not supported in the app configuration policy AllowListURLs or BlockListURLs for managed apps. Instead, you can use the app configuration policy URLAllowList or URLBlocklist for managed devices. For related information, see Microsoft Edge mobile policies.
Use the following key/value pairs to configure either an allowed or blocked site list for Edge for iOS and Android.
Key Value
com.microsoft.intune.mam.managedbrowser.AllowListURLs The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe | character.
Examples:
URL1|URL2|URL3
http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com
com.microsoft.intune.mam.managedbrowser.BlockListURLs The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe | character.
Examples:
URL1|URL2|URL3
http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com
com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock true (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts are not disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
false prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked.
com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked true allows restricted sites to be opened in the Azure AD account's InPrivate context. If the Azure AD account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switching to the personal account.
false (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true.
com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar Enter the number of seconds that users will see the snack bar notification "Access to this site is blocked by your organization. We’ve opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.
The following sites are always allowed regardless of the defined allow list or block list settings:
https://*.microsoft.com/*
http://*.microsoft.com/*
https://microsoft.com/*
http://microsoft.com/*
https://*.windowsazure.com/*
https://*.microsoftonline.com/*
https://*.microsoftonline-p.com/*
You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table.
Ensure that you prefix all URLs with http:// or https:// when entering them into the list.
You can use the wildcard symbol (*) according to the rules in the following permitted patterns list.
A wildcard can only match a portion (e.g., news-contoso.com ) or entire component of the hostname (e.g., host.contoso.com ) or
entire parts of the path when separated by forward slashes ( www.contoso.com/images ).
You can specify port numbers in the address. If you do not specify a port number, the values used are:
Port 80 for http
Port 443 for https
Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and http://www.contoso.com:*/ are
not supported.
The following are examples of some of the inputs that you can't specify:
*.com
*.contoso/*
www.contoso.com/*images
www.contoso.com/*images*pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com: /*
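As an added example (not Microsoft's code), the following Python validates list entries against the pattern rules above, then evaluates a URL against the allowed and blocked lists (the same URL formats apply to the NTLMSSOURLs list later on this page), honoring the always-allowed Microsoft hosts and the rule, noted in the policy steps below, that only the allowed list counts when both lists are defined. The precise wildcard match semantics (a leading host "*" matches any prefix, a trailing "/*" matches every sub-path) are this example's assumption.

```python
"""Allow/block list pattern rules for Edge for iOS and Android.

Added example, not Microsoft's code. It implements the rules the page states:
an http:// or https:// prefix, at most one host wildcard (assumed leading),
path wildcards only as whole segments, numeric ports defaulting to 80/443,
no IP addresses, and the Microsoft hosts that are always allowed. The exact
match semantics (leading host '*' matches any prefix, trailing '/*' matches
every sub-path) are this example's assumption.
"""
import ipaddress
import re

# Hosts the page lists as always allowed, regardless of the configured lists.
ALWAYS_ALLOWED = [
    "https://*.microsoft.com/*", "http://*.microsoft.com/*",
    "https://microsoft.com/*", "http://microsoft.com/*",
    "https://*.windowsazure.com/*", "https://*.microsoftonline.com/*",
    "https://*.microsoftonline-p.com/*",
]
DEFAULT_PORTS = {"http": 80, "https": 443}
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z]+)://(?P<host>[^/:]*)(?::(?P<port>[^/]*))?(?P<path>/.*)?$")


def _split(url):
    """Return (scheme, host, port-or-None, path segments), or None if not URL-shaped."""
    m = _URL_RE.match(url)
    if not m:
        return None
    segments = [s for s in (m["path"] or "").split("/") if s]
    return m["scheme"].lower(), m["host"].lower(), m["port"], segments


def validate_pattern(pattern):
    """Return None if the pattern is permitted, otherwise the rule it breaks."""
    parts = _split(pattern)
    if parts is None or parts[0] not in DEFAULT_PORTS:
        return "must start with http:// or https://"
    _, host, port, segments = parts
    if port is not None and not port.isdigit():
        return "port must be a number; wildcards such as :* are not supported"
    if host.count("*") > 1 or ("*" in host and not host.startswith("*")):
        return "host may contain one wildcard, and only as a leading prefix"
    if len([lbl for lbl in host.lstrip("*").split(".") if lbl]) < 2:
        return "wildcard must leave at least a domain and top-level label"
    try:
        ipaddress.ip_address(host)
        return "IP addresses are not supported"
    except ValueError:
        pass
    for seg in segments:
        if "*" in seg and seg != "*":
            return "path wildcard must be a whole segment between slashes"
    return None


def matches(pattern, url):
    """True when url falls under pattern (pattern assumed to pass validate_pattern)."""
    p, u = _split(pattern), _split(url)
    if p is None or u is None or p[0] != u[0]:
        return False
    scheme, p_host, p_port, p_segs = p
    _, u_host, u_port, u_segs = u
    if u_port is not None and not u_port.isdigit():
        return False
    if int(p_port or DEFAULT_PORTS[scheme]) != int(u_port or DEFAULT_PORTS[scheme]):
        return False
    host_re = "^" + re.escape(p_host).replace(r"\*", ".*", 1) + "$"
    if not re.match(host_re, u_host):
        return False
    if p_segs and p_segs[-1] == "*":            # trailing /* covers every sub-path
        head, tail = p_segs[:-1], u_segs[: len(p_segs) - 1]
    else:                                        # otherwise the path must match exactly
        head, tail = p_segs, u_segs
    return len(head) == len(tail) and all(a in ("*", b) for a, b in zip(head, tail))


def load_list(value):
    """Parse a pipe-separated policy value, rejecting patterns that break the rules."""
    patterns = [p.strip() for p in value.split("|") if p.strip()]
    bad = {p: validate_pattern(p) for p in patterns if validate_pattern(p)}
    if bad:
        raise ValueError(f"invalid patterns: {bad}")
    return patterns


def is_allowed(url, allow_list="", block_list=""):
    """Precedence: always-allowed hosts win; a non-empty allow list is honored on its
    own (the block list is ignored when both are set); otherwise the block list applies."""
    if any(matches(p, url) for p in ALWAYS_ALLOWED):
        return True
    allow, block = load_list(allow_list), load_list(block_list)
    if allow:
        return any(matches(p, url) for p in allow)
    return not any(matches(p, url) for p in block)
```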
Manage proxy configuration
You can use Edge for iOS and Android and Azure AD Application Proxy together to give users access to intranet sites on their mobile
devices. For example:
A user is using the Outlook mobile app, which is protected by Intune. They then click a link to an intranet site in an email, and Edge
for iOS and Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is
automatically routed through Application Proxy, to authenticate with any applicable multi-factor authentication and Conditional
Access, before reaching the intranet site. The user is now able to access internal sites, even on their mobile devices, and the link in
Outlook works as expected.
A user opens Edge for iOS and Android on their iOS or Android device. If Edge for iOS and Android is protected with Intune, and
Application Proxy is enabled, the user can go to an intranet site by using the internal URL they are used to. Edge for iOS and
Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is automatically routed
through Application Proxy, to authenticate before reaching the intranet site.
Note
Edge for iOS and Android updates the Application Proxy redirection data based on the last successful refresh event. An update is attempted whenever more than one hour has passed since the last successful refresh event.
Target Edge for iOS with the following key/value pair, to enable Application Proxy:
Key Value
Note
Edge for Android does not consume this key. Instead, Edge for Android consumes Azure AD Application Proxy configuration
automatically as long as the signed-in Azure AD account has an App Protection Policy applied.
For more information about how to use Edge for iOS and Android and Azure AD Application Proxy in tandem for seamless (and protected) access to on-premises web apps, see Better together: Intune and Azure Active Directory team up to improve user access. This blog post references the Intune Managed Browser, but the content applies to Edge for iOS and Android as well.
Organizations can enable NTLM credential caching for particular web sites. For these sites, after the user enters credentials and
successfully authenticates, the credentials are cached by default for 30 days.
Key Value
com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe | character.
Examples:
URL1|URL2
http://app.contoso.com/|https://expenses.contoso.com
Key Value
For more information on the types of URL formats that are supported, see URL
formats for allowed and blocked site list.
Because app configuration policies for managed devices require device enrollment, any unified endpoint management (UEM) provider is supported. To find more policies under the MDM channel, see Microsoft Edge Mobile Policies.
com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL EdgeNewTabPageCustomURL
com.microsoft.intune.mam.managedbrowser.MyApps EdgeMyApps
com.microsoft.intune.mam.managedbrowser.defaultHTTPS EdgeDefaultHTTPS
com.microsoft.intune.mam.managedbrowser.disableShareUsageData EdgeDisableShareUsageData
com.microsoft.intune.mam.managedbrowser.disableShareBrowsingHistory EdgeDisableShareBrowsingHistory
com.microsoft.intune.mam.managedbrowser.disabledFeatures EdgeDisabledFeatures
com.microsoft.intune.mam.managedbrowser.enableKioskMode EdgeEnableKioskMode
com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode EdgeShowAddressBarInKioskMode
com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode EdgeShowBottomBarInKioskMode
com.microsoft.intune.mam.managedbrowser.account.syncDisabled EdgeSyncDisabled
com.microsoft.intune.mam.managedbrowser.NetworkStackPref EdgeNetworkStackPref
3. On the App Configuration policies blade, choose Add and select Managed apps.
4. On the Basics section, enter a Name, and optional Description for the app configuration settings.
5. For Public apps, choose Select public apps, and then, on the Targeted apps blade, choose Edge for iOS and Android by selecting
both the iOS and Android platform apps. Click Select to save the selected public apps.
6. Click Next to complete the basic settings of the app configuration policy.
8. If you want to manage the data protection settings, configure the desired settings accordingly:
For Application proxy redirection, choose from the available options: Enable, Disable (default).
For Homepage shortcut URL, specify a valid URL that includes the prefix of either http:// or https://. Incorrect URLs are
blocked as a security measure.
For Managed bookmarks, specify the title and a valid URL that includes the prefix of either http:// or https://.
For Allowed URLs, specify a valid URL (only these URLs are allowed; no other sites can be accessed). For more information on
the types of URL formats that are supported, see URL formats for allowed and blocked site list.
For Blocked URLs, specify a valid URL (only these URLs are blocked). For more information on the types of URL formats that
are supported, see URL formats for allowed and blocked site list.
For Redirect restricted sites to personal context, choose from the available options: Enable (default), Disable.
Note
When both Allowed URLs and Blocked URLs are defined in the policy, only the allowed list is honored.
9. If you want additional app configuration settings not exposed in the policy above, expand the General configuration settings node and enter the key/value pairs accordingly.
10. When you are finished configuring the settings, choose Next.
11. On the Assignments section, choose Select groups to include. Select the Azure AD group to which you want to assign the app
configuration policy, and then choose Select.
12. When you are finished with the assignments, choose Next.
13. On the Create app configuration policy Review + Create blade, review the settings configured and choose Create.
The newly created configuration policy is displayed on the App configuration blade.
Use Edge for iOS and Android to access managed app logs
Users with Edge for iOS and Android installed on their iOS or Android device can view the management status of all Microsoft published
apps. They can send logs for troubleshooting their managed iOS or Android apps by using the following steps:
You can retrieve logs from Microsoft Support by giving them the user's incident ID.
For a list of the settings stored in the app logs, see Review client app protection logs.
Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage collaboration experiences in
Office for iOS and Android with
Microsoft Intune
Article • 07/05/2023
Office for iOS and Android delivers several key benefits including:
Combining Word, Excel, and PowerPoint in a way that simplifies the experience
with fewer apps to download or switch between. It requires far less phone storage
than installing individual apps while maintaining virtually all the capabilities of the
existing mobile apps people already know and use.
Integrating Office Lens technology to unlock the power of the camera with
capabilities like converting images into editable Word and Excel documents,
scanning PDFs, and capturing whiteboards with automatic digital enhancements to
make the content easier to read.
Adding new functionality for common tasks people often encounter when working
on a phone—things like making quick notes, signing PDFs, scanning QR codes,
and transferring files between devices.
The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you will want to deploy a conditional access policy that allows connectivity to
Office for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.
1. Follow the steps in Require approved client apps or app protection policy with
mobile devices, which allows Office for iOS and Android, but blocks third-party
OAuth capable mobile device clients from connecting to Microsoft 365 endpoints.
Note
This policy ensures mobile users can access all Microsoft 365 endpoints using
the applicable apps.
Note
The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.
1. They include all Microsoft 365 mobile applications, such as Edge, Outlook,
OneDrive, Office, or Teams, as this ensures that users can access and manipulate
work or school data within any Microsoft app in a secure fashion.
2. They are assigned to all users. This ensures that all users are protected, regardless
of whether they use Office for iOS or Android.
For more information on the available settings, see Android app protection policy
settings and iOS app protection policy settings.
Important
To apply Intune app protection policies against apps on Android devices that are
not enrolled in Intune, the user must also install the Intune Company Portal.
App configuration can be delivered either through the mobile device management
(MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS
or the Android in the Enterprise channel for Android) or through the Intune App
Protection Policy (APP) channel. Office for iOS and Android supports the following
configuration scenarios:
Important
For configuration scenarios that require device enrollment on Android, the devices
must be enrolled in Android Enterprise and Office for Android must be deployed
via the Managed Google Play store. For more information, see Set up enrollment
of Android Enterprise personally-owned work profile devices and Add app
configuration policies for managed Android Enterprise devices.
Each configuration scenario highlights its specific requirements. For example, whether
the configuration scenario requires device enrollment, and thus works with any UEM
provider, or requires Intune App Protection Policies.
Important
App configuration keys are case sensitive. Use the proper casing to ensure the
configuration takes effect.
Note
With Microsoft Intune, app configuration delivered through the MDM OS channel is
referred to as a Managed Devices App Configuration Policy (ACP); app
configuration delivered through the App Protection Policy channel is referred to as
a Managed Apps App Configuration Policy.
You can learn more about configuring the org allowed accounts mode setting here:
Android setting
iOS setting
This configuration scenario only works with enrolled devices. However, any UEM
provider is supported. If you are not using Microsoft Intune, you need to consult with
your UEM documentation on how to deploy these configuration keys.
Note
Key Value
If you need to enable or disable the Office Store portion of the platform for iOS devices,
you can use the following key.
Key Value
For more information about adding configuration keys, see Add app configuration
policies for managed iOS/iPadOS devices.
There may be additional management requirements specific to Office for iOS and
Android. You may want to:
Only allow specific users in your organization to try enhanced Teams apps on
Office for iOS and Android, or
Block all users in your organization from using enhanced Teams apps on Office for
iOS and Android.
Key Value
This key can be used both by managed devices and managed apps.
To manage the Microsoft 365 Feed, you can use the following key:
Key Value
Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage messaging collaboration access
by using Outlook for iOS and Android
with Microsoft Intune
Article • 03/07/2023
The Outlook for iOS and Android app is designed to enable users in your organization
to do more from their mobile devices, by bringing together email, calendar, contacts,
and other files.
The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you will want to deploy a conditional access policy that allows connectivity to
Outlook for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.
1. Follow the steps in Require approved client apps or app protection policy with
mobile devices. This policy allows Outlook for iOS and Android, but blocks OAuth
and basic authentication capable Exchange ActiveSync mobile clients from
connecting to Exchange Online.
Note
This policy ensures mobile users can access all Microsoft 365 endpoints using
the applicable apps.
2. Follow the steps in Block Exchange ActiveSync on all devices, which prevents
Exchange ActiveSync clients using basic authentication on non-mobile devices
from connecting to Exchange Online.
The above policies leverage the grant access control Require app protection policy,
which ensures that an Intune App Protection Policy is applied to the associated
account within Outlook for iOS and Android prior to granting access. If the user
isn't assigned to an Intune App Protection Policy, isn't licensed for Intune, or the
app isn't included in the Intune App Protection Policy, then the policy prevents the
user from obtaining an access token and gaining access to messaging data.
3. Follow the steps in How to: Block legacy authentication to Azure AD with
Conditional Access to block legacy authentication for other Exchange protocols on
iOS and Android devices; this policy should target only Microsoft Exchange Online
cloud app and iOS and Android device platforms. This ensures mobile apps using
Exchange Web Services, IMAP4, or POP3 protocols with basic authentication
cannot connect to Exchange Online.
Note
The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.
They include all Microsoft 365 mobile applications, such as Edge, Outlook,
OneDrive, Office, or Teams, as this ensures that users can access and manipulate
work or school data within any Microsoft app in a secure fashion.
They are assigned to all users. This ensures that all users are protected, regardless
of whether they use Outlook for iOS or Android.
For more information on the available settings, see Android app protection policy
settings and iOS app protection policy settings.
Important
To apply Intune app protection policies against apps on Android devices that are
not enrolled in Intune, the user must also install the Intune Company Portal.
App configuration can be delivered either through the mobile device management
(MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS
or the Android in the Enterprise channel for Android) or through the Intune App
Protection Policy (APP) channel. Outlook for iOS and Android supports the following
configuration scenarios:
For specific procedural steps and detailed documentation on the app configuration
settings Outlook for iOS and Android supports, see Deploying Outlook for iOS and
Android app configuration settings.
Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Manage collaboration experiences in
Teams for iOS and Android with
Microsoft Intune
Article • 03/09/2023
Microsoft Teams is the hub for team collaboration in Microsoft 365 that integrates the
people, content, and tools your team needs to be more engaged and effective.
The richest and broadest protection capabilities for Microsoft 365 data are available
when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft
Intune and Azure Active Directory Premium features, such as conditional access. At a
minimum, you'll want to deploy a conditional access policy that allows connectivity to
Teams for iOS and Android from mobile devices and an Intune app protection policy
that ensures the collaboration experience is protected.
Note
Follow the steps in Require approved client apps or app protection policy with mobile
devices, which allows Teams for iOS and Android, but blocks third-party OAuth capable
mobile device clients from connecting to Microsoft 365 endpoints.
Note
This policy ensures mobile users can access all Microsoft 365 endpoints using the
applicable apps.
Create Intune app protection policies
App Protection Policies (APP) define which apps are allowed and the actions they can
take with your organization's data. The choices available in APP enable organizations to
tailor the protection to their specific needs. For some, it may not be obvious which
policy settings are required to implement a complete scenario. To help organizations
prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its
APP data protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.
1. They include all Microsoft 365 mobile applications, such as Edge, Outlook,
OneDrive, Office, or Teams, as this ensures that users can access and manipulate
work or school data within any Microsoft app in a secure fashion.
2. They're assigned to all users. This ensures that all users are protected, regardless of
whether they use Teams for iOS or Android.
Important
To apply Intune app protection policies against apps on Android devices that aren't
enrolled in Intune, the user must also install the Intune Company Portal.
App configuration can be delivered either through the mobile device management
(MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS
or the Android in the Enterprise channel for Android) or through the Intune App
Protection Policy (APP) channel. Teams for iOS and Android supports the following
configuration scenarios:
Important
For configuration scenarios that require device enrollment on Android, the devices
must be enrolled in Android Enterprise and Teams for Android must be deployed
via the Managed Google Play store. For more information, see Set up enrollment
of Android Enterprise personally-owned work profile devices and Add app
configuration policies for managed Android Enterprise devices.
Each configuration scenario highlights its specific requirements. For example, whether
the configuration scenario requires device enrollment, and thus works with any UEM
provider, or requires Intune App Protection Policies.
Important
App configuration keys are case sensitive. Use the proper casing to ensure the
configuration takes effect.
Note
With Microsoft Endpoint Manager, app configuration delivered through the MDM
OS channel is referred to as a Managed Devices App Configuration Policy (ACP);
app configuration delivered through the App Protection Policy channel is referred
to as a Managed Apps App Configuration Policy.
You can learn more about configuring the org allowed accounts mode setting here:
Android setting
iOS setting
This configuration scenario only works with enrolled devices. However, any UEM
provider is supported. If you aren't using Microsoft Endpoint Manager, you need to
consult with your UEM documentation on how to deploy these configuration keys.
Options Description
Allow Display the actual notification with all the details (title and content).
Block org data Remove the title and replace the content with “You have a new message” for chat notifications, and “There is new activity” for others. A user won't be able to reply to a notification from the lock screen.
2. In the left navigation pane, navigate to Apps > App protection policies.
3. Click Create Policy and select your desired platform, such as iOS/iPadOS.
4. On the Basics page, add details such as Name and Description. Click Next.
5. On the Apps page, click Select public apps, then find and select the Microsoft
Teams apps. Click Next.
6. On the Data Protection page, find the Org data notifications setting and select
the Block org Data option. Set the Assignments for the groups of users to include
and then create your policy.
7. Once the app protection policy has been created, go to Apps > App configuration
policies > Add > Managed apps.
8. On the Basics page, add a Name and click Select public apps, then find and select
the Microsoft Teams apps. Click Next.
9. Under General configuration settings, set any of the following keys to 1 to turn
this feature ON for chat, channels, all other notifications or any of these
combinations. And, set to 0 to turn off the feature.
Name Value
11. Once the policy has been created, go to Apps > App protection policies. Find your
newly created App protection policy and check whether the policy has been
deployed by reviewing the Deployed column. The Deployed column should
display Yes for the created policy. If it displays No, refresh the page, and check
after 10 minutes.
No option for Reply or other quick notification reactions from lock screen
should be visible.
The notification should display title but replace content with "You have a new
message" for chat notifications, and "There is new activity" for others.
For more information about app configuration policies and app protection policies, see
the following topics:
Next steps
What are app protection policies?
App configuration policies for Microsoft Intune
Configure Google Chrome for Android
devices using Intune
Article • 03/14/2023
You can use an Intune app configuration policy to configure Google Chrome for Android
devices. The settings for the app can be automatically applied. For example, you can
specifically set the bookmarks and the URLs that you would like to block or allow.
Prerequisites
The user's Android Enterprise device must be enrolled in Intune. For more
information, see Set up enrollment of Android Enterprise personally-owned work
profile devices.
Google Chrome is added as a Managed Google Play app. For more information
about Managed Google Play, see Connect your Intune account to your Managed
Google Play account.
2. Select Apps > All apps > Add then add the Managed Google Play app.
4. Assign Google Chrome to a group as a required app type. Google Chrome will be
deployed automatically when the device is enrolled into Intune.
For additional details about adding a Managed Google Play app to Intune, see Managed
Google Play store apps.
3. Click Associated app to display the Associated app pane. Find and select Google
Chrome. This list contains Managed Google Play apps that you've approved and
synchronized with Intune.
4. Click Configuration settings, select Use configuration designer, and then click
Add to select the configuration keys.
Once the configuration settings are added using the configuration designer, they
will be listed in a table.
The above settings create bookmarks and block access to all URLs except baidu.com, youtube.com, chromium.org, and chrome://.
6. Assign this configuration policy to a user group. For more information, see Assign
apps to groups with Microsoft Intune.
Blocked URL:
Allow URL:
Incognito tab:
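The block/allow behaviour described above, as an added example that is not code from the article or from Google: it assembles the Chrome for Android managed-configuration values an admin would enter in the configuration designer and then evaluates sample URLs against the resulting lists. The policy names (URLBlocklist, URLAllowlist, IncognitoModeAvailability, ManagedBookmarks) are from the Chrome Enterprise policy list the article links to; that list-valued policies are carried as JSON-encoded strings in the Android managed configuration is an assumption restated in the code. The matcher is a simplified approximation of Chrome's rules (an allowlist match beats a conflicting blocklist match, a host pattern covers its subdomains); it is not Chrome's implementation.

```python
"""Added example: Chrome for Android managed configuration and a simplified URL
filter check. Not from the Intune article or from Google's code."""
import json
from urllib.parse import urlsplit

# Constructed values mirroring the article: block everything, allow four patterns.
ALLOWED = ["baidu.com", "youtube.com", "chromium.org", "chrome://*"]
BLOCKED = ["*"]


def build_chrome_config(allowlist, blocklist, bookmarks, allow_incognito=False):
    """Key/value pairs for the configuration designer.

    Assumption: list-valued Chrome policies are entered as JSON-encoded strings
    in the Android managed configuration, so the lists are serialised here.
    """
    return {
        "URLBlocklist": json.dumps(blocklist),
        "URLAllowlist": json.dumps(allowlist),
        # Chrome policy values: 0 = incognito available, 1 = incognito disabled
        "IncognitoModeAvailability": 0 if allow_incognito else 1,
        "ManagedBookmarks": json.dumps([{"name": n, "url": u} for n, u in bookmarks]),
    }


def _matches(pattern, url):
    """Simplified pattern match.

    '*' matches every URL; 'scheme://' or 'scheme://*' matches any URL of that
    scheme; otherwise the pattern is a host (covering its subdomains) with an
    optional path prefix, e.g. 'chromium.org/docs'.
    """
    if pattern == "*":
        return True
    parts = urlsplit(url)
    if "://" in pattern:
        scheme, rest = pattern.split("://", 1)
        if scheme != parts.scheme:
            return False
        if rest in ("", "*"):
            return True
        pattern = rest
    host_pat, _, path_pat = pattern.partition("/")
    host = parts.hostname or ""
    host_ok = host == host_pat or host.endswith("." + host_pat)
    path_ok = parts.path.startswith("/" + path_pat) if path_pat else True
    return host_ok and path_ok


def is_blocked(url, blocklist=BLOCKED, allowlist=ALLOWED):
    """A URL is blocked only when a blocklist pattern matches and no allowlist
    pattern does (simplification of Chrome's 'allowlist wins' tie-break)."""
    if any(_matches(p, url) for p in allowlist):
        return False
    return any(_matches(p, url) for p in blocklist)


if __name__ == "__main__":
    cfg = build_chrome_config(ALLOWED, BLOCKED, [("Intranet", "https://intranet.contoso.example")])
    for key, value in cfg.items():
        print(f"{key} = {value}")
    for url in ("https://www.youtube.com/watch?v=abc", "https://example.com/", "chrome://policy"):
        print(url, "blocked" if is_blocked(url) else "allowed")
```

Use it to sanity-check a policy before assignment: a URL that the matcher reports as blocked but which users need (a subdomain of an allowed host is covered, a lookalike host such as notyoutube.com is not) points at a missing allowlist entry rather than a Chrome problem.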
Troubleshooting
1. Check Intune to monitor the policy deployment status.
2. Launch Google Chrome and visit chrome://policy to confirm that the settings
are applied successfully.
Additional information
Add app configuration policies for managed Android Enterprise devices
Chrome Enterprise policy list
Next steps
For more information about Android Enterprise fully managed devices, see Set up
Intune enrollment of Android Enterprise fully managed devices.
Use a VPN and per-app VPN policy on Android Enterprise devices in Microsoft Intune
Article • 03/07/2023
Virtual private networks (VPN) allow users to access organization resources remotely,
including from home, hotels, cafes, and more. In Microsoft Intune, you can configure
VPN client apps on Android Enterprise devices using an app configuration policy. Then,
deploy this policy with its VPN configuration to devices in your organization.
You can also create VPN policies that are used by specific apps. This feature is called
per-app VPN. When the app is active, it can connect to the VPN, and access resources
through the VPN. When the app isn't active, the VPN isn't used.
Android Enterprise
There are two ways to build the app configuration policy for your VPN client app:
Configuration designer
JSON data
This article shows you how to create a per-app VPN and VPN app configuration policy
using both options.
Note
Many of the VPN client configuration parameters are similar. But, each app has its
unique keys and options. Consult with your VPN vendor if you have questions.
When you create the VPN policy in Intune, you'll select different keys to configure.
These key names vary with the different VPN client apps. So, the key names in your
environment may be different than the examples in this article.
The Configuration designer and JSON data can successfully use certificate-based
authentication. If VPN authentication requires client certificates, then create the
certificate profiles before you create the VPN policy. The VPN app configuration
policies use the values from the certificate profiles.
Android Enterprise personally owned work profile devices support SCEP and PKCS
certificates. Android Enterprise fully managed, dedicated, and corporate-owned
work profile devices only support SCEP certificates. For more information, see Use
certificates for authentication in Microsoft Intune.
1. Select the VPN client application. Before you begin (in this article) lists the
supported apps.
2. Get the application package IDs of the apps that will use the VPN connection. Get
the app package ID (in this article) shows you how.
3. If you use certificates to authenticate the VPN connection, then create and deploy
the certificate profiles before you deploy the VPN policy. Make sure the certificate
profiles deploy successfully. For more information, see Use certificates for
authentication in Microsoft Intune.
4. Add the VPN client application to Intune, and deploy the app to your users and
devices.
5. Create the VPN app configuration policy. Use the app package IDs and certificate
information in the policy.
6. Deploy the new VPN policy.
7. Confirm the VPN client app successfully connects to your VPN server.
8. When the app is active, confirm that traffic from your app successfully goes
through the VPN.
In the following example, the package ID of the Microsoft Edge browser app is
com.microsoft.emmx. The package ID is part of the URL:
For Line of Business (LOB) apps, get the package ID from the vendor or application
developer.
Certificates
This article assumes your VPN connection uses certificate-based authentication. It also
assumes you successfully deployed all the certificates in the chain needed for clients to
successfully authenticate. Typically, this certificate chain includes the client certificate,
any intermediate certificates, and the root certificate.
For more information on certificates, see Use certificates for authentication in Microsoft
Intune.
If you’re not familiar with creating app configuration policies, see Add app configuration
policies for managed Android Enterprise devices.
Use the Configuration Designer
1. Sign in to the Microsoft Intune admin center.
2. Select Apps > App configuration policies > Add > Managed devices.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is App config
policy: Cisco AnyConnect VPN policy for Android Enterprise work profile
devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.
Targeted app: Select the VPN client app you previously added. In the
following example, the Cisco AnyConnect VPN client app is used:
4. Select Next.
Add: Shows the list of configuration keys. Select all the configuration keys
needed for your configuration > OK.
Per App VPN Allowed Apps: Enter the application package ID(s) you
collected earlier. For example:
KeyChain Certificate Alias (optional): Change the Value type from string
to certificate. Select the client certificate profile to use with VPN
authentication. For example:
Host: Enter the host name URL to the headend router. For example, enter
vpn.contoso.com.
6. Select Next.
7. In Assignments, select the groups to assign the VPN app configuration policy.
Select Next.
8. In Review + create, review your settings. When you select Create, your changes are
saved, and the policy is deployed to your groups. The policy is also shown in the
app configuration policies list.
Use JSON
Use this option if you don't have, or don't know all the required VPN settings used in
the Configuration designer. If you need help, consult your VPN vendor.
1. In the Microsoft Intune admin center, select Apps > App configuration policies
> Add > Managed devices.
3. Select Next.
Add: Shows the list of configuration keys. Select any key with a Value type of
string. Select OK.
5. Change the Value type from string to certificate. This step lets you select the
correct client certificate profile that authenticates the VPN:
6. Immediately change the Value type back to string. The Configuration value
changes to a token {{cert:GUID}}:
7. Copy and paste this certificate token to another file, such as a text editor.
8. Discard this policy. Don't save it. The only purpose is to copy and paste the
certificate token.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is App config
policy: JSON Cisco AnyConnect VPN policy for Android Enterprise work
profile devices in entire company.
Description: Enter a description for the policy. This setting is optional, but
recommended.
Platform: Select Android Enterprise.
Profile type: Your options:
All profile types: This option supports username and password
authentication. If you use certificate-based authentication, don't use this
option.
Fully Managed, Dedicated, and Corporate-Owned work profile only: This
option supports certificate-based authentication, and username and
password authentication.
Personally-Owned Work Profile Only: This option supports certificate-
based authentication, and username and password authentication.
Targeted app: Select the VPN client app you previously added.
3. Select Next.
Configuration settings format: Select Enter JSON data. You can edit the
JSON directly.
Download JSON template: Use this option to download, and update the
template in any external editor. Be careful with text editors that use Smart
quotes, as they may create invalid JSON.
After you enter the values needed for your configuration, remove all settings that
have "STRING_VALUE" or STRING_VALUE.
5. Select Next.
6. In Assignments, select the groups to assign the VPN app configuration policy.
Select Next.
7. In Review + create, review your settings. When you select Create, your changes are
saved, and the policy is deployed to your groups. The policy is also shown in the
app configuration policies list.
JSON
{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.f5.edge.client_ics",
  "managedProperty": [
    {
      "key": "disallowUserConfig",
      "valueBool": false
    },
    {
      "key": "vpnConfigurations",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "name",
              "valueString": "MyCorpVPN"
            },
            {
              "key": "server",
              "valueString": "vpn.contoso.com"
            },
            {
              "key": "weblogonMode",
              "valueBool": false
            },
            {
              "key": "fipsMode",
              "valueBool": false
            },
            {
              "key": "clientCertKeychainAlias",
              "valueString": "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}"
            },
            {
              "key": "allowedApps",
              "valueString": "com.microsoft.emmx"
            },
            {
              "key": "mdmAssignedId",
              "valueString": ""
            },
            {
              "key": "mdmInstanceId",
              "valueString": ""
            },
            {
              "key": "mdmDeviceUniqueId",
              "valueString": ""
            },
            {
              "key": "mdmDeviceWifiMacAddress",
              "valueString": ""
            },
            {
              "key": "mdmDeviceSerialNumber",
              "valueString": ""
            },
            {
              "key": "allowBypass",
              "valueBool": false
            }
          ]
        }
      ]
    }
  ]
}
Additional information
Add app configuration policies for managed Android Enterprise devices
Android Enterprise device settings to configure VPN in Intune
Next steps
Create VPN profiles to connect to VPN servers in Intune
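The two checks the VPN article leaves to the admin, pulling the package ID out of a Play store URL and cleaning a JSON managed configuration before it is pasted into Intune, as one added example that is not code from the article or from any VPN vendor. It parses the document, flags the two problems the JSON steps warn about (smart quotes from a text editor, leftover STRING_VALUE placeholders), verifies that every certificate reference uses the {{cert:GUID}} token form and that every allowed-app entry is a syntactically valid Android package ID. The sample JSON is reconstructed from the article's F5 example and the GUID in it is the article's own; that the Play store URL carries the package ID in an "id" query parameter, and that allowedApps may be comma-separated, are assumptions of this example.

```python
"""Added example: pre-flight checks for an Android Enterprise managed
configuration JSON. Not from the Intune article or any vendor's code."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# {{cert:GUID}} as Intune emits it after the string/certificate/string round trip
CERT_TOKEN = re.compile(
    r"^\{\{cert:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}\}$")
# Android package name: dot-separated Java-style identifiers
PACKAGE_ID = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+$")
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample, reduced from the article's F5 Access example.
SAMPLE = r'''{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.f5.edge.client_ics",
  "managedProperty": [
    {"key": "disallowUserConfig", "valueBool": false},
    {"key": "vpnConfigurations", "valueBundleArray": [
      {"managedProperty": [
        {"key": "name", "valueString": "MyCorpVPN"},
        {"key": "server", "valueString": "vpn.contoso.com"},
        {"key": "clientCertKeychainAlias",
         "valueString": "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}"},
        {"key": "allowedApps", "valueString": "com.microsoft.emmx"},
        {"key": "allowBypass", "valueBool": false}
      ]}
    ]}
  ]
}'''


def play_package_id(url):
    """Package ID from a Play store URL (assumed layout: .../details?id=<package>)."""
    pkg = parse_qs(urlsplit(url).query).get("id", [""])[0]
    return pkg if PACKAGE_ID.match(pkg) else None


def _walk(props, path=""):
    """Yield (path, key, value) for every leaf managedProperty, descending into bundles."""
    for p in props:
        key = p.get("key", "")
        here = f"{path}/{key}"
        if "valueBundleArray" in p:
            for i, bundle in enumerate(p["valueBundleArray"]):
                yield from _walk(bundle.get("managedProperty", []), f"{here}[{i}]")
        elif "valueBundle" in p:
            yield from _walk(p["valueBundle"].get("managedProperty", []), here)
        else:
            for vk in ("valueString", "valueBool", "valueInteger", "valueStringArray"):
                if vk in p:
                    yield here, key, p[vk]


def check_managed_config(text):
    """Return human-readable findings; an empty list means the JSON passed every check."""
    findings = []
    if any(ch in text for ch in SMART_QUOTES):
        findings.append("smart quotes present: the editor replaced straight quotes")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        findings.append(f"invalid JSON: {e.msg} at line {e.lineno}")
        return findings
    if doc.get("kind") != "androidenterprise#managedConfiguration":
        findings.append("unexpected 'kind' value")
    for path, key, value in _walk(doc.get("managedProperty", [])):
        if value == "STRING_VALUE":
            findings.append(f"{path}: template placeholder STRING_VALUE not removed")
        elif isinstance(value, str) and "{{cert:" in value and not CERT_TOKEN.match(value):
            findings.append(f"{path}: malformed certificate token {value!r}")
        elif key == "allowedApps" and isinstance(value, str):
            bad = [a for a in value.split(",") if not PACKAGE_ID.match(a.strip())]
            if bad:
                findings.append(f"{path}: invalid package ID(s) {bad}")
    return findings


if __name__ == "__main__":
    print(play_package_id("https://play.google.com/store/apps/details?id=com.microsoft.emmx"))
    print(check_managed_config(SAMPLE) or "sample JSON passed all checks")
```

Run it over the template after editing and before the Review + create step; a finding about a placeholder or a malformed {{cert:…}} token is cheaper to fix here than after the policy has been pushed to devices and the VPN client rejects its configuration.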
Manage volume-purchased apps and books with Microsoft Intune
Article • 05/04/2023
Introduction
Some app stores give you the ability to purchase multiple licenses for an app or books
that you want to use in your company. Buying licenses in bulk can help you reduce the
administrative overhead of tracking multiple purchased copies of apps and books.
Microsoft Intune helps you manage apps and books that you purchased through such a
program. You import license information from the store, and track how many licenses
you have used. This process helps to ensure that you don't install more copies of the
app or book than you own.
Apple lets you purchase multiple licenses for an app that you want to use in your
organization on iOS/iPadOS and macOS devices using Apple Business Manager or
Apple School Manager. You can then synchronize your volume purchase information
with Intune and track your volume-purchased app use. Purchasing app licenses helps
you efficiently manage apps within your company and retain ownership and control of
purchased apps.
Microsoft Intune helps you manage apps purchased through this program by:
Additionally, you can synchronize, manage, and assign books you purchased from Apple
Business Manager with Intune to iOS/iPadOS devices. For more information, see How to
manage iOS/iPadOS eBooks you purchased through a volume-purchase program.
Note
The Apple Volume Purchase Program (VPP) has been integrated into Apple
Business Manager. Apple Business Manager is a portal for admins to deploy Apple
devices and acquire content in volume. Content may include apps, books, and
custom apps. Location tokens are used to assign and manage licenses purchased
using Apple Business Manager. VPP is now called legacy VPP tokens.
How are purchased apps licensed?
Purchased apps can be assigned to groups using two types of licenses that Apple offers
for iOS/iPadOS and macOS devices.
Note
Device-licensed VPP apps must be installed and updated through the MDM
channel only. Users cannot go to the store directly to manually install or update a VPP
app.
Action / Device Licensing / User Licensing
Action: App Store sign-in
Device Licensing: Not required.
User Licensing: Each end user must use a unique Apple ID when prompted to sign in to App Store.
Action: Device configuration blocking access to App Store
Device Licensing: Apps can be installed and updated using Company Portal.
User Licensing: The invitation to join Apple Business Manager requires access to App Store. If you have set a policy to disable App Store, user licensing for VPP apps will not work.
Action: Licenses used
Device Licensing: 1 license per device. The license is associated with the device.
User Licensing: 1 license for up to 5 devices using the same personal Apple ID. The license is associated with the user. An end user associated with a personal Apple ID and a Managed Apple ID in Intune consumes 2 app licenses.
Action: License migration
Device Licensing: Apps can migrate silently from user to device licenses only when using Required assignment type.
User Licensing: Apps cannot migrate from device to user licenses for any assignment type.
Note
Company Portal does not show device-licensed apps on User Enrollment devices
because only user-licensed apps can be installed on User Enrollment devices.
When you create a new assignment for an Apple Volume Purchase Program (VPP)
app, the default license type is now "device". Existing assignments remain
unchanged.
Store apps: Using Apple Business Manager, Content Managers can acquire both
free and paid apps that are available in the App Store.
Custom Apps: Using Apple Business Manager, Content Managers can also acquire
Custom Apps made available privately to your organization. These apps are
tailored to your organization's specific needs by developers with whom you work
directly. Learn more about how to distribute Custom Apps.
Prerequisites
An Apple Business Manager or Apple School Manager account for your
organization.
Purchased app licenses assigned to one or more location tokens.
Downloaded location tokens.
Important
A location token can only be used with one device management solution at a
time. Before you start to use purchased apps with Intune, revoke and remove
any existing location tokens used with other mobile device management
(MDM) vendors.
A location token is only supported for use on one Intune tenant at a time. Do
not reuse the same token for multiple Intune tenants.
By default, Intune synchronizes the location tokens with Apple once a day.
You can initiate a manual sync at any time from Intune.
After you have imported the location token to Intune, do not import the same
token to any other device management solution. Doing so might result in the
loss of license assignment and user records.
Important
For the best migration experience, migrate only one VPP purchaser per
location. If each purchaser migrates to a unique location, all licenses —
assigned and unassigned — will move to Apps and Books.
Do not delete the existing legacy VPP token in Intune or apps and
assignments associated with existing legacy VPP token in Intune. These
actions will require all app assignments to be recreated in Intune.
Migrate existing purchased VPP content and tokens to Apps and Books in Apple
Business Manager or Apple School Manager as follows:
1. Invite VPP purchasers to join your organization and direct each user to select a
unique location.
2. Ensure that all VPP purchasers within your organization have completed step 1
before proceeding.
3. Verify that all purchased apps and licenses have migrated to Apps and Books in
Apple Business Manager or Apple School Manager.
4. Download the new location token by going to Apple Business (or School)
Manager > Settings > Apps and Books > My Server Tokens.
5. Update the location token in Microsoft Intune admin center by going to Tenant
administration > Connectors and tokens > Apple VPP tokens and manually
upload the token.
Upload an Apple VPP or Apple Business
Manager location token
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Apple VPP tokens.
3. On the list of VPP tokens pane, select Create. The Create VPP token process is
displayed. There are four pages used when creating a VPP token. The first is Basics.
4. On the Basics page, specify the following information:
Take control of token from another MDM - Setting this option to yes allows
the token to be reassigned to Intune from another MDM solution.
Warning
Changing the country/region will update the apps metadata and App
Store URL on next sync with the Apple service for apps created with this
token. The app will not be updated if it does not exist in the new
country/region store.
Note
Automatic app updates for Apple VPP apps will automatically update for
both Required and Available install intents. For apps deployed with
Available install intent, the automatic update generates a status
message for the IT admin informing that a new version of the app is
available. This status message is viewable by selecting the app, selecting
Device Install Status, and checking the Status Details.
When updating a VPP app, it can take up to 24 hours for the device to
receive the updated VPP app. The device must be unlocked and
available to install the update successfully.
2. On the list of apps pane, choose the app you want to assign, and then choose
Properties. Select Edit next to Assignments.
3. On the Assignments tab, choose whether the app will be Required or Available for
enrolled devices.
4. Choose Add group under the assignment type you've selected, then on the Select
groups pane choose the Azure AD user or device groups to which you want to
assign the app.
Note
When you create a new assignment for an Apple Volume Purchase Program
(VPP) app, the default license type is "device". Existing assignments remain
unchanged.
Note
The Available deployment intent is not supported for device groups, only user
groups are supported. The list of apps displayed is associated with a token. If you
have an app that is associated with multiple VPP tokens, you see the same app
being displayed multiple times; once for each token.
Note
Apps assigned as Available do not become managed on the device until the user
initiates an install of the application. Once an app assigned as Available has been
installed, or the user has attempted to install the application, Intune will ensure that
the app is licensed.
Note
Intune (or any other MDM for that matter) does not actually install VPP apps.
Instead, Intune connects to your VPP account and tells Apple which app licenses to
assign to which devices. From there, all the actual installation is handled between
Apple and the device.
Note
User and device licensed apps running on supervised devices (scenarios 3 and 6 in
the table above) will still prompt for updates if the app is in use or is running in the
background. Accepting the prompt to install the app may not result in the app
installing. In order to update the app, you must: close the app, initiate a sync, and
leave the device unlocked while the app updates.
Note
You cannot update any app while the device is locked in Single App Mode. You
need to exit Single App Mode long enough to update apps as needed. During that
time, you should restrict the visible apps as much as possible, except for Settings
and other apps that cannot be blocked.
Revoking app licenses
You can revoke all associated iOS/iPadOS or macOS volume-purchase program (VPP)
app licenses based on a given device, user, or app. But there are some differences
between iOS/iPadOS and macOS platforms.
Action: Revoke app license
iOS/iPadOS: After changing the app assignment to Uninstall, you can reclaim an app license from the user or device using the Revoke license action. You must change the assignment to Uninstall to remove the app from the device and revoke the app license.
macOS: After changing the app assignment to Uninstall, you can reclaim an app license from the user or device using the Revoke license action. The macOS app with revoked license remains usable on the device, but cannot be updated until a license is reassigned to the user or device. According to Apple, such apps are removed after a 30-day grace period. You must change the assignment to Uninstall to remove the app from the device and revoke the app license.
Note
Intune reclaims app licenses when an employee leaves the company and is no
longer part of the AAD groups.
When assigning a purchased app with Uninstall intent, Intune both reclaims
the license and uninstalls the app.
App licenses are not reclaimed when a device is removed from Intune
management.
Intune will revoke app licenses when the user is deleted from Azure AD.
Deleting VPP tokens
You can delete an Apple Volume Purchasing Program (VPP) token using the console.
This may be necessary when you have duplicate instances of a VPP token. Deleting a
token will also delete any associated apps and assignments. Deleting a token revokes
associated app licenses but doesn't uninstall the apps.
Note
Intune cannot revoke app licenses after a token has been deleted.
To revoke the license of all VPP apps for a given VPP token, you must first revoke all app
licenses associated with the token, then delete the token.
To renew an Apple Business Manager location token (Apple VPP token), use the
following steps:
Note
You must renew the existing Apple VPP token or location token when the user who
set up the token in Apple Business Manager changes their password or the user
leaves your Apple Business Manager organization. Tokens that are not renewed will
show "invalid" status in Intune.
Configure updates for VPP apps
You can control the automatic update behavior for Apple VPP at the per-app
assignment level using the Prevent automatic updates setting. The Prevent automatic
updates setting is dependent on the token-level Allow automatic updates setting. To
use the Prevent automatic updates, the Allow automatic updates setting must be set
to Yes. This setting is available in Microsoft Intune admin center by selecting Apps >
iOS/iPadOS or macOS > Select a volume purchase program app > Properties >
Assignments.
Note
You can view and manage VPP apps with only the Mobile apps permission
assigned. Previously, the Managed apps permission was required to view and
manage VPP apps. This change does not apply to Intune for Education tenants who
still need to assign the Managed apps permission.
Additional information
Apple provides direct assistance to create and renew VPP tokens. For more information,
see Distribute content to your users with the Volume Purchase Program (VPP) as part
of Apple's documentation.
If Assigned to external MDM is indicated in Intune, then you (the admin) must remove
the VPP token from the 3rd party MDM before using the VPP token in Intune.
If status is Duplicate for a token, then multiple tokens with the same Token Location
have been uploaded. Remove the duplicate token to begin syncing the token again. You
can still assign and revoke licenses for tokens that are marked as duplicate. However,
licenses for new apps and books purchased may not be reflected once a token is
marked as duplicate.
Note
When the number of used licenses is greater than or equal to 50% of the total available
licenses for a specific app, an alert will appear under the Enrollment alerts tab. The
alert will disappear when the number of used licenses is less than 50% of the total
available licenses for the app.
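The licensing rules from the device- versus user-licensing table earlier in this article and the 50% usage alert just described, applied to a constructed set of assignments so an admin can see how many licenses an assignment will consume before making it. This is an added example, not Intune's code: the rules it encodes are the article's (one device license per device; one user license per personal Apple ID for up to 5 devices; a user with both a personal Apple ID and a Managed Apple ID consumes 2 licenses; the alert once used licenses reach 50% of the total), while the data structures, function names and the decision to refuse users with more than 5 devices rather than guess are this example's own.

```python
"""Added example: license consumption under the Apple VPP device/user licensing
rules described in the article. Not Intune's code."""
from dataclasses import dataclass, field

USER_LICENSE_DEVICE_LIMIT = 5   # article: one user license covers up to 5 devices
ALERT_FRACTION = 0.5            # article: alert when used >= 50% of total licenses


@dataclass
class User:
    upn: str
    apple_ids: list                 # personal and/or Managed Apple IDs the user signs in with
    device_count: int = 1


@dataclass
class Assignment:
    license_type: str               # "device" (the default for new assignments) or "user"
    devices: list = field(default_factory=list)   # device identifiers, for device licensing
    users: list = field(default_factory=list)     # User records, for user licensing


def licenses_required(a):
    """Licenses the assignment consumes under the table's rules."""
    if a.license_type == "device":
        return len(set(a.devices))                 # one license per distinct device
    if a.license_type != "user":
        raise ValueError("license_type must be 'device' or 'user'")
    total = 0
    for u in a.users:
        if u.device_count > USER_LICENSE_DEVICE_LIMIT:
            # The article defines coverage only up to 5 devices per Apple ID;
            # this example refuses to extrapolate beyond that (its own choice).
            raise ValueError(f"{u.upn}: more than {USER_LICENSE_DEVICE_LIMIT} devices on one user license")
        total += len(set(u.apple_ids))             # personal + Managed Apple ID => 2 licenses
    return total


def plan_assignment(a, total_licenses, already_used=0):
    """Predict the outcome: over-allocation (more copies than you own) and the 50% alert."""
    need = licenses_required(a)
    used_after = already_used + need
    return {
        "required": need,
        "used_after": used_after,
        "over_allocated": used_after > total_licenses,
        "alert": total_licenses > 0 and used_after >= ALERT_FRACTION * total_licenses,
    }


if __name__ == "__main__":
    # Constructed sample: two users, one of them with both a personal and a Managed Apple ID.
    sample = Assignment("user", users=[
        User("alice@contoso.example", ["alice@icloud.example", "alice@contoso.example"], 3),
        User("bob@contoso.example", ["bob@icloud.example"], 5),
    ])
    print(plan_assignment(sample, total_licenses=6))
```

The point the numbers make is the one the table states in words: switching an assignment from device to user licensing does not halve consumption when users carry two Apple IDs, and an assignment that looks affordable can still trip the 50% alert.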
Next steps
See How to monitor apps for information to help you monitor app assignments.
Important
The Microsoft Store for Business connector is no longer accessible in the Microsoft
Intune admin center. Apps added from the Microsoft Store for Business or
Microsoft Store for Education will no longer sync with Intune. Apps that have
previously synced will continue to be available and deploy to devices and users. For
related information, see Deprecation of Microsoft Store for Business and
Education.
The Microsoft Store for Business gives you a place to find and purchase apps for your
organization, individually, or in volume. By connecting the store to Microsoft Intune, you
can manage volume-purchased apps from the portal. For example:
You can synchronize the list of apps you have purchased (or that are free) from the
store with Intune.
Apps that are synchronized appear in the Microsoft Intune admin center; you can
assign these apps like any other apps.
Both Online and Offline licensed versions of Apps are synchronized to Intune. App
names will be appended with "Online" or "Offline" in the portal.
You can track how many licenses are available, and how many are being used in
the admin center.
Intune blocks assignment and installation of apps if there are an insufficient
number of licenses available.
Intune will revoke app licenses for apps managed by Microsoft Store for Business
when the user is deleted from Azure AD.
Important
The retirement of the Microsoft Store for Business and the Microsoft Store for
Education, originally scheduled for March 31, 2023, has been postponed. Until they
are retired, admins can still leverage the connection to Store for Business and
Education from their UEM solution to deploy apps to managed Windows 11
devices.
Review the following information before you start syncing and assigning apps from the
Microsoft Store for Business:
Note
Online Microsoft Store for Business apps can be used only for user context install;
that is, when deployed through Intune, you need to target user groups. Device
licensed offline Microsoft Store for Business apps can be installed in device context;
that is, when deployed through Intune, you can target device groups as well as user
groups.
Note
If you disable access to the Store on managed devices (either manually, via policy
or Group Policy), Online licensed apps will fail to install.
Associate your Microsoft Store for Business
account with Intune
Before you enable synchronization in the Microsoft Intune admin center, you must
configure your store account to use Intune as a management tool:
1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. In the Business Store, choose the Manage tab, select Settings, and choose the
Distribute tab.
3. If you don't specifically have Microsoft Intune available as a mobile device
management tool, choose Add management tool to add Microsoft Intune. If you
don't have Microsoft Intune activated as your mobile device management tool,
click Activate next to Microsoft Intune. Note that you should activate Microsoft
Intune rather than Microsoft Intune Enrollment.
Note
Previously you could associate only one management tool to assign apps with the
Microsoft Store for Business. Now you can associate multiple management tools
with the store, for example, Intune and Configuration Manager.
Configure synchronization
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
3. Click Enable.
4. If you haven't already done so, click the link to sign up for the Microsoft Store for
Business and associate your account as detailed previously.
5. From the Language drop-down list, choose the language in which apps from the
Microsoft Store for Business are displayed in the portal. Regardless of the language
in which they are displayed, they are installed in the end user's language when
available.
6. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.
Synchronize apps
If you've already associated your Microsoft Store for Business account with your Intune
admin credentials, you can manually sync your Microsoft Store for Business apps with
Intune using the following steps.
1. Select Tenant administration > Connectors and tokens > Microsoft Store for
Business.
2. Click Sync to get the apps you've purchased from the Microsoft Store into Intune.
Note
Apps with encrypted app packages are currently not supported and will not be
synchronized to Intune.
Assign apps
You assign apps from the store in the same way you assign any other Intune app. For
more information, see How to assign apps to groups with Microsoft Intune.
Offline apps can be targeted to user groups, device groups, or groups with users and
devices.
Offline apps can be installed for a specific user on a device or for all users on a
device.
When you assign a Microsoft Store for Business app, a license is used by each user who
installs the app. If you use all of the available licenses for an assigned app, you cannot
assign any more copies. Take one of the following actions:
Remove apps
To remove an app that is synced from the Microsoft Store for Business, you need to log
into the Microsoft Store for Business and complete the following steps. The process is
the same whether the app is free or not.
1. Ensure that you sign into the Microsoft Store for Business using the same tenant
account you use to sign into Intune.
2. Look for the app that you want to remove by selecting Products & services >
Apps & software and select it.
3. In the Users pane select all users, click on the ... symbol under the Actions column
and choose to Reclaim license.
4. Open the Private store availability tab of the app and change its availability to No
one.
5. Select the Product details link on the top and then select the ... button next to
Install. If the previous steps have been completed successfully, a Remove product
option will be available. Select Remove product to remove the app from the
Microsoft Store for Business.
6. Sync the apps using the Microsoft Store for Business connector in Intune in order
to remove the app from the list of Windows apps in Intune.
Next steps
Manage volume-purchased apps and books with Microsoft Intune
How to manage iOS/iPadOS eBooks you purchased through a volume-purchase program with Microsoft Intune
Article • 03/06/2023
The Apple Volume Purchase Program (VPP) lets you purchase multiple licenses for a
book that you want to distribute to users in your company. You can distribute books
from the Business, or Education stores.
Microsoft Intune helps you synchronize, manage, and assign books that you purchased
through this program. You can import license information from the store and track how
many of the licenses you have used.
If you previously used a VPP token with a different product, you must generate a
new one to use with Intune.
Each token is valid for one year.
By default, Intune syncs with the Apple Business Manager service twice a day. You
can start a manual sync at any time.
After you have imported the VPP token to Intune, do not import the same token to
any other device management solution. Doing so might result in the loss of license
assignment and user records.
Before you start to use iOS/iPadOS books with Intune, remove any existing VPP
user accounts created with other mobile device management (MDM) vendors.
Intune does not synchronize those user accounts into Intune as a security measure.
Intune synchronizes only data from the Apple Business Manager service that
Intune created.
When you assign a book to a device, that device must have the built-in iBooks app
installed. If it is not, the end user must reinstall the app before they can read the
book. You cannot currently use Intune to restore removed built-in apps.
You can only assign books from the Apple Volume Purchase Program site. You
cannot upload, then assign books you created in-house.
You cannot currently assign books to end-user categories in the same way as you
do apps.
You cannot reclaim a license once the book is assigned.
When a user with an eligible device first tries to install a VPP book, they must join
the Apple Volume Purchase program before they can install a book. You can also
assign licenses to security groups with managed Apple IDs. If you do this, then
users are not prompted for their Apple ID when a book is installed.
Devices must be enrolled with user affinity as e-books can only be assigned to user
groups.
VPP token file - Ensure you have signed in to Apple Business Manager or
Apple School Manager. Note these services were previously known as
Apple's volume purchase program for business or the Apple volume purchase
program for education. Then, download the Apple location/VPP token for
your account and select it in Endpoint Manager.
Apple ID - Enter the Apple ID of the account associated with the volume-
purchase program.
Type of VPP account - Choose from Business or Education.
Next steps
See How to monitor apps for information to help you monitor book assignments.
How to wipe only corporate data from Intune-managed apps
Article • 03/07/2023
When a device is lost or stolen, or if the employee leaves your company, you want to
make sure company app data is removed from the device. But you might not want to
remove personal data on the device, especially if the device is an employee-owned
device.
Note
The iOS/iPadOS, Android, and Windows 10 platforms are the only platforms
currently supported for wiping corporate data from Intune managed apps. Intune
managed apps are applications that include the Intune APP SDK, and have at least
one enabled and licensed user account in your organization. Deployment of
Application Protection Policies is required to enable app selective wipe on Android
and iOS.
Note
For iOS 16 and later devices, the "Device Name" value for all selective wipe actions
and status will be a generic device name. For more information, see Apple
Developer documentation.
To selectively remove company app data, create a wipe request by using the steps in this
topic. After the request is finished, the next time the app runs on the device, company
data is removed from the app. In addition, you can also configure a selective wipe of
your company data as a new action when the conditions of Application Protection
Policies (APP) Access settings are not met. This feature helps you automatically protect
and remove sensitive company data from applications based on pre-configured criteria.
Important
Contacts synced directly from the app to the native address book are removed. Any
contacts synced from the native address book to another external source can't be
wiped. Currently, this only applies to the Microsoft Outlook app.
Deployed WIP policies without user enrollment
Windows Information Protection (WIP) policies can be deployed without requiring MDM
users to enroll their Windows 10 device. This configuration allows companies to protect
their corporate documents based on the WIP configuration, while allowing the user to
maintain management of their own Windows devices. Once documents are protected
with a WIP policy, the protected data can be selectively wiped by an Intune
administrator (Global administrator or an Intune Service administrator). By selecting the
user and device, and sending a wipe request, all data that was protected via the WIP
policy will become unusable. In the Intune portal, select Client app > App
selective wipe. For more information, see Create and deploy Windows Information
Protection (WIP) app protection policy with Intune.
2. Select Apps > App selective wipe > Create wipe request.
3. Click Select user, choose the user whose app data you want to wipe, and click
Select at the bottom of the Select user pane.
4. Click Select the device, choose the device, and click Select at the bottom of the
Select Device pane.
5. Click Create to make a wipe request.
The service creates and tracks a separate wipe request for each protected app on the
device, and the user associated with the wipe request.
1. On the Apps > App selective wipe pane, you can see the list of your requests
grouped by users. Because the system creates a wipe request for each protected
app running on the device, you might see multiple requests for a user. The status
indicates whether a wipe request is pending, failed, or successful.
Additionally, you are able to see the device name, and its device type, which can be
helpful when reading the reports.
Important
The user must open the app for the wipe to occur, and the wipe may take up to 30
minutes after the request was made.
2. From the list, right-click on the wipe request you want to delete, then choose
Delete wipe request.
3. You're prompted to confirm the deletion, choose Yes or No, then click OK.
1. On the Client Apps - App selective wipe pane, select User-Level Wipe.
2. From the list, right-click on the user you want to delete, then choose Delete.
See also
What's app protection policy
App protection policies (APP) are rules that ensure an organization's data remains safe
or contained in a managed app. A policy can be a rule that is enforced when the user
attempts to access or move "corporate" data, or a set of actions that are prohibited or
monitored when the user is inside the app. A managed app is an app that has app
protection policies applied to it, and can be managed by Intune.
Mobile Application Management (MAM) app protection policies allow you to manage
and protect your organization's data within an application. Many productivity apps, such
as the Microsoft Office apps, can be managed by Intune MAM. See the official list of
Microsoft Intune protected apps available for public use.
You can use Intune app protection policies independent of any mobile-device
management (MDM) solution. This independence helps you protect your company's
data with or without enrolling devices in a device management solution. By
implementing app-level policies, you can restrict access to company resources and keep
data within the purview of your IT department.
Note
Mobile app management policies should not be used with third-party mobile
app management or secure container solutions.
Not enrolled in any mobile device management solution: These devices are
typically employee owned devices that aren't managed or enrolled in Intune or
other MDM solutions.
Important
You can create mobile app management policies for Office mobile apps that
connect to Microsoft 365 services. You can also protect access to Exchange on-
premises mailboxes by creating Intune app protection policies for Outlook for
iOS/iPadOS and Android enabled with hybrid Modern Authentication. Before using
this feature, make sure you meet the Outlook for iOS/iPadOS and Android
requirements. App protection policies are not supported for other apps that
connect to on-premises Exchange or SharePoint services.
Protecting your company data at the app level. Because mobile app management
doesn't require device management, you can protect company data on both
managed and unmanaged devices. The management is centered on the user
identity, which removes the requirement for device management.
End-user productivity isn't affected and policies don't apply when using the app
in a personal context. The policies are applied only in a work context, which gives
you the ability to protect company data without touching personal data.
App protection policies make sure that the app-layer protections are in place.
For example, you can:
Require a PIN to open an app in a work context
Control the sharing of data between apps
Prevent the saving of company app data to a personal storage location
MDM, in addition to MAM, makes sure that the device is protected. For example,
you can require a PIN to access the device, or you can deploy managed apps to
the device. You can also deploy apps to devices through your MDM solution, to
give you more control over app management.
There are additional benefits to using MDM with App protection policies, and
companies can use App protection policies with and without MDM at the same time. For
example, consider an employee that uses both a phone issued by the company, and
their own personal tablet. The company phone is enrolled in MDM and protected by
App protection policies while the personal device is protected by App protection
policies only.
If you apply a MAM policy to the user without setting the device state, the user will get
the MAM policy on both the BYOD device and the Intune-managed device. You can also
apply a MAM policy based on the managed state. So when you create an app protection
policy, next to Target to all app types, you'd select No. Then do any of the following:
Apply a less strict MAM policy to Intune managed devices, and apply a more
restrictive MAM policy to non MDM-enrolled devices.
Apply a MAM policy to unenrolled devices only.
Intune app protection policies platform support aligns with Office mobile application
platform support for Android and iOS/iPadOS devices. For details, see the Mobile apps
section of Office System Requirements.
Important
The Intune Company Portal is required on the device to receive App Protection
Policies on Android.
The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.
Data relocation policies like Save copies of org data, and Restrict cut, copy, and
paste.
Access policy settings like Require simple PIN for access, and Block managed
apps from running on jailbroken or rooted devices.
Data protection with APP on devices managed by an
MDM solution
The below illustration shows the layers of protection that MDM and App protection
policies offer together.
The MDM solution adds value by providing the following:
Help protect company data from leaking to consumer apps and services
Apply restrictions like save-as, clipboard, or PIN, to client apps
Wipe company data when needed from apps without removing those apps from
the device
You can't deploy apps to the device. The end user has to get the apps from the
store.
You can't provision certificate profiles on these devices.
You can't provision company Wi-Fi and VPN settings on these devices.
The end user must have an Azure Active Directory (Azure AD) account. See Add
users and give administrative permission to Intune to learn how to create Intune
users in Azure Active Directory.
The end user must have a license for Microsoft Intune assigned to their Azure
Active Directory account. See Manage Intune licenses to learn how to assign Intune
licenses to end users.
The end user must belong to a security group that is targeted by an app
protection policy. The same app protection policy must target the specific app
being used. App protection policies can be created and deployed in the Microsoft
Intune admin center. Security groups can currently be created in the Microsoft
365 admin center.
The end user must sign into the app using their Azure AD account.
The end user must have the Outlook mobile app installed to their device.
The end user must have a Microsoft 365 Exchange Online mailbox and license
linked to their Azure Active Directory account.
Note
The Outlook mobile app currently only supports Intune App Protection for
Microsoft Exchange Online and Exchange Server with hybrid modern
authentication and does not support Exchange in Office 365 Dedicated.
The end user must have a license for Microsoft 365 Apps for business or
enterprise linked to their Azure Active Directory account. The subscription must
include the Office apps on mobile devices and can include a cloud storage account
with OneDrive for Business. Microsoft 365 licenses can be assigned in the
Microsoft 365 admin center following these instructions.
The end user must have a managed location configured using the granular save as
functionality under the "Save copies of org data" application protection policy
setting. For example, if the managed location is OneDrive, the OneDrive app
should be configured in the end user's Word, Excel, or PowerPoint app.
If the managed location is OneDrive, the app must be targeted by the app
protection policy deployed to the end user.
Note
The Office mobile apps currently only support SharePoint Online and not
SharePoint on-premises.
The settings, made available to the OneDrive Admin console, configure a special Intune
app protection policy called the Global policy. This global policy applies to all users in
your tenant, and has no way to control the policy targeting.
Once enabled, the OneDrive and SharePoint apps for iOS/iPadOS and Android are
protected with the selected settings by default. An IT Pro can edit this policy in the
Microsoft Intune admin center to add more targeted apps and to modify any policy
setting.
By default, there can only be one Global policy per tenant. However, you can use Intune
Graph APIs to create extra global policies per tenant, but doing so isn't recommended
because troubleshooting the implementation of such a policy can become complicated.
While the Global policy applies to all users in your tenant, any standard Intune app
protection policy will override these settings.
Note
The policy settings in the OneDrive Admin Center are no longer being updated.
Microsoft Endpoint Manager may be used instead. For more information, see
Control access to features in the OneDrive and SharePoint mobile apps.
Multi-identity
Multi-identity support allows an app to support multiple audiences. These audiences are
both "corporate" users and "personal" users. Work and school accounts are used by
"corporate" audiences, whereas personal accounts would be used for consumer
audiences, such as Microsoft Office users. An app that supports multi-identity can be
released publicly, where app protection policies apply only when the app is used in the
work and school ("corporate") context. Multi-identity support uses the Intune SDK to
only apply app protection policies to the work or school account signed into the app. If
a personal account is signed into the app, the data is untouched. App protection
policies can be used to prevent the transfer of work or school account data to personal
accounts within the multi-identity app, personal accounts within other apps, or personal
apps.
Important
For an example of "personal" context, consider a user who starts a new document in
Word. This is considered personal context, so Intune App Protection policies are not
applied. Once the document is saved on the "corporate" OneDrive account, it is
considered "corporate" context and Intune App Protection policies are applied.
A user starts the OneDrive app by using their work account. In the work context,
they can't move files to a personal storage location. Later, when they use OneDrive
with their personal account, they can copy and move data from their personal
OneDrive without restrictions.
A user starts drafting an email in the Outlook app. Once the subject or message
body is populated, the user is unable to switch the FROM address from the work
context to the personal context as the subject and message body are protected by
the App Protection policy.
Note
Outlook has a combined email view of both "personal" and "corporate" emails. In
this situation, the Outlook app prompts for the Intune PIN on launch.
Important
Although Edge is in "corporate" context, users can intentionally move OneDrive
"corporate" context files to an unknown personal cloud storage location. To avoid
this, see Manage restricted web sites and configure the allowed/blocked site list
for Edge.
PIN prompt
Intune prompts for the user's app PIN when the user is about to access "corporate" data.
In multi-identity apps such as Word, Excel, or PowerPoint, the user is prompted for their
PIN when they try to open a "corporate" document or file. In single-identity apps, such
as line-of-business apps managed using the Intune App Wrapping Tool, the PIN is
prompted at launch, because the Intune SDK knows the user's experience in the app is
always "corporate".
The IT admin can define the Intune app protection policy setting Recheck the access
requirements after (minutes) in the Microsoft Intune admin center. This setting
specifies the amount of time before the access requirements are checked on the device,
and the application PIN screen, or corporate credential prompt, is shown again.
However, important details about PIN that affect how often the user will be prompted
are:
The PIN is shared among apps of the same publisher to improve usability:
On iOS/iPadOS, one app PIN is shared amongst all apps of the same app
publisher. For example, all Microsoft apps share the same PIN. On Android, one
app PIN is shared amongst all apps.
The Recheck the access requirements after (minutes) behavior after a device
reboot:
A timer tracks the number of minutes of inactivity that determine when to show
the Intune app PIN, or corporate credential prompt next. On iOS/iPadOS, the timer
is unaffected by device reboot. Thus, device reboot has no effect on the number of
minutes the user has been inactive from an iOS/iPadOS app with Intune PIN (or
corporate credential) policy targeted. On Android, the timer is reset on device
reboot. As such, Android apps with Intune PIN (or corporate credential) policy will
likely prompt for an app PIN, or corporate credential prompt, regardless of the
'Recheck the access requirements after (minutes)' setting value after a device
reboot.
The rolling nature of the timer associated with the PIN:
Once a PIN is entered to access an app (app A), and the app leaves the foreground
(main input focus) on the device, the timer gets reset for that PIN. Any app (app B)
that shares this PIN will not prompt the user for PIN entry because the timer has
reset. The prompt will show up again once the 'Recheck the access requirements
after (minutes)' value is met again.
For iOS/iPadOS devices, even if the PIN is shared between apps from different
publishers, the prompt will show up again when the Recheck the access requirements
after (minutes) value is met again for the app that is not the main input focus. So, for
example, a user has app A from publisher X and app B from publisher Y, and those two
apps share the same PIN. The user is focused on app A (foreground), and app B is
minimized. After the Recheck the access requirements after (minutes) value is met and
the user switches to app B, the PIN would be required.
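As an added illustration, not Microsoft's code or the Intune SDK's implementation, the following Python model applies the rules above: one PIN per publisher on iOS/iPadOS and one PIN for all apps on Android, a rolling timer that restarts when an app sharing the PIN leaves the foreground, and a reboot that resets the timer on Android only. App and publisher names are constructed, and the iOS case of a PIN shared across different publishers is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class ManagedApp:
    name: str
    publisher: str


@dataclass
class PinPromptModel:
    """Hypothetical model of when the Intune app PIN prompt reappears, built from
    the rules in the text (not the Intune SDK's own logic)."""
    platform: str          # "ios" (covers iPadOS) or "android"
    recheck_minutes: int   # 'Recheck the access requirements after (minutes)'
    # Scopes whose PIN has been entered since the last reset.
    _unlocked: Set[str] = field(default_factory=set)
    # Minute at which an app in the scope last left the foreground (timer start).
    # Absent while an unlocked app in the scope is still in the foreground.
    _timer_start: Dict[str, int] = field(default_factory=dict)

    def pin_scope(self, app: ManagedApp) -> str:
        # iOS/iPadOS: one PIN per app publisher. Android: one PIN for all apps.
        return app.publisher if self.platform == "ios" else "*"

    def pin_entered(self, app: ManagedApp) -> None:
        # The user unlocked an app; while it stays in the foreground no
        # inactivity accrues for the shared PIN.
        scope = self.pin_scope(app)
        self._unlocked.add(scope)
        self._timer_start.pop(scope, None)

    def left_foreground(self, app: ManagedApp, now: int) -> None:
        # The rolling timer for the shared PIN restarts when the app loses
        # main input focus.
        self._timer_start[self.pin_scope(app)] = now

    def reboot(self) -> None:
        # Android resets the timer on reboot, so the next launch prompts again
        # regardless of the recheck value; iOS/iPadOS keeps the timer.
        if self.platform == "android":
            self._unlocked.clear()
            self._timer_start.clear()

    def prompt_required(self, app: ManagedApp, now: int) -> bool:
        scope = self.pin_scope(app)
        if scope not in self._unlocked:
            return True                      # PIN never entered for this scope
        start: Optional[int] = self._timer_start.get(scope)
        if start is None:
            return False                     # an app sharing this PIN is active
        return now - start >= self.recheck_minutes
```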
Note
In order to verify the user's access requirements more often (i.e. PIN prompt),
especially for a frequently used app, it is recommended to reduce the value of the
'Recheck the access requirements after (minutes)' setting.
The Intune PIN works based on an inactivity-based timer (the value of Recheck the
access requirements after (minutes)). As such, Intune PIN prompts show up
independently from the built-in app PIN prompts for Outlook and OneDrive which often
are tied to app launch by default. If the user receives both PIN prompts at the same
time, the expected behavior should be that the Intune PIN takes precedence.
The PIN serves to allow only the correct user to access their organization's data in the
app. Therefore, an end user must sign in with their work or school account before they
can set or reset their Intune app PIN. This authentication is handled by Azure Active
Directory via secure token exchange and is not transparent to the Intune SDK. From a
security perspective, the best way to protect work or school data is to encrypt it.
Encryption is not related to the app PIN but is its own app protection policy.
As part of the app PIN policy, the IT administrator can set the maximum number of
times a user can try to authenticate their PIN before locking the app. After the number
of attempts has been met, the Intune SDK can wipe the "corporate" data in the app.
Intune PIN and a selective wipe
On iOS/iPadOS, the app level PIN information is stored in the keychain that is shared
between apps with the same publisher, such as all first party Microsoft apps. This PIN
information is also tied to an end user account. A selective wipe of one app shouldn't
affect a different app.
For example, a PIN set for Outlook for the signed in user is stored in a shared keychain.
When the user signs into OneDrive (also published by Microsoft), they will see the same
PIN as Outlook since it uses the same shared keychain. When signing out of Outlook or
wiping the user data in Outlook, the Intune SDK does not clear that keychain because
OneDrive might still be using that PIN. Because of this, selective wipes do not clear that
shared keychain, including the PIN. This behavior remains the same even if only one app
by a publisher exists on the device.
Since the PIN is shared amongst apps with the same publisher, if the wipe goes to a
single app, the Intune SDK does not know if there are any other apps on the device with
the same publisher. Thus, the Intune SDK does not clear the PIN since it might still be
used for other apps. The expectation is that the app PIN will be wiped when the last
app from that publisher is eventually removed as part of some OS cleanup.
If you observe the PIN being wiped on some devices, the following is likely happening:
Since the PIN is tied to an identity, if the user signed in with a different account after a
wipe, they will be prompted to enter a new PIN. However, if they sign in with a
previously existing account, a PIN stored in the keychain already can be used to sign in.
MAM (on iOS/iPadOS) currently allows application-level PIN with alphanumeric and
special characters (called 'passcode') which requires the participation of applications (i.e.
WXP, Outlook, Managed Browser, Yammer) to integrate the Intune SDK for iOS. Without
this, the passcode settings are not properly enforced for the targeted applications. This
was a feature released in the Intune SDK for iOS v. 7.1.12.
In order to support this feature and ensure backward compatibility with previous
versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in
7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK.
Another change was introduced in the Intune SDK for iOS v 14.6.0 that causes all PINs in
14.6.0+ to be handled separately from any PINs in previous versions of the SDK.
Therefore, if a device has applications with Intune SDK for iOS versions before 7.1.12
AND after 7.1.12 from the same publisher (or versions before 14.6.0 AND after 14.6.0),
the user will have to set up two PINs. The two PINs (one for each app) are not related
in any way, but each must adhere to the app protection policy that's applied to its app.
As such, the user may set up the same PIN twice only if apps A and B have the same
PIN policies applied.
This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with
Intune Mobile App Management. Over time, as applications adopt later versions of the
Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher
becomes less of an issue. Please see the note below for an example.
Note
For example, if app A is built with a version prior to 7.1.12 (or 14.6.0) and app B is
built with a version greater than or equal to 7.1.12 (or 14.6.0) from the same
publisher, the end user will need to set up PINs separately for A and B if both are
installed on an iOS/iPadOS device. If an app C that has SDK version 7.1.9 (or 14.5.0)
is installed on the device, it will share the same PIN as app A. An app D built with
7.1.14 (or 14.6.2) will share the same PIN as app B. If only apps A and C are installed
on a device, then one PIN will need to be set. The same applies if only apps B and D
are installed on a device.
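The grouping rule above, as an added Python example (not Microsoft's code): apps from the same publisher share a PIN only when their Intune SDK for iOS versions fall on the same side of both the 7.1.12 and the 14.6.0 boundaries, so the block treats the two boundaries together where the note illustrates them one at a time. It assumes all apps have the same PIN policy applied; app names, the publisher "Contoso" and the exact versions are constructed to match the note's apps A to D.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Intune SDK for iOS versions at which PIN handling changed, per the text.
PIN_HANDLING_BOUNDARIES: Tuple[Tuple[int, ...], ...] = ((7, 1, 12), (14, 6, 0))


@dataclass(frozen=True)
class IosApp:
    name: str
    publisher: str
    sdk_version: str   # Intune SDK for iOS version the app was built with


def parse_version(version: str) -> Tuple[int, ...]:
    # "7.1.12" -> (7, 1, 12); tuples compare element-wise, so
    # (7, 1, 9) < (7, 1, 12) < (14, 6, 0) < (14, 6, 2)
    return tuple(int(part) for part in version.split("."))


def pin_generation(sdk_version: str) -> int:
    # 0: before 7.1.12, 1: 7.1.12 up to (excluding) 14.6.0, 2: 14.6.0 and later.
    version = parse_version(sdk_version)
    return sum(1 for boundary in PIN_HANDLING_BOUNDARIES if version >= boundary)


def pin_groups(apps: List[IosApp]) -> Dict[Tuple[str, int], List[str]]:
    # Apps share one PIN when they have the same publisher and PIN generation.
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for app in apps:
        groups[(app.publisher, pin_generation(app.sdk_version))].append(app.name)
    return dict(groups)


def pins_required(apps: List[IosApp]) -> int:
    # Number of distinct PINs the user has to set up for this set of apps.
    return len(pin_groups(apps))


# Constructed sample mirroring the note's apps A to D (publisher and exact
# versions are placeholders chosen to fit the note).
SAMPLE_APPS = [
    IosApp("App A", "Contoso", "7.1.5"),
    IosApp("App B", "Contoso", "7.1.12"),
    IosApp("App C", "Contoso", "7.1.9"),
    IosApp("App D", "Contoso", "7.1.14"),
]
```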
See the Android app protection policy settings and iOS/iPadOS app protection policy
settings for detailed information on the encryption app protection policy setting.
Email (Exchange)
Cloud storage (OneDrive app with a OneDrive for Business account)
For line-of-business apps managed by the Intune App Wrapping Tool, all app data is
considered "corporate".
Selective wipe
Remotely wipe data
For more information about remote wipe for MDM, see Remove devices by using wipe
or retire. For more information about selective wipe using MAM, see the Retire action
and How to wipe only corporate data from apps.
Full device wipe removes all user data and settings from the device by restoring the
device to its factory default settings. The device is removed from Intune.
Note
Full device wipe, and selective wipe for MDM can only be achieved on devices
enrolled with Intune mobile device management (MDM).
Selective wipe for MAM simply removes company app data from an app. The request is
initiated using Intune. To learn how to initiate a wipe request, see How to wipe only
corporate data from apps.
If the user is using the app when selective wipe is initiated, the Intune SDK checks every
30 minutes for a selective wipe request from the Intune MAM service. It also checks for
selective wipe when the user launches the app for the first time and signs in with their
work or school account.
When On-Premises (on-prem) services don't work with Intune protected apps
Intune app protection depends on the identity of the user to be consistent between the
application and the Intune SDK. The only way to guarantee that is through modern
authentication. There are scenarios in which apps may work with an on-prem
configuration, but they are neither consistent nor guaranteed.
The IT administrator can deploy and set app protection policy for Microsoft Edge, a web
browser that can be managed easily with Intune. The IT administrator can require all
web links in Intune-managed apps to be opened using a managed browser.
App protection experience for iOS devices
The intent of this process is to continue keeping your organization's data within the app
secure and protected at the app level. This feature is only available for iOS/iPadOS, and
requires the participation of applications that integrate the Intune SDK for iOS/iPadOS,
version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be
enforced on the targeted applications. This integration happens on a rolling basis and is
dependent on the specific application teams. Some apps that participate include WXP,
Outlook, Managed Browser, and Yammer.
Users can disable an app's Universal Links by visiting them in Safari and selecting Open
in New Tab or Open. In order to use Universal Links with Intune app protection policies,
it's important to re-enable the universal links. The end user would need to do an Open
in <app name> in Safari after long pressing a corresponding link. This should prompt
any additional protected app to route all Universal Links to the protected application on
the device.
When dealing with different types of settings, an Intune SDK version requirement would
take precedence, then an app version requirement, followed by the iOS/iPadOS
operating system version requirement. Then, any warnings for all types of settings in the
same order are checked. We recommend the Intune SDK version requirement be
configured only upon guidance from the Intune product team for essential blocking
scenarios.
Note
App protection policies (APP) are not supported on Intune managed Android
Enterprise dedicated devices without Shared device mode. On these devices,
Company Portal installation is needed for an APP block policy to take effect with no
impact to the user. App protection policies are supported on Intune managed
Android Enterprise dedicated devices with Shared device mode, as well as on AOSP
userless devices that leverage Shared device mode.
When dealing with different types of settings, an app version requirement would take
precedence, followed by Android operating system version requirement and Android
patch version requirement. Then, any warnings for all types of settings in the same order
are checked.
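The evaluation order described for iOS/iPadOS above and for Android here, as an added Python example (not Microsoft's code): block actions are checked in precedence order first, then warnings in the same order, and the first unmet requirement decides the outcome. The requirement and device-fact names, the "warn"/"block" labels and the sample values are constructed; an unreported device fact is treated as unmet, which is this example's choice.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Order in which conditional-launch version requirements are evaluated (from the text):
# iOS/iPadOS: Intune SDK version, then app version, then OS version.
# Android: app version, then OS version, then security patch version.
PRECEDENCE: Dict[str, Tuple[str, ...]] = {
    "ios": ("min_sdk_version", "min_app_version", "min_os_version"),
    "android": ("min_app_version", "min_os_version", "min_patch_version"),
}


@dataclass(frozen=True)
class Requirement:
    setting: str   # a key listed in PRECEDENCE
    minimum: str   # version string such as "14.6.0", or YYYY-MM-DD for min_patch_version
    action: str    # "block" (Block access) or "warn"


def version_key(value: str) -> Tuple[int, ...]:
    # "7.1.12" -> (7, 1, 12); tuples compare element-wise
    return tuple(int(part) for part in value.split("."))


def satisfied(req: Requirement, device: Dict[str, str]) -> bool:
    # Device facts use the setting name without its "min_" prefix, e.g. "os_version".
    actual = device.get(req.setting[len("min_"):])
    if actual is None:
        return False   # this example's choice: an unreported fact fails the check
    if req.setting == "min_patch_version":
        return actual >= req.minimum   # ISO dates compare correctly as strings
    return version_key(actual) >= version_key(req.minimum)


def evaluate(platform: str, reqs: List[Requirement],
             device: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (action, setting) for the first unmet requirement in precedence
    order, checking every block before any warning, or None when all are met.
    Requirements whose setting does not apply to the platform are ignored."""
    for action in ("block", "warn"):
        for setting in PRECEDENCE[platform]:
            for req in reqs:
                if (req.setting == setting and req.action == action
                        and not satisfied(req, device)):
                    return (action, setting)
    return None
```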
As more organizations implement mobile device strategies for accessing work or school
data, protecting against data leakage becomes paramount. Intune's mobile application
management solution for protecting against data leakage is App Protection Policies
(APP). APP are rules that ensure an organization's data remains safe or contained in a
managed app, regardless of whether the device is enrolled. For more information, see
App protection policies overview.
When configuring App Protection Policies, the number of various settings and options
enable organizations to tailor the protection to their specific needs. Due to this
flexibility, it may not be obvious which permutation of policy settings are required to
implement a complete scenario. To help organizations prioritize client endpoint
hardening endeavors, Microsoft has introduced a new taxonomy for security
configurations in Windows 10 , and Intune is leveraging a similar taxonomy for its APP
data protection framework for mobile app management.
The APP data protection configuration framework is organized into three distinct
configuration scenarios:
Microsoft recommends the following deployment ring approach for the APP data
protection framework:
As the above table indicates, all changes to the App Protection Policies should be first
performed in a pre-production environment to understand the policy setting
implications. Once testing is complete, the changes can be moved into production and
applied to a subset of production users, generally, the IT department and other
applicable groups. And finally, the rollout can be completed to the rest of the mobile
user community. Rollout to production may take a longer amount of time depending on
the scale of impact regarding the change. If there is no user impact, the change should
roll out quickly, whereas, if the change results in user impact, rollout may need to go
slower due to the need to communicate changes to the user population.
When testing changes to an APP, be aware of the delivery timing. The status of APP
delivery for a given user can be monitored. For more information, see How to monitor
app protection policies.
Individual APP settings for each app can be validated on devices using Edge and the
URL about:Intunehelp. For more information, see Review client app protection logs and
Use Edge for iOS and Android to access managed app logs.
Administrators can incorporate the below configuration levels within their ring
deployment methodology for testing and production use by importing the sample
Intune App Protection Policy Configuration Framework JSON templates with Intune's
PowerShell scripts.
Note
Preview: When using MAM for Windows, see App protection policy settings for
Windows.
See Require approved client apps or app protection policy with mobile devices in
Conditional Access: Require approved client apps or app protection policy for steps to
implement the specific policies. Finally, implement the steps in Block legacy
authentication to block legacy authentication capable iOS and Android apps.
Note
These policies leverage the grant controls Require approved client app and
Require app protection policy.
Edge
Excel
Office
OneDrive
OneNote
Outlook
PowerPoint
SharePoint
Teams
To Do
Word
The policies should include other Microsoft apps based on business need, additional
third-party public apps that have integrated the Intune SDK used within the
organization, as well as line-of-business apps that have integrated the Intune SDK (or
have been wrapped).
The policies in level 1 enforce a reasonable data access level while minimizing the
impact to users and mirror the default data protection and access requirements settings
when creating an App Protection Policy within Microsoft Intune.
Data protection

Setting | Setting description | Value | Platform | Notes
Data Transfer | Restrict cut, copy, and paste between apps | Any app | iOS/iPadOS, Android |
Functionality | Restrict web content transfer with other apps | Any app | iOS/iPadOS, Android |

Access requirements

Setting | Value | Platform | Notes
App PIN when device PIN is set | Require | iOS/iPadOS, Android | If the device is enrolled in Intune, administrators can consider setting this to "Not required" if they are enforcing a strong device PIN via a device compliance policy.

Conditional launch

Setting | Setting description | Value | Platform | Notes
Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end-user will be blocked from access until they turn on Google's app scanning on their Android device.
The policy settings enforced in level 2 include all the policy settings recommended for
level 1 but only lists those settings below that have been added or changed to
implement more controls and a more sophisticated configuration than level 1. While
these settings may have a slightly higher impact to users or to applications, they enforce
a level of data protection more commensurate with the risks facing users with access to
sensitive information on mobile devices.
Data protection
Notes on the iOS/iPadOS data transfer values: Policy managed apps with OS sharing is available when the device is also enrolled with Intune. This setting allows data transfer to other policy managed apps, as well as file transfers to other apps that are managed by Intune. Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to only display policy managed apps. For more information, see iOS app protection policy settings.
Conditional launch
Device conditions, Min patch version: Format YYYY-MM-DD, Example: 2020-01-01 / Block access (Android)
Notes: Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. See Android Security Bulletins for the latest patch releases.
The policy settings enforced in level 3 include all the policy settings recommended for
level 2 but only lists those settings below that have been added or changed to
implement more controls and a more sophisticated configuration than level 2. These
policy settings can have a potentially significant impact to users or to applications,
enforcing a level of security commensurate with the risks facing targeted organizations.
Data protection
Data transfer, Allow users to open data from selected services: OneDrive for Business, SharePoint, Camera, Photo Library (iOS/iPadOS, Android)
Notes: For related information, see Android app protection policy settings and iOS app protection policy settings.
Access requirements
Conditional launch
Notes: See Android Enterprise Recommended requirements for Android's latest recommendations.
Next steps
Administrators can incorporate the above configuration levels within their ring
deployment methodology for testing and production use by importing the sample
Intune App Protection Policy Configuration Framework JSON templates with Intune's
PowerShell scripts.
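As an added example, not one of Microsoft's sample scripts or templates, the following Python checks a policy template against the settings the levels above call for and then builds the Graph create request that the import amounts to. It assumes the template uses the Graph androidManagedAppProtection property names and enum values (an assumption drawn from the public beta schema, not something the page states), a bearer token in the GRAPH_TOKEN environment variable, and the DeviceManagementApps.ReadWrite.All permission. The mapping from portal setting names to Graph properties and the sample policy are constructed for the example.

```python
"""Lint an Intune app protection policy template against the framework
levels above, then build the Graph request that imports it.

Added example, not Microsoft's import script. Property names and enum
values are assumed from the Graph beta androidManagedAppProtection schema.
"""
import json
import os
import sys
import urllib.request
from typing import Any, Dict, List

GRAPH = "https://graph.microsoft.com/beta/deviceAppManagement"

# Graph collection for each policy @odata.type (assumed from the public schema).
COLLECTIONS = {
    "#microsoft.graph.androidManagedAppProtection": "androidManagedAppProtections",
    "#microsoft.graph.iosManagedAppProtection": "iosManagedAppProtections",
}

# Server-managed properties that must not be sent on create (assumed list).
READ_ONLY = {"@odata.context", "id", "createdDateTime", "lastModifiedDateTime",
             "version", "isAssigned", "deployedAppCount"}

# Page-supported expectations per level, as Graph property -> required value.
# Higher levels inherit the lower ones. The portal-setting-to-property mapping
# is an assumption for this example.
FRAMEWORK: Dict[int, Dict[str, Any]] = {
    1: {
        "pinRequired": True,                                   # app PIN
        "encryptAppData": True,                                # encrypt org data
        "allowedOutboundClipboardSharingLevel": "allApps",     # cut/copy/paste: Any app
        "managedBrowser": "notConfigured",                     # web content: Any app
        "disableAppPinIfDevicePinIsSet": False,                # App PIN when device PIN is set: Require
        "requiredAndroidSafetyNetAppsVerificationType": "enabled",  # Require threat scan on apps
        "appActionIfAndroidSafetyNetAppsVerificationFailed": "block",
    },
    2: {"minimumRequiredPatchVersion": "2020-01-01"},          # Min patch version / Block access
    3: {"allowedDataIngestionLocations": ["oneDriveForBusiness", "sharePoint",
                                          "camera", "photoLibrary"]},
}


def lint_policy(policy: Dict[str, Any], level: int) -> List[str]:
    """Return one finding per setting that falls short of the requested level."""
    findings: List[str] = []
    for lvl in range(1, level + 1):
        for prop, expected in FRAMEWORK[lvl].items():
            actual = policy.get(prop)
            if isinstance(expected, list):
                # "Open data from selected services": allow-list must be non-empty
                # and no wider than the level permits.
                ok = isinstance(actual, list) and bool(actual) and set(actual) <= set(expected)
            elif prop == "minimumRequiredPatchVersion":
                # YYYY-MM-DD strings compare correctly as text; a newer baseline is fine.
                ok = isinstance(actual, str) and actual >= expected
            else:
                ok = actual == expected
            if not ok:
                findings.append(f"level {lvl}: {prop} expected {expected!r}, got {actual!r}")
    return findings


def import_body(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Template minus the server-managed properties Graph rejects on create."""
    return {k: v for k, v in policy.items() if k not in READ_ONLY}


def import_request(policy: Dict[str, Any]) -> urllib.request.Request:
    """Build the POST that creates the policy in the right Graph collection."""
    url = f"{GRAPH}/{COLLECTIONS[policy['@odata.type']]}"
    return urllib.request.Request(
        url, data=json.dumps(import_body(policy)).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {os.environ.get('GRAPH_TOKEN', '')}"})


# Constructed Level 1 Android template (not one of Microsoft's sample files).
SAMPLE_POLICY: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "id": "00000000-0000-0000-0000-000000000000",
    "displayName": "Level 1 enterprise basic data protection",
    "pinRequired": True,
    "encryptAppData": True,
    "allowedOutboundClipboardSharingLevel": "allApps",
    "managedBrowser": "notConfigured",
    "disableAppPinIfDevicePinIsSet": False,
    "requiredAndroidSafetyNetAppsVerificationType": "enabled",
    "appActionIfAndroidSafetyNetAppsVerificationFailed": "block",
}

if __name__ == "__main__":
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    level = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    problems = lint_policy(template, level)
    for problem in problems:
        print("FAIL", problem)
    if problems:
        sys.exit(1)
    req = import_request(template)
    if os.environ.get("GRAPH_TOKEN"):
        with urllib.request.urlopen(req) as resp:   # network call only with a token
            print("created", json.load(resp).get("id"))
    else:
        print("dry run:", req.get_method(), req.full_url)
```

Run it as `python lint_app.py template.json 2` in a pipeline stage before the import step; without GRAPH_TOKEN it only lints and prints the request it would send, which is the safe default for the test ring.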
See also
How to create and deploy app protection policies with Microsoft Intune
Available Android app protection policy settings with Microsoft Intune
Available iOS/iPadOS app protection policy settings with Microsoft Intune
How to create and assign app protection policies
Article • 06/07/2023
Learn how to create and assign Microsoft Intune app protection policies (APP) for users
of your organization. This topic also describes how to make changes to existing policies.
The choices available in app protection policies (APP) enable organizations to tailor the
protection to their specific needs. For some, it may not be obvious which policy settings
are required to implement a complete scenario. To help organizations prioritize mobile
client endpoint hardening, Microsoft has introduced a taxonomy for its APP data
protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels,
with each level building off the previous level:
Enterprise basic data protection (Level 1) ensures that apps are protected with a
PIN and encrypted and performs selective wipe operations. For Android devices,
this level validates Android device attestation. This is an entry level configuration
that provides similar data protection control in Exchange Online mailbox policies
and introduces IT and the user population to APP.
Enterprise enhanced data protection (Level 2) introduces APP data leakage
prevention mechanisms and minimum OS requirements. This is the configuration
that is applicable to most mobile users accessing work or school data.
Enterprise high data protection (Level 3) introduces advanced data protection
mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This
configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum
apps that must be protected, review Data protection framework using app protection
policies.
If you're looking for a list of apps that have integrated the Intune SDK, see Microsoft
Intune protected apps.
2. Select Apps > App protection policies. This selection opens the App protection
policies details, where you create new policies and edit existing policies.
3. Select Create policy and select either iOS/iPadOS or Android. The Create policy
pane is displayed.
Value/Option Description
Target policy to: In the Target policy to dropdown box, choose to target your app protection policy to All Apps, Microsoft Apps, or Core Microsoft Apps.
All Apps includes all Microsoft and partner apps that have integrated the Intune SDK.
Microsoft Apps includes all Microsoft apps that have integrated the Intune SDK.
Core Microsoft Apps includes the following apps: Edge, Excel, Office, OneDrive, OneNote, Outlook, PowerPoint, SharePoint, Teams, To Do, and Word.
Next, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy.
Public apps: If you do not want to select one of the pre-defined app groups, you can choose to target individual apps by selecting Selected apps in the Target policy to dropdown box. Click Select public apps to select public apps to target.
Custom apps: If you do not want to select one of the pre-defined app groups, you can choose to target individual apps by selecting Selected apps in the Target policy to dropdown box. Click Select custom apps to select custom apps to target based on a Bundle ID. You cannot choose a custom app when targeting all public apps in the same policy.
The app(s) you have selected will appear in the public and custom apps list.
Note
Public apps are apps from Microsoft and partners that are commonly used with Microsoft Intune. These Intune protected apps are enabled with a rich set of support for mobile application protection policies. For more information, see Microsoft Intune protected apps. Custom apps are LOB apps that have been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool. For more information, see Microsoft Intune App SDK Overview and Prepare line-of-business apps for app protection policies.
The Assignments page allows you to assign the app protection policy to groups of
users. You must apply the policy to a group of users to have the policy take effect.
10. Click Next: Review + create to review the values and settings you entered for this
app protection policy.
11. When you are done, click Create to create the app protection policy in Intune.
Tip
These policy settings are enforced only when using apps in the work context.
When end users use the app to do a personal task, they aren't affected by
these policies. Note that when you create a new file it is considered a personal
file.
Important
It can take time for app protection policies to apply to existing devices. End users will see a notification on the device when the app protection policy is applied. Apply your app protection policies to devices before applying Conditional Access rules.
End users can download the apps from the App store or Google Play. For more
information, see:
4. The Apps page allows you to choose which apps should be targeted by this policy.
You must add at least one app.
Value/Option Description
Public apps: In the Target policy to dropdown box, choose to target your app protection policy to All public apps, Microsoft Apps, or Core Microsoft Apps. Next, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy.
Custom apps: Click Select custom apps to select custom apps to target based on a Bundle ID.
The app(s) you have selected will appear in the public and custom apps list.
5. Click Review + create to review the apps selected for this policy.
6. When you are done, click Save to update the app protection policy.
4. To add a new user group to the policy, on the Include tab choose Select groups to
include, and select the user group. Choose Select to add the group.
5. To exclude a user group, on the Exclude tab choose Select groups to exclude, and
select the user group. Choose Select to remove the user group.
6. To delete groups that were added previously, on either the Include or Exclude tabs,
select the ellipsis (...) and select Delete.
7. Click Review + create to review the user groups selected for this policy.
8. After your changes to the assignments are ready, select Save to save the
configuration and deploy the policy to the new set of users. If you select Cancel
before you save your configuration, you will discard all changes you've made to
the Include and Exclude tabs.
3. Next to the section corresponding to the settings you want to change, select Edit.
Then change the settings to new values.
4. Click Review + create to review the updated settings for this policy.
5. Select Save to save your changes. Repeat the process to select a settings area
and modify and then save your changes, until all your changes are complete. You
can then close the Intune App Protection - Properties pane.
Because Intune app protection policies target a user's identity, the protection settings
for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no
MDM). Therefore, you can target an Intune app protection policy to either Intune
enrolled or unenrolled iOS/iPadOS and Android devices using filters. For more
information on creating filters, see Use filters when assigning policies. You can have one
protection policy for unmanaged devices in which strict data loss prevention (DLP)
controls are in place, and a separate protection policy for MDM managed devices, where
the DLP controls may be a little more relaxed. For more information how this works on
personal Android Enterprise devices, see App protection policies and work profiles.
To use these filters when assigning policies, browse to Apps > App protection policies
in the Intune admin center, and then select Create policy. You can also edit an existing
app protection policy. Navigate to the Assignments page and select Edit filter to
include or exclude filters for the assigned group.
Android devices will prompt to install the Intune Company Portal app regardless of
which Device Management type is chosen. For example, if you select 'Android Enterprise'
then users with unmanaged Android devices will still be prompted.
For iOS/iPadOS, for the Device Management type to be enforced on Intune managed
devices, additional app configuration settings are required. These configurations
communicate to the APP service that a particular app is managed, and that APP
settings for unmanaged devices will not apply:
Policy settings
To see a full list of the policy settings for iOS/iPadOS and Android, select one of the
following links:
iOS/iPadOS policies
Android policies
Next steps
Monitor compliance and user status
See also
Where to find work or school apps for Android (user help)
This article describes the app protection policy settings for Android devices. The policy
settings that are described can be configured for an app protection policy on the
Settings pane in the portal. There are three categories of policy settings: data protection
settings, access requirements, and conditional launch. In this article, the term policy-
managed apps refers to apps that are configured with app protection policies.
Important
The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.
The Intune Managed Browser has been retired. Use Microsoft Edge for your protected Intune browser experience.
Data protection
Data Transfer
Backup org data to Android backup services
Select Block to prevent this app from backing up work or school data to the Android Backup Service.
Default value = Allow
Send org data to other apps
Specify what apps can receive data from this app:
Policy managed apps: Allow transfer only to other policy-managed apps.
All apps: Allow transfer to any app.
None: Do not allow data transfer to any app, including other policy-managed apps.
Default value = All apps
Select apps to exempt
This option is available when you select Policy managed apps for the previous option.
Save copies of org data
Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. When set to Block, you can configure the setting Allow user to save copies to selected services.
Default value = Allow
Allow user to save copies to selected services
Users can save to the selected services (OneDrive for Business, SharePoint, Photo Library, Box, and Local Storage). All other services will be blocked.
Default value = 0 selected
Transfer telecommunications data to
Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
None, do not transfer this data between apps: Do not transfer communication data when a phone number is detected.
A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
Any policy-managed dialer app: Allow any policy managed dialer app to initiate contact when a phone number is detected.
Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.
Default value = Any dialer app
Dialer App Package ID
When a specific dialer app has been selected, you must provide the app package ID.
Default value = Blank
Dialer App Name
When a specific dialer app has been selected, you must provide the name of the dialer app.
Default value = Blank
Receive data from other apps
Specify what apps can transfer data to this app:
Policy managed apps: Allow transfer only from other policy-managed apps.
All apps: Allow data transfer from any app.
None: Do not allow data transfer from any app, including other policy-managed apps.
Default value = All apps
Open data into Org documents
Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open.
Default value = Allow
Allow users to open data from selected services
Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.
Default value = All selected
Restrict cut, copy and paste between other apps
Specify when cut, copy, and paste actions can be used with this app. Choose from:
Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
Any app: No restrictions for cut, copy, and paste to and from this app.
Default value = Any app
Cut and copy character limit for
Specify the number of characters that may be cut or copied from org data and accounts. This will allow
Default value = 0
Screen capture and Google Assistant
Select Block to block screen capture and block Google Assistant accessing org data on the device when using this app. Choosing Block will also blur the App-switcher preview image when using this app with a work or school account.
Default value = Block
Approved keyboards
Select Require and then specify a list of approved keyboards for this policy.
Default value = Not required
Select keyboards to approve
This option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.
Encryption
Encrypt org data
Choose Require to enable encryption of work or school data in this app. Intune uses a wolfSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable.
Default value = Require
Encrypt org data on enrolled devices
Select Require to enforce encrypting org data with Intune app layer encryption on all devices. Select Not required to not enforce encrypting org data with Intune app layer encryption on enrolled devices.
Default value = Require
Functionality
Sync policy managed app data with native apps or add-ins
Choose Block to prevent policy managed apps from saving data to the device's native apps (Contacts, Calendar and widgets) and to prevent the use of add-ins within the policy managed apps. If not supported by the application, saving data to native apps and using add-ins will be allowed.
If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.
Default value = Allow
Printing Org data
Choose Block to prevent the app from printing work or school data. If you leave this setting at Allow, the default value, users will be able to export and print all Org data.
Default value = Allow
Restrict web content transfer with other apps
Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
Any app: Allow web links in any app.
Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
Unmanaged browser: Allow web content to open only in the unmanaged browser defined by the Unmanaged browser protocol setting. The web content will be unmanaged in the target browser. Note: Requires Intune Company Portal version 5.0.4415.0 or later.
Policy-managed browsers: On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed.
Default value = Not configured
Unmanaged Browser ID
Enter the application ID for a single browser. Web content (http/https links) from policy managed applications will open in the specified browser. The web content will be unmanaged in the target browser.
Default value = Blank
Unmanaged Browser Name
Enter the application name for the browser associated with the Unmanaged Browser ID. This name will be displayed to users if the specified browser is not installed.
Default value = Blank
Org data notifications
Specify how much org data is shared via OS notifications for org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values.
Default value = Allow
Full exemptions
These apps and services are fully allowed for data transfer to and from Intune-managed
apps.
Conditional exemptions
These apps and services are only allowed for data transfer to and from Intune-managed
apps under certain conditions.
For more information, see Data transfer policy exceptions for apps.
Access requirements
PIN for access
Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. You can configure the PIN strength using the settings available under the PIN for access section.
Simple PIN
Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as a PIN set by the end user, but 1122 would be allowed.
Note: If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter or at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number and one letter and at least one special character in their PIN.
Biometrics instead of PIN for access
Select Allow to allow the user to use biometrics to authenticate users on Android devices. If allowed, biometrics is used to access the app on Android 10 or higher devices.
Override biometric with PIN after timeout
To use this setting, select Require and then configure an inactivity timeout.
Default value = Require
Timeout (minutes of inactivity)
Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a biometric. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.
Default value = 30
Class 3 biometrics (Android 9.0+)
Select Require to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see Biometrics in Google's documentation.
Override biometrics with PIN after biometric updates
Select Require to override the use of biometrics with PIN when a change in biometrics is detected.
NOTE: This setting only takes effect once a biometric has been used to access the app. Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the BIOMETRIC_STRONG constant of the BiometricManager.Authenticators interface and the authenticate method of the BiometricPrompt class. You may need to contact your device manufacturer to understand the device-specific limitations.
PIN reset after number of days
Select Yes to require users to change their app PIN after a set period of time, in days. When set to Yes, you then configure the number of days before the PIN reset is required.
Default value = No
Number of days
Configure the number of days before the PIN reset is required.
Default value = 90
Select number of previous PIN values to maintain
This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining.
Default value = 0
App PIN when device PIN is set
Select Not required to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.
Work or school account credentials for access
Choose Require to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
Note
To learn more about how multiple Intune app protection settings configured in the Access section to the same set of apps and users work on Android, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.
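To make the sliding-window rule in the Simple PIN setting concrete, here is an added Python example (not the Intune SDK's own check) that applies the 3-character window test to a candidate PIN and layers the character-class rules from the note on top. The min_length and passcode_type parameters, the "numeric"/"passcode" type names and the treatment of descending runs as simple are assumptions made for the example; the page only names repeated characters and ascending runs.

```python
"""Simple PIN check as the Simple PIN setting describes it: every
3-character sliding window is inspected for a trivial pattern.

Added example, not the Intune SDK's implementation. Counting descending
runs (321, cba) as simple is an assumption beyond the page's examples.
"""
from typing import Tuple


def is_simple_pin(pin: str) -> bool:
    """True if any 3-character window is all one character or a consecutive run."""
    for i in range(len(pin) - 2):
        a, b, c = (ord(ch) for ch in pin[i:i + 3])
        if a == b == c:                          # 111, aaa
            return True
        if (b - a, c - b) in ((1, 1), (-1, -1)):  # 123, abc (and 321 by assumption)
            return True
    return False


def meets_passcode_rules(pin: str, simple_pin_blocked: bool) -> bool:
    """Character-class rules from the note for Passcode type PIN policies:
    Simple PIN = Allow needs a letter or a special character;
    Simple PIN = Block needs a number, a letter and a special character."""
    has_digit = any(ch.isdigit() for ch in pin)
    has_letter = any(ch.isalpha() for ch in pin)
    has_special = any(not ch.isalnum() for ch in pin)
    if simple_pin_blocked:
        return has_digit and has_letter and has_special
    return has_letter or has_special


def check_pin(pin: str, min_length: int, passcode_type: str,
              simple_pin_blocked: bool) -> Tuple[bool, str]:
    """Combine the checks. passcode_type is "numeric" or "passcode"
    (assumed names); returns (accepted, reason)."""
    if len(pin) < min_length:
        return False, f"shorter than {min_length}"
    if passcode_type == "numeric" and not pin.isdigit():
        return False, "numeric PIN must be digits only"
    if simple_pin_blocked and is_simple_pin(pin):
        return False, "simple sequence"
    if passcode_type == "passcode" and not meets_passcode_rules(pin, simple_pin_blocked):
        return False, "missing required character classes"
    return True, "ok"


if __name__ == "__main__":
    # The page's own examples: 1235 and 1112 rejected, 1122 allowed.
    for candidate in ("1235", "1112", "1122", "2580"):
        print(candidate, check_pin(candidate, 4, "numeric", True))
```

Note that 1122 passes because neither window (112, 122) is a repeat or a run; a rule that only counted distinct digits would reject it, which is not what the setting does.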
Conditional launch
Configure conditional launch settings to set sign-in security requirements for your app
protection policy.
By default, several settings are provided with pre-configured values and actions. You can
delete some settings, like the Min OS version. You can also select additional settings
from the Select one dropdown.
App conditions
Max PIN attempts
Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a Multi-Factor Authentication (MFA) challenge if required. This policy setting format supports a positive whole number. Actions include:
Wipe data - The user account that is associated with the application is wiped from the device.
Default value = 5
Offline grace period
The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
Block access (minutes) - The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app requires user authentication to Azure Active Directory (Azure AD) so that the app can continue to run.
Note: Configuring the Offline grace period timer for blocking access to be less than the default value may result in more frequent user interruptions as policy is refreshed. Choosing a value of less than 30 mins is not recommended as it may result in user interruptions at each application launch or resume.
Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. For more information, see How to wipe only corporate data from Intune-managed apps. This policy setting format supports a positive whole number.
This entry can appear multiple times, with each instance supporting a different action.
Min app version
Specify a value for the minimum application version value. Actions include:
Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user is blocked from access if the app version on the device does not meet the requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, Outlook version policy).
This entry can appear multiple times, with each instance supporting a different action.
Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.
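The following added Python example (not Intune client code) evaluates a set of conditional launch conditions against a device report the way the app conditions above and the device conditions in the next section describe them: versions compared as dotted numbers in the [Major].[Minor].[Build].[Revision] pattern, the patch level as a YYYY-MM-DD date, manufacturers as a semicolon-separated case-insensitive list, and the same setting allowed more than once with a different threshold and action. The condition keys, the device report fields, the constructed sample policy and report, and the precedence wipe over block over warn are assumptions made for the example.

```python
"""Evaluate conditional launch conditions against a device report.

Added example, not Intune client code. Condition names, device report
fields and the precedence wipe > block > warn are assumptions for the
example; the comparison semantics follow the page.
"""
import re
from datetime import date
from typing import Any, Callable, Dict, List, Optional, Tuple

ACTION_RANK = {"warn": 1, "block": 2, "wipe": 3}
COMPLEXITY = {"none": 0, "low": 1, "medium": 2, "high": 3}  # device lock values


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse Major[.Minor[.Build[.Revision]]]; missing parts count as 0."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"not a version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


# setting -> predicate(value, device) that is True when the condition is NOT met.
CHECKS: Dict[str, Callable[[str, Dict[str, Any]], bool]] = {
    # app conditions
    "maxPinAttempts": lambda v, d: d["pinFailures"] >= int(v),
    "offlineGracePeriodMinutes": lambda v, d: d["minutesOffline"] > int(v),
    "offlineWipeDays": lambda v, d: d["daysOffline"] > int(v),
    "minAppVersion": lambda v, d: parse_version(d["appVersion"]) < parse_version(v),
    # device conditions
    "jailbrokenRooted": lambda v, d: bool(d["rooted"]),
    "minOsVersion": lambda v, d: parse_version(d["osVersion"]) < parse_version(v),
    "maxOsVersion": lambda v, d: parse_version(d["osVersion"]) > parse_version(v),
    "minPatchVersion": lambda v, d: date.fromisoformat(d["patchLevel"]) < date.fromisoformat(v),
    "deviceManufacturers": lambda v, d: d["manufacturer"].strip().lower()
        not in {m.strip().lower() for m in v.split(";") if m.strip()},
    # "basicIntegrity" or "basicIntegrityAndCertified"
    "safetyNetAttestation": lambda v, d: not (
        d["basicIntegrity"] and (v == "basicIntegrity" or d["certifiedDevice"])),
    "requireThreatScan": lambda v, d: not d["verifyAppsEnabled"],
    "requireDeviceLock": lambda v, d: COMPLEXITY[d["lockComplexity"]] < COMPLEXITY[v],
    "minCompanyPortalVersion": lambda v, d: parse_version(d["companyPortalVersion"])
        < parse_version(v),
}


def evaluate(conditions: List[Dict[str, str]], device: Dict[str, Any]) -> Dict[str, Any]:
    """Return the strongest action triggered plus every (setting, action) that fired.
    A setting may appear several times with different thresholds and actions."""
    fired = [(c["setting"], c["action"]) for c in conditions
             if CHECKS[c["setting"]](c["value"], device)]
    strongest: Optional[str] = max((a for _, a in fired),
                                   key=ACTION_RANK.__getitem__, default=None)
    return {"action": strongest, "triggered": fired}


# Constructed sample policy (the values are illustrative, not recommendations).
POLICY: List[Dict[str, str]] = [
    {"setting": "maxPinAttempts", "value": "5", "action": "wipe"},
    {"setting": "offlineGracePeriodMinutes", "value": "720", "action": "block"},
    {"setting": "offlineWipeDays", "value": "90", "action": "wipe"},
    {"setting": "minAppVersion", "value": "4.2310.0", "action": "warn"},
    {"setting": "minAppVersion", "value": "4.2300.0", "action": "block"},
    {"setting": "jailbrokenRooted", "value": "", "action": "block"},
    {"setting": "minOsVersion", "value": "11.0", "action": "block"},
    {"setting": "minPatchVersion", "value": "2023-01-01", "action": "block"},
    {"setting": "deviceManufacturers", "value": "Samsung;Google", "action": "block"},
    {"setting": "safetyNetAttestation", "value": "basicIntegrityAndCertified", "action": "block"},
    {"setting": "requireThreatScan", "value": "", "action": "block"},
    {"setting": "requireDeviceLock", "value": "medium", "action": "warn"},
    {"setting": "minCompanyPortalVersion", "value": "5.0.4415.0", "action": "warn"},
]

# Constructed device report, as a client might assemble it at launch.
DEVICE: Dict[str, Any] = {
    "pinFailures": 0, "minutesOffline": 60, "daysOffline": 0,
    "appVersion": "4.2305.1", "rooted": False, "osVersion": "13",
    "patchLevel": "2023-03-05", "manufacturer": "samsung",
    "basicIntegrity": True, "certifiedDevice": True, "verifyAppsEnabled": True,
    "lockComplexity": "high", "companyPortalVersion": "5.0.5000.0",
}

if __name__ == "__main__":
    print(evaluate(POLICY, DEVICE))
    print(evaluate(POLICY, dict(DEVICE, rooted=True, osVersion="10")))
```

On the sample report only the 4.2310.0 app-version instance fires, so the user is warned; the 4.2300.0 instance that would block does not, which is the point of stacking two instances of one setting with different actions.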
Device conditions
Jailbroken/rooted Specify whether to block access to the device or wipe the device data for
devices jailbroken/rooted devices. Actions include:
tasks, but will have to use a different device to access work or school
data in this app.
Wipe data - The user account that is associated with the application is
wiped from the device.
Min OS version Specify a minimum Android operating system that is required to use this
app. OS versions below the specified Min OS version will trigger the actions.
Actions include:
Warn - The user will see a notification if the Android version on the
device doesn't meet the requirement. This notification can be
dismissed.
Block access - The user will be blocked from access if the Android
version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is
wiped from the device.
Max OS version Specify a maximum Android operating system that is required to use this
app. OS versions below the specified Max OS version will trigger the
actions. Actions include:
Warn - The user will see a notification if the Android version on the
device doesn't meet the requirement. This notification can be
dismissed.
Block access - The user will be blocked from access if the Android
version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is
wiped from the device.
Min patch version Require devices have a minimum Android security patch released by Google.
Warn - The user will see a notification if the Android version on the
device doesn't meet the requirement. This notification can be
dismissed.
Block access - The user will be blocked from access if the Android
version on the device doesn't meet this requirement.
Setting How to use
Wipe data - The user account that is associated with the application is
wiped from the device.
Device Specify a semicolon separated list of manufacturer(s). These values are not
manufacturer(s) case sensitive. Actions include:
For more information on using this setting, see Conditional Launch actions.
SafetyNet device App protection policies support some of Google Play Protect's APIs. This
attestation setting in particular configures Google's SafetyNet Attestation on end
user devices to validate the integrity of those devices. Specify either Basic
integrity or Basic integrity and certified devices.
Basic integrity tells you about the general integrity of the device. Rooted
devices, emulators, virtual devices, and devices with signs of tampering fail
basic integrity. Basic integrity & certified devices tells you about the
compatibility of the device with Google's services. Only unmodified devices
that have been certified by Google can pass this check.
Important: Devices that do not support this evaluation type will be blocked
or wiped based on the SafetyNet device attestation action. Organizations
that would like to use this functionality will need to ensure users have
supported devices. For more information on Google’s recommended
devices, see Android Enterprise Recommended requirements .
Setting How to use
Actions include:
Warn - The user sees a notification if the device does not meet
Google's SafetyNet Attestation scan based on the value configured.
This notification can be dismissed.
Block access - The user is blocked from access if the device does not
meet Google's SafetyNet Attestation scan based on the value
configured.
Wipe data - The user account that is associated with the application is
wiped from the device.
For commonly asked questions related to this setting, see Frequently asked
questions about MAM and app protection.
Require threat scan on apps: App protection policies support some of Google Play Protect's APIs. This setting in particular ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. Actions include:
Warn - The user sees a notification if Google's Verify Apps scan on the device is not turned on. This notification can be dismissed.
Block access - The user is blocked from access if Google's Verify Apps scan on the device is not turned on.
Results from Google's Verify Apps scan are surfaced in the Potentially Harmful Apps report in the console.
Require device lock: This setting determines whether the Android device has a device PIN that meets the minimum password requirement. The App protection policy can take action if the device lock doesn't meet the minimum password requirement.
Values include:
Low Complexity
Medium Complexity
High Complexity
For the definitions of these levels, see Android's getPasswordComplexity, PASSWORD_COMPLEXITY_LOW, PASSWORD_COMPLEXITY_MEDIUM, and PASSWORD_COMPLEXITY_HIGH.
Actions include:
Warn - The user sees a notification if the device lock doesn't meet the minimum password requirement. The notification can be dismissed.
Block access - The user will be blocked from access if the device lock doesn't meet the minimum password requirement.
Wipe data - The user account that is associated with the application is wiped from the device if the device lock doesn't meet the minimum password requirement.
Min Company Portal version: By using the Min Company Portal version, you can specify a specific minimum defined version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set values to Block access, Wipe data, and Warn as possible actions when each value is not met. The possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given that some end users may not prefer a forced update of apps on the spot, the 'warn' option may be ideal when configuring this setting. The Google Play Store does a good job of only sending the delta bytes for app updates, but this can still be a large amount of data that the user may not want to utilize if they are on data at the time of the update. Forcing an update and thereby downloading an updated app could result in unexpected data charges at the time of the update. For more information, see Android policy settings.
Max Company Portal version age (days): You can set a maximum number of days as the age of the Company Portal (CP) version for Android devices. This setting ensures that end users are within a certain range of CP releases (in days). The value must be between 0 and 365 days. When the setting for the devices is not met, the action for this setting is triggered. Actions include Block access, Wipe data, or Warn. For related information, see Android policy settings. Note: The age of the Company Portal build is determined by Google Play on the end user device.
Samsung Knox device attestation: Specify if the Samsung Knox device attestation check is required. Only unmodified devices that have been verified by Samsung can pass this check. For the list of supported devices, see devices with Knox version 3.6+ on samsungknox.com.
By using this setting, Microsoft Intune will also verify that communication from the Company Portal to the Intune Service was sent from a healthy device.
Actions include:
Warn - The user sees a notification if the device does not meet the Samsung Knox device attestation check. This notification can be dismissed.
Block access - The user account is blocked from access if the device
does not meet Samsung's Knox device attestation check.
Wipe data - The user account that is associated with the application is
wiped from the device.
Note: The user must accept the Samsung Knox terms before the device
attestation check can be performed. If the user does not accept the
Samsung Knox terms, the specified action will occur.
Max allowed device threat level: App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection.
Actions include:
Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Enable the Mobile Threat Defense connector in Intune for unenrolled devices.
Primary MTD service: If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.
Values include:
You must configure the setting “Max allowed device threat level” to use this
setting.
This article describes the app protection policy settings for iOS/iPadOS devices. The policy
settings that are described can be configured for an app protection policy on the Settings
pane in the portal when you make a new policy.
There are three categories of policy settings: Data relocation, Access requirements, and
Conditional launch. In this article, the term policy-managed apps refers to apps that are
configured with app protection policies.
Important
The Intune Managed Browser has been retired. Use Microsoft Edge for your protected
Intune browser experience.
Data protection
Data Transfer
Backup Org data to iTunes and iCloud backups: Select Block to prevent this app from backing up work or school data to iTunes and iCloud. Select Allow to allow this app to back up work or school data to iTunes and iCloud.
Default value: Allow
Send Org data to other apps: Specify what apps can receive data from this app:
All apps: Allow transfer to any app. The receiving app will have the ability to read and edit the data.
None: Do not allow data transfer to any app, including other policy-managed apps. If the user performs a managed open-in function and transfers a document, the data will be encrypted and unreadable.
Policy managed apps: Allow transfer only to other policy-managed apps.
This policy can also apply to iOS/iPadOS Universal Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.
There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. See data transfer exemptions for more information.
Default value: All apps
Select apps to exempt: This option is available when you select Policy managed apps for the previous option.
Select universal links to exempt: Specify which iOS/iPadOS Universal Links should open in the specified unmanaged application instead of the protected browser specified by the Restrict web content transfer with other apps setting. You must contact the application developer to determine the correct universal link format for each application.
Setting | How to use | Default value
Select managed universal links: Specify which iOS/iPadOS Universal Links should open in the specified managed application instead of the protected browser specified by the Restrict web content transfer with other apps setting. You must contact the application developer to determine the correct universal link format for each application.
Save copies of org data: Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. When set to Block, you can configure the setting Allow user to save copies to selected services.
Default value: Allow
Note:
Allow user to save copies to selected services: Users can save to the selected services (OneDrive for Business, SharePoint, Photo Library, and Local Storage). All other services are blocked. OneDrive for Business: you can save files to OneDrive for Business and SharePoint Online. SharePoint: you can save files to on-premises SharePoint. Photo Library: You can save files to photo library locally. Local Storage: managed apps can save copies of org data locally. This does NOT include saving files to the local unmanaged locations such as the Files app on the device.
Default value: 0 selected
Transfer telecommunication data to: Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
None, do not transfer this data between apps: Do not transfer communication data when a phone number is detected.
A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.
Note: This setting requires Intune SDK 12.7.0 and later. If your apps rely on dialer functionality and are not using the correct Intune SDK version, as a workaround, consider adding "tel;telprompt" as a data transfer exemption. Once the apps support the correct Intune SDK version, the exemption can be removed.
Default value: Any dialer app
Dialer App URL Scheme: When a specific dialer app has been selected, you must provide the dialer app URL scheme that is used to launch the dialer app on iOS devices. For more information, see Apple's documentation about Phone Links.
Default value: Blank
Receive data from other apps: Specify what apps can transfer data to this app:
All apps: Allow data transfer from any app.
None: Do not allow data transfer from any app, including other policy-managed apps.
Policy managed apps: Allow transfer only from other policy-managed apps.
All apps with incoming Org data: Allow data transfer from any app. Treat all incoming data without a user identity as data from your organization. The data will be marked with the MDM enrolled user's identity as defined by the IntuneMAMUPN setting.
Note: The All apps with incoming Org data value is applicable to MDM enrolled devices only. If this setting is targeted to a user on an unenrolled device, the behavior of the Any apps value applies.
Default value: All apps
Open data into Org documents: Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open.
When set to Block you can configure the Allow user to open data from selected services setting to specify which services are allowed for Org data locations.
Note:
This setting is only configurable when the setting Receive data from other apps is set to Policy managed apps.
This setting will be "Allow" when the setting Receive data from other apps is set to All apps or All apps with incoming Org data.
This setting will be "Block" with no allowed service locations when the setting Receive data from other apps is set to None.
The following apps support this setting:
OneDrive 11.45.3 or later.
Outlook for iOS 4.60.0 or later.
Teams for iOS 3.17.0 or later.
Default value: Allow
Allow users to open data from selected services: Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data from external locations.
Supported services:
Note: Camera does not include Photos or Photo Gallery access. When selecting Photo Library in the Allow users to open data from selected services setting within Intune, you can allow managed accounts to allow incoming data from their device's photo library to their managed apps.
Default value: All selected
Restrict cut, copy and paste between other apps: Specify when cut, copy, and paste actions can be used with this app. Select from:
Blocked: Don't allow cut, copy, and paste actions between this app and any other app.
Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app
Cut and copy character limit for any app: Specify the number of characters that may be cut or copied from Org data and accounts. This will allow sharing of the specified number of characters to any application, regardless of the Restrict cut, copy, and paste with other apps setting.
Default value: 0
Third party keyboards: Choose Block to prevent the use of third-party keyboards in managed applications.
Note: This feature requires the app to use Intune SDK version 12.0.16 or later. Apps with SDK versions from 8.0.14 to, and including, 12.0.15, will not have this feature correctly apply for multi-identity apps. For more details, see Known issue: Third party keyboards are not blocked in iOS/iPadOS for personal accounts.
Default value: Allow
Note
An app protection policy is required with IntuneMAMUPN for managed devices. This
applies for any setting that requires enrolled devices as well.
Encryption
Encrypt Org data: Choose Require to enable encryption of work or school data in this app. Intune enforces iOS/iPadOS device-level encryption to protect app data while the device is locked. In addition, applications may optionally encrypt app data using Intune APP SDK encryption. Intune APP SDK uses iOS/iPadOS cryptography methods to apply 256-bit AES encryption to app data.
When you enable this setting, the user may be required to set up and use a device PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
Go to the official Apple documentation to read more about their Data Protection Classes, as part of their Apple Platform Security.
Default value: Require
Functionality
Sync policy managed app data with native apps or add-ins: Choose Block to prevent policy managed apps from saving data to the device's native apps (Contacts, Calendar and widgets) and to prevent the use of add-ins within the policy managed apps. If not supported by the application, saving data to native apps and using add-ins will be allowed.
If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.
For Outlook for iOS, see Deploying Outlook for iOS and Android app configuration settings.
Default value: Allow
Printing Org data: Select Block to prevent the app from printing work or school data. If you leave this setting to Allow, the default value, users will be able to export and print all Org data.
Default value: Allow
Restrict web content transfer with other apps: Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
Any app: Allow web links in any app.
If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
Default value: Not configured
Unmanaged Browser Protocol: Enter the protocol for a single unmanaged browser. Web content (http/https links) from policy managed applications will open in any app that supports this protocol. The web content will be unmanaged in the target browser.
Note: Include only the protocol prefix. If your browser requires links of the form mybrowser://www.microsoft.com, enter mybrowser.
Default value: Blank
Org data notifications: Specify how Org data is shared via OS notifications for Org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values. Select from:
Blocked: Do not share notifications. If not supported by the application, notifications will be allowed.
Block Org data: Do not share Org data in notifications, for example "You have new mail"; "You have a meeting". If not supported by the application, notifications will be allowed.
Allow: Shares Org data in the notifications.
Default value: Allow
Note
None of the data protection settings control the Apple managed open-in feature on iOS/iPadOS devices. To manage Apple open-in, see Manage data transfer between iOS/iPadOS apps with Microsoft Intune.
Third party unmanaged apps can be added to the exemptions list which can allow data
transfer exceptions. For additional details and examples, see How to create exceptions to the
Intune App Protection Policy (APP) data transfer policy. The exempt unmanaged app must be
invoked based on iOS URL protocol. For example, when data transfer exemption is added for
an unmanaged app, it would still prevent users from cut, copy, and paste operations, if
restricted by policy. This type of exemption would also still prevent users from using Open-in
action within a managed app to share or save data to exempt app since it is not based on iOS
URL protocol. For more information about Open-in, see Use app protection with iOS apps.
skype Skype
Important
App Protection policies created before June 15, 2020 include tel and telprompt URL
scheme as part of the default data transfer exemptions. These URL schemes allow
managed apps to initiate the dialer. The App Protection policy setting Transfer
telecommunication data to has replaced this functionality. Administrators should remove
tel;telprompt; from the data transfer exemptions and rely on the App Protection policy
setting, provided the managed apps that initiate dialer functionality include the Intune
SDK 12.7.0 or later.
Important
In Intune SDK 14.5.0 or later, including sms and mailto URL schemes in the data transfer
exemptions will also allow sharing of Org data to the MFMessageCompose (for sms) and
MFMailCompose (for mailto) view controllers within policy managed applications.
Universal Links
Universal links allow the user to directly launch an application associated with the link instead
of a protected browser specified by the Restrict web content transfer with other apps setting.
You must contact the application developer to determine correct universal link format for each
application.
Caution
The target applications for these Universal Links are unmanaged and adding an
exemption may result in data security leaks.
If you don't want to allow the default Universal Link exemptions, you can delete them. You can also add Universal Links for third party or LOB apps. The exempted universal links allow for wildcards such as http://*.sharepoint-df.com/*.
If you don't want to allow the default managed Universal Links, you can delete them. You can
also add Universal Links for third party or LOB apps.
Access requirements
PIN for access: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.
You can configure the PIN strength using the settings available under the PIN for access section.
Default value: Require
PIN type: Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.
Default value: Numeric
Simple PIN: Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as PIN set by the end user, but 1122 would be allowed.
Note: If Passcode type PIN is configured, and Allow simple PIN is set to Yes, the user needs at least 1 letter or at least 1 special character in their PIN. If Passcode type PIN is configured, and Allow simple PIN is set to No, the user needs at least 1 number and 1 letter and at least 1 special character in their PIN.
Default value: Allow
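The PIN type and Simple PIN rules above, modelled as an added Python example (not Intune's or Microsoft's code): it slides a 3-character window over a candidate PIN and applies the letter and special-character rules for the Passcode type. The minimum length parameter and the treatment of descending runs such as 4321 as simple are assumptions not stated on the page.

```python
import string

# Added example, not Microsoft's code: a model of the PIN type and Simple PIN
# rules from the Access requirements table. Assumptions are marked below.

SPECIALS = set(string.punctuation)


def _simple_window(window: str) -> bool:
    """True if a 3-character window is a repeat (111, aaa) or a run (123, abc).
    The page lists repeats and ascending runs; treating descending runs (321)
    as simple as well is an assumption made here."""
    a, b, c = (ord(ch) for ch in window.lower())
    ascending = b - a == 1 and c - b == 1
    descending = a - b == 1 and b - c == 1
    return a == b == c or ascending or descending


def has_simple_sequence(pin: str) -> bool:
    """Check every 3-character sliding window independently, as the page
    describes: 1122 passes, while 1235 (123) and 1112 (111) fail."""
    return any(_simple_window(pin[i:i + 3]) for i in range(len(pin) - 2))


def pin_violations(pin: str, pin_type: str = "Numeric",
                   allow_simple: bool = True, min_length: int = 4) -> list:
    """Return the rules the PIN breaks; an empty list means it is accepted.
    pin_type is "Numeric" or "Passcode"; allow_simple mirrors the Simple PIN
    setting (True = Allow, False = Block). min_length is an assumed parameter,
    the page does not state a length in this section."""
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} characters")

    has_digit = any(ch.isdigit() for ch in pin)
    has_letter = any(ch.isalpha() for ch in pin)
    has_special = any(ch in SPECIALS for ch in pin)

    if pin_type == "Numeric":
        # Numeric requirements involve only numbers.
        if not pin.isdigit():
            problems.append("Numeric PIN type allows digits only")
    elif pin_type == "Passcode":
        if allow_simple:
            # Allow simple PIN = Yes: at least 1 letter or 1 special character.
            if not (has_letter or has_special):
                problems.append("Passcode needs at least 1 letter or 1 special character")
        else:
            # Allow simple PIN = No: at least 1 number, 1 letter and 1 special character.
            if not (has_digit and has_letter and has_special):
                problems.append("Passcode needs a number, a letter and a special character")
    else:
        raise ValueError("pin_type must be 'Numeric' or 'Passcode'")

    # Simple PIN = Block rejects any simple 3-character window, for either type.
    if not allow_simple and has_simple_sequence(pin):
        problems.append("contains a simple sequence (3-character window)")
    return problems
```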
Touch ID instead of PIN for access (iOS 8+): Select Allow to allow the user to use Touch ID instead of a PIN for app access.
Default value: Allow
Override Touch ID with PIN after timeout: To use this setting, select Require and then configure an inactivity timeout.
Default value: Require
Face ID instead of PIN for access (iOS 11+): Select Allow to allow the user to use facial recognition technology to authenticate users on iOS/iPadOS devices. If allowed, Face ID must be used to access the app on a Face ID capable device.
Default value: Allow
PIN reset after number of days: Select Yes to require users to change their app PIN after a set period of time, in days.
When set to Yes, you then configure the number of days before the PIN reset is required.
Default value: No
Number of days: Configure the number of days before the PIN reset is required.
Default value: 90
App PIN when device PIN is set: Select Disable to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.
Note: Requires app to have Intune SDK version 7.0.1 or above. The IntuneMAMUPN setting must be configured for applications to detect the enrollment state.
On iOS/iPadOS devices, you can let the user prove their identity by using Touch ID or Face ID instead of a PIN. Intune uses the LocalAuthentication API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the iOS Security Guide.
When the user tries to use this app with their work or school account, they're prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account. If there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face for authentication. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.
Default value: Enable
Work or school account credentials for access: Select Require to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
Default value: Not required
Recheck the access requirements after (minutes of inactivity): Configure the number of minutes of inactivity that must pass before the app requires the user to again specify the access requirements.
For example, an admin turns on PIN and Blocks rooted devices in the policy, a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user would not have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value.
Default value: 30
Note
To learn more about how multiple Intune app protection settings configured in the
Access section to the same set of apps and users work on iOS/iPadOS, see Intune MAM
frequently asked questions and Selectively wipe data using app protection policy
access actions in Intune.
Conditional launch
Configure conditional launch settings to set sign-in security requirements for your access
protection policy.
By default, several settings are provided with pre-configured values and actions. You can
delete some of these, like the Min OS version. You can also select additional settings from the
Select one dropdown.
Max OS version: Specify a maximum iOS/iPadOS operating system to use this app. Actions include:
Warn - The user will see a notification if the iOS/iPadOS version on the device
doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the iOS/iPadOS version
on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped
from the device.
This entry can appear multiple times, with each instance supporting a different
action.
Min OS version: Specify a minimum iOS/iPadOS operating system to use this app. Actions include:
Warn - The user will see a notification if the iOS/iPadOS version on the device
doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the iOS/iPadOS version
on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped
from the device.
This entry can appear multiple times, with each instance supporting a different
action.
Max PIN attempts: Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a multi-factor authentication (MFA) challenge if required. This policy setting format supports a positive whole number. Actions include:
Wipe data - The user account that is associated with the application is wiped
from the device.
Default value = 5
Offline grace period: The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
Note: Configuring the Offline grace period timer for blocking access to be less
than the default value may result in more frequent user interruptions as policy
is refreshed. Choosing a value of less than 30 mins is not recommended as it
may result in user interruptions at each application launch or resume.
Wipe data (days) - After this many days (defined by the admin) of running
offline, the app will require the user to connect to the network and
reauthenticate. If the user successfully authenticates, they can continue to
access their data and the offline interval will reset. If the user fails to
authenticate, the app will perform a selective wipe of the users' account and
data. See How to wipe only corporate data from Intune-managed apps for
more information on what data is removed with a selective wipe. The Offline
grace period timer for wiping data is calculated individually for each app
based on last check-in with the Intune service. This policy setting format
supports a positive whole number.
This entry can appear multiple times, with each instance supporting a different
action.
Jailbroken/rooted devices:
Block access - Prevent this app from running on jailbroken or rooted devices.
The user continues to be able to use this app for personal tasks, but must use
a different device to access work or school data in this app.
Wipe data - The user account that is associated with the application is wiped
from the device.
Disabled account: There is no value to set for this setting. Actions include:
Block access - When we have confirmed the user has been disabled in Azure
Active Directory, the app blocks access to work or school data.
Wipe data - When we have confirmed the user has been disabled in Azure
Active Directory, the app will perform a selective wipe of the users' account
and data.
Min app version: Specify a value for the minimum application version value. Actions include:
Warn - The user sees a notification if the app version on the device doesn't
meet the requirement. This notification can be dismissed.
Block access - The user is blocked from access if the app version on the
device doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped
from the device.
As apps often have distinct versioning schemes between them, create a policy with
one minimum app version targeting one app (for example, Outlook version policy).
This entry can appear multiple times, with each instance supporting a different
action.
This policy setting supports matching iOS app bundle version formats (major.minor
or major.minor.patch).
Additionally, you can configure where your end users can get an updated version of
a line-of-business (LOB) app. End users will see this in the min app version
conditional launch dialog, which will prompt end users to update to a minimum
version of the LOB app. On iOS/iPadOS, this feature requires the app to be
integrated (or wrapped using the wrapping tool) with the Intune SDK for iOS v.
10.0.7 or above. To configure where an end user should update a LOB app, the app
needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.
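An added example, not Microsoft's code, covering the version comparison behind the Min Company Portal version, Min app version and Max/Min OS version settings above: it parses the two- to four-component formats the page lists and evaluates several instances of one setting, each with its own action, returning the most severe action that applies. That missing trailing components compare as zero (4.60 equals 4.60.0) is an assumption.

```python
from enum import IntEnum

# Added example, not Microsoft's code: version checks behind the Min Company
# Portal version, Min app version and Max/Min OS version conditional launch
# settings. Assumptions are marked below.


class Action(IntEnum):
    """Conditional launch actions, ordered by increasing severity."""
    NONE = 0
    WARN = 1
    BLOCK_ACCESS = 2
    WIPE_DATA = 3


def parse_version(text: str) -> tuple:
    """Accept [Major].[Minor], [Major].[Minor].[Build] or
    [Major].[Minor].[Build].[Revision]; every component must be a whole number."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b. Missing trailing components
    count as 0, so 4.60 equals 4.60.0 (assumption: the page does not say how
    versions of different lengths compare)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def evaluate_version_entries(installed: str, entries: list,
                             minimum: bool = True) -> Action:
    """entries: [(version, Action), ...], one tuple per instance of the setting
    (the page says an entry can appear several times, each with its own action).
    minimum=True models a Min ... version setting (unmet when installed is
    lower); minimum=False models Max OS version (unmet when installed is higher).
    The most severe action among the unmet entries is returned."""
    triggered = []
    for version, action in entries:
        cmp = compare_versions(installed, version)
        unmet = cmp < 0 if minimum else cmp > 0
        if unmet:
            triggered.append(action)
    return max(triggered, default=Action.NONE)


if __name__ == "__main__":
    # Constructed policy: warn below 4.60.0, block below 4.50.0, wipe below 4.40.
    policy = [("4.60.0", Action.WARN), ("4.50.0", Action.BLOCK_ACCESS),
              ("4.40", Action.WIPE_DATA)]
    for installed in ("4.62.1", "4.55.0", "4.45.2", "4.30.0"):
        print(installed, evaluate_version_entries(installed, policy).name)
```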
Min SDK version: Specify a minimum value for the Intune SDK version. Actions include:
Block access - The user is blocked from access if the app's Intune app
protection policy SDK version doesn't meet the requirement.
Wipe data - The user account that is associated with the application is wiped
from the device.
To learn more about the Intune app protection policy SDK, see Intune App SDK
overview. As apps often have distinct Intune SDK version between them, create a
policy with one min Intune SDK version targeting one app (for example, Intune SDK
version policy for Outlook).
This entry can appear multiple times, with each instance supporting a different
action.
Device model(s): Specify a semi-colon separated list of model identifier(s). These values are not case sensitive. Actions include:
Allow specified (Block non-specified) - Only devices that match the specified
device model can use the app. All other device models are blocked.
For more information on using this setting, see Conditional Launch actions.
Max allowed device threat level: App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:
Block access - The user will be blocked from access if the threat level
determined by your chosen Mobile Threat Defense (MTD) vendor app on the
end user device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped
from the device.
For more information on using this setting, see Enable MTD for unenrolled devices.
Primary MTD service: If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.
Values include:
You must configure the setting “Max allowed device threat level” to use this setting.
Learn more
Learn about LinkedIn information and features in your Microsoft apps.
Learn about LinkedIn account connections release on the Microsoft 365 Roadmap page.
Learn about Configuring LinkedIn account connections.
For more information about data that is shared between users' LinkedIn and Microsoft work or school accounts, see LinkedIn in Microsoft applications at your work or school.
Preview: App protection policy settings
for Windows
Article • 06/19/2023
This article describes app protection policy (APP) settings for Windows. The policy
settings that are described can be configured for an app protection policy on the
Settings pane in the Intune admin center (portal) when you make a new policy.
There are two categories of policy settings: Data protection and Health Checks. In this
article, the term policy-managed app refers to apps that are configured with app
protection policies.
Data protection
The Data protection settings impact the org data and context. As the admin, you can
control the movement of data into and out of the context of org protection. The org
context is defined by documents, services, and sites accessed by the specified org
account. The following policy settings help control external data received into the org
context and org data sent out of the org context.
Data Transfer

Setting: Receive data from
Default value: All sources
How to use: Select one of the following options to specify the sources org users can receive data from:
All sources: Org users can open data from any account, document, location, or application into the org context.
No sources: Org users cannot open data from external accounts, documents, locations, or applications into the org context. NOTE: For Microsoft Edge, No sources controls file upload behavior, either via drag and drop or the file open dialog. Local file viewing and sharing files between sites/tabs will be blocked.

Setting: Send org data to
Default value: All destinations
How to use: Select one of the following options to specify the destinations org users can send data to:
All destinations: Org users can send org data to any account, document, location, or application.
No destinations: Org users cannot send org data to external accounts, documents, locations, or applications from the org context. NOTE: For Microsoft Edge, No destinations controls file download, Share, and Add to Collections only. This means sharing files between sites/tabs will be blocked.

Setting: Allow cut, copy, and paste for
Default value: Any destination and any source
How to use: Select one of the following options to specify the sources and destinations org users can cut, copy, or paste org data to and from:
Any destination and any source: Org users can paste data from and cut/copy data to any account, document, location, or application.
No destination or source: Org users cannot cut, copy, or paste data to or from external accounts, documents, locations, or applications from or into the org context. NOTE: For Microsoft Edge, No destination or source blocks cut, copy, and paste behavior within the web content only. Cut, copy, and paste are disabled from all web content, but not application controls, including the address bar.
Functionality

Setting: Printing Org data
Default value: Allow
How to use: Select Block to prevent printing of org data. Select Allow to permit printing of org data. Personal or unmanaged data is not affected.
Health Checks
Set the health check conditions for your app protection policy. Select a Setting and enter the Value that users must meet to access your org data. Then select the Action you want to take if users do not meet your conditions. In some cases, multiple actions can be configured for a single setting. For more information, see Health Check Actions.
App conditions
Configure the following health check settings to verify the application configuration before allowing access to org accounts and data.

Setting: Offline grace period
Default value: Block access (minutes): 720 minutes (12 hours); Wipe data (days): 90 days
How to use: The number of minutes that a policy-managed app can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
Block access (minutes): The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After the configured period expires, the app blocks access to work or school data until network access is available. The Offline grace period timer for blocking data access is calculated based on last check-in with the Intune service. This policy-setting format supports a positive whole number.
Wipe data (days): After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. See How to wipe only corporate data from Intune-managed apps for more information on what data is removed with a selective wipe. The Offline grace period timer for wiping data is calculated by the app based on last check-in with the Intune service. This policy setting format supports a positive whole number.
This entry can appear multiple times, with each instance supporting a different action.

Setting: Min app version
Default value: No default value
How to use: Specify a value for the minimum application version. Actions include:
Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user is blocked from access if the app version on the device doesn't meet the requirement.
This entry can appear multiple times, with each instance supporting a different action.

Setting: Min SDK version
Default value: No default value
How to use: Specify a minimum value for the Intune SDK version. Actions include:
Block access - The user is blocked from access if the app's Intune app protection policy SDK version doesn't meet the requirement.
This entry can appear multiple times, with each instance supporting a different action.

Setting: Disabled account
Default value: No default value
How to use: Specify an automated action if the AAD account for the user is disabled. Admin may specify only one Action. There is no value to set for this setting. Actions include:
Block access - When we have confirmed the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
Wipe data - When we have confirmed the user has been disabled in Azure Active Directory, the app will perform a selective wipe of the user's account and data.
Device conditions
Configure the following health check settings to verify the device configuration before allowing access to org accounts and data. Similar device-based settings can be configured for enrolled devices. Learn more about configuring device compliance settings for enrolled devices.

Setting: Min OS version
How to use: Specify a minimum Windows operating system to use this app. Actions include:
Warn - The user will see a notification if the Windows version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the Windows version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
This entry can appear multiple times, with each instance supporting a different action.

Setting: Max OS version
How to use: Specify a maximum Windows operating system to use this app. Actions include:
Warn - The user will see a notification if the Windows version on the device doesn't meet the requirement. This notification can be dismissed.
Block access - The user will be blocked from access if the Windows version on the device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
This entry can appear multiple times, with each instance supporting a different action.

Setting: Max allowed device threat level
How to use: App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:
Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
Wipe data - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Enable MTD for unenrolled devices.
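The health-check rows above describe rules, values and actions but not how they combine at launch. The following is an added example, not Intune's or Microsoft's code: it evaluates a set of Setting/Value/Action rows against a device and app state and returns the most severe action. The setting names, the version format ([Major].[Minor], [Major].[Minor].[Build] or [Major].[Minor].[Build].[Revision]), the minutes-versus-days units of the Offline grace period and the escalation order (Warn, Block access, Wipe data) follow the page; the DeviceState fields, the sample policy and the fixed clock are assumptions for illustration.

```python
"""Added example (not Intune's or Microsoft's code): evaluator for the
health-check / conditional-launch rows described on the page."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Page: Warn is dismissable, Block access stops work data, Wipe data removes it.
SEVERITY = {"Warn": 1, "Block access": 2, "Wipe data": 3}


def parse_version(text: str) -> tuple:
    """Accept [Major].[Minor], [Major].[Minor].[Build] or
    [Major].[Minor].[Build].[Revision]; pad to four parts so 16.0 == 16.0.0.0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


@dataclass(frozen=True)
class Rule:
    setting: str  # Setting column
    value: str    # Value column as typed: version string, minutes or days
    action: str   # Action column


@dataclass(frozen=True)
class DeviceState:          # assumed shape of what the app knows at launch
    app_version: str
    os_version: str
    last_checkin: datetime  # last successful check-in with the Intune service
    account_disabled: bool = False


def rule_violated(rule: Rule, state: DeviceState, now: datetime) -> bool:
    s = rule.setting
    if s == "Min app version":
        return parse_version(state.app_version) < parse_version(rule.value)
    if s == "Min OS version":
        return parse_version(state.os_version) < parse_version(rule.value)
    if s == "Max OS version":
        return parse_version(state.os_version) > parse_version(rule.value)
    if s == "Offline grace period":
        # Block rows are in minutes, Wipe rows in days, both from last check-in.
        if rule.action == "Wipe data":
            limit = timedelta(days=int(rule.value))
        else:
            limit = timedelta(minutes=int(rule.value))
        return now - state.last_checkin > limit
    if s == "Disabled account":
        return state.account_disabled
    raise ValueError(f"unsupported setting: {s!r}")


def evaluate(rules, state: DeviceState, now: datetime):
    """Most severe action among violated rules, or None if every rule passes.
    The same setting may appear several times with different values/actions."""
    worst = None
    for rule in rules:
        if rule.action not in SEVERITY:
            raise ValueError(f"unknown action: {rule.action!r}")
        if rule_violated(rule, state, now):
            if worst is None or SEVERITY[rule.action] > SEVERITY[worst]:
                worst = rule.action
    return worst


# Constructed sample policy: warn below app 2.5, block below 2.0, block after
# 720 min offline, wipe after 90 days offline, block OS builds older than 10.0.19041.
POLICY = [
    Rule("Min app version", "2.5", "Warn"),
    Rule("Min app version", "2.0", "Block access"),
    Rule("Offline grace period", "720", "Block access"),
    Rule("Offline grace period", "90", "Wipe data"),
    Rule("Min OS version", "10.0.19041", "Block access"),
    Rule("Disabled account", "", "Wipe data"),
]
NOW = datetime(2023, 6, 19, 12, 0)  # fixed clock so the run is reproducible


def demo():
    fresh = DeviceState("2.3.0", "10.0.19045", NOW - timedelta(hours=1))
    stale = DeviceState("2.3.0", "10.0.19045", NOW - timedelta(hours=13))
    lost = DeviceState("2.3.0", "10.0.19045", NOW - timedelta(days=100))
    return (evaluate(POLICY, fresh, NOW),   # Warn: 2.3 is below 2.5 but not 2.0
            evaluate(POLICY, stale, NOW),   # Block access: 13 h exceeds 720 min
            evaluate(POLICY, lost, NOW))    # Wipe data: 100 d exceeds 90 d


if __name__ == "__main__":
    print(demo())
```

The one design point worth noting is that the offline timers are measured from the last check-in with the Intune service, not from the last app launch, so a device that was used heavily but never reached the service still trips the block and later the wipe row.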
Selectively wipe data using app protection policy conditional launch actions in Intune
Article • 03/31/2023
Conditional launch actions within Intune app protection policies provide organizations
the ability to block access or wipe org data when certain device or app conditions aren't
met.
You can explicitly choose to wipe your company's corporate data from the end user's
device as an action to take for non-compliance by using these settings. For some
settings, you'll be able to configure multiple actions, such as block access and wipe data
based on different specified values.
3. Click Create policy and select the platform of the device for your policy.
5. By scrolling down in the Settings pane, you'll see a section titled Conditional
launch with an editable table.
6. Select a Setting and enter the Value that users must meet to sign in to your
company app.
7. Select the Action you want to take if users don't meet your requirements. In some
cases, multiple actions can be configured for a single setting. For more
information, see How to create and assign app protection policies.
Policy settings
The app protection policy settings table has columns for Setting, Value, and Action.
To use the Device model(s) setting, input a semi-colon separated list of iOS/iPadOS model identifiers. These values aren't case-sensitive. Besides Intune Reporting, you can find an iOS/iPadOS model identifier for the 'Device model(s)' input in this 3rd party GitHub repository.
On end-user devices, the Intune client would take action based on a simple matching of
device model strings specified in Intune for Application Protection Policies. Matching
depends entirely on what the device reports. You (the IT administrator) are encouraged
to ensure that the intended behavior occurs by testing this setting based on a variety of
device manufacturers and models, and targeted to a small user group. The default value
is Not configured.
What happens if the IT admin inputs a different list of iOS/iPadOS model identifier(s)
between policies targeted to the same apps for the same Intune user?
When conflicts arise between two app protection policies for configured values, Intune
typically takes the most restrictive approach. Thus, the resultant policy sent down to the
targeted app being opened by the targeted Intune user would be an intersection of the
listed iOS/iPadOS model identifier(s) in Policy A and Policy B targeted to the same
app/user combination. For example, Policy A specifies "iPhone5,2;iPhone5,3", while
Policy B specifies "iPhone5,3", the resultant policy that the Intune user targeted by both
Policy A and Policy B will be "iPhone5,3".
By using the Min Company Portal version, you can specify a specific minimum defined
version of the Company Portal that is enforced on an end user device. This conditional
launch setting allows you to set values to Block access, Wipe data, and Warn as
possible actions when each value isn't met. The possible formats for this value follow the
pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given
that some end users may not prefer a forced update of apps on the spot, the 'warn'
option may be ideal when configuring this setting. The Google Play Store does a good
job of only sending the delta bytes for app updates, but this can still be a large amount
of data that the user may not want to utilize if they are on data at the time of the
update. Forcing an update and thereby downloading an updated app could result in
unexpected data charges at the time of the update. The Min Company Portal version
setting, if configured, will affect any end user who gets version 5.0.4560.0 of the
Company Portal and any future versions of the Company Portal. This setting will have no
effect on users using a version of Company Portal that is older than the version that this
feature is released with. End users using app auto-updates on their device will likely not
see any dialogs from this feature, given that they'll likely be on the latest Company
Portal version. This setting is Android only with app protection for enrolled and
unenrolled devices.
To use the Device manufacturer(s) setting, input a semi-colon separated list of Android
manufacturers. These values aren't case-sensitive. Besides Intune Reporting, you can find
the Android manufacturer of a device under the device settings.
Note
These are some common manufacturers reported from devices using Intune, and can be used as input: Asus;Blackberry;Bq;Gionee;Google;Hmd global;Htc;Huawei;Infinix;Kyocera;Lemobile;Lenovo;Lge;Motorola;Oneplus;Oppo;Samsung;Sharp;Sony;Tecno;Vivo;Vodafone;Xiaomi;Zte;Zuk
On end-user devices, the Intune client would take action based on a simple matching of the device manufacturer strings specified in Intune for Application Protection Policies. Matching depends entirely on what the device reports. You (the IT administrator) are encouraged to ensure that the intended behavior occurs by testing this setting based on a variety of device manufacturers and models, and targeted to a small user group. The default value is Not configured.
When conflicts arise between two app protection policies for configured values, Intune
typically takes the most restrictive approach. Thus, the resultant policy sent down to the
targeted app being opened by the targeted Intune user would be an intersection of the
listed Android manufacturers in Policy A and Policy B targeted to the same app/user
combination. For example, Policy A specifies "Google;Samsung", while Policy B specifies
"Google", the resultant policy that the Intune user targeted by both Policy A and Policy B
will be "Google".
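The two conflict rules above (Device model(s) and Device manufacturer(s)) both reduce to a case-insensitive intersection of semi-colon separated lists, followed by a plain string match against whatever the device reports. The following is an added example that models that behaviour; it is not Intune's own code. Treating a policy that leaves the setting Not configured as imposing no restriction is an assumption.

```python
"""Added example, not Intune's own code: 'most restrictive' merge of the
Device model(s) / Device manufacturer(s) values and the simple match
against the string the device reports."""


def parse_list(value: str) -> set:
    """Semi-colon separated list, case-insensitive; blank entries are ignored."""
    return {item.strip().lower() for item in value.split(";") if item.strip()}


def merge_allowed(*policy_values: str):
    """Intersection of every configured list (Policy A, Policy B, ...).
    Returns None when no policy configures the setting, i.e. no restriction
    (assumption: Not configured contributes nothing to the intersection)."""
    configured = [parse_list(v) for v in policy_values if v and v.strip()]
    if not configured:
        return None
    allowed = set(configured[0])
    for other in configured[1:]:
        allowed &= other
    return allowed


def device_allowed(reported: str, allowed) -> bool:
    """Matching depends entirely on the string the device reports: 'Samsung',
    'SAMSUNG' and 'samsung' are equal, 'Samsung Electronics' is not."""
    if allowed is None:
        return True
    return reported.strip().lower() in allowed


def demo():
    models = merge_allowed("iPhone5,2;iPhone5,3", "iPhone5,3")  # page's Policy A / B
    makers = merge_allowed("Google;Samsung", "Google")          # page's Policy A / B
    return (sorted(models), sorted(makers),
            device_allowed("iphone5,3", models), device_allowed("iPhone5,2", models),
            device_allowed("GOOGLE", makers), device_allowed("Samsung", makers))


if __name__ == "__main__":
    print(demo())
```

A practical consequence of intersection semantics: two policies whose lists do not overlap at all (for example "Google;Samsung" and "Huawei") produce an empty allowed set and lock out every targeted user, which is why the page recommends piloting the setting with a small group.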
To configure a setting, select a setting from the dropdown under the Setting column.
Once a setting is selected, the editable text box will become enabled under the Value
column in the same row, if a value is required to be set. Also, the dropdown will become
enabled under the Action column with the set of conditional launch actions applicable
to the setting.
Block access – Block the end user from accessing the corporate app.
Wipe data – Wipe the corporate data from the end user's device.
Warn – Provide dialog to end user as a warning message.
In some cases, such as the Min OS version setting, you can configure the setting to
perform all applicable actions based on different version numbers.
Once a setting is fully configured, the row will appear in a read-only view and be
available to be edited at any time. In addition, the row will appear to have a dropdown
available for selection in the Setting column. Settings that have already been configured
and don't allow multiple actions won't be available for selection in the dropdown.
Next steps
To learn more about Intune app protection policies, see:
As an administrator, you can create exceptions to the Intune App Protection Policy (APP)
data transfer policy. An exception allows you to specifically choose which unmanaged
apps can transfer data to and from managed apps. Your IT must trust the unmanaged
apps that you include in the exception list.
Warning
You are responsible for making changes to the data transfer exception policy.
Additions to this policy allow unmanaged apps (apps that are not managed by
Intune) to access data protected by managed apps. This access to protected data
may result in data security leaks. Only add data transfer exceptions for apps that
your organization must use, but that do not support Intune APP (Application
Protection Policies). Additionally, only add exceptions for apps that you do not
consider to be data leak risks.
Within an Intune Application Protection Policy, setting Allow app to transfer data to
other apps to Policy managed apps means that the app can transfer data only to apps
managed by Intune. If you need to allow data to be transferred to specific apps that
don't support Intune APP, you can create exceptions to this policy by using Select apps
to exempt. Exemptions allow applications managed by Intune to invoke unmanaged
applications based on URL protocol (iOS/iPadOS) or package name (Android). By
default, Intune adds vital native applications to this list of exceptions.
Note
Modifying or adding to the data transfer policy exceptions doesn't impact other
App Protection Policies, such as cut, copy, and paste restrictions.
Note
Microsoft does not have a method to manually find the URL protocol for creating
app exceptions for third-party applications.
Tip
You can find the package ID of an app by browsing to the app on the Google Play
store. The package ID is contained in the URL of the app's page. For example, the
package ID of the Microsoft Word app is com.microsoft.office.word.
Example
By adding the Webex package as an exception to the MAM data transfer policy, Webex links inside a managed Outlook email message are allowed to open directly in the Webex application. Data transfer is still restricted in other unmanaged apps.
com.android.mms
com.samsung.android.messaging
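To make the exemption mechanism concrete, here is an added example (not Intune's or Microsoft's code) of the allow/deny decision a policy-managed app would apply when Allow app to transfer data to other apps is set to Policy managed apps and an admin exemption list exists. As the page states, Android targets are matched by package name and iOS/iPadOS targets by URL protocol; the managed app sets, the exempted package name and the URL schemes below are constructed placeholders, and the format checks are added as a guard against typos in an exemption list.

```python
"""Added example, not Intune's or Microsoft's code: data-transfer decision
for a policy-managed app with an admin exemption list."""
import re

# Java-style package name (com.example.app) and RFC 3986 scheme syntax.
ANDROID_PACKAGE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
URL_PROTOCOL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")


def valid_exemption(platform: str, entry: str) -> bool:
    """Reject malformed entries before they widen the data path to unmanaged apps."""
    pattern = {"android": ANDROID_PACKAGE, "ios": URL_PROTOCOL}[platform]
    return bool(pattern.fullmatch(entry))


def transfer_target(platform: str, target: str) -> str:
    """Matching key: the package name on Android, the URL scheme on iOS/iPadOS."""
    if platform == "android":
        return target.strip().lower()
    if platform == "ios":
        scheme, sep, _ = target.partition(":")
        if not sep:
            raise ValueError(f"not a URL: {target!r}")
        return scheme.strip().lower()
    raise ValueError(f"unknown platform: {platform!r}")


def transfer_allowed(platform: str, target: str, managed_apps, exemptions) -> bool:
    """Allowed when the target is itself policy-managed or explicitly exempted.
    Exemptions do not relax cut/copy/paste restrictions (page note); that
    check lives elsewhere."""
    key = transfer_target(platform, target)
    allowed = {a.lower() for a in managed_apps} | {e.lower() for e in exemptions}
    return key in allowed


# Constructed sample policy; the page gives com.microsoft.office.word as a real
# package ID, everything else here is a hypothetical placeholder.
MANAGED_ANDROID = {"com.microsoft.office.word", "com.example.mail"}
EXEMPT_ANDROID = {"com.example.webex"}          # hypothetical meeting-app package
MANAGED_IOS = {"example-mail", "example-docs"}  # hypothetical URL schemes
EXEMPT_IOS = {"examplemeet"}                    # hypothetical meeting-app scheme


def demo():
    return (
        transfer_allowed("android", "com.example.webex", MANAGED_ANDROID, EXEMPT_ANDROID),   # exempted
        transfer_allowed("android", "com.example.social", MANAGED_ANDROID, EXEMPT_ANDROID),  # unmanaged
        transfer_allowed("ios", "examplemeet://join/123", MANAGED_IOS, EXEMPT_IOS),          # exempted scheme
        transfer_allowed("ios", "https://example.org/doc", MANAGED_IOS, EXEMPT_IOS),         # https not listed
        valid_exemption("android", "com.example.webex"),
        valid_exemption("android", "webex"),        # no dot: not a package name
        valid_exemption("ios", "bad scheme"),       # space: not a URL protocol
    )


if __name__ == "__main__":
    print(demo())
```

The decision is a pure allow-list: anything that is neither policy-managed nor exempted is denied, so every entry added to the exemption list is a deliberate widening of the data path and should be reviewed as such.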
Next steps
Create and deploy app protection policies
iOS/iPadOS app protection policy settings - Data transfer exemptions
Android app protection policy settings - Data transfer exemptions
How to validate your app protection policy setup in Microsoft Intune
Article • 03/31/2023
Validate that your app protection policy is correctly set up and working. This guidance
applies to app protection policies in the portal.
What to check
If testing shows that your app protection policy behavior isn't functioning as expected,
check these items:
If the user isn't licensed for app protection, assign an Intune license to the user.
If the user isn't licensed for Microsoft 365, get a license for the user.
If a user's app is listed as Not checked in, check if you've correctly configured an
app protection policy for that app.
Ensure that these conditions apply across all users to which you want app
protection policies to apply.
See also
What is Intune app protection policy?
Licenses that include Intune
Assign licenses to users so they can enroll devices in Intune
How to validate your app protection policy setup
How to monitor app protection policies
Understand App Protection Policy delivery timing
Article • 03/31/2023
Learn the different deployment windows for app protection policies to understand when
changes should appear on your end-user devices.
User State: User Not Licensed
App Protection: Wait for next retry interval. App Protection isn't active for the user.
Retry Interval (see note): 12 hours. However, on Android devices this interval requires Intune APP SDK version 5.6.0 or later; otherwise, for Android devices, the interval is 24 hours.
Why does this behavior happen? Occurs when you haven't licensed the user for Intune.

User State: User Not Assigned App Protection Policies
App Protection: Wait for next retry interval. App Protection isn't active for the user.
Retry Interval (see note): 12 hours
Why does this behavior happen? Occurs when you haven't assigned APP settings to the user.

User State: User Successfully Registered for Intune MAM
App Protection: App Protection is applied per policy settings. Updates occur based on retry interval.
Retry Interval (see note): Intune Service defined based on user load. Typically 30 mins.
Why does this behavior happen? Occurs when the user has successfully registered with the Intune service for APP configuration.
Note
Retry intervals may require active app use to occur, meaning the app is launched
and in use. If the retry interval is 24 hours and the user waits 48 hours to launch the
app, the Intune APP SDK will retry at 48 hours.
Next steps
Assign licenses to users so they can enroll devices in Intune
Protecting application extensions
Article • 03/31/2023
This article describes app protection policies for extensions in Microsoft Intune.
If you want to stop your end users from accessing and installing Outlook add-ins (this affects all Outlook clients), make the following role changes in the Exchange admin center:
To prevent users from installing Office Store add-ins, remove the My Marketplace
role from them.
To prevent users from side loading add-ins, remove the My Custom Apps role from
them.
To prevent users from installing all add-ins, remove both, My Custom Apps and My
Marketplace roles from them.
These instructions apply to Microsoft 365, Exchange 2016, Exchange 2013 across
Outlook on the web, Windows, Mac, and mobile.
The Intune SDK and Intune app protection policies don't include support for managing
LinkedIn account connections, but there are other ways to manage them. You can
disable LinkedIn account connections for your entire organization, or you can enable
LinkedIn account connections for selected user groups in your organization. These
settings affect LinkedIn connections across Microsoft 365 apps on all platforms (web,
mobile, and desktop). You can:
Enable or disable LinkedIn account connections for your tenant in the portal.
Enable or disable LinkedIn account connections for your organization's Office 2016
apps using Group Policy.
If LinkedIn integration is enabled for your tenant, when users in your organization
connect their LinkedIn and Microsoft work or school accounts, they have two options:
They can give permission to share data between both accounts. This means that
they give permission for their LinkedIn account to share data with their Microsoft
work or school account, as well as their Microsoft work or school account to share
data with their LinkedIn account. Data that is shared with LinkedIn leaves the
online services.
They can give permission to share data only from their LinkedIn account to their
Microsoft work and school account
If a user consents to sharing data between accounts, as with Office add-ins, LinkedIn
integration uses existing Microsoft Graph APIs. LinkedIn integration uses only a subset
of the APIs available to Office add-ins and supports various exclusions.
Microsoft Graph permission: Read permissions for People
Description: Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype).

Microsoft Graph permission: Read permissions for Calendars
Description: Allows the app to read events in user calendars. Includes the meetings in signed-in user calendars, their times, locations, and attendees.

Microsoft Graph permission: Read permissions for User Profile
Description: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information for signed-in users.

Microsoft Graph permission: Subscriptions
Description: This scope isn't available and not yet in use. It includes subscriptions provided by the user's organization to Microsoft apps and services, such as Microsoft 365.

Microsoft Graph permission: Insights
Description: This scope isn't available and not yet in use. It includes the interests associated with the signed-in user's account based on their use of Microsoft services.
Learn more
Learn about LinkedIn information and features in your Microsoft apps .
Learn about LinkedIn account connections release on the Microsoft 365 Roadmap
page .
Learn about Configuring LinkedIn account connections.
For more information about data that is shared between users' LinkedIn and
Microsoft work or school accounts, see LinkedIn in Microsoft applications at your
work or school .
How to monitor app protection policies
Article • 07/26/2023
You can monitor the status of the app protection policies that you've applied to users
from the Intune app protection pane in Intune. Additionally, you can find information
about the users affected by app protection policies, policy compliance status, and any
issues that your users might be experiencing.
App protection data is retained for a minimum of 90 days. Any app instances that have checked in to the Intune service within the past 90 days are included in the app protection status report.
Note
For iOS 16 and later devices, the Device Name value in all app protection reports
will be a generic device name. For related information, see Apple Developer
documentation .
Note
The Last Sync column represents the same value in both the in-console User status
report and the App Protection Policy exportable .csv report. The difference is a
small delay in synchronization between the value in the two reports.
The time referenced in Last Sync is when Intune last saw the app instance. When a
user launches an app, it might notify the Intune App Protection service at that
launch time, depending on when it last checked in. See the retry interval times for
App Protection Policy check-in. If a user hasn't used that particular app in the last
check-in interval (which is usually 30 minutes for active usage), and they launch the
app, then:
The App Protection Policy exportable .csv report has the newest time, within 1
minute (minimum) to 30 minutes (maximum).
The User status report has the newest time instantly.
For example, consider a targeted and licensed user who launches a protected app
at 12:00 PM:
If this is a sign in for the first time, that means the user was signed out before,
and doesn't have an app instance registration with Intune. After the user signs
in, the user gets a new app instance registration, and can be checked-in
immediately (with the same time delays listed previously for future check-ins).
Thus, the Last Sync time is 12:00 PM in the User status report, and 12:01 PM
(or 12:30 PM at latest) in the App Protection Policy report.
If the user is just launching the app, the Last Sync time reported depends on
when the user last checked in.
See also
How to create and assign app protection policies
Intune reports
Get ready for Windows Information Protection in Windows 10/11
Article • 03/31/2023
Enable mobile application management (MAM) for Windows 10/11 by setting the MAM
provider in Azure AD. Setting a MAM provider in Azure AD allows you to define the
enrollment state when creating a new Windows Information Protection (WIP) policy with
Intune. The enrollment state can be either MAM or mobile device management (MDM).
2. Select All services and choose M365 Azure Active Directory to switch dashboards.
6. Configure the settings in the Restore default MAM URLs group on the Configure
pane.
None
Select Azure AD groups that contain users who will be enrolled in MAM.
All
The MAM terms of use URL is not supported for Microsoft Intune. This input box
must be left blank for protection policies to apply.
The URL of the enrollment endpoint of the MAM service. The enrollment endpoint
is used to enroll devices for management with the MAM service.
The MAM compliance URL is not supported for Microsoft Intune. This input box
must be left blank for protection policies to apply.
7. Click Save.
Next steps
Create a WIP policy
Create and deploy Windows Information Protection (WIP) policy with Intune
Article • 05/01/2023
Note
For more information, see End of support guidance for Windows Information
Protection .
You can use Windows Information Protection (WIP) policies with Windows 10 apps to
protect apps without device enrollment.
Exempt apps: These apps are exempt from this policy and can access corporate
data without restrictions.
Types of apps
Recommended apps: A pre-populated list of (mostly Microsoft Office) apps that
allow you to easily import into the policy.
Store apps: You can add any app from the Windows store to the policy.
Windows desktop apps: You can add any traditional Windows desktop apps to the
policy (for example, .exe, .dll)
Prerequisites
You must configure the MAM provider before you can create a WIP policy. Learn more
about how to configure your MAM provider with Intune.
Important
WIP does not support multi-identity, only one managed identity can exist at a time.
For more information about the capabilities and limitations of WIP, see Protect
your enterprise data using Windows Information Protection (WIP).
Tip
For related information about creating WIP policies for Intune, including available
settings and how to configure them, see Create a Windows Information Protection
(WIP) policy with MAM using the portal for Microsoft Intune in the Windows
Security documentation library.
4. Choose Create. The policy is created and appears in the table on the App
protection policies pane.
WIP Learning
After you add the apps you want to protect with WIP, you need to apply a protection
mode by using WIP Learning.
In addition to viewing information about WIP-enabled apps, you can view a summary of
the devices that have shared work data with websites. With this information, you can
determine which websites should be added to group and user WIP policies. The
summary shows which website URLs are accessed by WIP-enabled apps.
When working with WIP-enabled apps and WIP-unknown apps, we recommend that
you start with Silent or Allow Overrides while verifying with a small group that you have
the right apps on your protected apps list. After you're done, you can change to your
final enforcement policy, Block.
What are the protection modes?
Block
WIP looks for inappropriate data sharing practices and stops the user from completing
the action. Blocked actions can include sharing info across non-corporate-protected
apps, and sharing corporate data between other people and devices outside of your
organization.
Allow Overrides
WIP looks for inappropriate data sharing, warning users when they do something
deemed potentially unsafe. However, this mode lets the user override the policy and
share the data, logging the action to your audit log.
Silent
WIP runs silently, logging inappropriate data sharing, without blocking anything that
would have been prompted for employee interaction while in Allow Override mode.
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-
protected data, are still stopped.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the
locally attached drives. Note that previous decryption and policy info isn't automatically
reapplied if you turn WIP protection back on.
This app protection policy option is in the Advanced settings of the Windows
Information Protection policy. The app protection policy must be set to the Windows 10
platform and the app policy Enrollment state must be set to With enrollment.
When the policy is enabled, WIP protected items are indexed and the metadata about
them are stored in an unencrypted location. The metadata includes things like file path
and date modified.
When the policy is disabled, the WIP protected items are not indexed and do not show
up in the results in Cortana or file explorer. There may also be a performance impact on
photos and Groove apps if there are many WIP protected media files on the device.
Important
After you created your WIP app protection policy, you need to deploy it to your
organization using MAM.
1. On the App policy pane, choose your newly created app protection policy, choose
User groups > Add user group.
A list of user groups, made up of all the security groups in your Azure Active
Directory, opens in the Add user group pane.
2. Choose the group you want your policy to apply to, then choose Select to deploy
the policy.
Next steps
Learn more about Windows Information Protection, see Protect your enterprise data
using Windows Information Protection (WIP).
How to manage data transfer between iOS apps in Microsoft Intune
Article • 03/06/2023
To help protect company data, restrict file transfers to only the apps that you manage.
You can manage iOS apps in the following ways:
Protect org data for work or school accounts by configuring an app protection policy for the apps, which we call policy managed apps. See Microsoft Intune protected apps.
Deploy and manage the apps through iOS device management, which requires
devices to enroll in a Mobile Device Management (MDM) solution. The apps you
deploy can be policy managed apps or other iOS managed apps.
The Open-in management feature for enrolled iOS devices can limit file transfers
between iOS managed apps. Set Open-in management restrictions using an app
protection policy that sets Send org data to other apps to the Policy managed apps
with Open-In/Share filtering value and then deploy the policy using Intune. When a
user installs the deployed app, the restrictions you set are applied based on the
assigned policy.
Devices not managed by any MDM solution: You can set the app protection
policy settings to control sharing of data with other applications via Open-in or
Share extensions. To do so, configure the Send org data to other apps setting to
Policy managed apps with Open-In/Share filtering value. The Open-in/Share
behavior in the policy managed app presents only other policy managed apps as
options for sharing. For related information, see App protection policies for
iOS/iPadOS and Android apps, Data Transfer, and iOS share extension.
1. In the Microsoft Intune admin center , create and assign an app protection policy
for iOS/iPadOS. Configure policy settings per your company requirements and
select the iOS apps that should have this policy.
2. Deploy the apps and the email profile that you want managed through Intune or
your third-party MDM solution using the following generalized steps. This
experience is also covered by Example 1.
3. Deploy the app with the following app configuration settings to the managed
device:
Note
Deploy IntuneMAMUPN app configuration settings to the target managed
app which sends data. Adding the app configuration key to the receiving app
is optional.
4. Deploy the Open-in management policy using Intune or your third-party MDM
provider to enrolled devices.
2. In the Application Configuration section, enter the following setting for each policy
managed app that will transfer data to iOS managed apps:
The exact syntax of the key/value pair may differ based on your third-party MDM
provider. The following table shows examples of third-party MDM providers and
the exact values you should enter for the key/value pair.
For Outlook for iOS/iPadOS, if you deploy a managed devices App Configuration
Policy with the option "Using configuration designer" and enable Allow only work
or school accounts, the configuration key IntuneMAMUPN is configured
automatically behind the scenes for the policy. More details can be found in the
FAQ section in New Outlook for iOS and Android App Configuration Policy
Experience – General App Configuration.
1. A user opens the Microsoft OneDrive app on an enrolled iOS device and signs in
to their work account. The account the user enters must match the account UPN
you specified in the app configuration settings for the Microsoft OneDrive app.
2. After sign-in, the APP settings your administrator configured apply to the user
account in Microsoft OneDrive. This includes configuring the Send Org data to other
apps setting to the Policy managed apps with OS sharing value.
3. The user previews a work file and attempts to share via Open-in to an iOS managed
app.
4. The data transfer succeeds and data is now protected by Open-in management in
the iOS managed app. Intune APP does not apply to applications that are not
policy managed apps.
Sharing from an iOS managed app to a policy managed app with incoming Org data
1. A user opens native Mail on an enrolled iOS device with a Managed email profile.
2. The user opens a work document attachment from native Mail to Microsoft Word.
The user is signed in to their work account that matches the account UPN
you specified in the app configuration settings for the Microsoft Word
app.
The APP settings your administrator configured apply to the user account in
Microsoft Word. This includes configuring the Receive data from other
apps setting to the All apps with incoming Org data value.
The data transfer succeeds and the document is tagged with the work
identity in the app. Intune APP protects the user actions for the document.
Note
The user can add and use their personal accounts with Word. App protection
policies don't apply when the user uses Word outside of a work context.
For example, the Require app PIN policy setting is easy to test. When the policy setting
equals Require, the user should see a prompt to set or enter a PIN before they can
access company data.
First, create and assign an app protection policy to the iOS app. For more information
on how to test app protection policies, see Validate app protection policies.
See also
What is Intune app protection policy
Review client app protection logs
Article • 08/17/2023
Learn about the settings you can review in the app protection logs. Access logs by enabling Intune
Diagnostics on a mobile client.
iOS/iPadOS devices - Use Microsoft Edge for iOS/iPadOS to collect logs. For details, see Use
Edge for iOS and Android to access managed app logs.
Windows 10/11 devices - Use MDMDiag and event logs. See Diagnose MDM failures in
Windows 10 in the Windows client management content, and the blog Troubleshooting
Windows 10 Intune Policy Failures.
Android devices - Use Microsoft Edge for Android to collect logs. For details, see Use Edge for
iOS and Android to access managed app logs.
Note
On Android Fully Managed devices, in certain instances the Intune Company Portal app
may be visible under all apps. This may happen when an app associated with an app
protection policy is either not installed or not launched.
The following tables list the App protection policy setting name and supported values that are
recorded in the log. In addition, each setting identifies the policy setting found within Microsoft
Intune admin center. For detailed information on each setting, see iOS/iPadOS app protection policy
settings and Android app protection policy settings in Microsoft Intune.
app
3 = Any dialer app
SharePoint
35 = Local Storage, OneDrive & SharePoint
36 = Local Storage & Box
37 = Local Storage, OneDrive & Box
38 = Local Storage, SharePoint & Box
39 = Local Storage, OneDrive, SharePoint & Box
128 = Photo Library
129 = Photo Library & OneDrive
130 = Photo Library & SharePoint
131 = Photo Library, OneDrive & SharePoint
132 = Photo Library & Box
133 = Photo Library, OneDrive & Box
134 = Photo Library, SharePoint & Box
135 = Photo Library, OneDrive, SharePoint & Box
160 = Photo Library, Local Storage
161 = Photo Library, Local Storage & OneDrive
162 = Photo Library, Local Storage & SharePoint
163 = Photo Library, Local Storage, OneDrive & SharePoint
164 = Photo Library, Local Storage & Box
165 = Photo Library, Local Storage, OneDrive & Box
166 = Photo Library, Local Storage, SharePoint & Box
167 = Photo Library, Local Storage, OneDrive, SharePoint & Box
Name | Value details | Setting in Microsoft Intune App Protection Policy
11 = Local Storage, OneDrive & SharePoint
12 = Local Storage & Camera
13 = Local Storage, OneDrive & Camera
14 = Local Storage, SharePoint & Camera
15 = Local Storage, OneDrive, SharePoint & Camera
16 = Photo Library
17 = Photo Library & OneDrive
18 = Photo Library & SharePoint
19 = Photo Library, OneDrive & SharePoint
20 = Photo Library & Camera
21 = Photo Library, OneDrive & Camera
22 = Photo Library, SharePoint & Camera
23 = Photo Library, OneDrive, SharePoint & Camera
24 = Photo Library & Local Storage
25 = Photo Library, Local Storage & OneDrive
26 = Photo Library, Local Storage & SharePoint
27 = Photo Library, Local Storage, OneDrive & SharePoint
28 = Photo Library, Local Storage & Camera
29 = Photo Library, Local Storage, OneDrive & Camera
30 = Photo Library, Local Storage, SharePoint & Camera
31 = Photo Library, Local Storage, OneDrive, SharePoint & Camera
manufacturers with action Allow specified (Wipe non-specified)
paste between other apps
Setting: Save copies of org data
Setting: Select number of previous PIN values to maintain
Unmanaged Browser name
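The numeric values in the two storage-location lists above are bit sums: each listed number is the total of one bit per named location (OneDrive = 1, SharePoint = 2, Box = 4, Local Storage = 32, Photo Library = 128 in the first list; OneDrive = 1, SharePoint = 2, Camera = 4, Local Storage = 8, Photo Library = 16 in the second). The following Python example is added here and is not part of the Microsoft documentation: it decodes a value read from an app protection log back into location names, flags any bit that is outside the known map, and cross-checks the decoder against lines copied from the lists above. The bit assignments are inferred from those lists and are not stated on the page.

```python
import re

# Bit values inferred from the value lists on this page (assumption: the page lists
# sums of bits, it does not name the bits). First list, e.g. 35 = Local Storage, OneDrive & SharePoint:
STORAGE_BITS_A = {1: "OneDrive", 2: "SharePoint", 4: "Box", 32: "Local Storage", 128: "Photo Library"}
# Second list, e.g. 11 = Local Storage, OneDrive & SharePoint:
STORAGE_BITS_B = {1: "OneDrive", 2: "SharePoint", 4: "Camera", 8: "Local Storage", 16: "Photo Library"}


def decode_locations(value, bits):
    """Return the location names whose bits are set in a logged value.

    Bits that are set but absent from the map are reported explicitly rather than
    silently dropped, so an unexpected value stands out when reading a log.
    """
    names = []
    remaining = value
    for bit, name in sorted(bits.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"unknown bit(s) 0x{remaining:X}")
    return names


def encode_locations(names, bits):
    """Inverse of decode_locations: sum the bits for the given location names."""
    by_name = {name: bit for bit, name in bits.items()}
    return sum(by_name[name] for name in names)


# Lines copied from the value lists above, used to cross-check the bit maps.
TABLE_A_EXCERPT = [
    "35 = Local Storage, OneDrive & SharePoint",
    "36 = Local Storage & Box",
    "128 = Photo Library",
    "160 = Photo Library, Local Storage",
    "167 = Photo Library, Local Storage, OneDrive, SharePoint & Box",
]
TABLE_B_EXCERPT = [
    "11 = Local Storage, OneDrive & SharePoint",
    "16 = Photo Library",
    "24 = Photo Library & Local Storage",
    "31 = Photo Library, Local Storage, OneDrive, SharePoint & Camera",
]

LINE_RE = re.compile(r"\s*(\d+)\s*=\s*(.+?)\s*$")


def verify_table(lines, bits):
    """Decode each 'N = names' line and return the lines whose names do not match."""
    mismatches = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            mismatches.append(line)
            continue
        value = int(m.group(1))
        expected = {part.strip() for part in re.split(r"[,&]", m.group(2))}
        if set(decode_locations(value, bits)) != expected:
            mismatches.append(line)
    return mismatches


if __name__ == "__main__":
    print(decode_locations(163, STORAGE_BITS_A))
    print(decode_locations(29, STORAGE_BITS_B))
    print("first list mismatches:", verify_table(TABLE_A_EXCERPT, STORAGE_BITS_A))
    print("second list mismatches:", verify_table(TABLE_B_EXCERPT, STORAGE_BITS_B))
```

Because the two lists use different bit positions for Local Storage and Photo Library, a value must be decoded with the map that belongs to the log it came from; decoding 160 with the second map would report an unknown bit, which is the intended signal that the wrong map was chosen.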
Next steps
To learn more about app protection policies, see What are app protection policies?
Intune offers a number of tools to help you troubleshoot issues in your environment. For more
information, see Use the troubleshooting portal to help users.
Policies for Office apps
Article • 05/24/2023
Intune provides policies specifically for Microsoft Office apps. You can select specific
options to create mobile app management policies for Office mobile apps that connect
to Microsoft 365 services. There are many policies for Office apps that you can add to
Microsoft Intune and apply to groups of end users.
Examples of just a few of the Office app policies include the following:
Microsoft Word: Turn off Protected View for attachments opened from Outlook
Microsoft Visio: Block macros from running in Office files from the Internet
Microsoft Project: Allow Trusted Locations on the network
Microsoft Publisher: Publisher Automation Security Level
Microsoft PowerPoint: Turn off Protected View for attachments opened from Outlook
Note
When you select to configure each specific app policy, additional policy details are
provided. You can filter the Office policy list to quickly select the recommended
Security Baseline policies.
You can also protect access to Exchange on-premises mailboxes by creating Intune app
protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid Modern
Authentication. Before using this feature, you must meet the requirements for using the
Office cloud policy service. App protection policies are not supported for other apps
that connect to on-premises Exchange or SharePoint services. For related information,
see Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise.
Prerequisites
You must meet the requirements to use policies for Office apps. For more information,
see Requirements for using the Office cloud policy service.
4. Select Create. The policy is created and appears in the table on the Policy
configurations pane.
Tip
The Policy configurations pane provides the Health status for each policy.
Additional information
Overview of the Office cloud policy service for Microsoft 365 Apps for enterprise
Use policy settings to manage privacy controls for Microsoft 365 Apps for
enterprise
Use preferences to manage privacy controls for Office for Mac
Use preferences to manage privacy controls for Office on iOS devices
Use policy settings to manage privacy controls for Office on Android devices
Next steps
Monitor app information and assignments with Microsoft Intune
Quiet time policies for iOS/iPadOS and
Android apps
Article • 05/24/2023
The global quiet time settings allow you to create policies to schedule quiet time for
your end users. These settings automatically mute Microsoft Outlook email and Teams
notifications on iOS/iPadOS and Android platforms. These policies can be used to limit
end user notifications received after work hours.
Policy Type | Description
Date Range | Select this option to automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms during the specified range.
Days of the week | Select this option to automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms during certain hours or all day on selected days of the week.
1. In the Quiet Time > Policies pane, select the policy you want to change.
2. Next to the section titled Assignments, select Edit.
3. To add a new user group to the policy, under the Included groups section, choose
Add groups. Then, find and select the user group. Choose Select to add the group.
4. To exclude a user group, under the Excluded groups section, choose Add groups.
Then, find and select the user group. Choose Select to exclude the user group.
5. To delete groups that were previously added, in either the Included groups or
Excluded groups section, select Remove.
6. Select Review + save to review the user groups selected for this policy.
7. After your changes to the assignments are ready, select Save to save the
configuration and deploy the policy to the new set of users. If you select Cancel
before you save your configuration, you'll discard all changes you have made to
the Included groups and Excluded groups sections.
1. In the Quiet Time > Policies pane, select the policy you want to change.
2. Next to the section titled Configuration settings, select Edit. Then change the
settings to new values.
3. Select Review + save to review the updated settings for this policy.
4. Select Save to save your changes. If you select Cancel before you save your
configuration, you'll discard all changes you have made to the Configuration
settings pane.
All day section:
Mute notifications all day | Set to Require to enable muting notifications for a full 24 hours on specific days of the week.
Days of the week | Set to Configured and then select one or more days of the week that notifications must be muted for a full 24 hours.
Certain Hours section:
Mute notifications daily | Set to Require to enable muting notifications for certain hours on specific days of the week.
Start time | Set the start time for muting notifications for certain hours on specific days of the week.
End time | Set the end time for muting notifications for certain hours on specific days of the week.
Days of the week | Set to Configured and then select one or more days of the week that notifications must be muted for certain hours.
Policy setting | Description
Allow user to change settings | Select Yes to allow end users to make changes to this setting by editing their global quiet time settings. Select No to disallow end users from changing this setting by editing their global quiet time settings.
Use the troubleshooting dashboard to
help users at your company
Article • 07/21/2023
The troubleshooting pane lets help desk operators and Intune administrators view user
information to address user help requests. Organizations that include a help desk can
assign the Help desk operator role to a group of Intune users. The help desk operator
role can use the Troubleshooting + support pane to help end users.
Details about the issue and suggested remediation steps can help administrators and
help desk operators troubleshoot problems. Certain enrollment issues aren't captured
and some errors might not have remediation suggestions.
Note
For steps on adding a help desk operator role, see Role-based administration
control (RBAC) with Intune.
When a user contacts support with a technical issue with Intune, the help desk operator
enters and finds the user's name. Additionally, the help desk operator can filter by
device if the user has multiple managed devices.
The Troubleshooting pane provides the following tabs to quickly narrow the
troubleshooting focus:
Column | Description
Policy | The status of the policies available for the user or device.
Role and scope | The role and scope for the user.
Devices
The Devices tab provides details for devices, such as OS, OS Version, Intune compliance,
and last check-in.
Column | Description
Managed by | Identifies how the device is managed. For more information, see Available details by management type.
Intune compliant | Identifies whether the device is compliant with Intune. Should be Yes. If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service. For example, the device may be turned off, or may not have a network connection. Eventually, the device becomes non-compliant, possibly after 30 days. For more information, see Use compliance policies to set rules for devices you manage with Intune.
AAD compliant | Identifies whether the device is compliant with Azure Active Directory (AAD). Should be Yes. If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service. For example, the device may be turned off, or may not have a network connection. Eventually, the device becomes non-compliant, possibly after 30 days. For more information, see Use compliance policies to set rules for devices you manage with Intune.
App lifecycle status | Denotes whether an app install failure or success has occurred on the individual device.
Last check-in | The timestamp of the last time the device checked in.
Groups
The Groups tab provides the group membership of all Azure AD groups for a specific
managed device. For related information, see Device group membership report.
Column | Description
Object ID | The Object ID is used by Azure Active Directory. Intune commonly refers to them as Group ID.
Membership type | Provides how you assign and add users. Assigned denotes you manually assign users or devices to the group, and manually remove users or devices. Dynamic User denotes you create membership rules to automatically add and remove members. Dynamic Device denotes you create dynamic group rules to automatically add and remove devices.
Last Modified | The timestamp of the last time the device synchronized with Intune.
Applications
The Applications tab provides managed app install status, assigned, platform, type, and
last modified.
Column | Description
Type | You can choose an assignment type for each app. Available denotes that users install the app from the Company Portal app or website. Not Applicable denotes that the app is not installed or shown in the Company Portal. Uninstall denotes that the app is uninstalled from devices in the selected groups. Available with or without enrollment denotes that this app is assigned to groups of users whose devices are not enrolled with Intune.
Last modified | The timestamp of the last time the device synchronized with Intune.
Column Description
Updates
The Updates tab provides an overall view of updates that are deployed to users. This
information also provides filtering, searching, paging, and sorting.
Column Description
Enrollment restrictions
The Enrollment restrictions tab provides the policy type, name, platform, and device
limit. Enrollment restrictions are used to prevent (block) personally owned devices from
enrolling; you will need to add the devices using corporate device identifiers prior to
enrollment.
Properties
Column | Description
Device limit | The enrollment restriction to limit the number of devices a user can enroll in Microsoft Intune.
Diagnostics
The Diagnostics tab provides the device name or application, platform, created date,
and diagnostic log.
Note
To collect and access diagnostics you must have the Collect diagnostics permission
added to your role. For more information, see Role-based administration control
(RBAC) with Intune.
Column Text
Next steps
You can learn more about Role-based administration control (RBAC) to define roles for
your organization's device management, mobile application management, and data
protection tasks. For more information, see Role-based administration control (RBAC)
with Intune.
Learn about any known issues in Microsoft Intune. For more information, see Known
issues in Microsoft Intune .
Learn how to create a support ticket and get help when you need it. Get support.
Troubleshooting Intune app installation
issues
Article • 05/27/2023
This article gives troubleshooting guidance for when app installations fail for Microsoft
Intune-managed apps. The Intune Troubleshoot pane provides failure details, including
details about managed apps, to help you address user help requests. For detailed
information, see Use the troubleshooting portal to help users at your company. In the
Managed Apps pane, you can find information about the end-to-end lifecycle of an app
for each individual device. You can view installation issues, such as when the app was
created, modified, targeted, and delivered to a device.
Note
For specific app installation error code information, see Intune app installation
error reference.
4. Type the name or email address of the user you want to troubleshoot, and then
click Select at the bottom of the pane. The troubleshooting information for the
user is displayed in the Troubleshoot pane.
5. Select the device that you want to troubleshoot from the Devices list.
6. Select Managed Apps from the selected device pane. A list of managed apps is
displayed.
7. Select an app from the list where Installation Status indicates a failure.
Note
The same app could be assigned to multiple groups but with different
intended actions (intents) for the app. For instance, a resolved intent for an
app will show excluded if the app is excluded for a user during app
assignment. For more information, see How conflicts between app intents
are resolved.
If an installation failure occurs for a required app, either you or your help desk
will be able to sync the device and retry the app install.
The app installation error details will indicate the problem. You can use these details to
determine the best action to take to resolve the problem. For more information about
troubleshooting app installation issues, see Android app installation errors and iOS app
installation errors.
Note
You can also access the Troubleshoot pane directly in your browser with this URL:
https://aka.ms/intunetroubleshooting.
If the app does not display in the Company Portal, ensure the app is deployed with
Available intent and that the user is accessing the Company Portal with the device
type supported by the app.
For Windows BYOD devices, the user needs to add a Work account to the device.
Check if the user is over the Azure Active Directory (Azure AD) device limit:
For iOS/iPadOS ADE devices, ensure that the user is listed as Enrolled by User in
the Intune devices Overview pane. If it shows NA, then deploy a config policy for
the Intune Company Portal. For more information, see Configure the Company
Portal app.
Note
To better recognize ARM64 apps in the Company Portal, consider adding ARM64
to the name of your ARM64 apps.
This article lists common app installation errors for Android, iOS, and other scenarios.
Use the following reference to troubleshoot application errors and to get more
information about specific app errors based on returned error codes.
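The reference tables below list every code twice: as a hex HRESULT-style value and as the same 32-bit value read as a signed decimal, which is how many logs and reports print it. The following Python example is added here and is not part of the Microsoft documentation: it converts between the two forms, extracts a code from a log line in either form, and annotates it from a small subset of the entries below. The log line layout is a constructed assumption, and the auto_retry flag is set only for entries whose text on this page says the policy is retried at the next sync.

```python
import re
from typing import Optional

# Subset of the reference table on this page: unsigned 32-bit code -> error message/code text.
INTUNE_APP_ERRORS = {
    0xC7D14FB5: "The app failed to install.",
    0xC7D15078: "The download failed because of an unknown error. "
                "The policy will be retried the next time the device syncs.",
    0x87D1041C: "The application was not detected after installation completed successfully.",
    0x87D1313D: "Could not retrieve license for the app with iTunes Store ID",
    0x87D13B9B: "The app installation failed. Intune will try again the next time the device syncs.",
}

MASK32 = 0xFFFFFFFF


def to_signed32(code: int) -> int:
    """Read a 32-bit code as a signed integer (the 'Error code (Dec)' column)."""
    code &= MASK32
    return code - 0x1_0000_0000 if code & 0x8000_0000 else code


def to_unsigned32(code: int) -> int:
    """Inverse of to_signed32: map a signed decimal back to the 0x... form."""
    return code & MASK32


def normalize_code(text: str) -> int:
    """Accept '0xC7D14FB5', 'c7d14fb5' or '-942583883' and return the unsigned 32-bit value.

    A bare run of digits is treated as signed decimal, which is how logs usually print it.
    """
    s = text.strip()
    if s.lower().startswith("0x"):
        return int(s, 16) & MASK32
    if re.fullmatch(r"-?\d+", s):
        return to_unsigned32(int(s, 10))
    if re.fullmatch(r"[0-9A-Fa-f]{8}", s):
        return int(s, 16)
    raise ValueError(f"unrecognized error code format: {text!r}")


# Matches either the hex form or a signed 32-bit decimal with a leading minus sign.
CODE_RE = re.compile(r"(0x[0-9A-Fa-f]{8}|-\d{9,10})")


def triage_log_line(line: str) -> Optional[dict]:
    """Pull the first error code out of a log line and annotate it from the table."""
    m = CODE_RE.search(line)
    if not m:
        return None
    code = normalize_code(m.group(1))
    message = INTUNE_APP_ERRORS.get(code)
    return {
        "hex": f"0x{code:08X}",
        "dec": to_signed32(code),
        "message": message or "not in reference table",
        # True only for entries whose text on this page promises a retry at next sync.
        "auto_retry": bool(message and "next time the device syncs" in message),
    }


# Constructed sample lines (not real Intune output); the field layout is an assumption.
SAMPLE_LOG = [
    "2023-08-17T10:02:11Z device=PHONE-01 app=Outlook status=failed errorCode=-2016345060",
    "2023-08-17T10:05:42Z device=TAB-07 app=Word status=failed errorCode=0x87D13B9B",
    "2023-08-17T10:06:00Z device=PHONE-02 app=Teams status=failed errorCode=0xC7D14FB5",
    "2023-08-17T10:07:30Z device=PHONE-03 app=Teams status=installed",
]


def triage(lines):
    """Return one triage record per line that carries an error code."""
    return [r for r in (triage_log_line(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record)
```

The conversion matters when correlating sources: a Windows event log or a Graph report may show -2016345060 while the table here lists 0x87D1041C, and both are the same code. Keeping the unsigned form as the dictionary key lets either spelling be looked up after normalization.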
Error code (Hex) | Error code (Dec) | Error message/code | Description
0xC7D14FB5 | -942583883 | The app failed to install. | This error message is displayed when Intune cannot determine the root cause of the Android app installation error. No information was provided by Android during the failure. This error is returned when the APK download succeeded, but the app installation failed. This error may occur more commonly due to a bad APK file that cannot be installed onto the device. A possible cause can be when Google Play Protect blocks the install of the app due to security concerns. Another possible cause of this error is when a device does not support the app. For example, if the app requires API version 21+ and the device currently has API version 19. Intune returns this error for both DA and KNOX devices and although there may be a notification that users can click to retry, if there is an issue with the APK, it will continue to fail. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.
0xC7D14FBA | -942583878 | The app installation was canceled because the installation (APK) file was deleted after download, but before installation. | The download of the APK succeeded, but before the user installed the app the file was removed from the device. This could happen if there was a large time difference between download and install. For example, the user canceled the original install, waited, and then clicked the notification to try again. This error message is returned for only DA scenarios. KNOX scenarios can be done silently. We do present a notification to retry so the user can accept instead of cancel. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.
0xC7D14FBB | -942583877 | The app installation was canceled because the process was restarted during installation. | The device was rebooted during the APK installation process, resulting in a canceled installation. This error message is returned for both DA and KNOX devices. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.
0x87D1041C | -2016345060 | The application was not detected after installation completed successfully. | The user explicitly uninstalled the app. This error is not returned from the client. It is an error produced when the app was installed at one point, but then the user uninstalled it. This error should only occur for required applications. Users can uninstall non-required apps. This error can only happen in DA. KNOX blocks the uninstall of managed apps. The next sync will repost the notification on the device for the user to install. The user can ignore the notification. This error will continue to be reported until the user installs the app.
0xC7D14FB2 | -942583886 | The download failed because of an unknown error. | This error occurs when the download fails. This error can commonly occur due to Wi-Fi issues or slow connections. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install, this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed.
0xC7D15078 | -942583688 | The download failed because of an unknown error. The policy will be retried the next time the device syncs. | This error occurs when the download fails. This error can commonly occur due to Wi-Fi issues or slow connections. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install, this can be done silently.
0xC7D14FB1 | -942583887 | The end user canceled the app installation. | The user explicitly uninstalled the app. This error is returned when the Android OS install activity was canceled by the user. The user pressed the cancel button when the OS install prompt was presented or clicked away from the prompt. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install, this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed. Ask the user not to cancel the install.
0xC7D15015 | -942583787 | The file download process was unexpectedly stopped. | The OS stopped the download process before it was complete. This error can occur when the device has low battery or the download is taking too long. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install, this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed. Ensure the device has a reliable network connection.
0xC7D1507C | -942583684 | The file download service was unexpectedly stopped. The policy will be retried the next time the device syncs. | The OS ended the download process before it was completed. This error can occur when the device has low battery or the download is taking too long. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install, this can be done silently. Manually sync the device or wait for 24 hours and check the status.
0xc7d14fb8 | -942583880 | The app failed to uninstall. | This error is a generic uninstall failure. The OS did not specify why the app failed to uninstall. Some admin apps cannot simply be uninstalled. Check to ensure the app can be uninstalled manually and collect the Company Portal logs if the uninstall fails.
0xc7d14fb7 | -942583881 | The app installation APK file used for the upgrade does not match the signature for the current app on the device. | Android OS has the limitation of requiring the signing cert for the upgrade version to be exactly the same as the cert used to sign the existing version. If the developer cannot use the same cert to sign the new version, you will need to uninstall the existing app and re-deploy the new app rather than upgrade the existing app.
0xc7d14fb9 | -942583879 | The end user canceled the app installation. | Educate the user to accept the Intune deployed app and install the app when prompted.
0xc7d14fbc | -942583876 | Uninstall of the app was canceled because the process was restarted during installation. | The app install process was terminated by the OS or the device was restarted. Retry the install and collect Company Portal logs if this error occurs again.
0xC7D14FB1 | -942583887 | The end user canceled the app installation. | The user explicitly uninstalled the app. This error is returned when the Android OS install activity was canceled by the user. The user pressed the cancel button when the OS install prompt was presented or clicked away from the prompt. This error is returned for only DA scenarios. For KNOX scenarios, the user is not prompted to install, this can be done silently. Intune presents a notification that users can click to retry. If the app is an available app, the notification can be dismissed. However, if the app is required, it cannot be dismissed. Ask the user not to cancel the install.
0xC7D14FB9 | -942583879 | The end user canceled the app installation. (At the accept prompt) | Educate the user to accept the Intune deployed app and install the app when prompted.
Error code (Hex) | Error code (Dec) | Error message/code | Description/Troubleshooting tips
0x87D12906 | -2016335610 | Apple MDM Agent error: App installation command failed with no error reason specified. Retry app installation. | Apple MDM Agent returned that the installation command failed.
0x87D1313C | -2016333508 | Network connection on the client was lost or interrupted. Later attempts should succeed in a better network environment. | The network connection was lost while the updated download service URL was sent to the device. Specifically, a server with the specified hostname could not be found.
0x87D1313D | -2016333507 | Could not retrieve license for the app with iTunes Store ID | Sync the associated VPP token, then sync the device with Intune. If the issue persists, remove group assignment and reassign the VPP app as device-licensed. If the issue still persists, revoke the app license from the device by navigating to Apps > iOS > select VPP app > App licenses > select device. Then, revoke license and try re-assigning the app to the user group or device group. If the issue still persists, revoke all VPP licenses for the device by going to Devices > iOS > select device > Overview > Revoke licenses, then retire the device and re-enroll to Intune.
0x87D13B64 | -2016330908 | The app installation has failed. | An app installation failure occurred. iOS/iPadOS Console logs are needed to troubleshoot this error.
0x87D13B66 | -2016330906 | The app is managed, but has expired or been removed by the user. | Either the user explicitly uninstalled the app, or the app is expired but failed to download, or the app detection does not match the response from the device. Additionally, this error could occur based on an iOS/iPadOS 9.2.2 platform bug.
0x87D13B60 | -2016330912 | The app is scheduled for installation, but needs a redemption code to complete the transaction. | This error typically occurs with iOS Store apps which are paid apps.
0x87D1041C | -2016345060 | The application was not detected after installation completed successfully. | The app detection process did not match with the response from the device.
0x87D13B62 | -2016330910 | The user rejected the offer to install the app. | During initial app install, the user clicked cancel. Ask the user to accept the install request the next time.
0x87D13B63 | -2016330909 | The user rejected the offer to update the app. | The end user clicked cancel during the update process. Deploy as required or educate the user to accept the upgrade prompt.
0x87D13B93 | -2016330861 | Can only install VPP apps on Shared iPad. | The apps must be obtained using Apple Volume Purchase Program to install on a Shared iPad.
0x87D13B94 | -2016330860 | Can't install apps when App Store is disabled. | The App Store must be enabled for the user to install the app.
0x87D13B95 | -2016330859 | Can't find VPP license for app. | Try revoking and reassigning the app license.
Error code Error code Error message/code Description/Troubleshooting
(Hex) (Dec) tips
0x87D13B96 -2016330858 Can't install system apps with your Installing apps that are pre-
MDM provider. installed by the iOS/iPadOS
operating system is not a
supported scenario.
0x87D13B97 -2016330857 Can't install apps when device is All use of the device is
in Lost Mode. blocked in Lost Mode. Disable
Lost Mode to install apps.
0x87D13B98 -2016330856 Can't install apps when device is Try adding this device to an
in kiosk mode. exclude group for kiosk mode
configuration policy to install
apps.
0x87D13B9C -2016330852 Can't install 32-bit apps on this The device doesn't support
device. installing 32-bit apps. Try
deploying the 64-bit version
of the app.
0x87D13B99 -2016330855 User must sign in to the App The user needs to sign in to
Store. the App Store before the app
can be installed.
0x87D13B9A -2016330854 Unknown problem. Please try The app installation failed due
again. to an unknown reason. Try
again later.
0x87D13B9B -2016330853 The app installation failed. Intune The app installation
will try again the next time the encountered a device error.
device syncs. Sync the device to try
installing the app again.
0x87d13b7f -2016330881 Needed app configuration policy App requires app config but
not present, ensure policy is no app config is targeted.
targeted to same groups. Admin should make sure the
groups the app is targeted to
also has the required app
config targeted to the groups.
0x87d13b8f -2016330865 The application is installed on the This error only happens to
device but is unmanaged. LOB apps. The app was
installed outside of Intune. To
address this error, uninstall the
app from the device. The next
time the device sync happens,
the device should install the
app from Intune.
0x87d13b68 -2016330904 User declined app management Ask the user to accept app
management.
0x87D13B9D -2016330851 The latest version of the app This error message is
failed to update from an earlier displayed if the app is installed
version. and managed but with the
incorrect version on the
device. This situation includes
when a device has received a
command to update an app
but the new version has not
yet been installed and
reported back. This error will
be reported for the first check-
in of a device after the
upgrade has been deployed,
and will occur until the device
reports that the new version is
installed, or fails due to a
different error.
Error code Error code Error message/code Description/Troubleshooting
(Hex) (Dec) tips
0x87D13B6F -2016330897 Your connection to Intune timed App Manifest validation failure
out. due to network
connectivity(timeout)
0x87D13B70 -2016330896 You lost connection to the App Manifest validation failure
Internet. due to network
connectivity(Cannot Find Host)
0x87D13B72 -2016330894 You lost connection to the App Manifest validation failure
Internet. due to network
connectivity(Connection Lost)
0x87D13B73 -2016330893 You lost connection to the App Manifest validation failure
Internet. due to network
connectivity(Not Connected to
internet)
0x87D13B77 -2016330889 The secure connection failed. App Manifest validation failure
due to network
connectivity(Secure
Connection Failed)
0x87D13B9F -2016330849 The VPP App has an update This code is returned when a
available VPP app is installed but there
is a newer version available.
0x87D13B9E 2016330850 Can't enforce app uninstall The app is already installed on
setting. Retry installing the app. the device but the "uninstall
on retire" setting does not
match the configured value.
Advise the user to request the
app-install from Company
Portal to attempt applying the
"uninstall on retire" setting
again.
| Error code (Hex) | Error code (Dec) | Error message/code | Description |
|---|---|---|---|
| 0x80073CFF | -2147009281 | (client error) | To install this app, you must have a sideloading-enabled system. Make sure that the app package is signed with a trusted signature and installed on a domain-joined device that has the AllowAllTrustedApps policy enabled, or a device that has a Windows Sideloading license with the AllowAllTrustedApps policy enabled. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps. |
| 0x80CF201C | -2133909476 | (client error) | To install this app, you must have a sideloading-enabled system. Make sure that the app package is signed with a trusted signature and installed on a domain-joined device that has the AllowAllTrustedApps policy enabled, or a device that has a Windows Sideloading license with the AllowAllTrustedApps policy enabled. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps. |
| 0x80073CF0 | -2147009296 | The package is unsigned. The publisher name does not match the signing certificate subject. Check the AppxPackagingOM event log for information. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps. | The package could not be opened. |
| 0x80073CFB | -2147009285 | The provided package is already installed, and reinstallation of the package is blocked. You could receive this error if you are installing a package that is not identical to the package that is already installed. Confirm the digital signature is also part of the package. When a package is rebuilt or re-signed, that package is no longer bitwise identical to the previously installed package. | Two possible options to fix this error are as follows: (1) Increment the version number of the app, then rebuild and re-sign the package. (2) Remove the old package for every user on the system before you install the new package. For more information, see Troubleshooting packaging, deployment, and query of Windows Store apps. |
This article provides solutions to common user issues and error messages related to Intune app protection policies. It provides an explanation and solution, when available, for user issues in the following categories:

- Common usage scenarios: A user might experience these scenarios on apps that have an Intune app protection policy. They are not actual issues, but may be perceived as bugs or errors.
- Common usage dialogs: Usage dialogs a user might see in apps that have an Intune app protection policy. These messages and dialogs do not indicate an error or bug.
- Error messages and dialogs on iOS, Error messages and dialogs on Android: Error messages and dialogs a user might see on apps that have an Intune app protection policy. They often indicate an error was made by the IT administrator or a bug with the app protection policy.
| Platform | Scenario | Explanation |
|---|---|---|
| iOS | The user can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to Managed apps only or No apps. Will this leak data? | Intune app protection policy can't control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before sharing it outside the app. You can validate it by attempting to open the "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app. |
| iOS | The user is prompted to install the Microsoft Authenticator app. | It is needed when App Based Conditional Access is applied, see Require approved client app. |
| iOS/Android | App protection policy not applied on draft email in the Outlook app | Since Outlook supports both corporate and personal context, it does not enforce MAM on draft email. |
| iOS/Android | App protection policy not applied on new documents in WXP (Word, Excel, PowerPoint) | Since WXP supports both corporate and personal context, it does not enforce MAM on new documents until they are saved in an identified corporate location like OneDrive. |
| iOS/Android | Apps not allowing Save As to Local Storage when policy is enabled | The app behavior for this setting is controlled by the app developer. |
| Android | Android has more restrictions than iOS/iPadOS on what "native" apps can access MAM protected content | Android is an open platform and the native app association can be changed by the end user to potentially unsafe apps. Apply Data transfer policy exceptions to exempt specific apps. |
| Android | Azure Information Protection (AIP) can Save as PDF when Save As is prevented | AIP honors the MAM policy for 'Disable printing' when Save as PDF is used. |
| iOS | Opening PDF attachments in Outlook app fails with Action Not Allowed | This issue can occur if the user has not authenticated to Acrobat Reader for Intune, or has used thumbprint to authenticate to their organization. Open Acrobat Reader beforehand and authenticate using UPN credentials. |
| Platform | Dialog | Explanation |
|---|---|---|
| iOS, Android | Sign-in: To protect its data, your organization needs to manage this app. To complete this action, sign in with your work or school account. | The end user must sign in with their work or school account in order to use this app, which requires an app protection policy. In order for the policy to apply, the user must authenticate against Azure Active Directory. |
| iOS, Android | Restart Required: Your organization is now protecting its data in this app. You need to restart the app to continue. | The app has just received an Intune app protection policy and must restart in order for the policy to apply. |
| iOS, Android | Action Not Allowed: Your organization only allows you to open work or school data in this app. | The IT administrator has set the Allow app to receive data from other apps setting to Managed apps only. Therefore, the end user can only transfer data into this app from other apps that have an app protection policy. |
| iOS, Android | Action Not Allowed: Your organization only allows you to transfer its data to other managed apps. | The IT administrator has set the Allow app to transfer data to other apps setting to Managed apps only. Therefore, the end user can only transfer data out of this app to other apps that have an app protection policy. |
| iOS, Android | Wipe Alert: Your organization has removed its data associated with this app. To continue, restart the app. | The IT administrator has initiated an app wipe using Intune app protection. |
| Error message or dialog | Cause | Remediation |
|---|---|---|
| App Not Set Up: This app has not been set up for you to use. Contact your IT administrator for help. | Failure to detect a required app protection policy for the app. | Make sure an iOS app protection policy is deployed to the user's security group and targets this app. |
| Welcome to the Intune Managed Browser: This app works best when managed by Microsoft Intune. You can always use this app to browse the web, and when it is managed by Microsoft Intune you gain access to additional data protection features. | Failure to detect a required app protection policy for the Intune Managed Browser app. The user can still use the app to browse the web, but the app is not managed by Intune. | Make sure an iOS app protection policy is deployed to the user's security group and targets the Intune Managed Browser app. |
| Sign-in Failed: We can't sign you in right now. Please try again later. | Failure to enroll the user with the MAM service after the user attempts to sign in with their work or school account. | Make sure an iOS app protection policy is deployed to the user's security group and targets this app. |
| Account Not Set Up: Your organization has not set up your account to access work or school data. Contact your IT administrator for help. | The user account does not have an Intune A Direct license. | Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center. |
| Device Non-Compliant: This app cannot be used because you are using a jailbroken device. Contact your IT administrator for help. | Intune detected the user is on a jailbroken device. | Reset the device to default factory settings. Follow these instructions from the Apple support site. |
| Internet Connection Required: You must be connected to the Internet to verify that you can use this app. | The device is not connected to the Internet. | Connect the device to a WiFi or data network. |
| Unknown Failure: Try restarting this app. If the problem persists, contact your IT administrator for help. | An unknown failure occurred. | Wait a while and try again. If the error persists, create a support ticket with Intune. |
| Accessing Your Organization's Data: The work or school account you specified does not have access to this app. You may have to sign in with a different account. Contact your IT administrator for help. | Intune detects the user attempted to sign in with a second work or school account that is different from the MAM-enrolled account for the device. Only one work or school account can be managed by MAM at a time per device. | Have the user sign in with the account whose username is pre-populated by the sign-in screen. You may need to configure the user UPN setting for Intune. |
| Alert: This app can no longer be used. Contact your IT administrator | Failure to validate the app's certificate. | Make sure the app version is up to date. |
| Error: This app has encountered a problem and must close. If this error persists, please contact your IT administrator. | Failure to read the MAM app PIN from the Apple iOS Keychain. | Restart the device. Make sure the app version is up to date. Reinstall the app. |
| Dialog/Error message | Cause | Remediation |
|---|---|---|
| App not set up: This app has not been set up for you to use. Contact your IT administrator for help. | Failure to detect a required app protection policy for the app. | Make sure an Android app protection policy is deployed to the user's security group and targets this app. |
| Failed app launch: There was an issue launching your app. | Intune detected valid app protection policy for the | Make sure the app version is up to date. |
| No apps found: There are no apps on this device that your organization allows to open this content. Contact your IT administrator for help. | The user tried to open work or school data with another app, but Intune cannot find any other managed apps that are allowed to open the data. | Make sure an Android app protection policy is deployed to the user's security group and targets at least one other MAM-enabled app that can open the data in question. |
| Sign-in failed: Try to sign in again. If this problem persists, contact your IT administrator for help. | Failure to authenticate the account with which the user attempted to sign in. | Make sure the user signs in with the work or school account that is already enrolled with the Intune MAM service (the first work or school account that was successfully signed into in this app). |
| Internet connection required: You must be connected to the Internet to verify that you can use this app. | The device is not connected to the Internet. | Connect the device to a WiFi or data network. |
| Device noncompliant: This app can't be used because you are using a rooted device. Contact your IT administrator for help. | Intune detected the user is on a rooted device. | Reset the device to default factory settings. |
| Account not set up: This app must be managed by Microsoft Intune, but your account has not been set up. Contact your IT administrator for help. | The user account does not have an Intune A Direct license. | Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center. |
| Unable to register the app: | Failure to automatically | Clear the app's data. |
Learn about the settings you can review in the app protection logs. Access logs by enabling Intune Diagnostics on a mobile client.

- iOS/iPadOS devices - Use Microsoft Edge for iOS/iPadOS to collect logs. For details, see Use Edge for iOS and Android to access managed app logs.
- Windows 10/11 devices - Use MDMDiag and event logs. See Diagnose MDM failures in Windows 10 in the Windows client management content, and the blog Troubleshooting Windows 10 Intune Policy Failures.
- Android devices - Use Microsoft Edge for Android to collect logs. For details, see Use Edge for iOS and Android to access managed app logs.

Note
On Android Fully Managed devices, in certain instances the Intune Company Portal app may be visible under all apps. This may happen when an app associated with an app protection policy is either not installed or not launched.

The following tables list the app protection policy setting name and supported values that are recorded in the log. In addition, each setting identifies the policy setting found within the Microsoft Intune admin center. For detailed information on each setting, see iOS/iPadOS app protection policy settings and Android app protection policy settings in Microsoft Intune.
app
3 = Any dialer app
SharePoint
35 = Local Storage, OneDrive & SharePoint
36 = Local Storage & Box
37 = Local Storage, OneDrive & Box
38 = Local Storage, SharePoint & Box
39 = Local Storage, OneDrive, SharePoint & Box
128 = Photo Library
129 = Photo Library & OneDrive
130 = Photo Library & SharePoint
131 = Photo Library, OneDrive & SharePoint
132 = Photo Library & Box
133 = Photo Library, OneDrive & Box
134 = Photo Library, SharePoint & Box
135 = Photo Library, OneDrive, SharePoint & Box
160 = Photo Library & Local Storage
161 = Photo Library, Local Storage & OneDrive
162 = Photo Library, Local Storage & SharePoint
163 = Photo Library, Local Storage, OneDrive & SharePoint
164 = Photo Library, Local Storage & Box
165 = Photo Library, Local Storage, OneDrive & Box
166 = Photo Library, Local Storage, SharePoint & Box
167 = Photo Library, Local Storage, OneDrive, SharePoint & Box
Name | Value details | Setting in Microsoft Intune App Protection Policy
11 = Local Storage, OneDrive & SharePoint
12 = Local Storage & Camera
13 = Local Storage, OneDrive & Camera
14 = Local Storage, SharePoint & Camera
15 = Local Storage, OneDrive, SharePoint & Camera
16 = Photo Library
17 = Photo Library & OneDrive
18 = Photo Library & SharePoint
19 = Photo Library, OneDrive & SharePoint
20 = Photo Library & Camera
21 = Photo Library, OneDrive & Camera
22 = Photo Library, SharePoint & Camera
23 = Photo Library, OneDrive, SharePoint & Camera
24 = Photo Library & Local Storage
25 = Photo Library, Local Storage & OneDrive
26 = Photo Library, Local Storage & SharePoint
27 = Photo Library, Local Storage, OneDrive & SharePoint
28 = Photo Library, Local Storage & Camera
29 = Photo Library, Local Storage, OneDrive & Camera
30 = Photo Library, Local Storage, SharePoint & Camera
31 = Photo Library, Local Storage, OneDrive, SharePoint & Camera
Name | Value details | Setting in Microsoft Intune App Protection Policy
manufacturers with action Allow specified (Wipe non-specified)
paste between other apps
Setting: Save copies of org data
Setting: Select number of previous PIN values to maintain
Unmanaged Browser name
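The numeric codes in the two value lists above are bit flags (for example 35 = 32 + 2 + 1 = Local Storage, SharePoint and OneDrive), so a value that is not spelled out in the tables can still be decoded from a log. The decoder below is an added example, not Microsoft's code; the bit values are inferred from the entries on this page (the two lists use different layouts) and the block checks that inference against a constructed subset of those entries.

```python
"""Decode the save-location codes recorded in Intune app protection (APP) logs.

Added example. Assumption: the codes are bit flags, with the bit values below
inferred from the value lists on the page; they are not documented as such here.
"""
from typing import Dict, List

# First value list on the page (35 .. 167): 1 OneDrive, 2 SharePoint, 4 Box,
# 32 Local Storage, 128 Photo Library.
LOCATION_FLAGS_A: Dict[int, str] = {
    1: "OneDrive",
    2: "SharePoint",
    4: "Box",
    32: "Local Storage",
    128: "Photo Library",
}

# Second value list on the page (11 .. 31): 1 OneDrive, 2 SharePoint, 4 Camera,
# 8 Local Storage, 16 Photo Library.
LOCATION_FLAGS_B: Dict[int, str] = {
    1: "OneDrive",
    2: "SharePoint",
    4: "Camera",
    8: "Local Storage",
    16: "Photo Library",
}

# Order in which the page lists the names inside one entry.
DISPLAY_ORDER = ["Photo Library", "Local Storage", "OneDrive", "SharePoint", "Box", "Camera"]


def decode_locations(value: int, flags: Dict[int, str]) -> List[str]:
    """Split a logged code into location names in the page's display order.

    Raises ValueError when a bit is set that the flag map does not know, so an
    unexpected code is surfaced instead of being silently partially decoded.
    """
    known_bits = 0
    for bit in flags:
        known_bits |= bit
    if value < 0 or value & ~known_bits:
        raise ValueError(f"code {value} uses bits outside the known flags {sorted(flags)}")
    names = [name for bit, name in flags.items() if value & bit]
    return sorted(names, key=DISPLAY_ORDER.index)


def format_like_page(value: int, flags: Dict[int, str]) -> str:
    """Render a code the way the page's value list does: 'A, B & C'."""
    names = decode_locations(value, flags)
    if not names:
        return "None"
    if len(names) == 1:
        return names[0]
    return ", ".join(names[:-1]) + " & " + names[-1]


# Constructed subset of the page's entries, used to check the inferred bit layout.
PAGE_ENTRIES_A: Dict[int, str] = {
    35: "Local Storage, OneDrive & SharePoint",
    36: "Local Storage & Box",
    39: "Local Storage, OneDrive, SharePoint & Box",
    128: "Photo Library",
    129: "Photo Library & OneDrive",
    135: "Photo Library, OneDrive, SharePoint & Box",
    161: "Photo Library, Local Storage & OneDrive",
    167: "Photo Library, Local Storage, OneDrive, SharePoint & Box",
}
PAGE_ENTRIES_B: Dict[int, str] = {
    11: "Local Storage, OneDrive & SharePoint",
    12: "Local Storage & Camera",
    15: "Local Storage, OneDrive, SharePoint & Camera",
    16: "Photo Library",
    24: "Photo Library & Local Storage",
    31: "Photo Library, Local Storage, OneDrive, SharePoint & Camera",
}


def mismatches(entries: Dict[int, str], flags: Dict[int, str]) -> Dict[int, str]:
    """Return {code: decoded text} for every entry the flag map fails to reproduce."""
    bad: Dict[int, str] = {}
    for code, page_text in entries.items():
        rendered = format_like_page(code, flags)
        if rendered != page_text:
            bad[code] = rendered
    return bad


if __name__ == "__main__":
    print("list A mismatches:", mismatches(PAGE_ENTRIES_A, LOCATION_FLAGS_A))
    print("list B mismatches:", mismatches(PAGE_ENTRIES_B, LOCATION_FLAGS_B))
    # A value that is not spelled out on the page still decodes.
    print(34, "=", format_like_page(34, LOCATION_FLAGS_A))
```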
Next steps
To learn more about app protection policies, see What are app protection policies?
Intune offers a number of tools to help you troubleshoot issues in your environment. For more
information, see Use the troubleshooting portal to help users.
Troubleshooting app protection policy deployment in Intune
Article • 05/27/2023
This article helps IT Admins understand and troubleshoot problems when you apply app
protection policies (APP) in Microsoft Intune. Follow the instructions in the sections that
apply to your situation. Browse the guide for additional APP-related troubleshooting
guidance, such as Troubleshooting app protection policy user issues and Troubleshoot
data transfer between apps.
1. Verify you have met the prerequisites for deploying app protection policies.
2. Check app protection policy status and check targeting.
3. Verify that the user is targeted.
4. Verify that the managed app is targeted.
5. Verify that the user signed in to the affected application using their targeted corporate account.
6. Collect device data.
The user must belong to a security group that is targeted by an app protection
policy. The same app protection policy must target the specific app that's used.
For Android devices, the Company Portal app is required to receive app protection
policies.
Note
The Office mobile apps currently support only SharePoint Online and not SharePoint on-premises.
If you use Intune app protection policies together with on-premises resources
(Microsoft Skype for Business and Microsoft Exchange Server), you must enable
Hybrid Modern Authentication for Skype for Business and Exchange.
Note
App protection policies are applied only when apps are used in the work context, for example, when the user is accessing apps by using a work account.
For more information, see How to validate your app protection policy setup in Microsoft
Intune.
To verify that the policy is applied to the targeted user, follow these steps:
1. Sign in to the Microsoft Intune admin center.
2. Select Apps > Monitor > App protection status, and then select the User status tile (based on device OS platform). On the App reporting pane that opens, select Select user to search for a user.
3. Select the user from the list. You can see the details for that user. Note it can take up to 24 hours for a newly targeted user to show up in reports.
When you assign the policy to a user group, make sure that the user is in the user
group. To do this, follow these steps:
Important
The Intune app protection policy must be assigned to user groups and not device groups.
If the affected device uses Android Enterprise, only personally-owned work
profiles will support app protection policies.
If the affected device uses Apple's Automated Device Enrollment (ADE), make
sure that User Affinity is enabled. User Affinity is required for any app that
requires user authentication under ADE. For more information on iOS/iPadOS
ADE enrollment, see Automatically enroll iOS/iPadOS devices.
Make sure that the targeted app is listed in Microsoft Intune protected apps. For LOB or
custom apps, verify that the apps use the latest version of Intune App SDK.
For iOS, this practice is important because each version contains fixes that affect how
these policies are applied and how they function. For more information, see Intune App
SDK iOS releases . Android users should have the latest version of the Company Portal
app installed because the app works as the policy broker agent.
In most scenarios, users sign in to their accounts with their user principal name (UPN).
However, in some environments (such as on-premises scenarios), users might use some
other form of sign-in credentials. In these cases, you might find that the UPN that's used
in the app doesn't match the UPN object in Azure AD. When this issue occurs, app
protection policies aren't applied as expected.
Microsoft's recommended best practices are to match the UPN to the primary SMTP
address. This practice enables users to log in to managed apps, Intune app protection,
and other Azure AD resources by having a consistent identity. For more information, see
Azure AD UserPrincipalName population.
The only way to guarantee this consistency is through modern authentication. There are
scenarios in which apps may work in an on-premises configuration without modern
authentication. However, the outcomes are not consistent or guaranteed.
Users with Microsoft Edge installed on their iOS or Android device can view the
management status of all Microsoft published apps. They can use the following steps to
send logs to help with troubleshooting.
From this screen, you will be presented with two options and data about the device.
Select View Intune App Status to see a list of apps. If you select a specific app, it will
show the APP settings associated with that app that are currently active on the device.
If the information displayed for a specific app is limited to the app version and bundle
with the policy check-in timestamp, it means no policy is currently applied to that app
on the device.
The Get Started option allows you to collect logs about the APP enabled applications. If
you open a support ticket with Microsoft for app protection policies, you should always
provide these logs from an affected device if possible. For Android-specific instructions,
see Upload and email logs.
For a list of the settings stored in the Intune Diagnostics (APP) logs, see Review client
app protection logs.
Intune app protection policy relies on user identity. Therefore, a valid login to the app with a work or school account and a consistent connection to the service are required. If the user hasn't signed in to the app, or the Company Portal app has been removed from the device, policy updates won't apply.
Important
The Intune App SDK checks every 30 minutes for selective wipe. However, changes to existing policy for users who are already signed in may not appear for up to 8 hours. To speed up this process, have the user log out of the app and then log back in, or restart their device.
Intune app protection policies include multi-identity support. Intune can apply app
protection policies to only the work or school account that's signed in to the app.
However, only one work or school account per device is supported.
Note
To specify the app types, set Target to all app types to No, and then select from the App types list.
If you are targeting only iOS Intune-managed devices, the following additional app configuration settings are required to be targeted alongside your app protection policy:

- IntuneMAMUPN must be configured for all MDM (Intune or a third-party EMM)-managed applications. For more information, see Configure user UPN setting for Microsoft Intune or third-party EMM.
- IntuneMAMDeviceID must be configured for all third-party and LOB MDM-managed applications.
- IntuneMAMDeviceID must be configured as the device ID token. For example, key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see Add app configuration policies for managed iOS devices.
- If only the IntuneMAMDeviceID value is configured, Intune APP will consider the device as unmanaged.
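A quick way to catch the misconfigurations listed above before a policy is assigned is to check the app configuration settings against those rules. The checker below is an added example, not Microsoft's code; it assumes each setting is a dict with appConfigKey and appConfigKeyValue (mirroring the shape of an exported app configuration policy) and that the UPN token is {{userprincipalname}}, which this article does not state.

```python
"""Check the IntuneMAMUPN / IntuneMAMDeviceID pairing in an iOS managed-device
app configuration policy before assigning it.

Added example. Assumptions: settings are dicts with "appConfigKey" and
"appConfigKeyValue" (the shape of an exported policy's settings), and the UPN
token is {{userprincipalname}}; {{deviceID}} is the token named in the article.
"""
from typing import Dict, List

UPN_KEY = "IntuneMAMUPN"
DEVICE_ID_KEY = "IntuneMAMDeviceID"
UPN_TOKEN = "{{userprincipalname}}"   # assumption, not stated on this page
DEVICE_ID_TOKEN = "{{deviceID}}"      # from the article


def check_mam_identity_config(settings: List[Dict[str, str]], *, third_party_or_lob: bool) -> List[str]:
    """Return findings for the policy; an empty list means it matches the rules.

    third_party_or_lob is True when the app is managed by a third-party MDM/EMM or
    is a LOB app, the cases where IntuneMAMDeviceID is required as well.
    """
    findings: List[str] = []
    by_key: Dict[str, Dict[str, str]] = {}
    for setting in settings:
        key = setting.get("appConfigKey", "")
        if key in by_key:
            findings.append(f"{key} is configured more than once; keep a single entry")
        by_key[key] = setting

    upn = by_key.get(UPN_KEY)
    dev = by_key.get(DEVICE_ID_KEY)

    # Rule: IntuneMAMUPN is required for every MDM-managed app, and a policy that
    # carries only IntuneMAMDeviceID makes Intune APP treat the device as unmanaged.
    if upn is None:
        if dev is not None:
            findings.append(f"only {DEVICE_ID_KEY} is configured: Intune APP will consider the device unmanaged; add {UPN_KEY}")
        else:
            findings.append(f"{UPN_KEY} is missing: it is required for all MDM-managed applications")
    elif upn.get("appConfigKeyValue") != UPN_TOKEN:
        findings.append(f"{UPN_KEY} should be the UPN token {UPN_TOKEN}, found {upn.get('appConfigKeyValue')!r}")

    # Rule: IntuneMAMDeviceID is required for third-party and LOB MDM-managed apps
    # and must be the device ID token, not a literal value.
    if dev is None:
        if third_party_or_lob:
            findings.append(f"{DEVICE_ID_KEY} is missing: it is required for third-party and LOB MDM-managed applications")
    elif dev.get("appConfigKeyValue") != DEVICE_ID_TOKEN:
        findings.append(f"{DEVICE_ID_KEY} must be the device ID token {DEVICE_ID_TOKEN}, found {dev.get('appConfigKeyValue')!r}")

    return findings


# Constructed sample policies for illustration.
GOOD_POLICY = [
    {"appConfigKey": UPN_KEY, "appConfigKeyValue": UPN_TOKEN},
    {"appConfigKey": DEVICE_ID_KEY, "appConfigKeyValue": DEVICE_ID_TOKEN},
]
DEVICE_ID_ONLY = [
    {"appConfigKey": DEVICE_ID_KEY, "appConfigKeyValue": DEVICE_ID_TOKEN},
]
UPN_ONLY = [
    {"appConfigKey": UPN_KEY, "appConfigKeyValue": UPN_TOKEN},
]
LITERAL_VALUES = [
    {"appConfigKey": UPN_KEY, "appConfigKeyValue": "user@contoso.example"},   # constructed literal
    {"appConfigKey": DEVICE_ID_KEY, "appConfigKeyValue": "not-a-token"},      # constructed literal
]

if __name__ == "__main__":
    for name, policy in [("good", GOOD_POLICY), ("device id only", DEVICE_ID_ONLY),
                         ("upn only (LOB)", UPN_ONLY), ("literal values", LITERAL_VALUES)]:
        print(name, "->", check_mam_identity_config(policy, third_party_or_lob=True) or "OK")
```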
Next steps
Troubleshooting app protection policy user issues
Frequently asked questions about MAM and app protection
Validate your app protection policy setup in Microsoft Intune
Microsoft Intune can help you keep your managed devices secure and up to date while
helping you to protect your organization’s data from compromised devices. Data
protection includes controlling what users do with an organization’s data on both
managed and unmanaged devices. Data protection also extends to blocking access to
data from devices that might be compromised.
This article highlights many of Intune’s built-in capabilities and partner technologies you
can integrate with Intune. As you learn more about them, you can bring several together
for more comprehensive solutions on your journey towards a zero-trust environment.
From the Microsoft Intune admin center, Intune supports managed devices that run
Android, iOS/iPad, macOS, and Windows 10.
When you use Configuration Manager to manage on-premises devices, you can extend
Intune policies to those devices by configuring tenant attach or co-management.
Intune can also work with information from devices that you manage with third-party
products that provide device compliance and mobile threat protection.
With device configuration policies, manage profiles that define the settings and
features that devices use in your organization. Configure devices for endpoint
protection, provision certificates for authentication, set software update behaviors,
and more.
With device compliance policies, you create profiles for different device platforms
that establish device requirements. Requirements can include operating system
versions, the use of disk encryption, or being at or under specific threat levels as
defined by threat management software.
Intune can safeguard devices that aren't compliant with your policies and alert the
device user so they can bring the device into compliance.
When you add Conditional Access to the mix, configure policies that allow only
compliant devices to access your network and organization’s resources. Access
restrictions can include file shares and company email. Conditional Access policies
also work with the device state data reported by third-party device compliance
partners you integrate with Intune.
Following are a few of the security settings and tasks you can manage through device
policy:
Virtual private networks (VPNs) – With VPN profiles, assign VPN settings to devices so they can easily connect to your organization’s network. Intune supports several VPN connection types and apps, including built-in capabilities on some platforms and both first- and third-party VPN apps for devices.
Software updates – Manage how and when devices get software updates.
For iOS, manage device operating system versions, and when devices check for
and install updates.
For Windows 10, you can manage the Windows Update experience for devices.
You can configure when devices scan or install updates, hold a set of your
managed devices at specific feature versions, and more.
Intune-managed apps (or managed apps for short), are apps that have been
integrated with the Intune App SDK or wrapped by the Intune App Wrapping Tool.
These apps can be managed using Intune app protection policies. To view a list of
publicly available managed apps, see Intune protected apps.
Users can use managed apps to work with both your organization’s data, and their
own personal data. However, when app protection policies require the use of a
managed app, the managed app is the only app that can be used to access your
organization’s data. App protection rules don’t apply to a user’s personal data.
App protection policies are rules that ensure an organization's data remains safe
or contained in a managed app. The rules identify the managed app that must be
used and define what can be done with the data while the app is in use.
The following are examples of protections and restrictions you can set with app
protection policies and managed apps:
Device actions aren't policy and take effect a single time when invoked. They apply either immediately if the device is accessible online, or when the device next boots up or checks in with Intune. Consider these actions as supplemental to the use of policies that configure and maintain security configurations for a population of devices.
Following are examples of actions you can run that help secure devices and data:
Devices managed by Intune:
Retire
Wipe
Sync (force a device to immediately check in with Intune to find new policies or
pending actions)
Partner Technologies
Intune can use data from integrated compliance partners and mobile threat defense
partners:
Compliance partners – Learn about device compliance partners with Intune. When you manage a device with a mobile device management partner other than Intune, you can integrate that compliance data with Azure Active Directory. When integrated, the partner data can be used by Conditional Access policies alongside compliance data from Intune.
Mobile Threat defense – Mobile threat defense apps can scan devices for threats
and help you identify the risk of allowing the device to access your organization’s
resources and data. You can then use that risk level in various policies, like
Conditional Access policies, to help gate access to those resources.
Configuration Manager
You can use many Intune policies and device actions to protect the devices you manage
with Configuration Manager. To support those devices, configure co-management or
tenant attach. You can also use both together with Intune.
Use threat-level data with policies for device compliance, app protection, and
Conditional Access. These policies use the data to help block non-compliant devices
from accessing your organization’s resources.
For devices that don't enroll with Intune but run an MTD app that's integrated with
Intune, use their threat level data with your app protection policies to help block
access to your organization’s data.
Security tasks – With security tasks, Intune admins can take advantage of
Microsoft Defender for Endpoint's threat and vulnerability management
capabilities. How it works:
Your Defender for Endpoint team identifies at-risk devices and creates the
security tasks for Intune in the Defender for Endpoint security center.
Those tasks show up in Intune with mitigation advice that Intune admins can
use to mitigate the risk.
When a task is resolved in Intune, that status passes back to the Defender for
Endpoint security center where the results of the mitigation can be evaluated.
Antivirus policy - Manage the settings for Microsoft Defender Antivirus and the
Windows Security experience on supported devices, like Windows 10 and
macOS.
Endpoint detection and response policy – Use this policy to configure endpoint
detection and response (EDR), which is a capability of Microsoft Defender for
Endpoint.
Conditional Access
Conditional Access is an Azure Active Directory (Azure AD) capability that works with
Intune to help protect devices. For devices that register with Azure AD, Conditional
Access policies can use device and compliance details from Intune to enforce access
decisions for users and devices.
App protection policies can add a security layer that ensures only client apps that
support Intune app protection policies can access your online resources, like
Exchange or other Microsoft 365 services.
Conditional Access also works with the following to help you keep devices secure:
Next steps
Plan to use Intune's capabilities to support your journey towards a zero-trust
environment by protecting your data and securing devices. Beyond the previous in-line
links to learn more about those capabilities, learn about data security and sharing in
Intune.
Use compliance policies to set rules for
devices you manage with Intune
Article • 06/23/2023
Mobile device management (MDM) solutions like Intune can help protect organizational
data by requiring users and devices to meet some requirements. In Intune, this feature is
called compliance policies.
Define the rules and settings that users and devices must meet to be compliant.
Include actions that apply to devices that are noncompliant. Actions for
noncompliance can alert users to the conditions of noncompliance and safeguard
data on noncompliant devices.
Can be combined with Conditional Access, which can then block users and devices
that don't meet the rules.
Can override the configuration of settings that you also manage through device
configuration policies. To learn more about conflict resolution for policies, see
Compliance and device configuration policies that conflict.
Like other Intune policies, compliance policy evaluations for a device depend on when
the device checks in with Intune, and policy and profile refresh cycles.
This setting determines how Intune treats devices that haven't been assigned a
device compliance policy. This setting has two values:
Compliant (default): This security feature is off. Devices that aren’t sent a device
compliance policy are considered compliant.
Not compliant: This security feature is on. Devices that haven’t received a
device compliance policy are considered noncompliant.
If you use Conditional Access with your device compliance policies, change this
setting to Not compliant to ensure that only devices that are confirmed as
compliant can access your resources.
If an end user isn't compliant because a policy isn't assigned to them, then the
Company Portal app shows No compliance policies have been assigned.
Specify a period in which devices must successfully report on all their received
compliance policies. If a device fails to report its compliance status for a policy
before the validity period expires, the device is treated as noncompliant.
By default, the period is set to 30 days. You can configure a period from 1 to 120
days.
You can view details about a device's compliance to the validity period setting. Sign
in to Microsoft Intune admin center and go to Devices > Monitor > Setting
compliance. This setting has a name of Is active in the Setting column. For more
information about this and related compliance status views, see Monitor device
compliance.
Define the rules and settings that users and managed devices must meet to be
compliant. Examples of rules include requiring devices run a minimum OS version,
not being jailbroken or rooted, and being at or under a threat level as specified by
threat management software you’ve integrated with Intune.
Support actions that apply to devices that don’t meet your compliance rules.
Examples of actions include being remotely locked, or sending a device user email
about the device status so they can fix it.
Deploy to users in user groups or devices in device groups. When a compliance
policy is deployed to a user, all the user's devices are checked for compliance.
Using device groups in this scenario helps with compliance reporting.
If you use Conditional Access, your Conditional Access policies can use your device
compliance results to block access to resources from noncompliant devices.
The available settings you can specify in a device compliance policy depend on the
platform type you select when you create a policy. Different device platforms support
different settings, and each platform type requires a separate policy.
The following subjects link to dedicated articles for different aspects of device
configuration policy.
Actions for noncompliance - Each device compliance policy includes one or more
actions for noncompliance. These actions are rules that get applied to devices that
don’t meet the conditions you set in the policy.
By default, each device compliance policy includes the action to mark a device as
noncompliant if it fails to meet a policy rule. The policy then applies to the device
any additional actions for noncompliance that you’ve configured, based on the
schedules you set for those actions.
Actions for noncompliance can help alert users when their device isn’t compliant,
or safeguard data that might be on a device. Examples of actions include:
Sending email alerts to users and groups with details about the noncompliant
device. You might configure the policy to send an email immediately upon
being marked as noncompliant, and then again, periodically, until the device
becomes compliant.
Remotely lock devices that have been noncompliant for some time.
Retire devices after they’ve been noncompliant for some time. This action
marks a qualifying device as ready to be retired. An admin can then view a list of
devices marked for retirement and must take an explicit action to retire one or
more devices. Retiring a device removes the device from Intune management
and removes all company data from the device. For more information about this
action, see Available actions for noncompliance.
Create a policy – With the information in this article, you can review prerequisites,
work through the options to configure rules, specify actions for noncompliance,
and assign the policy to groups. This article also includes information about policy
refresh times.
View the device compliance settings for the different device platforms:
Android device administrator
Android Enterprise
Android Open Source Project (AOSP)
iOS
Linux
macOS
Windows Holographic for Business
Windows 8.1 and later
Important
On October 22, 2022, Microsoft Intune ended support for devices running
Windows 8.1. Technical assistance and automatic updates on these devices
aren't available.
Windows 10/11
Custom compliance settings – With custom compliance settings you can expand
on Intune’s built-in device compliance options. Custom settings provide flexibility
to base compliance on the settings that are available on a device without having to
wait for Intune to add those settings.
You can use custom compliance settings with the following platforms:
Linux – Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
Windows 10/11
When a device enrolls in Intune it registers in Azure AD. The compliance status for
devices is reported to Azure AD. If your Conditional Access policies have Access controls
set to Require device to be marked as compliant, Conditional access uses that compliance
status to determine whether to grant or block access to email and other organization
resources.
If you’ll use device compliance status with Conditional Access policies, review how your
tenant has configured Mark devices with no compliance policy assigned as, which you
manage under Compliance policy settings.
For more information about using Conditional Access with your device compliance
policies, see Device-based Conditional Access.
Remediated: The device operating system enforces compliance. For example, the
user is forced to set a PIN.
- Linux: Quarantined
Jailbroken or rooted device - Android 4.0 and later: Quarantined (not a setting)
- Linux: Quarantined
Note
The Company Portal app enters the enrollment remediation flow when the user
signs into the app and the device has not successfully checked in with Intune for 30
days or more (or the device is non-compliant due to a Lost contact compliance
reason). In this flow, we attempt to initiate a check-in one more time. If that still
does not succeed, we issue a retire command to allow the user to re-enroll the
device manually.
Next steps
Create and deploy policy and review prerequisites
Monitor device compliance
Common questions, issues, and resolutions with device policies and profiles in
Microsoft Intune
Reference for policy entities has information about the Intune Data Warehouse
policy entities
Create a compliance policy in Microsoft
Intune
Article • 03/09/2023
Device compliance policies are a key feature when using Intune to protect your
organization's resources. In Intune, you can create rules and settings that devices must
meet to be considered compliant, such as a minimum OS version. If the device isn't
compliant, you can then block access to data and resources using Conditional Access.
You can also take actions for non-compliance, such as sending a notification email to
the user. For an overview of what compliance policies do, and how they're used, see get
started with device compliance.
This article:
In addition to compliance settings that are built in to Intune, the following platforms
support adding custom compliance settings to compliance policies:
Before you can add custom settings, you must prepare a custom JSON file that defines
the settings you want to base your custom compliance on, and a script that runs on
devices to detect the settings defined in the JSON.
For more information about using custom compliance settings, including supported
platforms, prerequisites, and how to configure the Custom Compliance category while
creating a policy, see Use custom compliance settings.
2. Select Devices > Compliance policies > Policies > Create Policy.
Fully Managed
Dedicated
Corporate-Owned Work Profile
Personally Owned Work Profile
5. On the Compliance settings tab, expand the available categories, and configure
settings for your policy. The following articles describe the available compliance
settings for each platform:
Tip
This is an optional step that’s supported only for the following platforms:
For Windows:
a. On the Compliance settings page, expand Custom Compliance and set Custom
compliance to Require.
b. For Select your discovery script, select Click to select, and then specify a script
that’s been previously added to the Microsoft Intune admin center. This script
must have been uploaded before you begin to create the policy.
c. For Upload and validate the JSON file with your custom compliance settings,
select the folder icon and then locate and add the JSON file for Windows that
you want to use with this policy. For assistance with the JSON, see Create a
JSON for custom compliance settings.
For Linux:
a. On the Compliance settings page, select Add settings to open the Settings picker
pane.
b. Select Custom Compliance, and then select 8.
c. Back on the Compliance settings page, select the toggle for Require Custom
Compliance to change it to be True.
d. For Select your discovery script, select Set reusable settings, and then specify a
script that’s been previously added to the Microsoft Intune admin center. This
script must have been uploaded before you begin to create the policy.
e. For Select your rules file, select the folder icon and then locate and add the
JSON file for Linux that you want to use with this policy. For assistance with the
JSON, see Create a JSON for custom compliance settings.
The JSON you enter is validated and any problems are displayed. After validation
of the JSON contents, the rules from the JSON are displayed in table format.
You can add multiple actions and configure schedules and additional details for
some actions. For example, you might change the schedule of the default action
Mark device noncompliant to occur after one day. You can then add an action to
send an email to the user when the device isn't compliant to warn them of that
status. You can also add actions that lock or retire devices that remain
noncompliant.
For information about the actions you can configure, see Add actions for
noncompliant devices, including how to create notification emails to send to your
users.
Another example includes the use of Locations where you add at least one location
to a compliance policy. In this case, the default action for noncompliance applies
when you select at least one location. If the device isn't connected to any of the
selected locations, it's considered not compliant. You can configure the schedule to
give your users a grace period, such as one day.
8. On the Scope tags tab, select tags to help filter policies to specific groups, such as
US-NC IT Team or JohnGlenn_ITDepartment. After you add the settings, you can also
For information on using scope tags, see Use scope tags to filter policies.
Policies for Linux don't support user-based assignments and can only be assigned
to device groups.
10. On the Review + create tab, review the settings and select Create when ready to
save the compliance policy.
The users or devices targeted by your policy are evaluated for compliance when
they check in with Intune.
At any time, users can open the Company Portal app, and sync the device to
immediately check for policy updates.
The effective compliance status depends on the actual compliance status and on the value
of the grace period assigned to the device:
If the device has no grace period assigned to it, then the assigned value for the
compliance policy is NonCompliant.
If the device has a grace period that's expired, then the assigned value for the
compliance policy is NonCompliant.
If the device has a grace period that's in the future, then the assigned value for the
compliance policy is InGracePeriod.
For more information about monitoring device compliance policies, see Monitor Intune
Device compliance policies.
Status Severity
Unknown 1
NotApplicable 2
Compliant 3
InGracePeriod 4
NonCompliant 5
Error 6
When a device has multiple compliance policies, then the highest severity level of all the
policies is assigned to that device.
For example, a device has three compliance policies assigned to it: one Unknown status
(severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity
= 4). The InGracePeriod status has the highest severity level. So, all three policies have
the InGracePeriod compliance status.
Next steps
Monitor your policies.
Use custom compliance policies and
settings for Linux and Windows devices
with Microsoft Intune
Article • 02/22/2023
Expanding on Intune’s built-in device compliance options, use policies for custom
compliance settings for managed Linux and Windows devices. Custom settings provide
flexibility to base compliance on the settings that are available on a device without
having to wait for Intune to add these settings.
Before you can add custom settings to a policy, you’ll need to prepare a JSON file, and a
detection script for use with each supported platform. Both the script and JSON become
part of the compliance policy. Each compliance policy supports a single script, and each
script can detect multiple settings:
The JSON file defines the custom settings and the values that are considered as
compliant. You can also configure messages for users to tell them how to restore
compliance for each setting. You add your JSON file while creating a compliance
policy, just after you select a discovery script for that policy.
Scripts are specific to different platforms and delivered to devices through the
compliance policy. When policy is evaluated, the script detects the settings from
the JSON file, and then reports the results to Intune. Windows uses a PowerShell
script and Linux uses a POSIX-compliant shell script.
The scripts must be uploaded to the Microsoft Intune admin center before you
create a compliance policy. You select the script when you’re configuring a policy
to support custom settings.
After you’ve deployed custom compliance settings and devices have reported back,
you'll be able to view the results alongside the built-in compliance setting details in the
Microsoft Intune admin center. Custom compliance settings can be used for conditional
access decisions, the same way built-in compliance settings are. Together they form a
compound rule set, equally affecting the device compliance state.
Prerequisites
Azure Active Directory (Azure AD) joined devices, including hybrid Azure AD-
joined devices.
Hybrid Azure AD-joined devices are devices that are joined to Azure AD and also
joined to on-premises Active Directory. For more information, see Plan your hybrid
Azure AD join implementation.
On WPJ devices, device context PowerShell scripts work, but user context
PowerShell scripts are ignored.
To create a custom compliance script, see Custom compliance discovery scripts for
Microsoft Intune.
JSON file - The JSON file defines the custom settings and the value that is to be
considered as compliant and can contain messages for users on how to restore the
device to compliance for the setting. For guidance on creating a JSON for custom
compliance, see Custom compliance JSON files.
You must first upload an applicable discovery script to Intune, and have a ready JSON to
add while creating the policy.
When ready, use the normal procedure to create a compliance policy, which includes
platform specific instructions for adding custom settings to the policy. Custom settings
are added while on the Configuration settings page by configuring the option for
Custom Compliance.
Note
For both Linux and Windows devices, you can view per-setting device compliance
details for custom compliance settings in the Microsoft Intune admin center.
In the admin center go to Reports > Device compliance, and then select the
Reports tab. Select the tile for Noncompliant devices and settings, and then use
the drop-down menus to configure the report. Be sure to select a platform for the
OS, and then select Generate report.
On a Linux device, you can open the Intune app to view the device’s status:
Compliant – Your device is compliant with your organization’s policies and
should be able to access organizational resources.
Checking status – Intune is currently evaluating the device's compliance to your
organization’s policies.
Not compliant – The device doesn’t meet your organization’s device and
security requirements and might not have access to your organization’s
resources.
When the device status is Not compliant, select View issues to see details about
issues that must be addressed to bring that device into compliance. For
information on resolving common issues, see Additional troubleshooting for Linux
devices.
On Windows, to return errors related to the PowerShell script, ensure the following line is
at the end of the PowerShell script file: return $hash | ConvertTo-Json -Compress
On Linux, a user can open the Microsoft Intune app and select Refresh on either the
device details page or the compliance issues page to start a new check-in with
Intune.
In the Microsoft Intune admin center , you can identify devices that aren't
compliant with policy. Navigate to Reports > Device compliance, select the
Reports tab, and then select the tile for Noncompliant devices and settings. Use
the drop-downs to configure the report you want, and then select Generate report.
The admin center displays a separate line for each setting that isn’t compliant on a
device.
On the Linux device, open the Microsoft Intune app and view the Update device
settings page.
The following sections discuss common issues and resolutions for issues that users of
Linux devices might encounter.
To be compliant with the Allowed Distros setting, a device's Linux distribution and version
must meet minimum, maximum, and type requirements. If necessary, install a different
version or distribution of Linux to bring the device into compliance.
Password complexity
Users of devices that don’t meet the device compliance configuration for password
complexity requirements might receive a message that indicates they must use a strong
password.
To be compliant with Password Policy settings, configure the Linux system to use
passwords that meet those requirements. Common organization requirements include:
Device encryption
Users of devices that don’t meet compliance settings for disk and partition encryption
might receive a message that they must encrypt the device drives.
There are several options for disk and partition encryption on Linux operating systems.
Intune recognizes any encryption system that uses the underlying dm-crypt subsystem.
This subsystem has been standard on Linux systems for some time. The preferred
method of setting up dm-crypt is to use the LUKS format with the cryptsetup tool.
Encrypting Linux system volumes after installation is possible, but potentially time
consuming. We recommend setting up disk encryption while installing the
operating system.
Not all filesystem partitions need to be encrypted for a device to meet
organizational standards. The following aren't evaluated by the built-in device
encryption settings:
Read-only partitions
Pseudo-filesystems, like /proc or tmpfs
The /boot or /boot/efi partitions
Refresh your compliance status on Linux devices
After making changes to a device to bring it into compliance, refresh the device status
with Intune:
If the Microsoft Intune app is still running, select Refresh on the device details
page, or on the compliance issues page to start a new check-in with Intune.
If the Microsoft Intune app isn't running, sign into the app, which will start a new
check-in.
After installation, the Microsoft Intune app periodically checks in with Intune on its
own, so long as the device is on, and a user is signed in to it.
Next steps
Create a compliance policy
Custom compliance JSON files for
Microsoft Intune
Article • 02/21/2023
To support custom settings for compliance for Microsoft Intune, you create a JSON file
that identifies the settings and value pairs that you want to use for custom compliance.
The JSON defines what a discovery script will evaluate for compliance on the device.
You’ll upload the JSON file when you create a compliance policy that includes custom
compliance settings.
SettingName - The name of the custom setting to base compliance on.
Operator - Represents a specific action that is used to build a compliance rule. For
options, see the following list of supported operators.
DataType - The type of data that you can use to build your compliance rule. For
options, see the following list of supported DataTypes.
Operand - Represents the values that the operator works on.
MoreInfoURL - A URL that’s shown to device users so they can learn more about
the compliance requirement when their device is noncompliant for a setting. You
can also use this to link to instructions to help users bring their device into
compliance for this setting.
RemediationStrings - Information that gets displayed in the Company Portal when
a device is noncompliant to a setting. This information is intended to help users
understand the remediation options to bring a device to a compliant state.
You may include as many settings as you'd like in the JSON file, but the file must be no
larger than 1 megabyte (MB).
Supported operators:
IsEquals
NotEquals
GreaterThan
GreaterEquals
LessThan
LessEquals
Supported DataTypes:
Boolean
Int64
Double
String
DateTime
Version
Supported Languages:
cs_CZ
da_DK
de_DE
el_GR
en_US
es_ES
fi_FI
fr_FR
hu_HU
it_IT
ja_JP
ko_KR
nb_NO
nl_NL
pl_PL
pt_BR
ro_RO
ru_RU
sv_SE
tr_TR
zh_CN
zh_TW
{
  "Rules":[
    {
      "SettingName":"BiosVersion",
      "Operator":"GreaterEquals",
      "DataType":"Version",
      "Operand":"2.3",
      "MoreInfoUrl":"https://bing.com",
      "RemediationStrings":[
        {
          "Language":"en_US"
        }
      ]
    },
    {
      "SettingName":"TPMChipPresent",
      "Operator":"IsEquals",
      "DataType":"Boolean",
      "Operand":true,
      "MoreInfoUrl":"https://bing.com",
      "RemediationStrings":[
        {
          "Language": "en_US"
        }
      ]
    },
    {
      "SettingName":"ModelName",
      "Operator":"IsEquals",
      "DataType":"String",
      "Operand":"Inspiron",
      "MoreInfoUrl":"https://bing.com",
      "RemediationStrings":[
        {
          "Language": "en_US"
        }
      ]
    }
  ]
}
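An offline pre-flight check for a rules file, as an added example written here in Python rather than taken from the article or from Intune: it validates the file against the field, operator, DataType and language lists above, then evaluates it against the compact JSON a discovery script prints (the sample output shown in the discovery-script article is used as constructed input). How Intune treats a setting the script never reports is not stated in the article, so the model's noncompliant default for that case is an assumption.

```python
"""Offline check of an Intune custom compliance rules JSON (added example, not Intune's code)."""
import json
import operator
from datetime import datetime

# Vocabulary listed in the article.
OPERATORS = {"IsEquals": operator.eq, "NotEquals": operator.ne,
             "GreaterThan": operator.gt, "GreaterEquals": operator.ge,
             "LessThan": operator.lt, "LessEquals": operator.le}
DATA_TYPES = {"Boolean", "Int64", "Double", "String", "DateTime", "Version"}
LANGUAGES = {"cs_CZ", "da_DK", "de_DE", "el_GR", "en_US", "es_ES", "fi_FI", "fr_FR",
             "hu_HU", "it_IT", "ja_JP", "ko_KR", "nb_NO", "nl_NL", "pl_PL", "pt_BR",
             "ro_RO", "ru_RU", "sv_SE", "tr_TR", "zh_CN", "zh_TW"}
MAX_BYTES = 1_000_000       # the article caps the file at 1 MB
REQUIRED = ("SettingName", "Operator", "DataType", "Operand")


def coerce(value, data_type):
    """Comparable Python value for a JSON value of the given DataType; raises when it does not fit."""
    if data_type == "Boolean":
        if isinstance(value, bool):
            return value
        if isinstance(value, str) and value.lower() in ("true", "false"):
            return value.lower() == "true"
        raise ValueError(f"not a Boolean: {value!r}")
    if isinstance(value, bool):             # bool is an int subclass in Python
        raise ValueError(f"Boolean given for {data_type}: {value!r}")
    if data_type == "Int64":
        if isinstance(value, float) and not value.is_integer():
            raise ValueError(f"not an integer: {value!r}")
        return int(value)
    if data_type == "Double":
        return float(value)
    if data_type == "String":
        return str(value)
    if data_type == "DateTime":
        return datetime.fromisoformat(str(value))
    if data_type == "Version":
        # Dotted numeric compare: "1.24" < "2.3" and "10.0" > "9.0", unlike string order.
        return tuple(int(part) for part in str(value).split("."))
    raise ValueError(f"unsupported DataType {data_type!r}")


def validate_rules(doc):
    """Problems found in a rules document; an empty list means it looks well formed."""
    problems = []
    if len(json.dumps(doc).encode("utf-8")) > MAX_BYTES:
        problems.append("rules file exceeds 1 MB")
    rules = doc.get("Rules")
    if not isinstance(rules, list) or not rules:
        return problems + ["'Rules' must be a non-empty list"]
    for index, rule in enumerate(rules):
        name = rule.get("SettingName", f"<rule {index}>")
        problems += [f"{name}: missing {key}" for key in REQUIRED if key not in rule]
        if rule.get("Operator") not in OPERATORS:
            problems.append(f"{name}: unsupported Operator {rule.get('Operator')!r}")
        data_type = rule.get("DataType")
        if data_type not in DATA_TYPES:
            problems.append(f"{name}: unsupported DataType {data_type!r}")
        elif "Operand" in rule:
            try:
                coerce(rule["Operand"], data_type)
            except (ValueError, TypeError):
                problems.append(f"{name}: Operand {rule['Operand']!r} is not a valid {data_type}")
        for entry in rule.get("RemediationStrings", []):
            if entry.get("Language") not in LANGUAGES:
                problems.append(f"{name}: unsupported Language {entry.get('Language')!r}")
    return problems


def evaluate(doc, discovered):
    """Map each SettingName to True/False by comparing the discovery output dict with the rule.
    A setting the script did not report, or reported with an unusable value, counts as
    noncompliant here; that is this model's assumption, the article does not say."""
    outcome = {}
    for rule in doc["Rules"]:
        name = rule["SettingName"]
        try:
            actual = coerce(discovered[name], rule["DataType"])
            expected = coerce(rule["Operand"], rule["DataType"])
            outcome[name] = bool(OPERATORS[rule["Operator"]](actual, expected))
        except (KeyError, ValueError, TypeError):
            outcome[name] = False
    return outcome


# The article's sample rules (its remediation Title/Description text is not reproduced).
SAMPLE_RULES = {"Rules": [
    {"SettingName": "BiosVersion", "Operator": "GreaterEquals", "DataType": "Version", "Operand": "2.3",
     "MoreInfoUrl": "https://bing.com", "RemediationStrings": [{"Language": "en_US"}]},
    {"SettingName": "TPMChipPresent", "Operator": "IsEquals", "DataType": "Boolean", "Operand": True,
     "MoreInfoUrl": "https://bing.com", "RemediationStrings": [{"Language": "en_US"}]},
    {"SettingName": "ModelName", "Operator": "IsEquals", "DataType": "String", "Operand": "Inspiron",
     "MoreInfoUrl": "https://bing.com", "RemediationStrings": [{"Language": "en_US"}]},
]}
# Output of the article's sample discovery script, used here as constructed input.
SAMPLE_OUTPUT = '{"ModelName": "Dell","BiosVersion": 1.24,"TPMChipPresent": true}'
SAMPLE_DISCOVERED = json.loads(SAMPLE_OUTPUT)
```

Against the sample output only TPMChipPresent passes: BIOS 1.24 sorts below 2.3 as a Version, and "Dell" is not "Inspiron".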
Next steps
Use custom compliance settings
Create a PowerShell script for discovery of custom compliance settings
Create a compliance policy
Custom compliance discovery scripts for
Microsoft Intune
Article • 08/02/2023
Before you can use custom settings for compliance with Microsoft Intune, you must
define a script for discovery of custom compliance settings on devices. The script you
use depends on the platform:
The script deploys to devices as part of your custom compliance policies. When
compliance runs, the script discovers the settings that are defined by the JSON file that
you also provide through custom compliance policy.
Are added to Intune before you create a compliance policy. After being added,
scripts are available to select when you create a compliance policy with custom
settings.
Each discovery script can only be used with one compliance policy, and each
compliance policy can only include one discovery script.
Discovery scripts that have been assigned to a compliance policy can't be
deleted until the script has been unassigned from the policy.
Run on a device that receives the compliance policy. The script evaluates the
conditions of the JSON file you upload when creating a custom compliance policy.
Identify one or more settings, as defined in the JSON, and return a list of
discovered values for those settings. A single script can be assigned to each policy,
and supports discovery of multiple settings.
Must include the following line at the end of the script: return $hash | ConvertTo-Json -Compress
Limits
The scripts you write must be within the following limits in order to successfully return
compliance data to Intune:
PowerShell
PS C:\Users\apervaiz\Documents> .\sample.ps1
{"ModelName": "Dell","BiosVersion": 1.24,"TPMChipPresent": true}
Note
Discovery scripts in Linux are run in the user's context and as such they cannot
check for system-level settings that require elevation. An example of this is the
state/hash of the /etc/sudoers file.
Discovery scripts for Linux can call any interpreter that meets your requirements. Ensure
that the chosen interpreter is properly installed and configured on the targeted device
before the script is deployed. To specify the interpreter for a script, include a shebang
line at the top of the script, indicating the path to the interpreter binary.
For example, if your script should use the Bash shell as the interpreter, add the following
line at the top of your script:
#!/bin/bash
If you want to use Python for your script, indicate where the interpreter is installed. For
example, add the following to the top of your script: #!/usr/bin/python3 or
#!/usr/bin/env python
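As an added example (not a script from the article or from Microsoft), here is a Linux discovery script written in Python, one of the interpreters the article mentions. It reads only files the signed-in user can normally open without elevation and prints the single compact JSON object Intune expects; the setting names DistroId, DistroVersion and PasswordMinLength are assumptions that your own rules JSON would have to mirror.

```python
#!/usr/bin/python3
"""Custom compliance discovery script for Linux (added example, not Microsoft's).

Runs in the signed-in user's context, so it only reads world-readable files and
prints one compact JSON object whose keys match the SettingName values in the
rules JSON (DistroId, DistroVersion, PasswordMinLength are assumed names).
"""
import json
import sys

OS_RELEASE = "/etc/os-release"                 # ID= and VERSION_ID= fields
PWQUALITY = "/etc/security/pwquality.conf"     # minlen = N (libpwquality)


def parse_os_release(text):
    """Return {KEY: value} from os-release style KEY=value lines, quotes stripped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def parse_pwquality_minlen(text, default=0):
    """Return the configured 'minlen' as an int, or `default` when it is not set."""
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()        # drop trailing comments
        key, _, value = stripped.partition("=")
        if key.strip() == "minlen" and value.strip().isdigit():
            return int(value.strip())
    return default


def read_text(path):
    """Read a file as text; a missing or unreadable file yields an empty string so
    the script still reports every setting (the rule then fails as noncompliant)."""
    try:
        with open(path, encoding="utf-8") as handle:
            return handle.read()
    except OSError:
        return ""


def discover(os_release_text, pwquality_text):
    """Build the settings dict; values are typed to match the rules' DataTypes:
    String for DistroId, a Version-style string for DistroVersion, Int64 for minlen."""
    os_release = parse_os_release(os_release_text)
    return {
        "DistroId": os_release.get("ID", ""),
        "DistroVersion": os_release.get("VERSION_ID", "0"),
        "PasswordMinLength": parse_pwquality_minlen(pwquality_text),
    }


def to_compact_json(settings):
    """One line of JSON with no extra whitespace, like ConvertTo-Json -Compress."""
    return json.dumps(settings, separators=(",", ":"))


if __name__ == "__main__":
    sys.stdout.write(to_compact_json(discover(read_text(OS_RELEASE), read_text(PWQUALITY))) + "\n")
```

Pair it with a rules JSON whose SettingNames match, for example DistroVersion with DataType Version and Operator GreaterEquals, and PasswordMinLength with DataType Int64.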
1. Sign into Microsoft Intune admin center and go to Endpoint security > Device
compliance > Scripts > Add > (choose your platform).
3. On Settings, add your script to Detection script. Review your script carefully. Intune
doesn’t validate the script for syntax or programmatic errors.
4. For Windows only - On Settings, configure the following behavior for the
PowerShell script:
Run this script using the logged on credentials – By default, the script runs
in the System context on the device. Set this value to Yes to have it run in the
context of the logged-on user. If the user isn’t logged in, the script defaults
back to the System context.
Enforce script signature check – For more information, see about_Signing in
the PowerShell documentation.
Run script in 64 bit PowerShell Host – By default, the script runs using the
32-bit PowerShell host. Set this value to Yes to force the script to run using
the 64-bit host instead.
5. Complete the script creation process. The script is now visible in the Scripts pane of
the Microsoft Intune admin center and is available to select when configuring
compliance policies.
Also, note that the workflow for uploading these scripts to the Microsoft Intune admin
center does not support scope tags at this time. You must be targeted with the default
scope tag to create, edit, or see custom compliance discovery scripts.
Next steps
Use custom compliance settings
Create a JSON for custom compliance
Create a compliance policy
Configure actions for noncompliant
devices in Intune
Article • 02/22/2023
As part of a compliance policy that protects your organization's resources from devices
that don't meet your security requirements, compliance policies also include Actions for
noncompliance. Actions for noncompliance are one or more time-ordered actions that
are taken by a policy to help protect devices and your organization. As an example, an
action for noncompliance can remotely lock a device to ensure it's protected, or send a
notification to devices or users to help them understand and resolve the noncompliant
status.
Overview
By default, each compliance policy includes the action for noncompliance of Mark
device noncompliant with a schedule of zero days (0). The result of this default is when
Intune detects a device isn't compliant, Intune immediately marks the device as
noncompliant. After a device is marked as noncompliant, Azure Active Directory (AD)
Conditional Access can block the device.
For each action you set, you can configure a schedule that determines when that action
takes effect. The schedule is a number of days after the device is marked as
noncompliant. You can also configure multiple instances of an action. When you set
multiple instances of an action in a policy, the action runs again at that later scheduled
time if the device remains non-compliant.
Note
The Microsoft Intune admin center displays the schedule (days after noncompliance)
in days. However, it is possible to specify a more granular interval (hours), using
decimal fractions such as 0.25 (6 hours), 0.5 (12 hours), 1.5 (36 hours), and so on.
While other values are possible, they can only be configured using Microsoft Graph
and not via the admin center. Attempting to use other values in the admin center,
such as 0.33 (8 hours), will result in an error when attempting to save the policy.
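The timing rules spread across the compliance policy article (effective status under a grace period, the severity table for a device with several policies) and the schedule note above, as an added Python model that is not Intune's code. The quarter-day test for what the admin center accepts is an assumption generalised from the fractions the note lists.

```python
"""Model of Intune noncompliance timing (added example, not Intune's code)."""
from datetime import datetime, timedelta

# Severity table from the compliance policy article: the highest wins per device.
SEVERITY = {"Unknown": 1, "NotApplicable": 2, "Compliant": 3,
            "InGracePeriod": 4, "NonCompliant": 5, "Error": 6}


def device_status(policy_statuses):
    """Effective status of a device that has several compliance policies assigned."""
    return max(policy_statuses, key=SEVERITY.__getitem__)


def effective_status(actual, grace_period_end, now):
    """Effective status for one policy from its actual status and the grace period end.
    Only a NonCompliant device benefits from a grace period; an expired one counts as none."""
    if actual != "NonCompliant":
        return actual
    if grace_period_end is None or grace_period_end <= now:
        return "NonCompliant"
    return "InGracePeriod"


def schedule_to_hours(days):
    """Schedules are in days; fractions express hours (0.25 = 6 h, 0.5 = 12 h, 1.5 = 36 h)."""
    return days * 24


def admin_center_accepts(days):
    """Assumption: the admin center takes quarter-day steps like the listed examples and
    rejects others such as 0.33; any other fraction has to be set through Microsoft Graph."""
    return days >= 0 and float(days * 4).is_integer()


def timeline(actions, detected_at, now):
    """actions: list of (action name, schedule in days). The 'Mark device noncompliant'
    schedule is the grace period; every schedule is counted from the first noncompliant
    evaluation (detected_at). Returns (effective status, actions already due, time-ordered)."""
    grace_days = next((d for name, d in actions if name == "Mark device noncompliant"), 0)
    grace_end = detected_at + timedelta(days=grace_days)
    status = effective_status("NonCompliant", grace_end, now)
    due = sorted((d, name) for name, d in actions if detected_at + timedelta(days=d) <= now)
    return status, [name for _, name in due]


# Constructed policy: 1-day grace, an email at once and again after 3 days, lock at day 7.
POLICY_ACTIONS = [
    ("Mark device noncompliant", 1),
    ("Send email to end user", 0),
    ("Send email to end user", 3),
    ("Remotely lock the noncompliant device", 7),
]

if __name__ == "__main__":
    detected = datetime(2023, 6, 23, 9, 0)
    for hours in (12, 96):
        print(hours, timeline(POLICY_ACTIONS, detected, detected + timedelta(hours=hours)))
```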
Available actions for noncompliance
Following are the available actions for noncompliance:
Mark device non-compliant: By default, this action is set for each compliance
policy and has a schedule of zero (0) days, marking devices as noncompliant
immediately.
When you change the default schedule, you provide a grace period in which a user
can remediate issues or become compliant without being marked as non-
compliant.
Send email to end user: This action sends an email notification to the user. When
you enable this action:
Select a Notification message template that this action sends. You must create a
notification message template before you can assign one to this action. When
you create the custom notification, you customize the message locale, subject,
message body, and can include the company logo, company name, and other
contact information.
Choose to send the message to more recipients by selecting one or more of
your Azure AD Groups.
Intune uses the email address defined in the end user's profile and not their user principal name (UPN). If there's no email address defined in the user's profile, then Intune doesn't send a notification email. When the email is sent, Intune includes details about the noncompliant device in the email notification.
Note
Ensure you do not have any mailbox policies that would prevent delivery of
emails from these addresses, otherwise end users may not receive the email
notification.
Remotely lock the noncompliant device: Use this action to issue a remote lock of
a device. The user is then prompted for a PIN or password to unlock the device.
More on the Remote Lock feature.
Retire the noncompliant device: This action removes all company data off the
device and removes the device from Intune management.
When this action applies to a device, that device is added to a list of devices in the
Microsoft Intune admin center at Devices > Compliance policies > Retire
Noncompliant Devices. The device isn't retired until an admin takes explicit action
to retire the device.
Note
Only devices to which the Retire the noncompliant device action has been
triggered appear in the Retire Selected Devices view. To see a list of all
devices that are not compliant, see the Noncompliant devices report
mentioned in Monitor device compliance policy.
To retire one or more devices from the list, select devices to retire and then select
Retire Selected Devices. When you choose an action that retires devices, you're
then presented with a dialog box to confirm the action. It's only after confirming
the intent to retire the devices that they're cleared of company data and removed
from Intune management.
Other options include Retire All Devices, Clear All Devices Retire State, and Clear
Selected Devices Retire State. Clearing the retire state for a device removes the
device from the list of devices that can be retired until the action to Retire the
noncompliant device is applied to that device again.
Send push notification to end user: Configure this action to send a push
notification about non-compliance to a device through the Company Portal app or
Intune App on the device.
The push notification is sent the first time a device checks in with Intune and is
found to be non-compliant to the compliance policy. When a user selects the
notification, the Company Portal app or Intune app opens and displays information
about why they're non-compliant. The user can then take action to resolve the
issue. The message details about non-compliance are generated by Intune and
can't be customized.
Important
Intune, the Company Portal app, and the Microsoft Intune app, can't
guarantee delivery of a push notification. Notifications might show up after
several hours of delay, if at all. This includes when users have turned off push
notifications.
Do not rely on this notification method for urgent messages.
Each instance of the action sends a notification a single time. To send the same
notification again from a policy, configure more instances of the action in that
policy, each with a different schedule.
For example, you might schedule the first action for zero days and then add a
second instance of the action set to three days. This delay before the second
notification gives the user a few days to resolve the issue, and avoid the second
notification.
To avoid spamming users with too many duplicate messages, review and streamline which compliance policies include a push notification for non-compliance, and review the schedules so that the same issue isn't re-notified too often.
Consider:
For a single policy that includes multiple instances of a push notification set for
the same day, only a single notification is sent for that day.
Note
The following actions for noncompliance are not supported for devices that are
managed by a device compliance management partner:
To use device compliance policies to block devices from corporate resources, Azure AD
Conditional Access must be set up. See Conditional Access in Azure Active Directory or
common ways to use Conditional Access with Intune for guidance.
Android
Android (AOSP)
Android work profiles
iOS
macOS
Windows
A notification message template can include multiple messages that are each specified for a different locale. One locale must be specified as the default.
When you specify multiple messages and locales, non-compliant end users receive the
appropriate localized message based on their O365 preferred language. Intune sends
the default message to users that haven’t set a preferred language or when the
template doesn’t include a specific message for their locale.
2. Select Endpoint security > Device compliance > Notifications > Create
notification.
Name - Give the template a friendly name to help you identify it.
Email header – Include company logo (default = Enable) - The logo you
upload as part of the Company Portal branding is used for email templates.
For more information about Company Portal branding, see Company identity
branding customization.
Email footer – Include company name (default = Enable)
Email footer – Include contact information (default = Enable)
Company Portal Website Link (default = Disable) - When set to Enable, the
email includes a link to the Company Portal website.
Locale
Subject
Message body text
Note
The maximum number of characters for the Subject is 78, and the maximum
number of characters for the message body text is 2000.
Before continuing, you must select the checkbox for Is Default for one of the
messages. Only one message can be set as default. To delete a message, select the
ellipsis (...) and then Delete.
Select Next to continue.
Select Send preview email to send a preview of the notification email to the
account you've used to sign in to Intune.
To successfully send the preview email, your account must have permissions equal to those of the following Azure AD groups or Intune roles: Azure AD Global Administrator, Intune Administrator (Azure AD Intune Service Administrator), or Intune Policy and Profile Manager.
You can add optional actions when you create a compliance policy, or update an
existing policy.
2. Select Devices > Compliance policies > Policies, select one of your policies, and
then select Properties.
Don't have a policy yet? Create an Android, iOS, Windows, or other platform policy.
Note
Send email to end users: When the device is noncompliant, choose to email
the user. Also:
Choose the Message template you previously created
Enter any Additional recipients by selecting groups
Send push notification to end user: Configure this action to send a push
notification about non-compliance to a device through the Company Portal
app or Intune App on the device.
5. Configure a Schedule: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a conditional access policy. If you enter 0 (zero) days, then conditional access takes effect immediately. For example, if a device is noncompliant, use conditional access to block access to email, SharePoint, and other organization resources immediately.
When you create a compliance policy, the Mark device noncompliant action is automatically created and automatically set to 0 days (immediately). With this action, when the device checks in with Intune and evaluates the policy, if it isn't compliant with that policy Intune immediately marks that device as noncompliant. If the client checks in at a later time after remediating the issues that led to noncompliance, its status updates to its new compliance status. If you use Conditional Access, those policies also apply as soon as a device is marked as noncompliant. To set a grace period that allows a condition of noncompliance to be remediated before the device is marked as noncompliant, change the Schedule on the Mark device noncompliant action.
For example, suppose that in your compliance policy you also want to notify the user. You can add the Send email to end user action. On this Send email action, you set the Schedule to two days. If the device or end user is still evaluated as non-compliant on day two, then your email is sent on day two. If you want to email the user again on day five of noncompliance, then add another action and set the Schedule to five days.
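Here is an added example (not code from Microsoft or the Intune documentation) that models the schedule mechanics described above: it maps the admin-center actions to the Microsoft Graph deviceComplianceActionItem actionType values, converts the "days after noncompliance" schedule to Graph's integer gracePeriodHours, and works out which instances have fired for a device that has stayed noncompliant for a given number of hours, including the same-day push notification collapse. The ruleName value and the notification template id are assumptions and placeholders for this example.

```python
"""Actions-for-noncompliance schedule model.

Added example, not Microsoft or Intune code. Maps admin-center action names
to Graph deviceComplianceActionItem.actionType values, converts the "days"
schedule to integer gracePeriodHours, and models which instances have fired.
"""

# Admin-center action name -> Graph actionType value.
ACTION_TYPES = {
    "Mark device noncompliant": "block",
    "Send email to end user": "notification",
    "Send push notification to end user": "pushNotification",
    "Remotely lock the noncompliant device": "remoteLock",
    "Retire the noncompliant device": "retire",
}


def days_to_grace_period_hours(days):
    """Convert a schedule in days (0..365, fractions allowed) to whole hours.

    0.25 -> 6, 0.5 -> 12, 1.5 -> 36. A value such as 0.33 days (7.92 hours) is
    not a whole number of hours and is rejected, as the admin center does.
    """
    if not 0 <= days <= 365:
        raise ValueError(f"schedule must be between 0 and 365 days, got {days}")
    hours = days * 24
    if abs(hours - round(hours)) > 1e-9:
        raise ValueError(f"{days} days is {hours:g} hours, not a whole number; "
                         "gracePeriodHours in Graph is an integer")
    return int(round(hours))


def build_scheduled_actions(schedule, rule_name="PasswordRequired"):
    """Build the scheduledActionsForRule value of a Graph deviceCompliancePolicy.

    schedule: (admin-center action name, days, notification template id) tuples.
    rule_name is an assumption made for this example.
    """
    configs = []
    for name, days, template_id in schedule:
        action_type = ACTION_TYPES[name]
        item = {
            "@odata.type": "#microsoft.graph.deviceComplianceActionItem",
            "actionType": action_type,
            "gracePeriodHours": days_to_grace_period_hours(days),
        }
        if action_type == "notification":
            # Send email needs a notification message template created first.
            if not template_id:
                raise ValueError("Send email to end user requires a message template")
            item["notificationTemplateId"] = template_id
        configs.append(item)
    return [{"ruleName": rule_name, "scheduledActionConfigurations": configs}]


def actions_fired(scheduled_actions, hours_noncompliant):
    """List (gracePeriodHours, actionType) for each instance that has fired for
    a device continuously noncompliant for hours_noncompliant hours.

    Each instance fires once when its grace period elapses. Push notification
    instances scheduled for the same day collapse into one for that day.
    """
    fired = []
    push_days_seen = set()
    for rule in scheduled_actions:
        configs = sorted(rule["scheduledActionConfigurations"],
                         key=lambda c: c["gracePeriodHours"])
        for cfg in configs:
            if hours_noncompliant < cfg["gracePeriodHours"]:
                continue  # grace period has not elapsed yet
            if cfg["actionType"] == "pushNotification":
                day = cfg["gracePeriodHours"] // 24
                if day in push_days_seen:
                    continue  # only one push notification per day per policy
                push_days_seen.add(day)
            fired.append((cfg["gracePeriodHours"], cfg["actionType"]))
    return fired


def compliance_status(scheduled_actions, hours_noncompliant):
    """'Not compliant' once the block instance has fired, else 'In-grace period'."""
    if any(a == "block" for _, a in actions_fired(scheduled_actions, hours_noncompliant)):
        return "Not compliant"
    return "In-grace period"


# Constructed sample policy: a six-hour grace period before the device is
# marked noncompliant, two push notifications on day 0 (which collapse into
# one), and the day-two and day-five emails from the text above.
TEMPLATE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real id
EXAMPLE_SCHEDULE = [
    ("Mark device noncompliant", 0.25, None),
    ("Send push notification to end user", 0, None),
    ("Send push notification to end user", 0.5, None),
    ("Send email to end user", 2, TEMPLATE_ID),
    ("Send email to end user", 5, TEMPLATE_ID),
]
EXAMPLE_ACTIONS = build_scheduled_actions(EXAMPLE_SCHEDULE)
```

Calling `actions_fired(EXAMPLE_ACTIONS, 120)` returns the push notification, the block at hour 6, and both emails, while at hour 5 `compliance_status` still reports the device as in its grace period.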
For more information on compliance, and the built-in actions, see the compliance
overview.
Next steps
Monitor your policies.
Monitor results of your Intune Device
compliance policies
Article • 08/21/2023
Compliance reports help you understand when devices fail to meet your compliance
policies and can help you identify compliance-related issues in your organization. Using
these reports, you can view information on:
Intune includes the following options for reviewing device compliance details:
Intune follows the device check-in schedule for all compliance evaluations on the
device. Learn more about the device check-in schedule.
The tenant-wide compliance policy settings include the setting Mark devices with
no compliance policy assigned as. By default, this setting marks the devices that
haven't been assigned a compliance policy as Compliant. If it's important for your
organization to identify devices that aren't assigned a compliance policy, consider
editing this setting.
At times a device might send a compliance report back to Intune that shows System Account as the user principal name. This result can happen when a compliance policy targets a group of users or devices and is evaluated at a time when no user is signed in to the device.
When there are multiple users signed in to the same device, and that device is assigned a compliance policy that is scoped to all users currently signed in to the device, compliance runs for each of those users. This can result in compliance reports showing multiple entries for the device, where each entry indicates a different user name.
Users of a device type who are assigned a compliance policy for a different device type than they use aren't shown in reports. For example, if you've assigned a Windows compliance policy to a user with an Android device, that compliance policy doesn't run on the user's Android device and the device's previous compliance state remains unchanged.
The tile displays a count of devices for each of the following categories:
Compliant: The device successfully applied one or more device compliance policy
settings.
In-grace period: The device is targeted with one or more device compliance policy
settings but isn't yet compliant to all of them. Often this is due to users not
applying compliant configurations, like meeting password complexity
requirements. Devices with this status are noncompliant, but in the grace period
defined by the admin.
Not evaluated: An initial state for newly enrolled devices. Other possible reasons
for this state include:
Devices that aren't assigned a compliance policy and don't have a trigger to
check for compliance.
Devices that haven't checked in since the compliance policy was last updated.
Devices not associated to a specific user, such as:
iOS/iPadOS devices purchased through Apple's Device Enrollment Program
(DEP) that don't have user affinity.
Android kiosk or Android Enterprise dedicated devices.
Devices enrolled with a device enrollment manager (DEM) account.
Not compliant: The device failed to apply one or more device compliance policy
settings, or the user hasn't complied with the policies.
Policy compliance
The Policy compliance tile displays the list of compliance policies that are assigned to
devices, and the count of compliant and noncompliant devices for each policy.
You can select a policy from this tile to open a Policy Compliance view that provides
more details about that policy.
Tip
We recommend using the newer Policy compliance (preview) report that replaces
this view and includes improved capabilities. Eventually, the older report version
will be retired.
Tip
Intune includes an organizational report that identifies all devices in your tenant
that have not been assigned a compliance policy. See Devices without compliance
policy (Organizational).
Setting compliance
The Setting compliance tile displays all the device compliance policy settings from all
compliance policies, the platforms the policy settings apply to, and the number of
noncompliant devices. At least one device must report a status for a setting before the
setting is visible in this view.
[Screenshot: the list of policies and how many devices are compliant or noncompliant for each policy]
You can select an individual setting to open a setting detail view that provides more
information about devices that report status for that setting.
Tip
We recommend using the newer Setting compliance (preview) report that replaces
this report and includes improved capabilities. Eventually, this older report version
will be retired.
By default, when you select a policy, Intune opens the Monitor tab for that policy, where Intune displays:
Device status - A simple bar chart that identifies the basic compliance status for
devices that receive this policy.
View report - A button you can select that opens the device status report where
you can view deeper details about device compliance to this policy.
Per-setting status - A tile you can select that opens the per-setting status report
for this policy.
Tip
After navigating to the Monitor tab of the Compliance policies > Policies node, you
can select the Properties tab.
On the Properties tab you'll see essential details about the policy, like the policy's name and platform type, as well as the configuration of each setting in that policy.
On this tab you can choose to edit different details for the policy including the
settings configurations, policy assignments, and more.
Device status
The Device status summary is the default view that’s available when you select a
compliance policy. This summary is a simple chart that presents a count of devices that
report a specific device compliance status. The horizontal bar is divided into colors from
the available categories in proportion to the count of devices in each category. In the
preceding screen capture, all devices are compliant. As a result, the representational bar
is entirely green.
Before a device is represented in this chart view, the device must check in with Intune to
receive the policy, process it, and successfully report back its status. This process can
take up to 24 hours when the device is online.
Compliant - The device successfully applied one or more device compliance policy
settings.
Noncompliant - The device configuration has failed to meet one or more device
compliance policy settings.
Others - The device is in a state that is neither compliant nor noncompliant with the settings in this policy, such as Error or Not evaluated.
Total - The total number of devices that have received this policy and reported in.
To view more details, you can select the View report button.
View report
When you select the View report button on the device status view of a policy, Intune
displays a more detailed view of the device status for that policy.
By default, the report view displays details for the following, though you can add more columns of detail to the view:
Device name - The name of the device as it appears when viewing Devices and
creating groups.
Logged in user
Policy compliance status - This status identifies if the device is compliant to this
policy, but doesn't represent a device's compliance for any other compliance
policies. A device could still be considered noncompliant by Intune should it be
noncompliant to a different policy.
Device Id - The device's Intune Device ID.
OS - The operating system of the device, like Windows, or Android.
Last contacted - The last day and time that this device made contact with the
Intune service.
For example, in the previous policy report view, we enter a search string of st1, which appears in both the Device name and Logged in user columns. The resulting view displays both devices whose name contains st1 as well as each device associated with a user who has st1 in their user name:
Per-setting status
After selecting a compliance policy, you can select the Per-setting status tile to open the
device compliance per-setting status view for that policy. This view displays the settings
that the policy configures with columns for the various status conditions that can be
reported. For each setting, each status column displays a count of devices that report
that status.
The following image displays a per-setting view of a policy for Android devices. This
policy includes one setting and was deployed to four devices, all of which are compliant
to that setting. In this view, you can sort by selecting a column, or using search:
From the per-setting view, you can select the device count from any status column to open a view with more details for that specific setting and status. The following image displays the results of having selected the number 4 from the Compliant devices column:
In the screenshot we see there are four entries for the selected setting, with each entry
representing a distinct device. This count of devices matches the initial count on the
initial per-status view.
We can also see that one device, which has a name that starts with st1, has been flagged
in the Device compliance column as being Not compliant. This result is worth examining
more closely:
Because this drill-in view doesn’t support a deeper drill through, you must use the other
compliance reports that are available to determine which policy and setting the device is
reporting as noncompliant.
Examples:
A device is initially marked Compliant, but then a setting in one of the compliance policies targeted to the device reports Error. After three days, compliance evaluation completes successfully and the setting now reports Not compliant. The user can continue to use the device to access Conditional Access-protected resources within the first three days after the setting's state changes to Error, but once the setting returns Not compliant, the device is marked Not compliant and this access is removed until the device becomes Compliant again.
A device is initially marked Compliant, but then a setting in one of the compliance
policies targeted to the device reports Error. After three days, compliance
evaluation completes successfully, the setting returns Compliant, and the device's
compliance status becomes Compliant. The user is able to continue to access
Conditional Access protected resources without interruption.
A device is initially marked Compliant, but then a setting in one of the compliance
policies targeted to the device reports Error. The user is able to access Conditional
Access protected resources for seven days, but after seven days, the compliance
setting still returns Error. At this point, the device becomes Not compliant
immediately and the user loses access to the protected resources until the device
becomes Compliant, even if there's a grace period set for the applicable
compliance policy.
A device is initially marked Not compliant, but then a setting in one of the
compliance policies targeted to the device reports Error. After three days,
compliance evaluation completes successfully, the setting returns Compliant, and
the device's compliance status becomes Compliant. The user is prevented from
accessing Conditional Access protected resources for the first three days (while the
setting returns Error). Once the setting returns Compliant and the device is marked
Compliant, the user can begin to access protected resources on the device.
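The four examples above follow one rule set, modelled here as an added example (not Microsoft code): while a setting reports Error the device keeps its previous compliance state, a definitive Compliant or Not compliant result replaces that state, and once Error has persisted for more than seven days the device becomes Not compliant regardless of any grace period. Grace periods on the Mark device noncompliant action are deliberately not modelled; the seven-day threshold is taken from the third example.

```python
"""Compliance state across Error evaluations.

Added example, not Microsoft or Intune code. Replays daily setting results
against the behaviour the four examples above describe.
"""

COMPLIANT = "Compliant"
NOT_COMPLIANT = "Not compliant"
ERROR = "Error"
ERROR_TIMEOUT_DAYS = 7  # from the third example: after seven days of Error -> Not compliant


def device_state_timeline(initial_state, daily_setting_results):
    """Return the device's compliance state after each daily evaluation.

    daily_setting_results[i] is what the compliance setting reported on
    day i + 1: COMPLIANT, NOT_COMPLIANT or ERROR.
    """
    if initial_state not in (COMPLIANT, NOT_COMPLIANT):
        raise ValueError("initial state must be Compliant or Not compliant")
    state = initial_state
    error_days = 0
    timeline = []
    for result in daily_setting_results:
        if result == ERROR:
            error_days += 1
            # The prior state is kept for up to seven days of Error; beyond
            # that the device is marked Not compliant immediately.
            if error_days > ERROR_TIMEOUT_DAYS:
                state = NOT_COMPLIANT
        elif result in (COMPLIANT, NOT_COMPLIANT):
            error_days = 0       # a definitive result ends the Error run
            state = result
        else:
            raise ValueError(f"unknown setting result {result!r}")
        timeline.append(state)
    return timeline


def conditional_access_allowed(timeline):
    """Per day: whether a Conditional Access policy that requires a compliant
    device lets the user reach protected resources."""
    return [state == COMPLIANT for state in timeline]


# Constructed replay of the third example: Compliant device, Error for eight
# days. Access survives the first seven days and is removed on the eighth.
THIRD_EXAMPLE = device_state_timeline(COMPLIANT, [ERROR] * 8)
```

`device_state_timeline(NOT_COMPLIANT, [ERROR] * 3 + [COMPLIANT])` reproduces the fourth example: blocked for three days, then allowed once the setting returns Compliant.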
To view these reports, open the Intune admin center, go to Reports > Device compliance, and select the Reports tab.
For more information about these reports, see Device compliance reports in the Intune
reports article.
Noncompliant devices
Setting compliance – This report version remains available but will be deprecated
as there is an updated version with enhanced capabilities. See the updated report
at Setting compliance (preview)
Policy compliance – This report version remains available but will be deprecated as there is an updated version with enhanced capabilities. See the updated report at Policy compliance (preview)
Policy noncompliance
Windows health attestation report
If you have deployed multiple compliance policies, Intune uses the most secure of
these policies.
To learn more about conflict resolution for policies, see Compliance and device
configuration policies that conflict.
Next steps
Compliance policies overview
Support third-party device compliance
partners in Intune
Article • 02/22/2023
Microsoft Intune can add compliance state data to Azure Active Directory (Azure AD) for
the devices you manage with one or more third-party device compliance partners. With
this configuration, compliance data from those devices can be used with your
conditional access policies.
Supported platforms include Android, iOS/iPadOS, and macOS, with support for a
platform defined by the device compliance partner you use.
By default, Intune is set up to be the Mobile Device Management (MDM) authority for
your devices. When you add a compliance partner to Azure AD and Intune, you're
configuring that partner to be a source of Mobile Device Management (MDM) authority
for the devices you assign to that partner through an Azure AD user group.
To enable the use of data from device compliance partners, complete the following tasks:
1. Configure Intune to work with the device compliance partner, and then configure
groups of users whose devices are managed by that compliance partner.
With these tasks complete, the device compliance partner sends device state details to
Intune. Intune then adds this information to Azure AD. For example, devices with a state
of non-compliant have that status added to their device record in Azure AD.
The compliance state is then evaluated by conditional access policies, the same as compliance state data for devices managed by Intune. By default, Intune is a registered compliance partner for iOS and Android. When you add additional partners, you can set the priority order to ensure the correct partner manages devices to fit your business needs.
Addigy
BlackBerry UEM
Citrix Workspace device compliance
IBM MaaS360
JAMF Pro
MobileIron Device Compliance Cloud
MobileIron Device Compliance On-prem
SOTI MobiControl
VMware Workspace ONE UEM (formerly AirWatch)
Note
If you offer an MDM product and would like to onboard as a device compliance
partner, fill out this Form: Intune partner compliance onboarding.
Prerequisites
A subscription to Microsoft Intune, and access to the Microsoft Intune admin
center .
Review documentation for your compliance partner for supported device platforms
and additional prerequisites.
To use VMware Workspace ONE as the compliance partner for iOS or Android
platforms, select VMware Workspace ONE mobile compliance.
Next, select the drop-down for Platform, and select the platform.
You're limited to a single partner per platform, even if you have added multiple
compliance partners to Azure AD.
4. On Assignments, select the user groups that will have devices managed by this
partner. With this assignment, you'll change the MDM authority for applicable
devices to use this partner. Users who have devices managed by the partner must
also be assigned a license for Intune.
5. On the Review + create page, review your selections, and then select Create to
complete this configuration.
6. This step only applies when you use VMware Workspace ONE:
From within the Workspace ONE UEM console, you must manually synchronize the
changes you saved in the Microsoft Intune admin center. Until you manually sync
changes, Workspace ONE UEM isn’t aware of configuration changes, and users in
new groups you’ve assigned won’t successfully report compliance.
All the changes you’ve made since the initial configuration or the last manual
synchronization are synchronized from Azure Services to UEM.
Sign in to the Azure portal and go to Azure AD > Devices > All devices.
Next steps
Use additional documentation from your third-party partner to create compliance
policies for devices.
Blackberry UEM
Citrix Endpoint Management - Integrate with Azure AD Conditional Access
MobileIron Device Compliance Cloud
VMware Workspace ONE UEM
Manage endpoint security in Microsoft
Intune
Article • 06/20/2023
As a Security Admin, use the Endpoint security node in Intune to configure device security and to manage security tasks for devices when those devices are at risk. The Endpoint security policies are designed to help you focus on the security of your devices and mitigate risk. The available tasks can help you identify at-risk devices, remediate those devices, and restore them to a compliant or more secure state.
The Endpoint security node groups the tools that are available through Intune that you’ll
use to keep devices secure:
Review the status of all your managed devices. Use the All devices view where
you can view device compliance from a high level. Then, drill-in to specific devices
to understand which compliance policies aren't met so you can resolve them.
Deploy security baselines that establish best practice security configurations for
devices. Intune includes security baselines for Windows devices and a growing list
of applications, like Microsoft Defender for Endpoint and Microsoft Edge. Security
baselines are pre-configured groups of Windows settings that help you apply a
configuration that's recommended by the relevant security teams.
When you integrate with Azure Active Directory (Azure AD) conditional access
policies to enforce compliance policies, you can gate access to corporate resources
for both managed devices, and devices that aren’t managed yet.
Integrate Intune with your Microsoft Defender for Endpoint team. By integrating
with Microsoft Defender for Endpoint you gain access to security tasks. Security
tasks closely tie Microsoft Defender for Endpoint and Intune together to help your
security team identify devices that are at risk and hand-off detailed remediation
steps to Intune admins who can then act.
Note
For additional reporting information about device configuration profiles, see Intune
reports.
The following sections of this article discuss the different tasks you can do from the
endpoint security node of the admin center, and the role-based access control (RBAC)
permissions that are required to use them.
Manage devices
The Endpoint security node includes the All devices view, where you can view a list of all
devices from your Azure AD that are available in Microsoft Intune.
From this view, you can select devices to drill in for more information, like which policies a device isn't compliant with. You can also use this view to remediate issues for a device, including restarting a device, starting a scan for malware, or rotating BitLocker keys on a Windows 10 device.
For more information, see Manage devices with endpoint security in Microsoft Intune.
You can use security baselines to rapidly deploy a best practice configuration of device
and application settings to protect your users and devices. Security baselines are
supported for devices that run Windows 10 version 1809 and later, and Windows 11.
For more information, see Use security baselines to configure Windows devices in
Intune.
Security baselines are one of several methods in Intune to configure settings on devices.
When managing settings, it's important to understand what other methods are in use in
your environment that can configure your devices so you can avoid conflicts. See Avoid
policy conflicts later in this article.
Your Microsoft Defender for Endpoint team determines which devices are at risk and passes that information to your Intune team as a security task. With a few clicks, they create a security task for Intune that identifies the devices at risk and the vulnerability, and provides guidance on how to mitigate that risk.
The Intune Admins review security tasks and then act within Intune to remediate
those tasks. Once mitigated, they set the task to complete, which communicates
that status back to the Microsoft Defender for Endpoint team.
Through Security tasks, both teams remain in sync as to which devices are at risk, and how and when those risks are remediated.
To learn more about using Security tasks, see Use Intune to remediate vulnerabilities
identified by Microsoft Defender for Endpoint.
Endpoint security policies are one of several methods in Intune to configure settings on
devices. When managing settings, it's important to understand what other methods are
in use in your environment that can configure your devices, and avoid conflicts. See
Avoid policy conflicts later in this article.
Also found under Manage are Device compliance and Conditional access policies. These policy types aren't security policies focused on configuring endpoints, but they are important tools for managing devices and access to your corporate resources.
The available compliance settings depend on the platform you use, but common policy
rules include:
In addition to the policy rules, compliance policies support Actions for non-compliance. These actions are a time-ordered sequence of actions to apply to non-compliant devices. Actions include sending email or notifications to alert device users about non-compliance, remotely locking devices, or even retiring non-compliant devices and removing any company data that might be on them.
When you integrate Intune with Azure AD conditional access policies to enforce compliance policies, Conditional access can use the compliance data to gate access to corporate resources for both managed devices and devices that you don't manage.
To learn more, see Set rules on devices to allow access to resources in your organization
using Intune.
Device compliance policies are one of several methods in Intune to configure settings
on devices. When managing settings, it's important to understand what other methods
are in use in your environment that can configure your devices, and to avoid conflicts.
See Avoid policy conflicts later in this article.
Intune passes the results of your device compliance policies to Azure AD, which then
uses conditional access policies to enforce which devices and apps can access your
corporate resources. Conditional access policies also help to gate access for devices that
aren’t managed by Intune and can use compliance details from Mobile Threat Defense
partners you integrate with Intune.
The following are two common methods of using conditional access with Intune:
To learn more about using conditional access with Intune, see Learn about Conditional
Access and Intune.
While Intune can integrate with several Mobile Threat Defense partners, when you use
Microsoft Defender for Endpoint you gain a tight integration between Microsoft
Defender for Endpoint and Intune with access to deep device protection options,
including:
To learn more about using Microsoft Defender for Endpoint with Intune, see Enforce
compliance for Microsoft Defender for Endpoint with Conditional Access in Intune.
For more information, see Role-based access control (RBAC) with Microsoft Intune
Permissions:
Android FOTA: Read
Android for work: Read
Audit data: Read
Certificate Connector: Read
Corporate device identifiers: Read
Derived Credentials: Read
Device compliance policies: Assign, Create, Delete, Read, Update, View reports
Device configurations: Read, View reports
Device enrollment managers: Read
Endpoint protection reports: Read
Enrollment programs: Read device, Read profile, Read token
Filters: Read
Intune data warehouse: Read
Managed apps: Read
Managed devices: Delete, Read, Set primary user, Update, View reports
Microsoft Defender ATP: Read
Microsoft Store for Business: Read
Mobile Threat Defense: Modify, Read
Mobile apps: Read
Organization: Read
Partner Device Management: Read
PolicySets: Read
Remote assistance connectors: Read, View reports
Remote tasks: Get FileVault key, Initiate Configuration Manager action, Reboot now, Remote lock, Rotate BitLockerKeys (Preview), Rotate FileVault key, Shut down, Sync devices, Windows defender
Roles: Read
Security baselines: Assign, Create, Delete, Read, Update
Security tasks: Read, Update
Terms and conditions: Read
Windows Enterprise Certificate: Read
For example, the settings found in Endpoint security policies are a subset of the settings
that are found in endpoint protection and device restriction profiles in device
configuration policy, and which are also managed through various security baselines.
One way to avoid conflicts is to not use different baselines, instances of the same
baseline, or different policy types and instances to manage the same settings on a
device. This requires planning which methods you'll use to deploy configurations to
different devices. When you use multiple methods or instances of the same method to
configure the same setting, ensure your different methods either agree or aren't
deployed to the same devices.
If conflicts happen, you can use Intune's built-in tools to identify and resolve the source
of those conflicts. For more information, see:
Next steps
Configure:
Security baselines
Compliance policies
Conditional access policies
Integration with Microsoft Defender for Endpoint
Manage devices with endpoint security
in Microsoft Intune
Article • 02/24/2023
As a security administrator, use the All devices view in the Microsoft Intune admin center
to review and manage your devices. The view displays a list of all your devices from your
Azure Active Directory (Azure AD), including devices managed by:
Intune
Configuration Manager
Co-management (by both Intune and Configuration Manager)
Devices can be in the cloud and from your on-premises infrastructure when integrated
with your Azure AD.
To find the view, open the Microsoft Intune admin center and select Endpoint security
> All devices.
The initial All devices view displays your devices and includes key information about
each:
While viewing device details, you can select a device to drill-in for more information.
Available details by management type
When viewing devices in the Microsoft Intune admin center, consider how the device is
managed. The management source affects the information that’s presented in the
admin center and which actions are available to manage the device.
MDM - These devices are managed by Intune. Compliance data is collected and
reported by Intune to the admin center.
ConfigMgr – These devices appear in the Microsoft Intune admin center when
you use tenant attach to add the devices you manage with Configuration
Manager. To be managed, the device must run the Configuration Manager
client and be:
In a Workgroup (Azure AD joined and otherwise)
Domain Joined
Hybrid Azure AD Joined (joined to the AD and Azure AD)
Compliance status for devices that are managed by Configuration Manager isn't
visible in the Microsoft Intune admin center.
For more information, see Enable tenant attach in the Configuration Manager
documentation.
For example, you can use Intune to configure policies for Antivirus, Firewall, and
Encryption. These policies are all considered policy for Endpoint Protection. To
have a co-managed device use the Intune policies and not the Configuration
Manager policies, set the co-management slider for Endpoint Protection to
either Intune or Pilot Intune. If the slider is set to Configuration Manager, the
device uses the policies and settings from Configuration Manager instead.
Compliance: Compliance is evaluated against the compliance policies that are
assigned to the device. The source of these policies and what information is in the
console depends on how the device is managed; Intune, Configuration Manager,
or co-management. For co-managed devices to report compliance, set the co-
management slider for Device Compliance to Intune or to Pilot Intune.
After compliance is reported to the admin center for a device, you can drill into the
device's details for more information. When a device isn't compliant, drill into its details
to see which policies aren't compliant. That information can help you investigate and
bring the device into compliance.
Last check-in: This field identifies the last time the device reported its status.
To view the report, select a device and then select Device configuration, which is found
below the Monitor category.
Devices that are managed by Configuration Manager don’t display policy details in the
report. To view additional information for these devices, use the Configuration Manager
console.
Remote actions display across the top of the device's Overview page. Actions that can't
display because of limited space on your screen are available by selecting the ellipsis on
the right side:
The remote actions that are available depend on how the device is managed:
Intune: All Intune remote actions that apply to the device platform are available.
Configuration Manager: You can use the following Configuration Manager actions:
Sync Machine Policy
Sync User Policy
App Evaluation Cycle
Co-management: You can access both Intune remote actions and Configuration
Manager actions.
Some of the Intune remote actions can help secure devices or safeguard data that might
be on the device. With remote actions you can:
Lock a device
Reset a device
Remove company data
Scan for malware outside of a scheduled run
Rotate BitLocker keys
The following Intune remote actions are of interest to the security admin, and are a
subset of the full list. Not all actions are available for all device platforms. The links go to
content that provides in-depth details for each action.
Synchronize device – Have the device immediately check in with Intune. When a
device checks in, it receives any pending actions or policies that have been
assigned to it.
Restart – Force a Windows 10/11 device to restart, within five minutes. The device
owner won't automatically be notified of the restart and might lose work.
Quick Scan – Have Defender run a quick scan of the device for malware and then
submit the results to Intune. A quick scan looks at common locations where there
could be malware registered, such as registry keys and known Windows startup
folders.
Full scan – Have Defender run a scan of the device for malware and then submit
the results to Intune. A full scan looks at common locations where there could be
malware registered, and also scans every file and folder on the device.
Update Windows Defender security intelligence – Have the device update its
malware definitions for Microsoft Defender Antivirus. This action doesn’t start a
scan.
BitLocker key rotation – Remotely rotate the BitLocker recovery key of a device that
runs Windows 10 version 1909 or later, or Windows 11.
You can also use Bulk Device Actions to manage some actions like Retire and Wipe for
multiple devices at the same time. Bulk actions are available from the All devices view.
You’ll select the platform, action, and then specify up to 100 devices.
Options you manage for devices don’t take effect until the device checks in with Intune.
Next steps
Manage endpoint security in Intune
Use security baselines to configure
Windows devices in Intune
Article • 05/24/2023
With Microsoft Intune's security baselines, you can rapidly deploy a recommended
security posture to your managed Windows devices to help you secure and protect your
users and devices.
Even though Windows and Windows Server are designed to be secure out-of-the-box,
many organizations still want more granular control over their security configurations.
To navigate the large number of controls, organizations often seek guidance on
configuring various security features. Microsoft provides this guidance in the form of
security baselines.
Each security baseline is a group of preconfigured Windows settings that help you apply
and enforce granular security settings that the relevant security teams recommend. You
can also customize each baseline you deploy to enforce only those settings and values
you require. When you create a security baseline profile in Intune, you're creating a
template that consists of multiple device configuration profiles.
The settings in each baseline are device configuration settings like those found in
various Intune policies. Each setting in a baseline works with the configuration service
provider for the relevant product that is present on a managed Windows device.
To learn more about why and when you might want to deploy security baselines, see
Windows security baselines in the Windows security documentation.
Note
In May 2023, Intune began rollout of a new security baseline format for each new
baseline release or version update. The new format updates the baseline settings to
directly take their name and configuration options from the configuration service
provider (CSP) that the baseline setting manages.
Intune also introduced a new process to help you migrate an existing security
baseline profile to the newer baseline version. This new behavior is a one-time
process that replaces the normal update behavior when you move from the most
recent version of an older profile to a newer version that became available in May
2023 or later.
You deploy security baselines to groups of users or devices in Intune, and the settings
apply to devices that run Windows 10 or 11. For example, the default configuration of
the MDM Security Baseline automatically enables BitLocker for removable drives,
automatically requires a password to unlock a device, automatically disables basic
authentication, and more. When a default value doesn't work for your environment,
customize the baseline to apply the settings you need.
Security baselines can help you to have an end-to-end secure workflow when working
with Microsoft 365. Some of the benefits include:
By default, each security baseline is configured to meet the best practices and
recommendations for the settings that affect security. Intune partners with the
same Windows security team that creates group policy security baselines. These
recommendations are based on guidance and extensive experience.
If you're new to Intune, and not sure where to start, security baselines give you an
advantage. You can quickly create and deploy a secure profile, knowing that you're
helping protect your organization's resources and data.
If you currently use group policy, migrating to Intune for management is easier
with these baselines. These baselines are natively built into Intune, and include a
modern management experience.
Separate baseline types, like the MDM security baseline for Windows and the baseline
for Microsoft Defender, might include the same settings and use different default values
for those settings. Intune can't determine which configuration is best for you, or even in
which environment or scenario you might want to use one baseline's default
recommendation over another:
It's important to understand the defaults in the baselines you use, and to then
modify each baseline to fit your organizational needs.
By default, each baseline is preconfigured using the recommendations that are
specific to the product it applies to.
In some cases, a configuration that Microsoft Defender recommends might not be
the default configuration for similar settings when recommended by Windows. In
such situations, it’s important to review each setting so you can understand its
intent based on the configuration service provider details, and larger scope of the
two products.
In almost all scenarios, the default settings in the security baselines are the most
restrictive. You should confirm that these settings don't conflict with other policy
settings or features in your environment.
For example, the default settings for firewall configuration might not merge connection
security rules and local policy rules with MDM rules. So, if you're using delivery
optimization, then you should validate these configurations before assigning the
security baseline.
Note
(To use this baseline your environment must meet the prerequisites for using
Microsoft Defender for Endpoint).
Version 6
Version 5
Version 4
Version 3
Note
The Microsoft Defender for Endpoint security baseline has been optimized for
physical devices and is currently not recommended for use on virtual
machines (VMs) or VDI endpoints. Certain baseline settings can impact
remote interactive sessions on virtualized environments. For more
information, see Increase compliance to the Microsoft Defender for
Endpoint security baseline in the Windows documentation.
When a new version for a profile becomes available, settings in profiles based on the
older versions become read-only. You can continue to use those older profiles. You can
also edit the profile names, description, and assignments, but they don't support a
change to their settings configuration and you can't create new profiles based on the
older versions.
When you're ready to use the more recent baseline version, you can create new profiles
or update your existing profiles to the new version. See Change the baseline version for
a profile in the Manage security baseline profiles article.
You can view the list of available baselines in the Microsoft Intune admin center,
under Endpoint security > Security baselines. The list includes:
You can choose to change the version of a baseline that's in use with a given profile.
When you change the version, you don't have to create a new baseline profile to take
advantage of updated versions. Instead you can select a baseline profile and use the
built-in option to change the instance version for that profile to a new one.
Avoid conflicts
You can use one or more of the available baselines in your Intune environment at the
same time. You can also use multiple instances of the same security baselines that have
different customizations.
When you use multiple security baselines, review the settings in each one to identify
when your different baseline configurations introduce conflicting values for the same
setting. Because you can deploy security baselines that are designed for different
intents, and deploy multiple instances of the same baseline that includes customized
settings, you might create configuration conflicts for devices that must be investigated
and resolved.
In addition, security baselines often manage the same settings you might set with device
configuration profiles or other types of policy. Therefore, remain aware of and consider
your other policies and profiles for settings when seeking to avoid or resolve conflicts.
Use the information at the following links to help identify and resolve conflicts:
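The conflict situation described in this section, as an added example that is not Intune's own code or a Microsoft tool: a small model of several policy sources (baseline instances and a device configuration profile) assigned to overlapping Azure AD groups, with a check for settings that receive more than one value on the same device. The profile names, group names, setting names and values are constructed sample data, not real CSP paths or a real export.

```python
"""Added example (not part of the Intune documentation): detect settings that
receive conflicting values from several policy sources targeting one device.
All names, groups and setting values below are constructed sample data."""
from collections import defaultdict

# Constructed sample: each policy source (a security baseline instance or a
# device configuration profile) carries setting -> value and the groups it is
# assigned to. Setting names are illustrative, not real CSP paths.
POLICIES = [
    {"name": "MDM Security Baseline (default)", "kind": "baseline",
     "assigned_to": {"All Windows Devices"},
     "settings": {"BitLocker/RemovableDrives": "Enabled",
                  "Firewall/MergeLocalPolicyRules": "Block",
                  "Defender/CloudProtectionLevel": "High"}},
    {"name": "Defender for Endpoint Baseline", "kind": "baseline",
     "assigned_to": {"Finance Laptops"},
     "settings": {"Defender/CloudProtectionLevel": "Zero tolerance",
                  "Firewall/MergeLocalPolicyRules": "Block"}},
    {"name": "Delivery Optimization profile", "kind": "device configuration",
     "assigned_to": {"Finance Laptops"},
     "settings": {"Firewall/MergeLocalPolicyRules": "Allow"}},
]

# Constructed sample: device -> the Azure AD groups it belongs to.
DEVICE_GROUPS = {
    "FIN-LT-001": {"All Windows Devices", "Finance Laptops"},
    "HR-LT-002": {"All Windows Devices"},
}


def policies_for_device(device, policies=POLICIES, device_groups=DEVICE_GROUPS):
    """Return the policies whose assignment intersects the device's groups."""
    groups = device_groups[device]
    return [p for p in policies if p["assigned_to"] & groups]


def find_conflicts(device, policies=POLICIES, device_groups=DEVICE_GROUPS):
    """Map each setting that gets more than one distinct value on this device
    to the list of (policy name, value) pairs that contribute to it.
    Two sources that agree on a value are not a conflict."""
    values = defaultdict(list)
    for policy in policies_for_device(device, policies, device_groups):
        for setting, value in policy["settings"].items():
            values[setting].append((policy["name"], value))
    return {setting: pairs for setting, pairs in values.items()
            if len({value for _, value in pairs}) > 1}


if __name__ == "__main__":
    for device in DEVICE_GROUPS:
        conflicts = find_conflicts(device)
        print(f"{device}: {len(conflicts)} conflicting setting(s)")
        for setting, pairs in conflicts.items():
            for name, value in pairs:
                print(f"  {setting}: {name} -> {value}")
```

The device in both groups shows the firewall rule-merge and cloud protection settings as conflicts, while the device that only receives the default baseline shows none.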
Q&A
Many customers use the Intune baseline recommendations as a starting point, and then
customize them to meet their IT and security demands. Microsoft's Windows 10 and
later baseline template was the first baseline to release. This baseline is built as a generic
infrastructure that allows customers to eventually import other security baselines based
on CIS, NIST, and other standards.
Migrating from on-premises Active Directory group policies to a pure cloud solution
using Azure Active Directory (AD) with Microsoft Intune is a journey. To help, use the
various tools from the Security Compliance Toolkit that can help you identify cloud-
based options from security baselines that can replace your on-premises GPO
configurations.
Within the Intune security baseline policy UI, Intune provides information text that is
taken from the source CSP and provides a link to that CSP. In some cases, the CSP might
be part of a larger content set that includes proactive guidance that remains beyond the
scope of Intune to include or duplicate in our content. However, Intune does document
the list of settings in each security baseline version and its default configuration.
Next steps
Create security baseline profiles
Create and deploy distinct instances of security baseline profiles to help secure and
protect your users and devices. By default, security baselines are preconfigured groups
of Windows settings that represent the relevant security teams' recommended security
posture. You can deploy a default (unmodified) baseline or create a customized profile
instance to configure devices with the settings that you require for your environment.
When you create a security baseline profile in Intune, you're creating a template that
consists of multiple device configuration settings.
When multiple versions for a security baseline exist, only the most recent version can be
used to create a new instance of that baseline. If you have profile instances of older
versions, you can continue to use them, and change the groups they're assigned to.
However, outdated versions don't support edits to their setting configurations. Instead,
create new baselines that use the latest version, or update your older baselines to that
version if you need to introduce new configurations for settings.
We recommend updating your older baseline versions to the latest version as soon as
it's practical to do so. Each new version can include newer settings that aren't available
in the older versions, retire old settings, and might include updates to the default
configurations for some settings that align to new security recommendations for the
applicable product.
Create a profile – Configure the settings you want to use and assign the baseline
to groups.
Change the profile version – Change the baseline version in use by a profile.
Remove a baseline assignment - Learn what happens when you stop managing
settings with a security baseline.
Prerequisites
To manage baselines in Intune, your account must have the Policy and Profile
Manager built-in role.
Use of some baselines might require you to have an active subscription to the
applicable services, like Microsoft Defender for Endpoint.
2. Select Endpoint security > Security baselines to view the list of available baselines.
3. Select the baseline you'd like to use, and then select Create profile.
Name: Enter a name for your security baseline profile. For example, enter
Standard profile for Defender for Endpoint.
Description: Enter some text that describes what this baseline does. The
description is for you to enter any text you want. It's optional, but
recommended.
Select Next to go to the next tab. After you advance to a new tab, you can select
the tab name to return to a previously viewed tab.
5. On the Configuration settings tab, view the groups of Settings that are available in
the baseline you selected. You can expand a group to view the settings in that
group, and the default values for those settings in the baseline. To find specific
settings:
6. On the Scope tags tab, select Select scope tags to open the Select tags pane to
assign scope tags to the profile.
7. On the Assignments tab, select Select groups to include and then assign the
baseline to one or more groups. Use Select groups to exclude to fine-tune the
assignment.
Note
As soon as you create the profile, it's pushed to the assigned group and might
apply immediately.
Tip
If you save a profile without first assigning it to groups, you can later edit the
profile to do so.
9. After you create a profile, edit it by going to Endpoint security > Security
baselines, select the baseline type that you configured, and then select Profiles.
Select the profile from the list of available profiles, and then select Properties. You
can edit settings from all the available configuration tabs, and select Review +
save to commit your changes.
Note
In May 2023, Intune began rollout of a new security baseline format for each new
baseline release or update. Intune also introduced a new update process for
migrating an existing security baseline profile to a newly released security baseline.
This new behavior replaces existing behavior when moving to a baseline version
released in May 2023 or later.
The previous behavior remains available for use when updating baselines that have
not yet received a new version that uses the new format. For guidance, see Update
baselines that use the previous format.
After May 2023, when a new version for a baseline is released, plan to update your
existing profiles to the new version. When moving from an older format to the new
baseline format (from a version released prior to May 2023 to one released in May 2023
or later):
All new profiles for the baseline type, like Microsoft Edge, use the new format.
Creating a new baseline that uses an older baseline version isn't supported.
Baseline versions released before May 2023 don’t upgrade to the new format
released in May 2023 and later. Instead, create a new profile that uses the new
format and configure the settings from the old baseline in that new baseline
format. This recreation of the profile is a one-time process that is required to move
a baseline from the old format to the new baseline format.
To assist you in this process Intune can export the old profile to a CSV format that
identifies each setting based on the name of the setting as it appears in the new
profile version, along with its configuration.
After creating a new baseline that can replace your older baseline format and
version, the older profile remains unchanged, and you can continue to use it. You
can continue to deploy, reassign, and edit the settings in the older baseline format.
Tip
Each setting from the older baseline is identified by using the name of the setting
as it appears in the new baseline. While the name of the setting isn't presented
verbatim in the .csv, you will find the path for the setting, which contains part of
the setting name in it.
How each setting in the older baseline was configured.
If the configuration of a setting from the old baseline matches the default
configuration from the new baseline.
With the information from the export, you can rapidly reconfigure the new baseline to
use the same values as the older baseline instance.
1. Sign in to the Microsoft Intune admin center, and go to Endpoint security >
Security baselines > select the baseline type, and then select the checkbox for the
baseline profile (instance) that you want to replicate in the new baseline format,
and then select Change Version. Intune displays the Change Version pane.
In the following screenshot, we’ve drilled into the Security Baseline for Microsoft
Edge. We have two profiles at this time. One is a new profile for Microsoft Edge
v112, and the other is an older profile from September 2020. The older profile also
displays an arrow icon to indicate that there's a newer version to replace it.
2. On the Change Version pane, there are instructions for moving the configuration
details from the older baseline to a profile that uses the new format. The pane also
identifies the selected baseline's name and version, and what the latest baseline
version is.
a. Select Export Profile Settings to create a .csv file that lists the settings in the
selected baseline along with their current configurations if they aren't set to the
baseline's default. When you select the option to export the baseline details,
Intune prepares the export, and then requires you to agree to continue. Select
Yes to download the .CSV file export.
b. After the file downloads, you can open it to view the older baseline's current
configuration.
The Change Version pane also includes a button to Create a new profile for the
selected baseline, which has the same function as the Create profile option that is
more commonly used to create new baseline instances.
The following screen capture shows an export for the Microsoft Edge profile
version 85, as viewed in Microsoft Excel. Of the Microsoft Edge baseline's 17
settings found in the older profile, only one has been changed from the baseline's
default: Enable site isolation for every site was set to Disabled. The baseline
default was Enabled:
In the preceding image, there are three columns of information. The information
identifies the settings in the new profile, and the configuration for each of them
that you had in the old profile.
defaultJson – This column identifies the default configuration for this setting
as seen in the new baseline format. Our sample setting for the SitePerProcess
CSP is set to enabled by default.
You might note that the updated Microsoft Edge baseline profile has more than
the 17 settings found in the older profile. The baseline export doesn’t identify
these new settings, as they weren't available in the older baseline version you're
reviewing.
Later, when you create and configure the new profile, you can use the list from the
CSV export to ensure each setting from the previous profile is set in the new
profile with the same configuration.
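A way to work through the export without reading it row by row, as an added example that is not Microsoft's code: parse the .csv and list only the settings whose old-profile configuration differs from the new baseline's default, plus a lookup by partial name since the export shows the setting path rather than the display name. Only the defaultJson column name comes from the documentation; the settingPath and configuredJson column names, the JSON value encoding and the sample rows are assumptions.

```python
"""Added example (not Microsoft's code): read a baseline Change Version export
and list the settings that must be set by hand in the new profile. The
settingPath and configuredJson column names and all sample rows are assumed;
only defaultJson is named in the documentation."""
import csv
import io
import json

# Constructed sample export (not a real Intune file). Values are written as
# JSON strings because the documentation calls the default column defaultJson.
# An empty configuredJson means the old profile left the setting at default.
SAMPLE_EXPORT = '''\
settingPath,defaultJson,configuredJson
Microsoft Edge/SitePerProcess,"""enabled""","""disabled"""
Microsoft Edge/SSLErrorOverrideAllowed,"""disabled""","""disabled"""
Microsoft Edge/SmartScreenEnabled,"""enabled""",
Microsoft Edge/PreventSmartScreenPromptOverride,"""enabled""","""enabled"""
'''


def _decode(raw):
    """Decode a JSON-encoded cell; fall back to the raw text if it isn't JSON."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw.strip()


def load_export(text):
    """Parse the export into dicts of path, default and configured value."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        default = _decode(row["defaultJson"])
        configured_raw = row.get("configuredJson") or ""
        configured = default if configured_raw == "" else _decode(configured_raw)
        rows.append({"path": row["settingPath"], "default": default,
                     "configured": configured})
    return rows


def settings_to_reconfigure(text):
    """Map each setting path whose old configuration differs from the new
    baseline default to a (default, configured) pair."""
    return {r["path"]: (r["default"], r["configured"])
            for r in load_export(text) if r["configured"] != r["default"]}


def find_setting(rows, fragment):
    """Locate rows whose path contains the fragment (case-insensitive), since
    the export shows the setting path rather than the display name."""
    fragment = fragment.lower()
    return [r for r in rows if fragment in r["path"].lower()]


if __name__ == "__main__":
    for path, (default, configured) in settings_to_reconfigure(SAMPLE_EXPORT).items():
        print(f"{path}: default={default!r}, old profile={configured!r}")
```

On the sample export only the SitePerProcess setting is reported, matching the case the text describes.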
Note
In May 2023, Intune began rollout of a new security baseline format for each new
baseline release or update. Intune also introduced a new update process for
migrating an existing security baseline profile to a newly released security baseline.
This new behavior replaces existing behavior when moving to a baseline version
released in May 2023 or later.
The following guidance is for use when updating a baseline to a newer version that
was released before May 2023. If you’re updating a baseline to a version that was
released in May 2023 or later, see Update a profile to the latest version.
When a new version for a baseline becomes available, plan to update your existing
profiles to the new version:
We recommend you test the version update on a copy of your existing profiles before
you update your live profiles.
You select the latest instance of the same baseline. You can't change between two
different baseline types, such as changing a profile from using a baseline for
Defender for Endpoint to using the MDM security baseline.
You can export and download a CSV file that lists the changes between the two
baseline versions involved.
You don't have the option to change only some settings in a profile during the
update.
During conversion:
New settings that weren't in the older version you were using are added. Any new
settings from the new version use their default values.
Settings that aren't in the new baseline version you select are removed and no
longer enforced by this security baseline profile.
When you create a copy, group assignments aren't included, which means your
baseline copy won't deploy to any devices at the time you make a copy or at the
time you update it to a new version.
After you update the profile to the latest version, you can edit its settings. You can
assign the updated copy to a group of devices and edit it to introduce changes to
individual settings in the profile.
2. Select Endpoint security > Security baselines, and then select the tile for the
baseline type that has the profile you want to change.
3. Next, select Profiles, and then select the check box for the profile you want to edit,
and then select Change Version.
4. On the Change Version pane, use the Select a security baseline to update to
dropdown, and select the version instance you want to use.
5. Select Review update to download a CSV file that displays the difference between
the profile's current instance version and the new version you've selected. Review
this file so that you understand which settings are new or removed, and what the
default values for these settings are in the updated profile.
6. Choose one of the two options for Select a method to update the profile:
Other processes that might later change settings on the device include a different or
new security baseline, device configuration profile, Group Policy configurations, or
manual edit of the setting on the device.
When you create a duplicate, give the copy a new name. The copy is made with the
same setting configurations and scope tags as the original, but doesn't have any
assignments. You must edit the new baseline to add assignments.
After you duplicate a baseline, review and edit the new instance to make changes to its
configuration.
To duplicate a baseline
1. Sign in to the Microsoft Intune admin center.
2. Go to Endpoint security > Security baselines, select the type of baseline you want
to duplicate, and then select Profiles.
3. Right-click on the profile you want to duplicate and select Duplicate, or select the
ellipsis (…) to the right of the baseline and select Duplicate.
4. Provide a New name for the baseline, and then select Save.
After a Refresh, the new baseline profile appears in the admin center.
To edit a baseline
1. Select the baseline, and then select Properties.
2. From this view you can select Edit for the following categories to modify the
profile:
Basics
Assignments
Scope tags
Configuration settings
You can Edit a profile's Configuration settings only when that profile uses the latest
version of that security baseline. For profiles that use older versions, you can
expand Settings to view the configuration of settings in the profile, but you can't
modify them. After a profile is updated to the most recent baseline version, you'll
be able to edit the profile's settings.
3. After you've made changes, select Save to save your edits. You must save edits to
one category before you can introduce edits to additional categories.
When there are no longer any profiles that use an older baseline listed in your tenant,
Microsoft Intune lists the latest baseline version available.
If you have a profile associated with an older baseline, that older baseline continues to
be listed.
Co-managed devices
Security baselines on Intune-managed devices are similar to co-managed devices with
Configuration Manager. Co-managed devices use Configuration Manager and Microsoft
Intune to manage the Windows 10/11 devices simultaneously. It lets you cloud-attach
your existing Configuration Manager investment to the benefits of Intune. Co-
management overview is a great resource if you use Configuration Manager, and also
want the benefits of the cloud.
When using co-managed devices, you must switch the Device configuration workload
(its settings) to Intune. Device configuration workloads provides more information.
Next steps
Check the status and monitor the baseline and profile
Monitor a security baseline, and any devices that match (or don't match) the
recommended values.
Monitor the security baselines profile that applies to your users and devices.
View how the settings from a selected profile are set on a selected device.
You can also view the Device configuration report to see which device configuration
based policies apply to individual devices, which include security baselines.
For more information about the feature, see Security baselines in Intune.
The Overview pane displays two status views for the selected baseline:
Security baseline posture chart - This chart displays high-level details about device
status for the baseline version. The available details:
Matches default baseline – This status identifies when a device's configuration
matches the default (unmodified) baseline configuration.
Matches custom settings – This status identifies when a device's configuration
matches the customized version of the baseline that you've deployed.
Misconfigured – This status is a roll-up that represents three status conditions
from a device: Error, Pending, or Conflict. These separate states are available
from other views, like the Security baseline posture by category, a list view that
appears below this chart.
Not applicable - This status represents a device that can’t receive the policy. For
example, the policy updates a setting specific to the latest version of Windows,
but the device runs an older (earlier) version that doesn’t support that setting.
Security baseline posture by category - A list view that displays device status by
category. In this list view, the same details as the Security baseline posture chart are
available. However, in place of Misconfigured you’ll see three columns for the status
states that make up Misconfigured:
Error: The policy failed to apply. The message typically displays with an error
code that links to an explanation.
Conflict: Two settings are applied to the same device, and Intune can't sort out
the conflict. An administrator should review.
Pending: The device hasn't checked in with Intune to receive the policy yet.
When you drill in to the two preceding views, you can view the following details for the
setting status and the device status list views:
From the Version view, you can select Device Status. The Device Status view displays a
list of the devices that receive this baseline and includes the following details:
USER PRINCIPAL NAME - The user profile associated with the baseline on the
device.
SECURITY BASELINE POSTURE - This column displays the device's state:
Succeeded: Policy is applied.
Error: The policy failed to apply. The message typically displays with an error
code that links to an explanation.
Conflict: Two settings are applied to the same device, and Intune can't sort out
the conflict. An administrator should review.
Pending: The device hasn't checked in with Intune to receive the policy yet.
Not applicable: The device can't receive the policy. For example, the policy
updates a setting specific to the latest version of Windows, but the device runs
an older (earlier) version that doesn't support that setting.
LAST CHECK-IN - When status was last received from the device.
Tip
It takes up to 24 hours for data to appear after you first assign a baseline. Later
changes take up to six hours to appear.
1. In Intune, select Endpoint security > Security baselines, select a security baseline
type like the MDM Security Baseline > select an instance of that baseline >
Properties.
2. In the Properties of the baseline, expand Settings to drill-in and view all the
settings categories and individual settings in the baseline, including their
configuration for this instance of the baseline.
3. Use the options for Monitor to view the deployment status of the profile on
individual devices, the status for each user, and the status for the settings from the
instance of the baseline:
You can also reach information about settings in conflict or error through two paths
from within Microsoft Intune admin center:
Endpoint security > Security baselines > select a baseline type > Profiles > select a
baseline instance > Device status
Devices > All devices > select a device > Device configuration > select a Policy >
select a setting from the list of settings that shows a Conflict or Error.
When you drill-in, Intune displays a list of settings for that policy that includes each
setting that wasn’t set as Not configured, and the status of that setting.
2. To view details about a specific setting, select it to open the Settings details pane.
In this pane you’ll see:
3. To reconfigure conflicting profiles, select a record from the Source Profile list to
open Overview for that profile. Select the profiles Properties and you can then
review and edit settings in that profile to remove the conflict.
View settings from profiles that apply to a device
You can select a profile for a Security Baseline, and drill in to view a list of settings from
that profile as they apply to an individual device. To drill in:
Endpoint Security > All devices > select a device > Device configuration > select a
baseline policy instance
After you drill in, the admin center displays a list of the settings from that profile and the
settings status. Status states include:
Succeeded – The setting on the device matches the value as configured in the
profile. This is either the baseline's default and recommended value, or a custom
value specified by an administrator when the profile was configured.
Conflict – The setting is in conflict with another policy, has an error, or is pending
an update.
Error - The setting failed to apply.
1. In Intune, select Endpoint security > Security Baselines > select a baseline >
Profiles.
3. The table shows all the settings, and the status of each setting. Select the Error
column or the Conflict column to see the setting causing the error.
On Windows 10/11 devices, there's a built-in MDM diagnostic information report. This
report includes default values, current values, lists the policy, shows if it's deployed to
the device or the user, and more. Use this report to help determine why the setting is
causing a conflict or error.
4. In the report, look for the error or conflict setting in the different sections of the
report.
For example, look in the Enrolled configuration sources and target resources section or
the Unmanaged policies section. You may get an idea of why it's causing an error or
conflict.
Tip
Some settings also list the GUID. You can search for this GUID in the local
registry (regedit) for any set values.
The Event Viewer logs may also include some error information on the
problematic setting (Event Viewer > Applications and Services Logs >
Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin).
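The three local checks the Tip describes, gathered with one script. This is an added example, not part of the Intune article; it assumes an elevated PowerShell session on the affected Windows 10/11 device, and the registry search root HKLM:\SOFTWARE\Microsoft\PolicyManager is my assumption (the article only says to search the local registry). The GUID at the bottom is a placeholder.

```powershell
# Added example (not from the Intune documentation). Collects, for a setting that
# shows Conflict or Error, the evidence the Tip above points at:
#   1. the built-in MDM diagnostic report (mdmdiagnosticstool.exe),
#   2. registry keys and values that contain the setting's GUID,
#   3. recent Error/Warning events from the DeviceManagement-Enterprise-Diagnostics-Provider log.
# Assumptions: elevated PowerShell on the device itself; the registry search root
# below is an assumption, not something the article states.

function Export-MdmDiagnosticReport {
    param([string] $OutputFolder = (Join-Path $env:TEMP 'MdmDiag'))
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    # Writes MDMDiagReport.html into the folder; that file is the report the
    # article asks you to read (Enrolled configuration sources, Unmanaged policies, ...).
    & "$env:SystemRoot\System32\mdmdiagnosticstool.exe" -out $OutputFolder | Out-Null
    return (Join-Path $OutputFolder 'MDMDiagReport.html')
}

function Find-RegistryValuesByGuid {
    param(
        [Parameter(Mandatory)] [string] $Guid,
        [string] $Root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'   # assumption
    )
    $rootKey = Get-Item -Path $Root -ErrorAction SilentlyContinue
    $keys = @($rootKey) + @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if ($null -eq $key) { continue }
        # Match the GUID in the key path itself ...
        if ($key.Name -like "*$Guid*") {
            [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
        }
        # ... and in any value name or value data stored under the key.
        foreach ($name in $key.GetValueNames()) {
            $data = [string] $key.GetValue($name)
            if ($name -like "*$Guid*" -or $data -like "*$Guid*") {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}

function Get-MdmPolicyErrorEvents {
    param([int] $Hours = 24)
    # Same channel as Event Viewer > Applications and Services Logs > Microsoft >
    # Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Level     = 2, 3                      # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage. Placeholder GUID: take the real one from the setting's details pane.
$SettingGuid = '00000000-0000-0000-0000-000000000000'
$report = Export-MdmDiagnosticReport
Write-Host "MDM diagnostic report written to: $report"
Find-RegistryValuesByGuid -Guid $SettingGuid | Format-Table -AutoSize
Get-MdmPolicyErrorEvents -Hours 48 | Format-Table -AutoSize -Wrap
```

Open the HTML report in a browser and search it for the same GUID to see which enrollment source delivered the value that conflicts.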
Next steps
Learn about security baselines
Avoid conflicts
When you integrate Intune with Microsoft Defender for Endpoint, you can take
advantage of Defender for Endpoint's threat and vulnerability management and use
Intune to remediate endpoint weaknesses identified by Defender's vulnerability
management capability. This integration brings a risk-based approach to the discovery
and prioritization of vulnerabilities that can improve remediation response time across
your environment.
In the Microsoft Defender Security Center console, Defender for Endpoint security
admins review data about endpoint vulnerabilities. The admins then use a few clicks to
create security tasks that flag the vulnerable devices for remediation. The security tasks
are immediately passed to the Microsoft Intune admin center where Intune admins can
view them. The security task identifies the type of vulnerability, priority, status, and the
steps to take to remediate the vulnerability. The Intune admin chooses to accept or
reject the task.
When a task is accepted, the Intune admin then acts to remediate the vulnerability
through Intune, using the guidance provided as part of the security task.
For configuration issues, when there isn’t a plausible remediation that Intune can
provide, then Microsoft Defender for Endpoint won’t create a security task for it.
Following is an example workflow for an application. This same general workflow applies
for configuration issues:
A Microsoft Defender for Endpoint scan identifies a vulnerability for an app named
Contoso Media Player v4, and an admin creates a security task to update that app.
The Contoso Media Player is an unmanaged app that wasn't deployed with
Intune.
This security task appears in the Microsoft Intune admin center with a status of
Pending:
The Intune admin selects the security task to view details about the task. The
admin then selects Accept, which updates the status in Intune, and in Defender for
Endpoint to be Accepted.
The admin then remediates the task based on the guidance provided. The
guidance varies depending on the type of remediation that's needed. When
available, remediation guidance includes links that open relevant panes for
configurations in Intune.
Because the media player in this example isn't a managed app, Intune can only
provide text instructions. If the app was managed, Intune could provide
instructions to download an updated version, and provide a link to open the
deployment for the app so that the updated files can be added to the deployment.
After completing the remediation, the Intune admin opens the security task and
selects Complete Task. The remediation status is updated for Intune and in
Defender for Endpoint, where security admins confirm the revised status for the
vulnerability.
Prerequisites
Subscriptions:
Deploy a device configuration policy with a profile type of Microsoft Defender for
Endpoint (desktop devices running Windows 10 or later) to devices that will have
risk assessed by Defender for Endpoint.
For information about how to set up Intune to work with Defender for Endpoint,
see Enforce compliance for Microsoft Defender for Endpoint with Conditional
Access in Intune.
3. Select a task from the list to open a resource window that displays more details for
that security task.
While viewing the security task resource window, you can select additional links:
MANAGED APPS - View the app that is vulnerable. When the vulnerability
applies to multiple apps, you'll see a filtered list of apps.
DEVICES - View a list of the Vulnerable devices, from which you can link
through to an entry with more details for the vulnerability on that device.
REQUESTOR - Use the link to send mail to the admin who submitted this
security task.
NOTES - Read custom messages submitted by the requestor when opening
the security task.
4. Select Accept or Reject to send notification to Defender for Endpoint for your
planned action. When you accept or reject a task, you can submit notes, which are
sent to Defender for Endpoint.
5. After accepting a task, reopen the security task (if it closed), and follow the
REMEDIATION details to remediate the vulnerability. The instructions provided by
Defender for Endpoint in the security task details vary depending on the
vulnerability involved.
When it's possible to do so, the remediation instructions include links that open
the relevant configuration objects in the Microsoft Intune admin center.
6. After completing the remediation steps, open the security task and select
Complete Task. This action updates the security task status in both Intune and
Defender for Endpoint.
After remediation is successful, the risk exposure score in Defender for Endpoint can
drop, based on new information from the remediated devices.
Next Steps
Learn more about Intune and Microsoft Defender for Endpoint.
Review the Threat & Vulnerability Management dashboard in Microsoft Defender for
Endpoint.
Manage device security with endpoint security policies in Microsoft Intune
Article • 06/19/2023
Use Intune endpoint security policies to manage security settings on devices. Each
endpoint security policy supports one or more profiles. These profiles are similar in
concept to a device configuration policy template, a logical group of related settings.
As a security admin concerned with device security, you can use these security-focused
profiles to avoid the overhead of device configuration profiles or security baselines.
Device configuration profiles and baselines include a large body of diverse settings
outside the scope of securing endpoints. In contrast, each endpoint security profile
focuses on a specific subset of device settings intended to configure one aspect of
device security.
When using endpoint security policies alongside other policy types like security
baselines or endpoint protection templates from device configuration policies, it's
important to develop a plan for using multiple policy types to minimize the risk of
conflicting settings. Security baselines, device configuration policies, and endpoint
security policies are all treated as equal sources of device configuration settings by
Intune. A settings conflict occurs when a device receives two different configurations for
a setting from multiple sources. Multiple sources can include separate policy types and
multiple instances of the same policy.
When Intune evaluates policy for a device and identifies conflicting configurations for a
setting, the setting that's involved can be flagged for an error or conflict and fail to
apply. Each type of configuration policy supports identifying and resolving conflicts
should they arise:
You'll find endpoint security policies under Manage in the Endpoint security node of the
Microsoft Intune admin center.
Following are brief descriptions of each endpoint security policy type. To learn more
about them, including the available profiles for each, follow the links to content
dedicated to each policy type:
Account protection - Account protection policies help you protect the identity and
accounts of your users. The account protection policy is focused on settings for
Windows Hello and Credential Guard, which is part of Windows identity and access
management.
Antivirus - Antivirus policies help security admins focus on managing the discrete
group of antivirus settings for managed devices.
Application Control (Preview) - Manage approved apps for Windows devices with
Application Control policy and Managed Installers for Microsoft Intune. Intune
Application Control policies are an implementation of Windows Defender
Application Control (WDAC).
Disk encryption - Endpoint security Disk encryption profiles focus on only the
settings that are relevant for a device's built-in encryption method, like FileVault or
BitLocker. This focus makes it easy for security admins to manage disk encryption
settings without having to navigate a host of unrelated settings.
Endpoint detection and response - When you integrate Microsoft Defender for
Endpoint with Intune, use the endpoint security policies for endpoint detection and
response (EDR) to manage the EDR settings and onboard devices to Microsoft
Defender for Endpoint.
Firewall - Use the endpoint security Firewall policy in Intune to configure a device's
built-in firewall for devices that run macOS and Windows 10/11.
2. Select Endpoint security and then select the type of policy you want to configure,
and then select Create Policy. Choose from the following policy types:
Account protection
Antivirus
Application control (Preview)
Attack surface reduction
Disk encryption
Endpoint detection and response
Firewall
Platform: Choose the platform that you're creating policy for. The available
options depend on the policy type you select.
Profile: Choose from the available profiles for the platform you selected. For
information about the profiles, see the dedicated section in this article for
your chosen policy type.
4. Select Create.
5. On the Basics page, enter a name and description for the profile, then choose
Next.
6. On the Configuration settings page, expand each group of settings, and configure
the settings you want to manage with this profile.
7. On the Scope tags page, choose Select scope tags to open the Select tags pane to
assign scope tags to the profile.
Select Next.
9. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.
Duplicate a policy
Endpoint security policies support duplication to create a copy of the original policy. A
scenario when duplicating a policy is useful, is if you need to assign similar policies to
different groups but don't want to manually recreate the entire policy. Instead, you can
duplicate the original policy and then introduce only the changes the new policy
requires. You might only change a specific setting and the group the policy is assigned
to.
When creating a duplicate, you'll give the copy a new name. The copy is made with the
same setting configurations and scope tags as the original, but won't have any
assignments. You'll need to edit the new policy later to create assignments.
Account protection
Application Control (preview)
Antivirus
Attack surface reduction
Disk encryption
Endpoint detection and response
Firewall
After creating the new policy, review and edit the policy to make changes to its
configuration.
To duplicate a policy
1. Sign in to the Microsoft Intune admin center.
2. Select the policy that you want to copy. Next, select Duplicate or select the ellipsis
(…) to the right of the policy and select Duplicate.
3. Provide a New name for the policy, and then select Save.
To edit a policy
1. Select the new policy, and then select Properties.
2. Select Settings to expand a list of the configuration settings in the policy. You can’t
modify the settings from this view, but you can review how they're configured.
3. To modify the policy, select Edit for each category where you want to make a
change:
Basics
Assignments
Scope tags
Configuration settings
4. After you’ve made changes, select Save to save your edits. Edits to one category
must be saved before you can introduce edits to additional categories.
Manage conflicts
Many of the device settings that you can manage with Endpoint security policies
(security policies) are also available through other policy types in Intune. These other
policy types include device configuration policy and security baselines. Because settings
can be managed through several different policy types or by multiple instances of the
same policy type, be prepared to identify and resolve policy conflicts for devices that
don't adhere to the configurations you expect.
Security baselines can set a non-default value for a setting to comply with the
recommended configuration that baseline addresses.
Other policy types, including the endpoint security policies, set a value of Not
configured by default. These other policy types require you to explicitly configure
settings in the policy.
Regardless of the policy method, managing the same setting on the same device
through multiple policy types, or through multiple instances of the same policy type can
result in conflicts that should be avoided.
The information at the following links can help you identify and resolve conflicts:
Next steps
Manage endpoint security in Intune
Use reusable groups of settings with Intune policies
Article • 04/12/2023
Intune supports reusable settings groups that you can add to configuration policies and
profiles to help simplify management of common settings. A good time to use reusable
groups is when you need to use the settings with the same configuration in more than a
single profile.
When you edit the settings in a reusable group, the changes you make automatically
apply to each profile that includes the group. When you save your changes to the
reusable settings group, Intune updates the profiles with those new configurations and
deploys the updated profile to devices based on the profile’s assignments.
To manage groups of reusable settings, in the Microsoft Intune admin center you use
the Reusable settings tab that’s associated with the policy and profiles you want to use a
group with. On the tab, you can create a group, edit the settings in a group, and view
the count of policies that inherit settings from each group. Each reusable settings group
is used with only its related profile type.
For example, the following image shows the Reusable settings tab you would use to
manage reusable groups for the Microsoft Defender Firewall Rules profile:
After creating reusable groups, you use an option in a profile's Configuration settings
page to add groups to that profile. Profiles that include one or more reusable groups
use each setting from each included group as if the settings were directly configured in
the profile.
Prerequisites
The following profiles support use of reusable settings groups:
Device Control
Microsoft Defender Firewall rules
Note
Reusable settings groups are not currently supported for use with Security
Management for Microsoft Defender for Endpoint.
1. Open the Microsoft Intune admin center, navigate to the policy for which you
want to create a reusable group and then select the Reusable settings (preview)
tab.
4. On the Configuration settings page, select Add and then configure settings for this
group as if configuring settings directly in the supported profile.
For Device Control, when you select Add you then must choose the type of group
settings to configure, and then select Edit instance to continue. If you add more
than one instance, review the Match type configuration for the group.
There's a limit of 100 instances per group. Use the information text in the admin
center for each setting in the reusable settings group as guidance. Follow the Learn
more link for a setting to view details about the setting from that settings content
source.
Tip
Carefully name each reusable group you create to ensure you can identify it
later. This is important because each reusable group that you create, for any
policy type, is visible when adding reusable groups to a policy, even if the
group contains settings that would not normally apply to the policy you’re
configuring. For example, if you have a reusable group created for Microsoft
Defender Firewall rules, that group will be visible and can be selected when
adding reusable groups to Device Control policies.
5. On the Review + Add page, select Add to save your reusable settings group.
1. Open the Microsoft Intune admin center, navigate to the policy for which you
want to create a reusable group and then select the Reusable settings (preview)
tab.
2. Select the reusable settings group you want to edit. This opens the configuration
workflow that resembles the workflow for creating a new reusable group.
3. On the Basics page you can rename the group, and on the Configuration settings
page you can reconfigure settings. On the last page, select Save to save your
configuration and update the profiles that use the settings group.
1. In the Microsoft Intune admin center, create a new profile or select and edit an
existing profile.
2. On the Configuration settings page, select Add to add a new rule, or Edit rule to
manage a previously created rule.
3. On the Configure instance pane for the rule, configure Action to determine how
this rule manages settings like IP Addresses or FQDNs. For example, you might set
Action to allow or block. This configuration applies to both the settings you add
directly to this rule and to the settings that are in each reusable group that is
added to this rule.
4. For the rule you saved, select Set reusable settings to open the Select reusable
settings pane.
5. Select one or more of the available groups to add them to this rule, and then save
your selections.
6. After adding reusable groups to a profile, save your configuration. When saved,
Intune includes the settings from the reusable groups and deploys the profile to
devices based on the profile’s assignments.
Printer device
Removable storage
On the profile's Configuration settings page, use an option that supports adding one or
more previously created groups.
1. In the Microsoft Intune admin center, create a new profile or select and edit an
existing profile.
2. On the Configuration settings page, expand the Device Control category and select
Add to add a new rule, or Edit Entry to manage a previously created rule.
3. On the Configure Entry pane, give the entry a Name, and then configure the
following and then select OK to save the rule:
Type: Defines the action for the removable storage groups. When there are
conflicts for Type for the same media, the first type that’s defined in the
policy is applied.
Options: Defines whether to display a notification to the device user. The
options available depend on the Type that is selected.
Access mask: Choose one or more from Read, Write, Execute.
Sid: A local user SID, a user group SID, or the SID of the AD object. Defines
whether to apply this policy to a specific user or user group. One entry can
have at most one Sid, and an entry without a Sid applies the policy to the
machine.
Computer Sid: A local computer SID, a computer group SID, or the SID of the
AD object. Defines whether to apply this policy to a specific machine or
machine group. One entry can have at most one ComputerSid, and an entry
without a ComputerSid applies the policy to the machine.
If you want to apply an entry to a specific user and a specific machine, add
both Sid and ComputerSid to the same entry.
For more information about these options, see the following articles in the
Microsoft Defender for Endpoint documentation:
4. For the rule you saved, select Set reusable settings for Included ID and Excluded ID
to meet your needs. Both selections open a Select reusable settings pane.
5. Select one or more of the available groups to add them to this rule, and then save
your selections.
The following shows a configuration with only one group selected for Excluded ID:
6. After adding reusable groups to a profile, complete the policy configuration. When
saved, Intune includes the settings from the reusable groups and deploys the
profile to devices based on the profile’s assignments. A maximum of 100 reusable
groups can be added per profile.
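A model of how the Entry fields from step 3 above scope a rule, and of the article's statement that when entries of different Type cover the same media, the first one defined in the policy applies. This is an added example, not code from the Intune or Defender documentation; the Type names Allow and Deny, the NoMatch result, and every SID are constructed, and all entries are assumed to target the same media (Included ID / Excluded ID matching is not modelled).

```powershell
# Added example (not from the Intune article). Evaluates Device Control entries
# the way the article describes them:
#   - Sid absent         -> entry applies to every user on the machine
#   - Sid present        -> only that user SID or a group SID the user holds
#   - ComputerSid absent -> any machine; present -> that machine or machine group
#   - conflicting Type for the same media -> the first entry defined wins
# Type values 'Allow'/'Deny', the 'NoMatch' result and the SIDs are constructed.

function Test-DeviceControlEntryApplies {
    param(
        [Parameter(Mandatory)] [hashtable] $Entry,
        [Parameter(Mandatory)] [string[]]  $UserSids,      # user SID plus the user's group SIDs
        [Parameter(Mandatory)] [string[]]  $ComputerSids   # computer SID plus its group SIDs
    )
    $userOk     = (-not $Entry.ContainsKey('Sid'))         -or ($UserSids     -contains $Entry.Sid)
    $computerOk = (-not $Entry.ContainsKey('ComputerSid')) -or ($ComputerSids -contains $Entry.ComputerSid)
    return ($userOk -and $computerOk)
}

function Get-DeviceControlDecision {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Entries,      # in the order defined in the policy
        [Parameter(Mandatory)] [string]      $Access,       # Read, Write or Execute
        [Parameter(Mandatory)] [string[]]    $UserSids,
        [Parameter(Mandatory)] [string[]]    $ComputerSids
    )
    foreach ($entry in $Entries) {
        $inScope = Test-DeviceControlEntryApplies -Entry $entry -UserSids $UserSids -ComputerSids $ComputerSids
        if (-not $inScope) { continue }
        if ($entry.AccessMask -notcontains $Access) { continue }
        # First entry whose scope and access mask both match decides the Type.
        return [pscustomobject]@{ Decision = $entry.Type; Entry = $entry.Name }
    }
    # Assumption: the article does not say what happens when no entry matches.
    return [pscustomobject]@{ Decision = 'NoMatch'; Entry = $null }
}

# Constructed sample data (placeholder SIDs).
$itGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1201'
$kioskPcSid = 'S-1-5-21-1111111111-2222222222-3333333333-2001'
$userSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

$entries = @(
    @{ Name = 'Deny write for everyone'; Type = 'Deny';  AccessMask = @('Write') },
    @{ Name = 'IT may write on kiosk';   Type = 'Allow'; AccessMask = @('Read', 'Write')
       Sid = $itGroupSid; ComputerSid = $kioskPcSid }
)

# An IT member on the kiosk asks for Write. The broad Deny entry is defined first,
# so it wins even though the more specific Allow entry also matches.
Get-DeviceControlDecision -Entries $entries -Access 'Write' `
    -UserSids @($userSid, $itGroupSid) -ComputerSids @($kioskPcSid)
# -> Decision Deny, Entry 'Deny write for everyone'

# Reversing the order makes the specific Allow apply to this user on this machine,
# while everyone else on any machine still hits the Deny entry.
Get-DeviceControlDecision -Entries @($entries[1], $entries[0]) -Access 'Write' `
    -UserSids @($userSid, $itGroupSid) -ComputerSids @($kioskPcSid)
# -> Decision Allow, Entry 'IT may write on kiosk'
```

The practical consequence is that specific Allow entries belong before broad Deny entries in the policy, and an entry with neither Sid nor ComputerSid reaches every user on every targeted device.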
If you have an E5 license, you can use Microsoft Defender for Endpoint to view device
control events under the Device Control report and Advanced hunting. See Protect your
organization's data with device control | Microsoft Docs in the Defender for Endpoint
documentation.
Use reusable groups for Endpoint Privilege Manager
For information about support for using reusable groups for Endpoint Privilege
Manager, see Policies for Endpoint Privilege Manager.
For more information, review guidance that might be specific to the profile types you
use. For general guidance, see Troubleshoot policies and profiles in Microsoft Intune,
and Common questions and answers with device policies and profiles in Microsoft
Intune.
Next steps
Device configuration overview
Account protection policy for endpoint security in Intune
Article • 02/24/2023
Use Intune endpoint security policies for account protection to protect the identity and
accounts of your users and manage the built-in group memberships on devices.
Find the endpoint security policies for Account protection under Manage in the
Endpoint security node of the Microsoft Intune admin center.
Account protection (preview) – Settings for account protection policies help you
protect user credentials.
The account protection policy is focused on settings for Windows Hello and
Credential Guard, which is part of Windows identity and access management.
Windows Hello for Business replaces passwords with strong two-factor
authentication on PCs and mobile devices.
Credential Guard helps protect credentials and secrets that you use with your
devices.
To learn more, see Identity and access management in the Windows identity and
access management documentation.
Local user group membership (preview) – Use this profile to add, remove, or
replace members of the built-in local groups on Windows devices. For example,
the Administrators local group has broad rights. You can use this policy to edit the
Admin group's membership to lock it down to a set of exclusively defined
members.
Use of this profile is detailed in the following section, Manage local groups on
Windows devices.
Tip
To learn more about support for managing administrator privileges using Azure
Active Directory (Azure AD) groups, see Assign local admins to Azure AD joined
devices in the Azure AD documentation.
When configuring this profile, on the Configuration settings page you can create
multiple rules to manage which built-in local groups you want to change, the group
action to take, and the method to select the users.
The following are the configurations you can make:
Local group: Select one or more groups from the drop-down. These groups will all
apply the same Group and user action to the users you assign. You can create
more than one grouping of local groups in a single profile and assign different
actions and groups of users to each grouping of local groups.
Note
The list of local groups is limited to the six built-in local groups which are
guaranteed to be evaluated at logon, as referenced in the Managing administrator
privileges using Azure AD groups documentation.
Group and user action: Configure the action to apply to the selected groups. This
action will apply to the users you select for this same action and grouping of local
accounts. Actions you can choose include:
Add (Update): Adds members to the selected groups. The group membership
for users that aren’t specified by the policy are not changed.
Remove (Update): Remove members from the selected groups. The group
membership for users that aren’t specified by the policy are not changed.
Add (Replace): Replace the members of the selected groups with the new
members you specify for this action. This option works in the same way as a
Restricted Group and any group members that are not specified in the policy
are removed.
Caution
If the same group is configured with both a Replace and Update action, the
Replace action wins. This is not considered a conflict. Such a configuration can
occur when you deploy multiple policies to the same device, or when this CSP
is also configured by use of Microsoft Graph.
Selected user(s): Depending on your selection for User selection type, you’ll use
one of the following options:
Select user(s): Select the users and user groups from your Azure AD.
Add users(s): This opens the Add users pane where you can then specify one or
more user identifiers as they appear on a device. You can specify the user by
security identifier (SID), Domain\username, or by Username.
Choosing the Manual option can be helpful when you want to manage users from your
on-premises Active Directory in a local group on a hybrid Azure AD joined device. The
supported formats for identifying the user, in order from most to least preferred, are the
SID, domain\username, and the member's username. Values from Active Directory must
be used for hybrid joined devices, while values from Azure AD must be used for Azure AD
joined devices. Azure AD group SIDs can be obtained using the Graph API for Groups.
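The three group actions and the Caution's precedence rule, worked through on sample data. This is an added example, not code from the Intune article; the member lists, policy names and SIDs are constructed, and the handling of several Replace rules for the same group (merged into one list) is my assumption, since the article does not cover that case.

```powershell
# Added example (not from the Intune article). Models the Local user group
# membership actions: Add (Update) and Remove (Update) only touch the members
# they name, Add (Replace) behaves like a Restricted Group, and a Replace action
# wins over any Update action for the same group without being reported as a
# conflict. All data below is constructed sample data.

function Get-MemberIdentifierKind {
    param([Parameter(Mandatory)] [string] $Identifier)
    # Accepted forms, in the article's order of preference.
    if ($Identifier -match '^S-1-\d+(-\d+)+$') { return 'SID' }
    if ($Identifier -match '^[^\\]+\\[^\\]+$') { return 'DomainUser' }
    return 'Username'
}

function Resolve-LocalGroupMembership {
    param(
        [Parameter(Mandatory)] [string]      $Group,
        [Parameter(Mandatory)] [string[]]    $CurrentMembers,
        [Parameter(Mandatory)] [hashtable[]] $Rules   # @{ Policy; Group; Action; Members }
    )
    $forGroup = @($Rules | Where-Object { $_.Group -eq $Group })
    $replace  = @($forGroup | Where-Object { $_.Action -eq 'Add (Replace)' })
    $updates  = @($forGroup | Where-Object { $_.Action -ne 'Add (Replace)' })
    $members  = @()   # -contains / -ne are case-insensitive, so no duplicates by case

    if ($replace.Count -gt 0) {
        # Replace wins: current members not named here are removed and every
        # Update rule for this group is simply not applied.
        foreach ($rule in $replace) {
            foreach ($m in $rule.Members) { if ($members -notcontains $m) { $members += $m } }
        }
        return [pscustomobject]@{
            Group = $Group; Members = $members; ReplaceWon = $true
            IgnoredUpdateRules = @($updates | ForEach-Object { $_.Policy })
        }
    }

    foreach ($m in $CurrentMembers) { if ($members -notcontains $m) { $members += $m } }
    foreach ($rule in $updates) {
        switch ($rule.Action) {
            'Add (Update)' {
                foreach ($m in $rule.Members) { if ($members -notcontains $m) { $members += $m } }
            }
            'Remove (Update)' {
                foreach ($m in $rule.Members) { $members = @($members | Where-Object { $_ -ne $m }) }
            }
            default { throw "Unknown action '$($rule.Action)' in policy '$($rule.Policy)'" }
        }
    }
    return [pscustomobject]@{ Group = $Group; Members = $members; ReplaceWon = $false; IgnoredUpdateRules = @() }
}

# Constructed sample: the device's current Administrators, and two policies that
# each update the group.
$builtinAdmin = 'S-1-5-21-1111111111-2222222222-3333333333-500'   # placeholder SID
$current = @($builtinAdmin, 'CONTOSO\helpdesk')
$rules = @(
    @{ Policy = 'Ops access';       Group = 'Administrators'; Action = 'Add (Update)';    Members = @('CONTOSO\ops') },
    @{ Policy = 'Helpdesk cleanup'; Group = 'Administrators'; Action = 'Remove (Update)'; Members = @('CONTOSO\helpdesk') }
)
Resolve-LocalGroupMembership -Group 'Administrators' -CurrentMembers $current -Rules $rules
# -> Members: <built-in admin SID>, CONTOSO\ops ; ReplaceWon False

# A third policy with Add (Replace) lands on the same device: the two Update
# policies are ignored, not flagged, and anyone not in the Replace list is removed.
$rules += @{ Policy = 'Lockdown'; Group = 'Administrators'; Action = 'Add (Replace)'
             Members = @($builtinAdmin, 'CONTOSO\break-glass') }
Resolve-LocalGroupMembership -Group 'Administrators' -CurrentMembers $current -Rules $rules
# -> Members: <built-in admin SID>, CONTOSO\break-glass ; ReplaceWon True ;
#    IgnoredUpdateRules: Ops access, Helpdesk cleanup

# Identifier formats the Add users pane accepts, most to least preferred:
@($builtinAdmin, 'CONTOSO\ops', 'ops') | ForEach-Object { "$_ => $(Get-MemberIdentifierKind $_)" }
```

Because the admin center reports no conflict for the Replace-over-Update case, the only sign that the Ops access policy stopped working is the group itself; check the per-device local group after deploying any Replace rule.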
Conflicts
If policies create a conflict for a group membership, the conflicting settings from each
policy are not sent to the device. Instead, the conflict is reported for those policies in the
Microsoft Intune admin center. To resolve the conflict, reconfigure one or more policies.
Reporting
As devices check in and apply the policy, the admin center displays the status of the
devices and users as successful or in error.
Because the policy can contain multiple rules, consider the following:
When processing the policy for devices, the per-setting status view displays a
status for the group of rules as if it’s a single setting.
Each rule in the policy that results in an error is skipped, and not sent to devices.
Each rule that is successful is sent to devices to be applied.
Next steps
Configure Endpoint security policies
Antivirus policy for endpoint security in Intune
Article • 08/21/2023
Intune Endpoint security Antivirus policies can help security admins focus on managing
the discrete group of antivirus settings for managed devices.
Antivirus policy includes several profiles. Each profile contains only the settings that are
relevant for Microsoft Defender for Endpoint antivirus for macOS and Windows devices,
or for the user experience in the Windows Security app on Windows devices.
You'll find the antivirus policies under Manage in the Endpoint security node of the
Microsoft Intune admin center.
Antivirus policies include the same settings as found in the endpoint protection or
device restriction templates for device configuration policy. However, those policy types
include additional categories of settings that are unrelated to antivirus. The additional
settings can complicate the task of configuring the antivirus workload. Additionally, the
settings found in the Antivirus policy for macOS aren't available through the other policy
types. The macOS Antivirus profile replaces the need to configure those settings by using
.plist files.
Applies to:
Linux
macOS
Windows 10/11
macOS
Any supported version of macOS
For Intune to manage antivirus settings on a device, Microsoft Defender for
Endpoint must be installed on that device. See Microsoft Defender for Endpoint
for macOS (in the Microsoft Defender for Endpoint documentation).
This scenario is in preview and requires use of Configuration Manager current branch
version 2006 or later.
Note
You can use Intune to manage tamper protection on Windows devices as part of
Windows Security Experience profile (an Antivirus policy). This includes both devices you
manage with Intune, and devices you manage with Configuration Manager through the
tenant attach scenario.
Your environment must meet the prerequisites for managing tamper protection
with Intune
Devices are onboarded to Microsoft Defender for Endpoint (P1 or P2)
Profiles for Antivirus policy that support tamper protection for devices managed by
Microsoft Intune:
Note
Beginning on April 5, 2022, the Windows 10 and later platform was replaced
by the Windows 10, Windows 11, and Windows Server platform.
The Windows 10, Windows 11, and Windows Server platform supports devices
communicating with Intune through Microsoft Intune or Microsoft Defender
for Endpoint. These profiles also add support for the Windows Server platform
which is not supported through Microsoft Intune natively.
Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same
settings as the older profile template it replaces. With this change you can no
longer create new versions of the old profiles. Your existing instances of the
old profile remain available to use and edit.
You can also use the Endpoint protection profile for Device configuration policy to
configure tamper protection for devices managed by Intune.
Profiles for Antivirus policy that support tamper protection for devices managed by
Configuration Manager:
Antivirus profiles
macOS:
Platform: macOS
When you use Microsoft Defender for Endpoint for Mac, you can configure and
deploy Antivirus settings to your managed macOS devices through Intune
instead of configuring those settings by use of .plist files.
Windows:
Note
Beginning on April 5, 2022, the Windows 10 and later platform was replaced
by the Windows 10, Windows 11, and Windows Server platform.
The Windows 10, Windows 11, and Windows Server platform supports devices
communicating with Intune through Microsoft Intune or Microsoft Defender
for Endpoint. These profiles also add support for the Windows Server platform
which is not supported through Microsoft Intune natively.
Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same
settings as the older profile template it replaces. With this change you can no
longer create new versions of the old profiles. Your existing instances of the
old profile remain available to use and edit.
Unlike the antivirus settings in a Device Restriction profile, you can use these
settings with devices that are co-managed. To use these settings, the co-management
workload slider for Endpoint Protection must be set to Intune.
With this policy, you can manage settings for the following Microsoft Defender
Antivirus configuration service providers (CSPs) that define Antivirus exclusions:
Defender/ExcludedPaths
Defender/ExcludedExtensions
Defender/ExcludedProcesses
These CSPs for antivirus exclusion are also managed by Microsoft Defender
Antivirus policy, which includes identical settings for exclusions. Settings from
both policy types (Antivirus and Antivirus exclusions) are subject to policy
merge, and create a super set of exclusions for applicable devices and users.
Antivirus
Manage Antivirus settings for Configuration Manager devices, when you use tenant
attach.
Policy path:
Endpoint security > Antivirus > Windows 10, Windows 11, and Windows Server
(ConfigMgr)
Profiles:
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
For example, you create three separate antivirus policies that define different antivirus
file path exclusions. Eventually, all three policies are assigned to the same user. Because
the Microsoft Defender file path exclusion CSP supports policy merge, Intune evaluates
and combines the file exclusions from all applicable policies for the user. The exclusions
are added to a superset and the single list of exclusions is delivered to the user's device.
When policy merge isn’t supported for a setting, a conflict can occur. Conflicts can result
in the user or device not receiving any policy for the setting. For example, policy merge
doesn't support the CSP for preventing installation of matching device IDs
(PreventInstallationOfMatchingDeviceIDs). Configurations for this CSP don’t merge, and
are processed separately.
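The two behaviours described above (a superset for CSPs that support policy merge, and a dropped setting plus a conflict when merge isn't supported) can be simulated in a few lines. The following is an added example, not code from this article or from Intune; the three policies, their exclusion paths and the device IDs are constructed placeholders, and the non-mergeable setting is modelled after the page's PreventInstallationOfMatchingDeviceIDs example:

```python
"""Simulate Intune policy merge for Microsoft Defender CSP settings.

Added example, not code from the page or from Intune. Three antivirus policies
(constructed) are assigned to the same user. The Defender exclusion CSPs support
policy merge, so their lists are combined into one deduplicated superset. A
setting that does not support merge (PreventInstallationOfMatchingDeviceIDs is
the page's example) is delivered only when every policy that configures it
agrees; otherwise it is reported as a conflict and left out.
"""
from typing import Any, Dict, List, Tuple

# CSPs the article lists as subject to policy merge (list-valued settings).
MERGEABLE_SETTINGS = {
    "Defender/ExcludedPaths",
    "Defender/ExcludedExtensions",
    "Defender/ExcludedProcesses",
}

Policy = Dict[str, Any]  # setting name -> configured value


def merge_policies(policies: List[Policy]) -> Tuple[Dict[str, Any], Dict[str, List[Any]]]:
    """Return (effective_settings, conflicts) for one target user or device.

    Mergeable settings: union of all lists, first-seen order, duplicates removed.
    Other settings: kept only when all configuring policies agree; differing
    values are recorded in `conflicts` and the setting is not delivered.
    """
    effective: Dict[str, Any] = {}
    conflicts: Dict[str, List[Any]] = {}
    names = sorted({name for p in policies for name in p})
    for name in names:
        values = [p[name] for p in policies if name in p]
        if name in MERGEABLE_SETTINGS:
            superset: List[Any] = []
            for lst in values:
                for item in lst:
                    if item not in superset:
                        superset.append(item)
            effective[name] = superset
        else:
            distinct: List[Any] = []
            for v in values:
                if v not in distinct:
                    distinct.append(v)
            if len(distinct) == 1:
                effective[name] = distinct[0]
            else:
                conflicts[name] = distinct
    return effective, conflicts


# Constructed sample policies; the paths and device IDs are placeholders.
POLICIES: List[Policy] = [
    {"Defender/ExcludedPaths": [r"C:\App1\data", r"C:\Shared\cache"]},
    {"Defender/ExcludedPaths": [r"C:\App2\logs", r"C:\Shared\cache"],
     "PreventInstallationOfMatchingDeviceIDs": [r"USB\VID_1234&PID_5678"]},
    {"Defender/ExcludedPaths": [r"C:\App3"],
     "Defender/ExcludedExtensions": [".tmp"],
     "PreventInstallationOfMatchingDeviceIDs": [r"USB\VID_9999&PID_0001"]},
]


def exclusion_count(policies: List[Policy]) -> int:
    """Size of the merged exclusion superset. Worth reviewing: every merged
    exclusion widens what antivirus will not scan on the target device."""
    effective, _ = merge_policies(policies)
    return sum(len(v) for k, v in effective.items() if k in MERGEABLE_SETTINGS)


if __name__ == "__main__":
    effective, conflicts = merge_policies(POLICIES)
    for name, value in effective.items():
        print(f"DELIVERED {name}: {value}")
    for name, values in conflicts.items():
        print(f"CONFLICT  {name}: {values} (setting not delivered)")
    print("merged exclusions:", exclusion_count(POLICIES))
```

Because merge only ever grows the exclusion list, the `exclusion_count` check is the one to keep an eye on: the superset a user finally receives is the union of every admin's exclusions, so a path excluded for convenience in one policy reaches every device that policy and the others overlap on.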
To view the reports, in the Microsoft Intune admin center, go to Endpoint security and
select Antivirus. Selecting Antivirus opens the Summary page. Additional report and
status views are available as additional pages.
In addition to reports detailed in the following sections, additional reports for Microsoft
Defender Antivirus are found in the Reports node of the Microsoft Intune admin center,
as documented in the Intune Reports article:
Summary
On the Summary page, you can create new policies and view a list of the policies that
were previously created. The list includes high-level details about the profile that policy
includes (Policy Type), and if the policy is assigned.
When you select a policy from the list, the Overview page for that policy instance opens
and displays more information. After selecting a tile from this view, Intune displays
additional details for that profile if they’re available.
Unhealthy endpoints
On the Unhealthy endpoints page, you can view information about the antivirus status
of your MDM-managed Windows devices. This information is returned from Windows
Defender Antivirus that runs on the device, as Threat agent status. On this page, select
Columns to view the full list of details that are available in the report.
Only devices with detected issues appear in this view. This view doesn't display details
for devices that are identified as clean.
The information for this report is based on details available from the following CSPs,
which are documented in the Windows client-management documentation:
Defender CSP
WindowsAdvancedThreatProtection CSP.
Next steps
Configure Endpoint security policies
View details for the Windows settings in the deprecated profiles for the Windows 10 and
later platform:
Every day new malicious files and apps appear in the wild. When run on devices in your
organization they present a risk, which can be hard to manage or prevent. To help
prevent undesired apps from running on your managed Windows devices, you can use
Microsoft Intune Application Control policies.
Intune's Application Control policies are part of endpoint security and use the Windows
ApplicationControl CSP to manage allowed apps on Windows devices. Also available
through endpoint security Application Control, managed installer policy adds the Intune
Management Extension to your Tenant as a managed installer. With this extension as a
managed installer, the apps you deploy through Intune are automatically tagged by the
installer. Tagged apps can be identified by your Application Control policies as safe apps
that can be allowed to run on your devices.
The information in this article can help you configure both the Intune Management
Extension as a managed installer and endpoint security Application Control policies.
Combined, they make it easy to control the apps that are allowed to run on Windows
devices in your environment. For more information, see Windows Defender Application
Control in the Windows Security documentation.
Note
Applies to:
Windows 10
Windows 11
Prerequisites
Devices
The following devices are supported when enrolled with Intune:
Windows Professional:
Windows 10 with KB5019959
Windows 11:
Version 22H2 with KB5019980
Version 21H2 with KB5019961
Windows 11 SE:
Windows 11 SE is supported for Educational tenants only. For more information,
see Application Control policies for Education tenants later in this article.
Co-managed devices:
To support co-managed devices, set the slider for Endpoint Protection slider to
Intune.
Enable use of a managed installer - Accounts must be assigned the role of Global
Administrator or Intune Service Administrator.
Manage Application Control policy - Accounts must have the Security Baseline
permissions for Delete, Read, Assign, Create, and Update.
View reports for Application Control policy - Accounts must have the
Organization permission of Read.
For more information, see Role-based access control for Microsoft Intune.
After you enable a managed installer, all subsequent applications you deploy to
Windows devices through Intune are marked with the managed installer tag. The tag
identifies that the app was installed by a known source, and can be trusted. The
managed installer tagging of apps is then used by Intune’s Endpoint security Application
Control policy to automatically identify apps as approved to run on devices in your
environment.
By itself, this tag has no effect on which apps can run on your devices. The tag is
used only when you also use WDAC policies that determine which apps are allowed to
run on your managed devices.
Because there's no retroactive tagging, all apps on your devices that were
deployed before enabling the managed installer aren't tagged. If you apply a
WDAC policy, you must include explicit configurations to allow these untagged
apps to run.
You can turn off this policy by editing the Managed Installer policy. Turning off the
policy prevents subsequent apps from being tagged with the managed installer.
Apps that were previously installed and tagged remain tagged. For information
about manual clean-up of a managed installer after turning off the policy, see
Remove the Intune Management Extension as a managed installer later in this
article.
Learn more about how Intune sets the managed installer in the Windows Security
documentation.
Important
Log Analytics is a tool in the Azure Portal which customers may be using to collect
data from AppLocker policy events. With this public preview, if you complete the
opt-in action, AppLocker policy will begin to deploy to applicable devices in your
tenant. Depending on your Log Analytics configuration, especially if you are
collecting some of the more verbose logs, this will result in an increase in events
generated by AppLocker policy. If your organization uses Log Analytics, our
recommendation is to review your Log Analytics setup so that you:
Understand your Log Analytics setup and ensure there is an appropriate data
collection cap in place to avoid unexpected billing costs.
Turn off the collection of AppLocker events altogether in Log Analytics (Error,
Warning, Information) with the exception of MSI and Script logs.
1. In the Microsoft Intune admin center, go to Endpoint security (Preview), select the
Managed installer tab and then select Add. The Add managed installer pane
opens.
2. Select Add, and then Yes to confirm the addition of the Intune Management
Extension as a managed installer.
3. After adding the Managed installer, in some rare cases, you may need to wait up to
10 minutes before the new policy is added to your tenant. Select Refresh to update
the admin center periodically, until it's available.
The policy is ready in the service when Intune displays a managed installer policy
with the name Managed installer – Intune Management Extension with the status
of Active. From the client side, you may need to wait up to an hour for the policy
to start getting delivered.
4. You can now select the policy to edit its configuration. Only the following two
policy areas support edits:
Settings: Editing the policy settings opens the Opt-out for managed installer
pane, where you can change the value for Set managed installer between On
and Off. When you add the installer, the setting Set managed installer
defaults to On. Before changing the configuration, be sure to review the
behavior detailed on the pane for On and Off.
Scope tags: You can add and modify scope tags that are assigned to this
policy. This allows you to specify which admins can view the policy details.
Before the policy has any effect, you must create and deploy an Application Control
policy to specify rules for which apps can run on your Windows devices.
For more information, see Allow apps installed by a managed installer in the Windows
Security documentation.
2. Edit the policy, and change Set managed installer to Off, and save the policy.
New devices won’t be configured with the Intune Management Extension as a managed
installer. This doesn’t remove the Intune Management Extension as managed installer
from devices that have already been configured to use it.
2. Run this script on devices that have set the Intune Management Extension as a
managed installer. This script removes only the Intune Management Extension as a
managed installer.
3. Please restart the Intune Management Extension service for the above changes to
take effect.
To run this script, you can use Intune to run PowerShell scripts, or other methods of your
choice.
To manage which apps are allowed or blocked, Intune uses the Windows
ApplicationControl CSP on Windows devices.
When you create an Application Control policy, you must choose a Configuration
settings format to use:
Enter xml data - When you choose to enter xml data, you must provide the policy
with a set of custom XML properties that define your Application Control policy.
Built-in controls – This option is the simplest path to configure, yet remains a
powerful choice. With the built-in controls, you can easily approve all apps that are
installed by a managed installer, and allow trust of Windows components and
store apps.
More details about these options are available from the UI when creating a policy,
and also detailed in the following procedure that walks you through creating a
policy.
After you create an Application Control policy, you can expand the scope of that policy
by creating supplemental policies that add additional rules in XML format to that
original policy. When you use supplemental policies, the original policy is referred to as
the base policy.
Note
If your tenant is an Educational Tenant, see Application Control policies for
Education tenants to learn about additional device support and Application
Control policy for those devices.
1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Application control (Preview) > select the Application control tab > and then
select Create Policy. Application Control policies are automatically assigned to a
platform type of Windows 10 and later.
Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.
Enter xml data - With this option you must provide custom XML properties to
define your Application Control policy. If you select this option but don’t add XML
properties to the policy, it acts as Not configured. An Application Control policy
that isn't configured results in default behaviors on a device, with no added
options from the ApplicationControl CSP.
Built-in controls – With this option the policy doesn’t use custom XML. Instead,
configure the following settings:
Enable trust of Windows components and store apps – When this setting is
Enabled (the default), managed devices can run Windows components and
store apps, as well as other apps you might configure as trusted. Apps that
aren't defined as trusted by this policy are blocked from running.
This setting also supports an Audit only mode. With audit mode, all events
are logged in the local client logs, but apps aren't blocked from running.
Select additional options for trusting apps – For this setting you can select
one or both of the following options:
Trust apps with a good reputation – This option allows devices to run
reputable apps as defined by the Microsoft Intelligent Security Graph.
Trust apps from managed installers – This option allows devices to run
the apps that were deployed by an authorized source, which is a managed
installer. This applies to apps you deploy through Intune after you
configure the Intune Management Extension as a managed installer.
Behavior for all other apps and files that aren’t specified by rules in this
policy depend on the configuration of Enable trust of Windows components
and store apps:
If Enabled, files and apps are blocked from running on devices
If set to Audit only, files and apps are audited only in local client logs
4. On the Scope tags page, select any desired scope tags to apply, then select Next.
5. For Assignments, select the groups that receive the policy, but consider that
WDAC policies apply to only the device scope. To continue, select Next.
For more information on assigning profiles, see Assign user and device profiles.
6. For Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.
Supplemental policies must be in XML format, and must reference the Policy ID of the
base policy.
Base policies that are created using the built-in controls for Application Control,
have one of four possible PolicyIDs that are determined by the possible
combinations of the built-in settings. The following table identifies the
combinations and the related PolicyID:
Even though two Application Control policies that use the same configuration of built-in
controls have the same PolicyID, you can apply different supplemental policies based on
the assignments for your policies.
You create two base policies that use the same configuration and therefore they
have the same PolicyID. You deploy one of them to your Executive team, and the
second policy deploys to your Help Desk team.
Next, you create a supplemental policy that allows other apps to run that your
Executive team requires. You assign this supplemental policy to that same group,
the Executive team.
Then you create a second supplemental policy that allows various tools required
by your Help Desk team to be run. This policy is assigned to the Help Desk group.
As a result of these deployments, both supplemental policies could modify both
instances of the base policy. However, due to the distinct and separate assignments, the
first supplemental policy modifies only the allowed apps assigned to the Executive team,
and the second policy modifies only the allowed apps used by the Help Desk team.
When you create a policy in XML format, it must reference the Policy ID of the base
policy.
2. After your Application Control supplemental policy has been created in XML
format, sign in to the Microsoft Intune admin center and go to Endpoint
security > Application control (Preview) > select the Application control tab, and
then select Create Policy.
Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.
5. For Assignments, select the same groups as assigned to the base policy you want
the supplemental policy to apply to, and then select Next.
6. For Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.
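Before uploading a supplemental policy through Enter xml data, it is worth checking that its BasePolicyID really is the PolicyID of the base policy it should extend, since a mismatched reference means the supplemental rules never apply. The following is an added example, not Intune's code or anything from this article: it parses the WDAC SiPolicy XML (PolicyType attribute, PolicyID and BasePolicyID elements, and the Enabled:Audit Mode rule option that corresponds to the Audit only behaviour described earlier) and checks the pairing. The GUIDs are constructed placeholders, not the PolicyIDs Intune assigns to built-in-control policies.

```python
"""Validate that a WDAC supplemental policy references its base policy.

Added example; not Intune's code. Intune's 'Enter xml data' option accepts the
WDAC SiPolicy XML. In the multiple-policy format, a base policy carries
PolicyType="Base Policy" and its own PolicyID, and a supplemental policy carries
PolicyType="Supplemental Policy" with BasePolicyID naming the base it extends.
The GUIDs below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SI_NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed base policy in audit mode (Enabled:Audit Mode rule option).
BASE_POLICY_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyID>{AAAAAAAA-0000-0000-0000-000000000001}</PolicyID>
  <BasePolicyID>{AAAAAAAA-0000-0000-0000-000000000001}</BasePolicyID>
  <Rules>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
</SiPolicy>"""

# Constructed supplemental policy that correctly points at the base above.
SUPPLEMENTAL_OK_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyID>{BBBBBBBB-0000-0000-0000-000000000002}</PolicyID>
  <BasePolicyID>{aaaaaaaa-0000-0000-0000-000000000001}</BasePolicyID>
</SiPolicy>"""

# Constructed supplemental policy whose BasePolicyID names a different base.
SUPPLEMENTAL_WRONG_BASE_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <VersionEx>1.0.0.0</VersionEx>
  <PolicyID>{CCCCCCCC-0000-0000-0000-000000000003}</PolicyID>
  <BasePolicyID>{DDDDDDDD-0000-0000-0000-000000000004}</BasePolicyID>
</SiPolicy>"""


def _norm_guid(guid: Optional[str]) -> Optional[str]:
    """Compare GUIDs case-insensitively and without surrounding braces."""
    return guid.strip().strip("{}").upper() if guid else None


def policy_identity(xml_text: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (PolicyType, PolicyID, BasePolicyID) from a SiPolicy document."""
    root = ET.fromstring(xml_text)
    return (
        root.get("PolicyType"),
        _norm_guid(root.findtext("si:PolicyID", namespaces=SI_NS)),
        _norm_guid(root.findtext("si:BasePolicyID", namespaces=SI_NS)),
    )


def is_audit_mode(xml_text: str) -> bool:
    """True when the policy's rule options include 'Enabled:Audit Mode'."""
    root = ET.fromstring(xml_text)
    options = root.findall("si:Rules/si:Rule/si:Option", SI_NS)
    return any((o.text or "").strip() == "Enabled:Audit Mode" for o in options)


def supplemental_matches_base(supp_xml: str, base_xml: str) -> Tuple[bool, str]:
    """Check the pairing a supplemental policy needs before it can apply."""
    s_type, s_id, s_base = policy_identity(supp_xml)
    b_type, b_id, _ = policy_identity(base_xml)
    if b_type != "Base Policy":
        return False, f"base document is PolicyType={b_type!r}, expected 'Base Policy'"
    if s_type != "Supplemental Policy":
        return False, f"supplemental document is PolicyType={s_type!r}"
    if s_base != b_id:
        return False, f"BasePolicyID {s_base} does not match base PolicyID {b_id}"
    if s_id == b_id:
        return False, "supplemental PolicyID must differ from the base PolicyID"
    return True, f"supplemental {s_id} extends base {b_id}"


if __name__ == "__main__":
    print(supplemental_matches_base(SUPPLEMENTAL_OK_XML, BASE_POLICY_XML))
    print(supplemental_matches_base(SUPPLEMENTAL_WRONG_BASE_XML, BASE_POLICY_XML))
    print("base in audit mode:", is_audit_mode(BASE_POLICY_XML))
```

Run the check against the base policy's XML as exported from the tenant, not against a locally edited copy, and remember that `is_audit_mode` reporting true means the base only logs: a supplemental policy paired with an audit-mode base will not block anything either.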
To aid this optimization, WDAC policy and the Intune management Extension are
configured automatically for Windows 11 SE devices:
For Intune EDU tenants, the Intune Management Extension is automatically set as a
Managed Installer. This configuration is automatic and can’t be changed.
1. Replace the existing policy with a new version of the policy that will Allow /* , like
the rules in the example policy found on Windows devices at
%windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml
This configuration removes any blocks that might otherwise be left in place on a
device after the policy is removed.
2. After the updated policy is deployed, you can then delete the new policy from the
Intune portal.
This sequence prevents anything from being blocked and fully removes the WDAC
policy on the next reboot.
To view reports, your account must have the Read permission for the Intune role-based
access control category of Organization.
To view reports, sign in to the Intune admin center and navigate to the Account Control
node. (Endpoint security > Account Control (Preview)). Here you can select the tab for
the policy details you want to view:
Managed installer
On the Managed Installer tab, you can view the status, success count, and error details
for the Managed installer – Intune Management Extension policy:
Select the policy name to open its Overview page, where you can view the following
information:
Device status trend, a historical chart that displays a timeline and count of devices
in each detail category.
New devices – New devices identifies devices that have recently applied the policy.
It can take up to 24 hours for the Device status and Device status trend sections to
update in the Overview.
While viewing the policy details, you can select Device status (below Monitor), to open a
device-based view of the policy details. The Device status view displays the following
details that you can use to identify problems should a device fail to successfully apply
the policy:
Device name
User name
OS version
Managed installer status (Succeeded or Error)
It can take several minutes for the device-based view of the policy details to update
after the device actually receives the policy.
Application Control
On the Application Control tab, you can view the list of your Application Control
policies and basic details including if it's assigned and when it was last modified.
Device and user check-in status - A simple chart that displays the count of devices
reporting each available status for this policy.
View Report - This opens a view with a list of the devices that received this policy.
Here you can select devices to drill in and view their Application Control policy
settings format.
Device assignment status - This report shows all the devices that are targeted by
the policy, including devices in a pending policy assignment state.
With this report, you can select the Assignment status values you want to view, and
then select Generate report to refresh the report view of individual devices that
received the policy, their last active user, and the assignment status.
You can also select devices to drill in and view their Application Control policy
settings format.
Per setting status - This report displays a count of devices that report status as
Success, Error, or Conflict for the settings from this policy.
Once set, subsequent apps you deploy to devices are appropriately tagged to support
WDAC policies that Trust apps from managed installers.
Beginning with Windows 10 version 1903, WDAC supports only up to 32 active policies
on a device before running into boot issues. Learn more about the Known Issue here. To
avoid unintended device impact as a result of more than 32 active policies, you can:
1. Use CITool.exe on the device to inventory policy count prior to deploying any new
WDAC policies to that device.
2. Consider merging multiple WDAC policies prior to deployment if that meets your
organization’s needs.
3. Redesign the WDAC policy plan for your organization to reduce the number of
policies needed to ensure security and productivity.
If setting Configuration Manager as the Managed Installer is desired, you can allow that
behavior from within Configuration Manager. If you already have Configuration
Manager set as the Managed Installer, the expected behavior is that the new Intune
Management Extension AppLocker policy merges with the existing Configuration
Manager policy.
Next Steps
Configure Endpoint security policies
Attack surface reduction policy for endpoint security in Intune
Article • 04/18/2023
When Defender antivirus is in use on your Windows 10/11 devices, you can use Intune
endpoint security policies for Attack surface reduction to manage those settings for your
devices.
Attack surface reduction policies help reduce your attack surfaces, by minimizing the
places where your organization is vulnerable to cyberthreats and attacks. For more
information, see Overview of attack surface reduction in the Windows Threat protection
documentation.
Find the endpoint security policies for attack surface reduction under Manage in the
Endpoint security node of the Microsoft Intune admin center. Each attack surface
reduction profile manages settings for a specific area of a Windows 10/11 device.
Windows 10 or Windows 11
Defender antivirus must be the primary antivirus on the device
This scenario is in preview and requires use of Configuration Manager current branch
version 2006 or later.
Beginning in April 2022, new profiles for Attack surface reduction policy have
begun to release. When a new profile becomes available, it uses the same name of
the profile it replaces and includes the same settings as the older profile but in the
newer settings format as seen in the Settings Catalog. Your previously created
instances of these profiles remain available to use and edit, but all new instances
you create will be in the new format. The following profiles have been updated:
App and browser isolation – Manage settings for Windows Defender Application
Guard (Application Guard), as part of Defender for Endpoint. Application Guard
helps to prevent old and newly emerging attacks and can isolate enterprise-defined
sites as untrusted while defining what sites, cloud resources, and internal
networks are trusted.
To learn more, see Application Guard in the Microsoft Defender for Endpoint
documentation.
Web protection (Microsoft Edge Legacy) – Settings you can manage for Web
protection in Microsoft Defender for Endpoint configure network protection to
secure your machines against web threats. By integrating with Microsoft Edge and
popular third-party browsers like Chrome and Firefox, web protection stops web
threats without a web proxy and can protect machines while they're away or on-premises.
Web protection stops access to:
Phishing sites
Malware vectors
Exploit sites
Untrusted or low-reputation sites
Sites that you've blocked in your custom indicator list.
To learn more, see Web protection in the Microsoft Defender for Endpoint
documentation.
To learn more, see Application Control in the Microsoft Defender for Endpoint
documentation.
Note
If you use this setting, AppLocker CSP behavior currently prompts end user to
reboot their machine when a policy is deployed.
Attack Surface Reduction Rules – Configure settings for attack surface reduction
rules that target behaviors that malware and malicious apps typically use to infect
computers, including:
Executable files and scripts used in Office apps or web mail that attempt to
download or run files
Obfuscated or otherwise suspicious scripts
Behaviors that apps don't usually start during normal day-to-day work
Reducing your attack surface means offering attackers fewer ways to perform attacks.
Attack surface reduction rules support a merger of settings from different policies,
to create a superset of policy for each device. Settings that aren't in conflict are
merged, while settings that are in conflict aren't added to the superset of rules.
Previously, if two policies included conflicts for a single setting, both policies were
flagged as being in conflict, and no settings from either profile would be deployed.
Device Control – With settings for device control, you can configure devices for a
layered approach to secure removable media. Microsoft Defender for Endpoint
provides multiple monitoring and control features to help prevent threats in
unauthorized peripherals from compromising your devices.
Device control profiles support policy merge for USB device IDs.
To learn more, see How to control USB devices and other removable media using
Microsoft Defender for Endpoint in the Microsoft Defender for Endpoint
documentation.
Exploit Protection - Exploit protection settings can help protect against malware
that uses exploits to infect devices and spread. Exploit protection consists of many
mitigations that can apply to either the operating system or individual apps.
In public preview, Device control profiles support use of reusable settings groups to
help manage settings for the following settings groups on devices for the Windows 10
and later platform:
Printer device
Removable storage
The following device control profile settings are available for printer device:
PrimaryId
PrinterConnectionID
VID_PID
The following device control profile settings are available in for removable storage:
Device class
Device ID
Hardware ID
Instance ID
Primary ID
Product ID
Serial number
Vendor ID
Vendor ID and Product ID
For information about these options, see the following articles in the Microsoft Defender
for Endpoint documentation:
When you configure a Device control profile and one or more reusable settings groups,
you also configure Actions to define how the settings in those groups are used.
Each rule you add to the profile can include both reusable settings groups and
individual settings that are added directly to the rule. However, consider using each rule
for either reusable settings groups or to manage settings you add directly to the rule.
This separation can help simplify future configurations or changes you might make.
For guidance on configuring reusable groups, and then adding them to this profile, see
Use reusable groups of settings with Intune policies.
Intune supports the following two settings to exclude specific file and folder paths from
evaluation by Attack Surface Reduction rules:
For more information, see the documentation for the Defender CSP:
Defender/AttackSurfaceReductionOnlyExclusions.
When you set an applicable setting in an attack surface reduction rule profile to
anything other than Not configured, Intune presents the option to use ASR Only
Per Rule Exclusions for that individual setting. With this option, you can configure
file and folder exclusions that are isolated to individual settings, in
contrast to the global setting Attack Surface Reduction Only Exclusions,
which applies its exclusions to all settings on the device.
Important
ASR policies do not support merge functionality for ASR Only Per Rule
Exclusions and a policy conflict can result when multiple policies that configure
ASR Only Per Rule Exclusions for the same device conflict. To avoid conflicts,
combine the configurations for ASR Only Per Rule Exclusions into a single ASR
policy. We are investigating adding policy merge for ASR Only Per Rule
Exclusions in a future update.
Manage attack surface reduction settings for Configuration Manager devices, when you
use tenant attach.
Policy path:
Endpoint security > Attack surface reduction > Windows 10 and later (ConfigMgr)
Profiles:
Profiles include:
Attack Surface Reduction Rules - Configure settings for attack surface reduction
rules that target behaviors that malware and malicious apps typically use to infect
computers, including:
Executable files and scripts used in Office apps or web mail that attempt to
download or run files.
Obfuscated or otherwise suspicious scripts.
Behaviors that apps don't usually start during normal day-to-day work.
Reducing your attack surface means offering attackers fewer ways to perform attacks.
For Attack surface reduction policy, the following profiles support policy merge:
Device control
Policy merge applies to the configuration of each setting across the different profiles
that apply that specific setting to a device. The result is a single list for each of the
supported settings being applied to a device. For example:
Policy merge evaluates the lists of setup classes that were configured in each
instance of Allow hardware device installation by setup classes that applies to a
device. The lists are merged into a single allowlist where any duplicate setup
classes are removed.
Removal of duplicates from the list is done to remove the common source of
conflicts. The combined allowlist is then delivered to the device.
Policy merge doesn’t compare or merge the configurations from different settings. For
example:
Expanding on the first example, in which multiple lists from Allow hardware device
installation by setup classes were merged into a single list, you have several
instances of Block hardware device installation by setup classes that apply to the
same device. All the related blocklists merge into a single blocklist for the device
that then deploys to the device.
The allowlist for setup classes isn't compared with or merged into the blocklist for
setup classes.
Instead, the device receives both lists, as they are from two distinct settings. The
device then enforces the most restrictive setting for installation by setup classes.
With this example, a setup class defined in the blocklist overrides the same
setup class if found on the allowlist. The result is that the setup class is
blocked on the device.
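The merge behavior described above can be made concrete with a small simulation. This is an added example, not Intune's own code: it models the documented rules (allowlists merge and de-duplicate, blocklists merge and de-duplicate, the two lists are never compared with each other, and the device enforces the more restrictive result). The profile names and setup-class GUIDs are constructed placeholders, not real Windows device setup classes.

```python
"""Model of Intune policy merge for device control setup-class lists.

Added example, not Intune's own code. It simulates the behaviour the text above
describes: every "Allow hardware device installation by setup classes" list that
applies to a device merges into one de-duplicated allowlist, every matching block
list merges into one blocklist, the two lists are never compared with each other,
and the device enforces the more restrictive setting, so a setup class on both
lists ends up blocked. Profile names and setup-class GUIDs are constructed
placeholders, not real Windows device setup classes.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class DeviceControlProfile:
    name: str
    allow_setup_classes: List[str] = field(default_factory=list)
    block_setup_classes: List[str] = field(default_factory=list)


def merge_lists(lists: Iterable[Iterable[str]]) -> List[str]:
    """Merge the same setting from several profiles into one list.

    Duplicates are dropped (GUIDs compared case-insensitively) because a repeated
    entry is the common source of conflicts; first-seen order is preserved."""
    merged: List[str] = []
    seen = set()
    for entries in lists:
        for entry in entries:
            key = entry.lower()
            if key not in seen:
                seen.add(key)
                merged.append(entry)
    return merged


def merge_profiles(profiles: Iterable[DeviceControlProfile]) -> Tuple[List[str], List[str]]:
    """Return (allowlist, blocklist) as delivered to the device.

    The allow and block settings are merged independently; nothing here compares
    one list with the other, mirroring the documented policy merge."""
    profiles = list(profiles)
    allow = merge_lists(p.allow_setup_classes for p in profiles)
    block = merge_lists(p.block_setup_classes for p in profiles)
    return allow, block


def effective_decision(setup_class: str, allowlist: List[str], blocklist: List[str]) -> str:
    """Device-side enforcement: the most restrictive setting wins.

    Returns "blocked", "allowed", or "ungoverned" (on neither list, so these two
    settings say nothing about it and other device control settings decide)."""
    key = setup_class.lower()
    if key in {b.lower() for b in blocklist}:
        return "blocked"
    if key in {a.lower() for a in allowlist}:
        return "allowed"
    return "ungoverned"


# Constructed sample: both profiles allow USB_B (in different letter case), and
# profile B blocks USB_A even though profile A allows it.
USB_A = "{11111111-1111-1111-1111-111111111111}"
USB_B = "{abababab-abab-abab-abab-abababababab}"
PRINTER = "{33333333-3333-3333-3333-333333333333}"
SAMPLE_PROFILES = [
    DeviceControlProfile("Profile A", allow_setup_classes=[USB_A, USB_B]),
    DeviceControlProfile("Profile B", allow_setup_classes=[USB_B.upper(), PRINTER],
                         block_setup_classes=[USB_A]),
]

if __name__ == "__main__":
    allow, block = merge_profiles(SAMPLE_PROFILES)
    print("allowlist:", allow)
    print("blocklist:", block)
    for cls in (USB_A, USB_B, PRINTER, "{44444444-4444-4444-4444-444444444444}"):
        print(cls, "->", effective_decision(cls, allow, block))
```

Running the script shows USB_A blocked even though Profile A allows it, USB_B allowed once (the case-variant duplicate is dropped), and the fourth GUID reported as ungoverned, which is the point of the article's example: the device never reconciles the two lists, it just applies the stricter one.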
Next steps
Configure Endpoint security policies
View details for the settings in profiles for Attack surface reduction profiles.
Disk encryption policy for endpoint
security in Intune
Article • 08/02/2023
Endpoint security Disk encryption profiles focus on only the settings that are relevant for
a device's built-in encryption method, like FileVault or BitLocker. This focus makes it easy
for security admins to manage disk encryption settings without having to navigate a
host of unrelated settings.
While you can configure the same device settings by using Endpoint Protection profiles
for device configuration, the device configuration profiles include additional categories
of settings. These additional settings are unrelated to disk encryption and can
complicate the task of configuring only disk encryption.
Find the endpoint security policies for disk encryption under Manage in the Endpoint
security node of the Microsoft Intune admin center.
FileVault - FileVault provides built-in Full Disk Encryption for macOS devices.
To create a FileVault profile, see Use FileVault disk encryption for macOS.
Windows profiles:
Note
Beginning on June 19, 2023, the BitLocker profile for Windows 10 and later
was updated to use the settings format as found in the Settings Catalog. The
new profile format includes the same settings as the older profile. With this
change you can no longer create new versions of the old profiles. Your
existing instances of the old profile remain available to use and edit.
With the new profile format, we no longer publish a dedicated list of settings
as found in the profile. Instead, use the Learn more link in the UI while viewing
information for a setting, to open BitLocker CSP in the Windows
documentation, where the setting is detailed in full.
You can continue to find a list of settings from the original BitLocker profile at
BitLocker settings in the Intune documentation.
To create a BitLocker profile, see Use BitLocker disk encryption for Windows.
Manage BitLocker
Manage FileVault
Monitor device encryption
Next steps
To create a FileVault profile
To create a BitLocker profile
Endpoint detection and response policy
for endpoint security in Intune
Article • 08/21/2023
When you integrate Microsoft Defender for Endpoint with Intune, you can use endpoint
security policies for endpoint detection and response (EDR) to manage the EDR settings
and onboard devices to Microsoft Defender for Endpoint.
Applies to:
Windows 10/11
Windows Server 2012 R2 and later
The capabilities of Microsoft Defender for Endpoint endpoint detection and response
provide advanced attack detections that are near real-time and actionable. Security
analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and
take response actions to remediate threats.
EDR policies include platform-specific profiles to manage settings for EDR. The profiles
automatically include an onboarding package for Microsoft Defender for Endpoint.
Onboarding packages are how devices are configured to work with Microsoft Defender
for Endpoint. After a device onboards, you can start to use threat data from that device.
EDR policies deploy to groups of devices in Azure Active Directory (Azure AD) that you
manage with Intune, and to collections of on-premises devices that you manage with
Configuration Manager, including Windows servers. The EDR policies for the different
management paths require different onboarding packages. Therefore, you'll create
separate EDR policies for the different types of devices you manage.
Find the endpoint security policies for EDR under Manage in the Endpoint security node
of the Microsoft Intune admin center.
Tenant for Microsoft Defender for Endpoint – Your Microsoft Defender for
Endpoint tenant must be integrated with your Microsoft Intune tenant (Intune
subscription) before you can create EDR policies. See Use Microsoft Defender for
Endpoint in the Intune documentation.
Support for Configuration Manager clients:
EDR profiles
Note
Beginning on April 5, 2022, the Windows 10 and later platform was replaced
by the Windows 10, Windows 11, and Windows Server platform.
The Windows 10, Windows 11, and Windows Server platform supports devices
communicating through Microsoft Intune or Microsoft Defender for Endpoint.
These profiles also add support for the Windows Server platform which is not
supported through Microsoft Intune natively.
Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same
settings as the older profile template it replaces. With this change you can no
longer create new versions of the old profiles. Your existing instances of the
old profile remain available to use and edit.
Options for Microsoft Defender for Endpoint client configuration package type:
After you configure the service-to-service connection between Intune and Microsoft
Defender for Endpoint, the Auto from connector option becomes available for the
setting Microsoft Defender for Endpoint client configuration package type. This
option is not available until you've configured the connection.
When you select Auto from connector, Intune automatically gets the onboarding
package (blob) from your Defender for Endpoint deployment. This replaces the need to
manually configure an Onboard package for this profile. There is no option to
automatically configure an offboard package.
Policy path:
Endpoint security > Endpoint detection and response > Windows 10, Windows 11,
and Windows Server (ConfigMgr)
Profiles:
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
These configurations are made within the Configuration Manager console and to your
Configuration Manager deployment. If you're not familiar with Configuration Manager,
plan to work with a Configuration Manager admin to complete these tasks.
Tip
To learn more about using Microsoft Defender for Endpoint with Configuration
Manager, see the following articles in the Configuration Manager content:
Update details:
You'll find this update as an in-console update for Configuration Manager 2002.
To install this update, follow the guidance from Install in-console updates in the
Configuration Manager documentation.
After installing the update, return here to continue configuring your environment to
support EDR policy from the Microsoft Intune admin center.
For more information about the Tenant attach scenario, see Enable tenant attach in the
Configuration Manager content.
Tip
The following are supported for devices you manage with Intune:
Platform: Windows 10, Windows 11, and Windows Server - Intune deploys the
policy to devices in your Azure AD groups.
Profile: Endpoint detection and response
You choose the type of policy to create while configuring a new EDR policy, by choosing
a platform for the policy.
Before you can deploy policy to devices managed by Configuration Manager, set up
Configuration Manager to support EDR policy from the Microsoft Intune admin center.
See Configure tenant attach to support endpoint protection policies.
Tip
In addition to EDR policy, you can use device configuration policy to onboard
devices to Microsoft Defender for Endpoint. However, device configuration policies
don't support tenant attached devices.
When using multiple policies or policy types like device configuration policy and
endpoint detection and response policy to manage the same device settings (such as
onboarding to Defender for Endpoint), you can create policy conflicts for devices.
To learn more about conflicts, see Manage conflicts in the Manage security policies
article.
2. Select Endpoint security > Endpoint detection and response > Create Policy.
3. Select the platform and profile for your policy. The following information identifies
your options:
Intune - Intune deploys the policy to devices in your Azure AD groups. When
you create the policy, select:
Platform: Windows 10, Windows 11, and Windows Server
Profile: Endpoint detection and response
4. Select Create.
5. On the Basics page, enter a name and description for the profile, then choose
Next.
6. On the Configuration settings page, choose Auto from connector for Microsoft
Defender for Endpoint client configuration package type. Configure the Sample
Sharing and Telemetry Reporting Frequency settings you want to manage with
this profile.
Note
To onboard or offboard tenants using the onboarding file from the Microsoft
Defender for Endpoint portal, select either Onboard or Offboard and supply the
contents of the onboarding file to the input directly below the selection.
7. This step only applies for the Endpoint detection and response profile and the
Windows 10, Windows 11, and Windows Server platform:
On the Scope tags page, choose Select scope tags to open the Select tags pane to
assign scope tags to the profile.
8. On the Assignments page, select the groups or collections that will receive this
policy. The choice depends on the platform and profile you selected:
You can choose not to assign groups or collections at this time, and later edit the
policy to add an assignment.
The new profile is displayed in the list when you select the policy type for the
profile you created.
Updating the onboarding state for a device
Organizations may need to update the onboarding information on a device via
Microsoft Intune.
This can be necessary due to a change in the onboarding payload for Microsoft
Defender for Endpoint, or when directed by Microsoft support.
Updating the onboarding information will direct the device to start utilizing the new
onboarding payload at the next Restart.
Note
This information will not necessarily move a device between tenants without fully
offboarding the device from the original tenant. For options migrating devices
between Microsoft Defender for Endpoint organizations, engage Microsoft
Support.
4. Create a New Endpoint Detection and Response policy, outlined in Create EDR
policies.
5. While creating the policy, select Onboard from the client package configuration
type, and specify the contents of the onboarding file from the Microsoft Defender
for Endpoint console.
7. Add existing devices to the validation group and ensure the changes work as
expected.
Note
If previously using the Auto from connector option to retrieve the onboarding
information, engage Microsoft support to confirm the use of the new onboarding
information.
For policies that target the Windows 10, Windows 11, and Windows Server
platform (Intune), you'll see an overview of compliance to the policy. You can also
select the chart to view a list of devices that received the policy, and drill-in to
individual devices for more details.
The chart for Devices with Defender for Endpoint sensor displays only devices
that successfully onboard to Microsoft Defender for Endpoint through use of the
Windows 10, Windows 11, and Windows Server profile. To ensure you have full
representation of your devices in this chart, deploy the onboarding profile to all
your devices. Devices that onboard to Microsoft Defender for Endpoint by external
means, like Group Policy or PowerShell, are counted as Devices without the
Defender for Endpoint sensor.
For policies that target the Windows 10, Windows 11, and Windows Server
(ConfigMgr) platform (Configuration Manager), you'll see an overview of
compliance to the policy but can't drill-in to view additional details. The view is
limited because the admin center receives limited status details from Configuration
Manager, which manages the deployment of the policy to Configuration Manager
devices.
Next steps
Configure Endpoint security policies
Learn more about endpoint detection and response in the Microsoft Defender for
Endpoint documentation.
View details for the settings in the deprecated Endpoint detection and response profile
for the Windows 10 and later platform:
Endpoint detection and response profile settings you can configure for both
platforms and profiles.
Firewall policy for endpoint security in
Intune
Article • 03/15/2023
Use the endpoint security Firewall policy in Intune to configure a device's built-in firewall
on devices that run macOS and Windows.
While you can configure the same firewall settings by using Endpoint Protection profiles
for device configuration, the device configuration profiles include additional categories
of settings. These additional settings are unrelated to firewalls and can complicate the
task of configuring only firewall settings for your environment.
Find the endpoint security policies for firewalls under Manage in the Endpoint security
node of the Microsoft Intune admin center.
Firewall profiles
macOS firewall – Enable and configure settings for the built-in firewall on macOS.
For information about configuring settings in the following profiles, see the Firewall
configuration service provider (CSP).
Note
Beginning on April 5, 2022, the Windows 10 and later platform was replaced by the
Windows 10, Windows 11, and Windows Server platform.
The Windows 10, Windows 11, and Windows Server platform supports devices
communicating through Microsoft Intune or Microsoft Defender for Endpoint.
These profiles also add support for the Windows Server platform which is not
supported through Microsoft Intune natively.
Profiles for this new platform use the settings format as found in the Settings
Catalog. Each new profile template for this new platform includes the same settings
as the older profile template it replaces. With this change you can no longer create
new versions of the old profiles. Your existing instances of the old profile remain
available to use and edit.
Tip
The following firewall rule profile settings are available in reusable settings groups:
When you configure a firewall rule to add one or more reusable settings groups, you'll
also configure the rule's Action to define how the settings in those groups are used.
Each rule you add to the profile can include both reusable settings groups and
individual settings that are added directly to the rule. However, consider using each rule
for either reusable settings groups or to manage settings you add directly to the rule.
This separation can help simplify future configurations or changes you might make.
For prerequisites and guidance on configuring reusable groups, and then adding them
to this profile, see Use reusable groups of settings with Intune policies.
Firewall
Support for devices managed by Configuration Manager is in Preview.
Manage Firewall policy settings for Configuration Manager devices, when you use
tenant attach.
Policy path:
Profiles:
That form of policy conflict applies to the Microsoft Defender Firewall profile,
which can conflict with other Microsoft Defender Firewall profiles, or a firewall
configuration that’s delivered by a different policy type, like device configuration.
Microsoft Defender Firewall profiles don't conflict with Microsoft Defender Firewall
rules profiles.
When you use Microsoft Defender Firewall rules profiles, you can apply multiple rules
profiles to the same device. However, when two rules target the same thing with
different configurations, both are sent to the device and conflict there.
For example, if one rule blocks Teams.exe through the firewall and a second rule
allows Teams.exe, both rules are delivered to the client. This result is different from
conflicts created through other policies for Firewall settings.
When rules from multiple rules profiles don't conflict with each other, devices merge the
rules from each profile to create a combined firewall rule configuration on the device.
This behavior enables you to deploy more than the 150 rules that each individual profile
supports to a device.
For example, you have two Microsoft Defender Firewall rules profiles. The first
profile allows Teams.exe through the firewall. The second profile allows Outlook.exe
through the firewall. When a device receives both profiles, the device is configured
to allow both apps through the firewall.
Summary
Summary is the default view when you open the Firewall node. Open the Microsoft
Intune admin center, and then go to Endpoint security > Firewall > Summary.
Data is reported through the Windows DeviceStatus CSP, and identifies each device
where the Firewall is off. By default, visible details include:
Device name
Firewall status
User principal name
Target (The method of device management)
Last check in time
MDM Firewall status for Windows 10 and later
This organizational report is also described in Intune Reports.
As an organizational report, this report is available from the Reports node. Open the
Microsoft Intune admin center, and then go to Reports > Firewall > MDM Firewall
status for Windows 10 and later.
Data is reported through the Windows DeviceStatus CSP, and reports on the status of
the firewall on your managed devices. You can filter returns for this report by using one
or more of the status detail categories.
Investigate issues for Firewall rules
To learn more about Firewall rules in Intune, and how to troubleshoot common
problems, see the following Intune Customer Success blog:
How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation
process
Verify configured ranges are ascending (Example: 1-5 is correct, 5-1 will cause this
error)
Verify configured ranges are within the overall port range of 0-65535
If either remote port ranges or local port ranges are configured in a rule, protocol
must also be configured with 6 (TCP) or 17 (UDP)
If edge traversal is enabled in a rule, the rule direction must be set to "This rule
applies to inbound traffic".
If "All" interface type is enabled in a rule, the other interface types must not be
selected.
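The checks listed above, and the merge-versus-conflict behavior for rules profiles described earlier in this article, can both be expressed as a small model. This is an added example, not Intune's own code: validate_rule() applies the listed sanity checks to a rule before it is saved, and merge_profiles() models what the device receives from several rules profiles (every rule is delivered; rules that target the same program and direction with different actions are flagged as a conflict rather than resolved). The rule model and sample rules are constructed for this example; the interface-type names follow the Firewall CSP values, and the 150-rule limit is the per-profile limit the article states.

```python
"""Checks and merge model for Microsoft Defender Firewall rules profiles in Intune.

Added example, not Intune's own code. validate_rule() applies the sanity checks
listed in the article to one rule; merge_profiles() models the device-side
behaviour described earlier: non-conflicting rules from several profiles merge
into one rule set, while rules that target the same program and direction with
different actions are still delivered but flagged as a conflict. The rule model
and the sample rules are constructed for this example; the interface-type names
follow the Firewall CSP values, and MAX_RULES_PER_PROFILE is the per-profile
limit the article states.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_RULES_PER_PROFILE = 150
TCP, UDP = 6, 17
INTERFACE_TYPES = {"All", "RemoteAccess", "Wireless", "Lan", "MobileBroadband"}


@dataclass
class FirewallRule:
    name: str
    app_path: str
    direction: str                          # "in" (inbound) or "out" (outbound)
    action: str                             # "allow" or "block"
    protocol: Optional[int] = None          # IP protocol number, e.g. 6 or 17
    local_ports: List[str] = field(default_factory=list)    # "80" or "1024-65535"
    remote_ports: List[str] = field(default_factory=list)
    edge_traversal: bool = False
    interface_types: Set[str] = field(default_factory=set)


def _check_port_ranges(ranges: List[str], label: str, errors: List[str]) -> None:
    for spec in ranges:
        lo_s, _, hi_s = spec.partition("-")
        try:
            lo = int(lo_s)
            hi = int(hi_s) if hi_s else lo   # a single port is the range lo-lo
        except ValueError:
            errors.append(f"{label}: '{spec}' is not a port or port range")
            continue
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            errors.append(f"{label}: '{spec}' is outside 0-65535")
        if lo > hi:
            errors.append(f"{label}: '{spec}' must be ascending (low-high)")


def validate_rule(rule: FirewallRule) -> List[str]:
    """Return every problem found; an empty list means the rule passes."""
    errors: List[str] = []
    _check_port_ranges(rule.local_ports, "local ports", errors)
    _check_port_ranges(rule.remote_ports, "remote ports", errors)
    if (rule.local_ports or rule.remote_ports) and rule.protocol not in (TCP, UDP):
        errors.append("port ranges require protocol 6 (TCP) or 17 (UDP)")
    if rule.edge_traversal and rule.direction != "in":
        errors.append("edge traversal is only valid on an inbound rule")
    unknown = rule.interface_types - INTERFACE_TYPES
    if unknown:
        errors.append(f"unknown interface types: {sorted(unknown)}")
    if "All" in rule.interface_types and len(rule.interface_types) > 1:
        errors.append("interface type 'All' cannot be combined with other types")
    return errors


def merge_profiles(profiles: Dict[str, List[FirewallRule]]
                   ) -> Tuple[List[FirewallRule], List[Tuple[str, str]]]:
    """Model what the device receives from several rules profiles.

    Every rule is delivered (the device merges them), so the combined set can
    exceed one profile's limit. A (program, direction) target whose rules
    disagree on action is reported as a conflict rather than resolved."""
    delivered: List[FirewallRule] = []
    actions_by_target: Dict[Tuple[str, str], Set[str]] = {}
    for profile_name, rules in profiles.items():
        if len(rules) > MAX_RULES_PER_PROFILE:
            raise ValueError(f"profile {profile_name!r} exceeds {MAX_RULES_PER_PROFILE} rules")
        for rule in rules:
            delivered.append(rule)
            target = (rule.app_path.lower(), rule.direction)
            actions_by_target.setdefault(target, set()).add(rule.action)
    conflicts = sorted(t for t, actions in actions_by_target.items() if len(actions) > 1)
    return delivered, conflicts


# Constructed sample data. Two profiles allow Teams.exe and Outlook.exe; a third
# blocks Teams.exe, reproducing the conflict case from the article.
TEAMS = r"%ProgramFiles%\Teams\Teams.exe"
OUTLOOK = r"%ProgramFiles%\Outlook\Outlook.exe"
SAMPLE_PROFILES = {
    "Collaboration": [FirewallRule("Allow Teams", TEAMS, "in", "allow", TCP, ["1024-65535"])],
    "Mail": [FirewallRule("Allow Outlook", OUTLOOK, "in", "allow")],
    "Legacy": [FirewallRule("Block Teams", TEAMS, "in", "block")],
}
# A constructed rule that trips five of the checks above.
BAD_RULE = FirewallRule("Broken", r"C:\svc\agent.exe", "out", "allow",
                        local_ports=["5-1", "70000"], edge_traversal=True,
                        interface_types={"All", "Lan"})

if __name__ == "__main__":
    print("problems:", validate_rule(BAD_RULE))
    delivered, conflicts = merge_profiles(SAMPLE_PROFILES)
    print(len(delivered), "rules delivered; conflicts:", conflicts)
```

Run it before saving a rules profile to catch the descending-range, out-of-range, missing-protocol, edge-traversal and interface-type mistakes listed above, and use the conflict list to spot a program that one profile allows and another blocks: Intune delivers both rules rather than picking a winner, so the conflict has to be removed in the profiles themselves.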
Next steps
Configure Endpoint security policies
View details for the settings in the deprecated Firewall profiles for the Windows 10 and
later platform:
You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile
Threat Defense solution. Integration can help you prevent security breaches and limit
the impact of breaches within an organization.
Android
iOS/iPadOS
Windows 10
Windows 11
Windows Server 2008 R2
Windows Server 2012 R2
Windows Server 2016
Windows Server Semi-Annual Enterprise Channel
Windows Server 2019 and later
Windows Server 2019 Core edition
Windows Server 2022
When you integrate Intune with Microsoft Defender for Endpoint, you can take
advantage of Microsoft Defender for Endpoint's Threat & Vulnerability Management
(TVM) and use Intune to remediate endpoint weaknesses identified by TVM.
Consider an event where someone sends a Word attachment with embedded malicious
code to a user within your organization.
Microsoft Defender for Endpoint can help resolve security events like this scenario.
In our example, Microsoft Defender for Endpoint detects that the device executed
abnormal code, experienced a process privilege escalation, injected malicious
code, and issued a suspicious remote shell.
Based on these actions from the device, Microsoft Defender for Endpoint classifies
the device as high-risk and includes a detailed report of suspicious activity in the
Microsoft Defender Security Center portal.
Because you have an Intune device compliance policy to classify devices with a Medium
or High level of risk as noncompliant, the compromised device is classified as
noncompliant. This classification allows your conditional access policy to kick in and
block access from that device to your corporate resources.
For devices that run Android, you can use Intune policy to modify the configuration of
Microsoft Defender for Endpoint on Android. For more information, see Microsoft
Defender for Endpoint web protection.
Prerequisites
Subscriptions:
To use Microsoft Defender for Endpoint with Intune, you must have the following
subscriptions:
Microsoft Defender for Endpoint - This subscription provides you access to the
Microsoft Defender Security Center (ATP portal).
The following platforms are supported for Intune with Microsoft Defender for Endpoint:
Android
iOS/iPadOS
Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory
Joined)
For the system requirements for Microsoft Defender for Endpoint, see Minimum
requirements for Microsoft Defender for Endpoint.
Next steps
To connect Microsoft Defender for Endpoint to Intune, onboard devices, and
configure conditional access policies, see Configure Microsoft Defender for
Endpoint in Intune.
Use the information and procedures in this article to configure integration of Microsoft
Defender for Endpoint with Intune. Configuration includes the following general steps:
Before you start, your environment must meet the prerequisites to use Microsoft
Defender for Endpoint with Intune.
In addition to managing settings for Microsoft Defender for Endpoint on devices you
manage with Intune, you can manage Defender for Endpoint security configurations on
devices that aren’t enrolled with Intune. This scenario is called Security Management for
Microsoft Defender for Endpoint and requires configuring the Allow Microsoft Defender
for Endpoint to enforce Endpoint Security Configurations toggle to On. For more
information, see MDE Security Configuration Management.
You only need to enable Microsoft Defender for Endpoint a single time per tenant.
2. Select Endpoint security > Microsoft Defender for Endpoint, and then select
Open the Microsoft Defender Security Center.
This opens the Microsoft 365 Defender portal at security.microsoft.com, which
replaces the use of the previous portal at securitycenter.windows.com.
Tip
If the Connection status at the top of the page is already set to Enabled, the
connection to Intune has already been made, and the admin center displays
different UI than in the following screen shot. In this event, you can use the
link Open the Microsoft Defender for Endpoint admin console to open the
Microsoft Defender Security Center and use the guidance in the following
step to confirm that the Microsoft Intune connection is set to On.
Note
Once the connection is established, the services are expected to sync with
each other at least once every 24 hours. The number of days without sync
until the connection is considered unresponsive is configurable in the
Microsoft Intune admin center. Select Endpoint security > Microsoft
Defender for Endpoint > Number of days until partner is unresponsive.
4. Return to Microsoft Defender for Endpoint page in the Microsoft Intune admin
center.
a. To use Defender for Endpoint with compliance policies, configure the following
under MDM Compliance Policy Settings for the platforms you support:
When these configurations are On, applicable devices that you manage with
Intune, and devices you enroll in the future, are connected to Microsoft
Defender for Endpoint for compliance.
For iOS devices, Defender for Endpoint also supports the following settings that
help provide the Vulnerability Assessment of apps on Microsoft Defender for
Endpoint for iOS. For more information about using the following two settings,
see Configure vulnerability assessment of apps.
Enable App Sync for iOS Devices: Set to On to allow Defender for
Endpoint to request metadata of iOS applications from Intune to use for
threat analysis purposes. The iOS device must be MDM-enrolled and will
provide updated app data during device check-in.
When set to On, Defender for Endpoint can request a list of applications
from Intune for personally-owned iOS/iPadOS devices. This includes
unmanaged apps and apps that were deployed through Intune.
When set to Off, data about unmanaged apps isn’t provided. Intune does
share data for the apps that were deployed through Intune.
b. To use Defender for Endpoint with app protection policies, configure the
following under App Protection Policy Settings for the platforms you support.
These capabilities are available for Android and iOS/iPadOS.
Set Connect Android devices to Microsoft Defender for Endpoint for app
protection policy evaluation to On.
Set Connect iOS devices to Microsoft Defender for Endpoint for app
protection policy evaluation to On.
To set up integration with Microsoft Defender for Endpoint for compliance and app
protection policy evaluation, you must have a role that includes the Mobile Threat
Defense permission in Intune. The Endpoint Security Manager built-in admin role
for Intune has this permission included. For more information about both MDM
Compliance Policy Settings and App Protection Policy Settings, see Mobile Threat
Defense toggle options.
5. Select Save.
Tip
When you integrate a new application to Intune Mobile Threat Defense and enable
the connection to Intune, Intune creates a classic conditional access policy in Azure
Active Directory. Each MTD app you integrate, including Microsoft Defender for
Endpoint or any of our additional MTD partners, creates a new classic conditional
access policy. These policies can be ignored, but should not be edited, deleted, or
disabled.
If the classic policy is deleted, you will need to delete the connection to Intune that
was responsible for its creation, and then set it up again. This recreates the classic
policy. It's not supported to migrate classic policies for MTD apps to the new policy
type for conditional access.
Are used by Intune MTD to require that devices are registered in Azure AD so
that they have a device ID before communicating with MTD partners. The ID is
required so that devices can successfully report their status to Intune.
Have no effect on any other Cloud apps or Resources.
Are distinct from conditional access policies you might create to help manage
MTD.
By default, don't interact with other conditional access policies you use for
evaluation.
To view classic conditional access policies, in Azure, go to Azure Active Directory
> Conditional Access > Classic policies.
Onboard devices
When you enabled support for Microsoft Defender for Endpoint in Intune, you
established a service-to-service connection between Intune and Microsoft Defender for
Endpoint. You can then onboard devices you manage with Intune to Microsoft Defender
for Endpoint. Onboarding enables collection of data about device risk levels.
When onboarding devices, be sure to use the most recent version of Microsoft Defender for
Endpoint for each platform.
After onboarding a device using the configuration package, you don't need to do it
again.
Endpoint detection and response (EDR) policy. Intune EDR policy is part of
endpoint security in Intune. Use EDR policies to configure device security without
the overhead of the larger body of settings found in device configuration profiles.
You can also use EDR policy with tenant attached devices, which are devices you
manage with Configuration Manager.
To view the onboarded devices from Microsoft Defender for Endpoint within the
Microsoft Defender for Endpoint connector page, you need an Intune role with the
Microsoft Defender ATP permission.
When you configure EDR policy after connecting Intune and Microsoft Defender for
Endpoint, the policy setting Microsoft Defender for Endpoint client configuration package
type has a new configuration option: Auto from connector. With this option, Intune
automatically gets the onboarding package (blob) from your Defender for Endpoint
deployment, replacing the need to manually configure an Onboard package.
Tip
When using multiple policies or policy types like device configuration policy and
endpoint detection and response policy to manage the same device settings (such as
onboarding to Defender for Endpoint), you can create policy conflicts for devices.
To learn more about conflicts, see Manage conflicts in the Manage security policies
article.
2. Select Endpoint security > Endpoint detection and response > Create Policy.
4. For Profile type, select Endpoint detection and response, and then select Create.
5. On the Basics page, enter a Name and Description (optional) for the profile, then
choose Next.
6. On the Configuration settings page, configure the following options for Endpoint
Detection and Response:
Sample sharing for all files: Returns or sets the Microsoft Defender for
Endpoint Sample Sharing configuration parameter.
Expedite telemetry reporting frequency: For devices that are at high risk,
Enable this setting so it reports telemetry to the Microsoft Defender for
Endpoint service more frequently.
The preceding screen capture shows your configuration options after you’ve
configured a connection between Intune and Microsoft Defender for
Endpoint. When connected, the details for the onboarding and offboarding
blobs are automatically generated and transferred to Intune.
7. Select Next to open the Scope tags page. Scope tags are optional. Select Next to
continue.
8. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
When you deploy to user groups, a user must sign in on a device before the policy
applies and the device can onboard to Defender for Endpoint.
Select Next.
9. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.
OK,
and then Create to save your changes, which creates the profile.
For configuration guidance for Intune, see Microsoft Defender for Endpoint for macOS.
For more information about Microsoft Defender for Endpoint for Mac, including what's
new in the latest release, see Microsoft Defender for Endpoint for Mac in the Microsoft
365 security documentation.
There isn't a configuration package for devices that run Android. Instead, see Overview
of Microsoft Defender for Endpoint for Android in the Microsoft Defender for Endpoint
documentation for the prerequisites and onboarding instructions for Android.
For devices that run Android, you can also use Intune policy to modify Microsoft
Defender for Endpoint on Android. For more information, see Microsoft Defender for
Endpoint web protection.
There isn't a configuration package for devices that run iOS/iPadOS. Instead, see
Overview of Microsoft Defender for Endpoint for iOS in the Microsoft Defender for
Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS.
For devices that run iOS/iPadOS in Supervised Mode, additional capabilities are available
because of the increased management that the platform provides on these devices. To
take advantage of these capabilities, the Defender app needs to know whether a device is
in Supervised Mode. Intune allows you to configure the Defender for iOS app through an
App Configuration policy (for managed devices) that, as a best practice, should be
targeted to all iOS devices. For more information, see Complete deployment for
supervised devices.
1. Sign in to the Microsoft Intune admin center.
3. On the Basics page, enter a Name and Description (optional) for the profile, select
Platform as iOS/iPadOS then choose Next.
5. On the Settings page, set the Configuration key as issupervised, then Value type
as string with the {{issupervised}} as the Configuration value.
6. Select Next to open the Scope tags page. Scope tags are optional. Select Next to
continue.
7. On the Assignments page, select the groups that will receive this profile. For this
scenario, it's a best practice to target All Devices. For more information on
assigning profiles, see Assign user and device profiles.
When deploying to user groups, a user must sign in on a device before the policy
applies.
Select Next.
8. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list of configuration profiles.
Further, for devices that run iOS/iPadOS (in Supervised Mode), the Defender for iOS
team has made available a custom .mobileconfig profile to deploy to iPad/iOS devices.
The .mobileconfig profile will be used to analyze network traffic to ensure a safe
browsing experience - a feature of Defender for iOS.
6. On the Basics page, enter a Name and Description (optional) for the profile, then
choose Next.
9. On the Assignments page, select the groups that will receive this profile. For this
scenario, it's a best practice to target All Devices. For more information on
assigning profiles, see Assign user and device profiles.
When you deploy to user groups, a user must sign in on a device before the policy
applies.
Select Next.
10. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list of configuration profiles.
If you're not familiar with creating compliance policy, reference the Create a policy
procedure from the Create a compliance policy in Microsoft Intune article. The following
information is specific to configuring Microsoft Defender for Endpoint as part of a
compliance policy.
2. Select Devices > Compliance policies > Policies > Create Policy.
3. For Platform, use the drop-down box to select one of the following options:
4. Specify a Name that helps you identify this policy later. You can also choose to
specify a Description.
5. On the Compliance settings tab, expand the Microsoft Defender for Endpoint
group and set the option Require the device to be at or under the machine risk
score to your preferred level.
Clear: This level is the most secure. The device can't have any existing threats
and still access company resources. If any threats are found, the device is
evaluated as noncompliant. (Microsoft Defender for Endpoint uses the value
Secure.)
Low: The device is compliant if only low-level threats exist. Devices with
medium or high threat levels aren't compliant.
Medium: The device is compliant if the threats found on the device are low or
medium. If high-level threats are detected, the device is determined as
noncompliant.
High: This level is the least secure and allows all threat levels. Devices with
high, medium, or low threat levels are considered compliant.
Apps: Select the apps you wish to be targeted by app protection policies. For this
feature set, these apps are blocked or selectively wiped based on device risk
assessment from your chosen Mobile Threat Defense vendor.
Conditional launch: Below Device conditions, use the drop-down box to select Max
allowed device threat level.
Assignments: Assign the policy to groups of users. The devices used by the
group's members are evaluated for access to corporate data on targeted apps via
Intune app protection.
Important
If you create an app protection policy for any protected app, the device's threat
level is assessed. Depending on the configuration, devices that don’t meet an
acceptable level are either blocked or selectively wiped through conditional launch.
If blocked, they are prevented from accessing corporate resources until the threat
on the device is resolved and reported to Intune by the chosen MTD vendor.
Tip
3. Enter a policy Name and select Users and groups. Use the Include or Exclude
options to add your groups for the policy, and then select Done.
4. Select Cloud apps, and then choose which apps to protect. For example, choose
Select apps, and select Office 365 SharePoint Online and Office 365 Exchange
Online.
5. Select Conditions > Client apps to apply the policy to apps and browsers. For
example, select Yes, and then enable Browser and Mobile apps and desktop
clients.
Next steps
Configure Microsoft Defender for Endpoint settings on Android
Monitor compliance for risk levels
When you integrate Microsoft Intune and Microsoft Defender for Endpoint, you can use
device configuration profiles to modify some Defender for Endpoint settings on Android
devices.
Before you begin, you must successfully configure Microsoft Defender for Endpoint in
Intune and onboard Android devices to Defender for Endpoint.
While this protection is enabled by default, there are valid reasons to disable it on some
Android devices. For example, you might decide to use only the Defender for Endpoint
app scan feature or to prevent web protection from using your VPN while it scans for
harmful URLs.
Intune allows you to turn off all or part of the web protection feature. The method you
use and the capabilities you can disable depend on how the Android device is enrolled
with Intune:
To configure web protection on devices, use the following procedures to create and
deploy the applicable configuration.
Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, Android custom profile for
Defender for Endpoint web protection.
Description: Enter a description for the profile. This setting is optional but
recommended.
Note
Note
Select Add to save the OMA-URI settings configuration, and then select Next to
continue.
6. In Assignments, specify the groups that will receive the profile. For more
information on assigning profiles, see Assign user and device profiles.
7. In Review + create, when you're done, select Create. The new profile is displayed
in the list when you select the policy type for the profile you created.
Note
You can't disable web protection for the Android Enterprise personally owned work
profile if you've configured the Auto Setup of Always-on VPN device
configuration policy on the enrolled devices.
2. Select Apps > App configuration policies > Add, and then select Managed
devices.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, Android app configuration for
Microsoft Defender for Endpoint web protection.
Description: Enter a description for the profile. This setting is optional but
recommended.
Platform: Select Android Enterprise.
Profile Type: Select Personally-Owned Work Profile Only.
Targeted app: Click Select app.
4. In Associated app, find and select Defender for Endpoint, and then select OK >
Next.
6. Find and select configuration keys Anti-Phishing and VPN, and then select OK to
return to the Settings page.
Note
The Web Protection configuration key is deprecated. If you've used this key in
the past, complete the previous steps to re-configure the setting by setting
the keys Anti-Phishing and VPN to enable or disable web protection.
Note
Enter 1 for both configuration values (Anti-Phishing and VPN) to enable web
protection. This setting is the default.
8. In Assignments, specify the groups that will receive the profile. For more
information on assigning profiles, see Assign user and device profiles.
9. In Review + create, when you're done, select Create. The new profile is displayed
in the list when you select the policy type for the profile you created.
Note
You can't disable VPN for the Android Enterprise Fully Managed profile if
you've configured the Auto Setup of Always-on VPN device configuration
policy on the enrolled devices.
Note
Enter 1 for both configuration values (Anti-Phishing and VPN) to enable web
protection. This setting is the default.
Select Next to continue.
2. In Assignments, specify the groups that will receive the profile. For more
information on assigning profiles, see Assign user and device profiles.
3. In Review + create, when you're done, select Create. The new profile is displayed in
the list when you select the policy type for the profile you
created.
Next steps
Monitor compliance for risk levels
When you integrate Microsoft Intune and Microsoft Defender for Endpoint, you can
view information about device compliance and onboarding in the Microsoft Intune
admin center.
3. Find your Microsoft Defender for Endpoint policy in the list, and see which devices
are compliant or noncompliant.
You can also use the operational report for noncompliant devices from the same
location:
Next steps
Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in
Intune
Manage Microsoft Defender for
Endpoint on devices with Microsoft
Intune
Article • 08/14/2023
When you use Microsoft Defender for Endpoint, you can deploy policies from Microsoft
Intune to manage the Defender security settings on the devices you’ve onboarded to
Defender without enrolling those devices with Intune. This capability is known as
Defender for Endpoint security settings management.
Note
You can opt-in to the public preview by enabling the use of Preview features from
within the Microsoft 365 Defender portal . For more information on this, see
Microsoft Defender for Endpoint preview features in the Defender
documentation.
When you manage devices through security settings management without participation
in the public preview:
You use the Microsoft Intune admin center to configure endpoint security policies
for Defender for Endpoint and assign those policies to Azure AD groups
Devices get the policies based on their Azure Active Directory device object. A
device that isn’t already present in Azure Active Directory is joined as part of this
solution
When a device receives a policy, the Defender for Endpoint components on the
device enforce the policy and report on the device's status. The device's status is
available in the Microsoft Intune admin center
This scenario extends the Microsoft Intune Endpoint Security surface to devices that
aren't capable of enrolling in Intune. When a device is managed by Intune (enrolled to
Intune) the device won't process policies for Security Management for Microsoft
Defender for Endpoint. Instead, use Intune to deploy policy for Defender for Endpoint to
your devices.
Applies to:
Windows 10
Windows 11
Prerequisites
Review the following sections for requirements for the Defender for Endpoint security
settings management Scenario.
Environment
When a supported device onboards to Microsoft Defender for Endpoint:
The device is surveyed for an existing Microsoft Intune presence, which is a mobile
device management (MDM) enrollment to Intune.
Devices without an Intune presence enable the security settings management
feature.
A trust is created with Azure Active Directory if one doesn't already exist.
Policies retrieved from Microsoft Intune are enforced on the device by Microsoft
Defender for Endpoint.
Note
If the device was part of a dynamic Azure AD group, the policy targeting the device
will be resolved within a minimum of 48 hours. However, if the device was targeted
as part of a static Azure AD group, administrators will need to go back and retarget
the device.
Connectivity requirements
Devices must have access to the following endpoints:
that are used for enrollment, check-in, and reporting, and which can change as the
service scales.
Note
You need to configure an endpoint system-wide proxy in an environment that is
not connected to the internet. Use of only the EDR static proxy configuration is not
sufficient.
If your organization uses Secure Socket Layer (SSL) inspection, the endpoints
should be excluded from inspection.
Supported platforms
Policies for Microsoft Defender for Endpoint security management are supported for the
following device platforms:
Windows:
Security settings management doesn't work on and is not supported with the following:
Important
In some cases, Domain Controllers that run a down-level server operating system
(2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for
Endpoint. To ensure that this doesn't happen in your environment, we recommend
making sure your domain controllers are neither tagged "MDE-Management" nor
managed by MDE.
A subscription that grants licenses for Microsoft Defender for Endpoint, like
Microsoft 365, or a standalone license for only Microsoft Defender for Endpoint. A
subscription that grants Microsoft Defender for Endpoint licenses also grants your
tenant access to the Endpoint security node of the Microsoft Intune admin center.
Note
The Endpoint security node is where you configure and deploy policies to manage
Microsoft Defender for Endpoint for your devices and monitor device status.
For current information about options, see Minimum requirements for Microsoft
Defender for Endpoint.
Architecture
The following diagram is a conceptual representation of the Microsoft Defender for
Endpoint security configuration management solution.
When you deploy an endpoint security policy that’s supported for both Defender for
Endpoint security settings management and Microsoft Intune, a single instance of that
policy can be processed by devices supported through security settings management
(Microsoft Defender), and by devices that are managed by either Intune or
Configuration Manager.
Profiles for the Windows 10 and later platform aren't supported for devices managed by
security settings management.
Endpoint security policies are discrete groups of settings intended for use by security
admins who focus on protecting devices in your organization. The following are
descriptions of the policies that support security settings management:
Attack surface reduction (ASR) policies focus on minimizing the places where your
organization is vulnerable to cyberthreats and attacks. With security settings
management, ASR rules apply to devices that run Windows 10, Windows 11, and
Windows Server. For more information, see:
Overview of attack surface reduction in the Windows Threat protection
documentation.
ASR rules supported operating systems in the Windows Threat protection
documentation.
Attack surface reduction policy for endpoint security, in the Intune
documentation.
Endpoint detection and response (EDR) policies manage the Defender for
Endpoint capabilities that provide advanced attack detections that are near real-
time and actionable. Based on EDR configurations, security analysts can prioritize
alerts effectively, gain visibility into the full scope of a breach, and take response
actions to remediate threats. See endpoint detection and response policy for
endpoint security.
Firewall policies focus on the Defender firewall on your devices. See firewall policy
for endpoint security.
Firewall Rules configure granular rules for Firewalls, including specific ports,
protocols, applications, and networks. See firewall policy for endpoint security.
1. Sign in to Microsoft 365 Defender portal and go to Settings > Endpoints >
Configuration Management > Enforcement Scope and enable the platforms for
security settings management.
2. Initially, we recommend testing the feature for each platform by selecting the
platforms option for On tagged devices, and then tagging the devices with the
MDE-Management tag.
3. Configure the feature for Microsoft Defender for Cloud onboarded devices and
Configuration Manager authority settings to fit your organization's needs:
Tip
Use the proper device tags to test and validate your rollout on a small number
of devices. Without using pilot mode, any device that falls into the scope
configured will automatically be enrolled.
4. Make sure the relevant users have permissions to manage endpoint security
settings in Microsoft Intune. If not already provided, request for your IT
administrator to grant applicable users the Microsoft Intune's Endpoint Security
Manager built-in RBAC role.
Configure Intune
In the Microsoft Intune admin center, your account needs permissions equivalent to the
Endpoint Security Manager built-in role-based access control (RBAC) role.
2. Select Endpoint security > Microsoft Defender for Endpoint, and set Allow
Microsoft Defender for Endpoint to enforce Endpoint Security Configurations to
On.
When you set this option to On, all devices in the platform scope for Microsoft
Defender for Endpoint that aren't managed by Microsoft Intune qualify to onboard
to Microsoft Defender for Endpoint.
Onboard devices to Microsoft Defender for
Endpoint
Microsoft Defender for Endpoint supports several options to onboard devices. For
current guidance, see Onboard devices and configure Microsoft Defender for Endpoint
capabilities in the Defender for Endpoint documentation.
To support this, configure the Manage Security settings using Configuration Manager
toggle to Off. Sign in to the Microsoft 365 Defender portal and go to Settings >
Endpoints > Configuration Management > Enforcement Scope:
2. Go to Devices > All devices, and then select the column Managed by to sort the
view of devices. Devices that onboard to Microsoft Defender for Endpoint but
aren't managed by Intune display Microsoft Defender for Endpoint in the Managed
by column. These are the devices that can receive policies for security settings
management.
Devices that onboard to Microsoft Defender for Endpoint and have registered but
aren't managed by Intune display Microsoft Defender for Endpoint in the
Managed by column. These are the devices that can receive policy for security
management for Microsoft Defender for Endpoint.
You can also find two labels for devices that are using security management for
Microsoft Defender for Endpoint:
MDEJoined - Added to devices that are joined to the directory as part of this
scenario.
MDEManaged - Added to devices that are actively using the security
management scenario. This tag is removed from the device if Defender for
Endpoint stops managing the security configuration.
You can create groups for these devices in Azure AD or from within the Microsoft Intune
admin center. When creating groups, you can use the OS value for a device if you're
deploying policies to devices running Windows Server vs devices that run a client
version of Windows:
Important
Custom scripts and Azure AD dynamic device groups created before this change
that specify rules that reference only Windows might exclude Windows Servers
when used with the Security Management for Microsoft Defender for Endpoint
solution. For example:
If you have a rule that uses the equals or not equals operator to identify
Windows, this change will affect your rule. That is because previously both
Windows and Windows Server were reported as Windows. To continue to
include both, you must update the rule to also reference Windows Server.
If you have a rule that uses the contains or like operator to specify Windows,
then the rule won't be affected by this change. These operators match both
Windows and Windows Server.
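The following is an added example, not part of the Intune documentation or any Microsoft tool: a Microsoft Graph PowerShell audit that finds Azure AD dynamic groups whose membership rule identifies Windows with the exact-match operator described above, and suggests a rewrite that also matches Windows Server. The -Fix switch, the regular expression, and the assumption that the server OS value is reported as the string "Windows Server" in device.deviceOSType are this example's own choices; the Microsoft.Graph.Groups module is assumed to be installed.

```powershell
# Added example (not from the Intune documentation): audit Azure AD dynamic device
# group rules that match Windows with -eq, which excludes devices reported as
# "Windows Server". Reports by default; rewrites the rule only when -Fix is given.
param(
    [switch]$Fix   # hypothetical switch name chosen for this example
)

Import-Module Microsoft.Graph.Groups
$scopes = if ($Fix) { 'Group.ReadWrite.All' } else { 'Group.Read.All' }
Connect-MgGraph -Scopes $scopes | Out-Null

# Only dynamic-membership groups carry a membership rule.
$dynamicGroups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property Id, DisplayName, MembershipRule

# Matches  device.deviceOSType -eq "Windows"  (case and whitespace tolerant) but not
# -eq "Windows Server", nor the -contains / -match forms the article says are unaffected.
$exactWindows = '(?i)device\.deviceOSType\s+-eq\s+"Windows"'

# Suggested replacement keeps the original clause and also accepts "Windows Server";
# the outer parentheses preserve precedence inside a larger rule expression.
$bothClauses = '((device.deviceOSType -eq "Windows") -or (device.deviceOSType -eq "Windows Server"))'

foreach ($g in $dynamicGroups) {
    if ($g.MembershipRule -notmatch $exactWindows) { continue }

    $newRule = [regex]::Replace($g.MembershipRule, $exactWindows, $bothClauses)

    [pscustomobject]@{
        GroupId       = $g.Id
        DisplayName   = $g.DisplayName
        CurrentRule   = $g.MembershipRule
        SuggestedRule = $newRule
    }

    if ($Fix) {
        # Membership is re-evaluated by Azure AD after the rule changes; allow time
        # for the new members to appear before deploying policy to the group.
        Update-MgGroup -GroupId $g.Id -MembershipRule $newRule
    }
}
```

Run it without -Fix first and review the SuggestedRule column; rules that already use -contains or -match are left alone because the regular expression only matches the exact-match form.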
Tip
Users that are delegated the ability to manage endpoint security settings may not
have the ability to implement tenant-wide configurations in Microsoft Intune.
Check with your Intune administrator for more information on roles and
permissions in your organization.
Deploy policy
After creating one or more Azure AD groups that contain devices managed by Microsoft
Defender for Endpoint, you can create and deploy the following policies for security
settings management to those groups. The policies and profiles available vary by
platform.
For the list of policy and profile combinations supported for security settings
management, see the chart in Which solution should I use? earlier in this article.
Tip
Avoid deploying multiple policies that manage the same setting to a device.
2. Go to Endpoint security, select the type of policy you want to configure, and then
select Create Policy.
3. For the policy, select the Platform and the Profile that you want to deploy. For a list
of the Platforms and Profiles that support security settings management, see the
chart in Which solution should I use? earlier in this article.
Note
5. On the Basics page, enter a name and description for the profile, then choose
Next.
6. On the Configuration settings page, select the settings you want to manage with
this profile.
To learn more about a setting, expand its information dialog and select the Learn
more link to view the on-line Configuration Service Provider (CSP) documentation
or related details, for that setting.
7. On the Assignments page, select the Azure AD groups that will receive this profile.
For more information on assigning profiles, see Assign user and device profiles.
Tip
8. Complete the policy creation process and then on the Review + create page,
select Create. The new profile is displayed in the list when you select the policy
type for the profile you created.
9. Wait for the policy to be assigned and view a success indication that policy was
applied.
10. You can validate that settings have applied locally on the client by using the
Get-MpPreference cmdlet.
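As an added example (not part of the Intune documentation), the following script shows one way to do the local validation in step 10: it reads the device's Defender for Endpoint onboarding state from the registry, reads Get-MpPreference, and compares a set of expected values with what the device reports. The expected values and the function name Test-DefenderPolicyApplied are constructed for this example; replace them with the settings your own policy deploys.

```powershell
# Added example (not from the Intune documentation): compare local Defender
# preferences with the values an endpoint security policy was expected to set.
# Run in an elevated PowerShell session on the managed device.

# Constructed expectation table for this example: Get-MpPreference property -> value.
$expected = @{
    DisableRealtimeMonitoring = $false
    PUAProtection             = 1      # 1 = Enabled
    SubmitSamplesConsent      = 1      # 1 = Send safe samples
    MAPSReporting             = 2      # 2 = Advanced
    EnableNetworkProtection   = 1      # 1 = Enabled (block mode)
}

function Test-DefenderPolicyApplied {
    param([hashtable]$Expected)

    # Onboarding state written by the Defender for Endpoint sensor (1 = onboarded).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state     = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $onboarded = ($state -eq 1)

    $pref    = Get-MpPreference
    $results = foreach ($name in $Expected.Keys) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }

    [pscustomobject]@{
        Onboarded       = $onboarded
        # Tamper Protection prevents lowering protected settings, so a mismatch on
        # such a setting is expected while it is on rather than a policy delivery failure.
        TamperProtected = (Get-MpComputerStatus).IsTamperProtected
        Settings        = $results
    }
}

$report = Test-DefenderPolicyApplied -Expected $expected
$report | Select-Object Onboarded, TamperProtected | Format-List
$report.Settings | Sort-Object Match | Format-Table -AutoSize
```

Rows with Match set to False are the settings to investigate in the policy's per-setting status report in the admin center; if TamperProtected is True, check first whether the mismatched setting is one that Tamper Protection guards.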
Monitor status
Status and reports for policies that target devices in this channel are available from the
policy node under Endpoint security in the Microsoft Intune admin center.
Drill in to the policy type and then select the policy to view its status. You can view the
list of platforms, policy types, and profiles that support security settings management in
the table in Which solution should I use, earlier in this article.
When you select a policy, you can view information about the device check-in status,
and can select:
View report - View a list of devices that received the policy. You can select a device
to drill in and see its per-setting status. You can then select a setting to view more
information about it, including other policies that manage that same setting, which
could be a source of conflict.
Per setting status - View the settings that are managed by the policy, and a count
of success, errors, or conflicts for each setting.
You can manually sync a device on-demand from the Microsoft 365 Defender portal.
Sign in to the portal and go to Devices. Select a device that is managed by Microsoft
Defender for Endpoint, and then select the Policy sync button:
The Policy sync button only appears for devices that are successfully managed by
Microsoft Defender for Endpoint.
Devices protected by Tamper Protection
If a device has Tamper Protection turned on, it isn't possible to edit the values of Tamper
Protected settings without disabling Tamper Protection first.
From within the Microsoft Intune admin center go to Devices > All devices,
select a device that displays either MDEJoined or MDEManaged in the Managed by
column, and then select Delete.
You can also remove devices from the scope of Configuration Management in the
Security Center.
Once a device is removed from either location, that change propagates to the other
service.
Important
In some cases, Domain Controllers that run a down-level server operating system
(2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for
Endpoint. To ensure that this doesn't happen in your environment, we recommend
making sure your domain controllers are neither tagged "MDE-Management" nor
managed by MDE.
Many organizations are moving their security configuration to Microsoft Intune to make
use of modern, cloud-based management. Endpoint security in Endpoint Manager offers
rich management of Windows Firewall configuration and granular firewall rule
management.
Because it can be challenging to move large numbers of existing Group Policies for
Windows Firewall rules to Endpoint security policies in Endpoint Manager, we've created
the Endpoint security firewall rule migration tool, which is a PowerShell script.
When you run the Endpoint security firewall rule migration tool on a reference
Windows 10/11 client that has firewall rules based on Group Policy applied, the tool can
automatically create Endpoint security firewall rule policies in Endpoint Manager. After
the endpoint security rules are created, administrators can target the rules to Azure AD
groups to configure MDM and co-managed clients.
Tool usage
Tip
The tool's PowerShell script looks for endpoint security policies that target MDM.
When there are no policies that target MDM, the script can loop and fail to exit. To
work around this condition, either add a policy that targets MDM before running
the script, or edit the line 46 of the script to the following:
while(($profileNameExist) -and ($profiles.Count -gt 0))
Run the tool on a reference machine to migrate that machine's current Windows Firewall
rule configuration. When run, the tool exports all enabled firewall rules that are present
on the device, and automatically creates new Intune policies with the collected rules.
The script downloads all the prerequisites it requires to run. When prompted,
provide appropriate Intune administrator credentials. For more information about
required permissions, see Required permissions.
4. Provide a policy name when prompted. The policy name must be unique for the
tenant.
When more than 150 firewall rules are found, multiple policies are created.
Policies created by the tool are visible in the Microsoft Intune admin center in
the Endpoint security > Firewall pane.
Note
By default, only enabled firewall rules are migrated and only firewall rules
created by GPO are migrated. The tool supports switches you can use to
modify these defaults.
The time the tool takes to run depends on the number of firewall rules found.
5. After the tool runs, it outputs a count of firewall rules that it couldn't automatically
migrate. For more information, see Unsupported configuration.
Switches
Use the following switches (parameters) to modify the tool's default behavior.
Unsupported configuration
The following registry-based settings aren't supported because of a lack of MDM
support in Windows. While these settings are uncommon, should you require these
settings consider logging this need through your standard support channels.
GPO Field | Reason
TYPE-VALUE =/ "Security=" IFSECURE-VAL | IPSec related setting not supported by Windows MDM
TYPE-VALUE =/ "Defer=" DEFER-VAL | Inbound NAT Traversal related not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "LSM=" BOOL-VAL | Loose Source Mapped not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "RMauth=" STR-VAL | IPSec related setting not supported by Windows MDM
TYPE-VALUE =/ "RUAuth=" STR-VAL | IPSec related setting not supported by Windows MDM
TYPE-VALUE =/ "LOM=" BOOL-VAL | Local Only Mapped not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "PCross=" BOOL-VAL | Allow profile crossing not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "LUOwn=" STR-VAL | Local User Owner SID not applicable in MDM
TYPE-VALUE =/ "TTK=" TRUST-TUPLE-KEYWORD-VAL | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "TTK2_22=" TRUST-TUPLE-KEYWORD-VAL2-22 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "TTK2_27=" TRUST-TUPLE-KEYWORD-VAL2-27 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "TTK2_28=" TRUST-TUPLE-KEYWORD-VAL2-28 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM
TYPE-VALUE =/ "NNm=" STR-ENC-VAL | IPSec related setting not supported by Windows MDM
Ports:
Address ranges:
After the tool completes, it generates a report with rules that weren't successfully
migrated. You can view these rules by viewing RulesError.csv found in C:\<folder>.
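As an added example (this is not the Endpoint security firewall rule migration tool and not Microsoft's code), the following pre-flight check enumerates the enabled firewall rules that Group Policy applies on the reference machine, estimates how many policies the tool will create at 150 rules per policy, and flags rules that carry the unsupported settings listed in the table above, so the RulesError.csv count is not a surprise. The mapping from the GPO fields (LSM, LOM, LUOwn, Security, RMauth, RUAuth) to NetSecurity cmdlet properties, and the function name Get-UnsupportedFirewallRules, are this example's assumptions.

```powershell
# Added example (not the migration tool itself): flag GPO-delivered firewall rules
# that carry settings the migration cannot express in Intune firewall rule policy.
function Get-UnsupportedFirewallRules {
    # RSOP = resultant set of Group Policy, i.e. rules delivered by GPO. The tool
    # migrates only enabled rules by default, so filter the same way here.
    $gpoRules = Get-NetFirewallRule -PolicyStore RSOP -Enabled True -ErrorAction Stop

    foreach ($rule in $gpoRules) {
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Assumed property mapping: LSM -> LooseSourceMapping, LOM -> LocalOnlyMapping,
        # LUOwn -> Owner.
        if ($rule.LooseSourceMapping) { $reasons.Add('LSM: loose source mapping') }
        if ($rule.LocalOnlyMapping)   { $reasons.Add('LOM: local only mapping') }
        if ($rule.Owner)              { $reasons.Add('LUOwn: local user owner SID') }

        # IPsec-related fields (Security=, RMauth=, RUAuth=) live on the security filter.
        $sec = $rule | Get-NetFirewallSecurityFilter
        if ($sec.Authentication -ne 'NotRequired' -or $sec.Encryption -ne 'NotRequired') {
            $reasons.Add('Security: IPsec authentication/encryption required')
        }
        if ($sec.RemoteMachine -ne 'Any' -or $sec.RemoteUser -ne 'Any' -or $sec.LocalUser -ne 'Any') {
            $reasons.Add('RMauth/RUAuth: authorized machine or user lists')
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Profile   = $rule.Profile
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

$total    = @(Get-NetFirewallRule -PolicyStore RSOP -Enabled True).Count
$policies = [math]::Ceiling($total / 150)
"Enabled GPO firewall rules: $total (expect about $policies Intune firewall rule policies)"
Get-UnsupportedFirewallRules | Format-Table -AutoSize
```

Rules this check lists will still need to be handled outside the tool (for example, left in Group Policy or logged through your support channels as the article suggests); the rest are candidates for automatic migration.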
Required permissions
Users assigned the Intune roles for Endpoint Security Manager, Intune Service Admin, or
Global Admin can migrate Windows Firewall rules to Endpoint security policies.
Alternatively, you can assign the user a custom role in which the Security baselines
permissions Delete, Read, Assign, Create, and Update are granted.
For more information, see Grant admin permissions to Intune.
Next steps
After creating Endpoint security policies for Firewall rules, assign those policies to Azure
AD groups to configure both your MDM and co-managed clients. For more information,
see Add groups to organize users and devices.
Configure tenant attach to support
endpoint security policies from Intune
Article • 03/02/2023
When you use the Configuration Manager tenant attach scenario, you can deploy
endpoint security policies from Intune to devices you manage with Configuration
Manager. To use this scenario, you must first configure tenant attach for Configuration
Manager and enable collections of devices from Configuration Manager for use with
Intune. After collections are enabled for use, you use the Microsoft Intune admin center
to create and deploy policies.
Tenant attach is often configured with co-management, but you can configure
tenant attach on its own.
After selecting devices to synchronize, you must enable collections for use with
endpoint security policies from Intune. Supported policies for Configuration
Manager devices can only be assigned to collections you’ve enabled.
Antivirus
Manage Antivirus settings for Configuration Manager devices, when you use tenant
attach.
Policy path:
Endpoint security > Antivirus > Windows 10, Windows 11, and Windows Server
(ConfigMgr)
Profiles:
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Endpoint detection and response
Manage Endpoint detection and response policy settings for Configuration Manager
devices, when you use tenant attach.
Policy path:
Endpoint security > Endpoint detection and response > Windows 10, Windows 11,
and Windows Server (ConfigMgr)
Profiles:
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Firewall
Manage Firewall policy settings for Configuration Manager devices, when you use
tenant attach.
Policy path:
Profiles:
The following tasks are completed in the Configuration Manager console. If you’re not
familiar with Configuration Manager, work with a Configuration Manager admin to
complete these tasks.
Tip
To learn more about using Microsoft Defender for Endpoint with Configuration
Manager, see the following articles in the Configuration Manager content:
When a Configuration Manager hotfix is necessary, you can find the hotfix as an in-
console update for Configuration Manager. For more information see Install in-console
updates in the Configuration Manager documentation.
After installing necessary updates, return here to continue configuring your environment
to support endpoint security policies from the Microsoft Intune admin center.
For more information about the tenant attach scenario, see Enable tenant attach in the
Configuration Manager content.
Tip
a. Click Sign In. Use your Global Administrator account to sign in.
b. Ensure the option Upload to Microsoft Intune admin center is selected on the
Tenant onboarding page.
c. Remove the check from Enable automatic client enrollment for co-
management.
When this option is selected, the Wizard presents additional pages to complete
the setup of co-management. For more information, see Enable co-
management in the Configuration Manager content.
4. Click Next and then Yes to accept the Create AAD Application notification. This
action provisions a service principal and creates an Azure AD application
registration to facilitate the sync of collections to the Microsoft Intune admin
center.
5. On the Configure upload page, configure which collections of devices you want to
sync.
You can limit your configuration to device collections or use the
recommended device upload setting for All my devices managed by Microsoft
Endpoint Configuration Manager.
Tip
You can skip selecting collections now, and later use the information in the
following task, Task 3, to configure which collections of devices to synchronize
with the Microsoft Intune admin center.
Tenant attach is now configured, and selected devices sync to Microsoft Intune
admin center.
3. In the Configure upload tab, select Upload to Microsoft Intune admin center.
Click Apply.
The default setting for device upload is All my devices managed by Microsoft
Endpoint Configuration Manager. You can also choose to limit your configuration
to one or few device collections.
4. Sign in with your Global Administrator account when prompted.
5. Click Yes to accept the Create AAD Application notification. This action provisions
a service principal and creates an Azure AD application registration to facilitate the
sync.
Tenant attach is now configured, and selected devices sync to Microsoft Intune
admin center.
2. On the Cloud Sync tab, enable the option to Make this collection available to
assign Endpoint security policies from Microsoft Intune admin center.
You can't select this option if your Configuration Manager hierarchy isn't
tenant attached.
The collections available for this option are limited by the collection scope
selected for tenant attach upload.
3. Select Add and then select the Azure Active Directory group that you would like to
synchronize with Collect membership results.
Devices in this collection can now onboard with Microsoft Defender for Endpoint,
and support use of Intune endpoint security policies.
Next steps
Configure Endpoint security policies for Antivirus, Firewall, and Endpoint detection
and response.
Use Intune to configure BitLocker Drive Encryption on devices that run Windows 10/11.
BitLocker is available on devices that run Windows 10/11. Some settings for BitLocker
require that the device has a supported TPM.
Use one of the following policy types to configure BitLocker on your managed devices:
Endpoint security disk encryption policy for BitLocker. The BitLocker profile in
Endpoint security is a focused group of settings that is dedicated to configuring
BitLocker.
View the BitLocker settings that are available in BitLocker profiles from disk
encryption policy.
View the BitLocker settings that are available for BitLocker in endpoint protection
profiles from device configuration policy.
Tip
Intune provides a built-in encryption report that presents details about the
encryption status of devices, across all your managed devices. After Intune encrypts
a Windows device with BitLocker, you can view and manage BitLocker recovery
keys when you view the encryption report.
You can also access important information for BitLocker from your devices, as
found in Azure Active Directory (Azure AD).
4. On the Configuration settings page, configure settings for BitLocker to meet your
business needs.
Select Next.
5. On the Scope (Tags) page, choose Select scope tags to open the Select tags pane
to assign scope tags to the profile.
Select Next to continue.
6. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
7. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.
2. Select Devices > Configuration profiles > On the Profiles tab, select Create profile.
If you want to enable BitLocker silently, see Silently enable BitLocker on devices, in
this article for additional prerequisites and the specific setting configurations you
must use.
Manage BitLocker
To view information about devices that receive BitLocker policy, see Monitor disk
encryption.
Devices must meet the following prerequisites, receive applicable settings to silently
enable BitLocker, and not have incompatible settings for TPM startup PIN or key.
Device Prerequisites
A device must meet the following conditions to be eligible for silently enabling
BitLocker:
If end users sign in to the devices as Administrators, the device must run Windows
10 version 1803 or later, or Windows 11.
If end users sign in to the devices as Standard Users, the device must run Windows
10 version 1809 or later, or Windows 11.
The device must be Azure AD Joined or Hybrid Azure AD Joined.
The device must have a TPM (Trusted Platform Module) version 1.2 or later.
The BIOS mode must be set to Native UEFI only.
Endpoint security disk encryption policy - Configure the following settings in the
BitLocker profile:
Warning
In the Endpoint Security policy, some of these settings are not visible if Startup
Authentication Required, System Drive Recovery, or Fixed Drive Recovery are set to
Not Configured.
Tip
While the setting labels and options in the following two policy types are different
from each other, they both apply the same configuration to Windows encryption
CSPs that manage BitLocker on Windows devices.
When a TPM startup PIN or startup key is required on a device, BitLocker can't silently
enable on the device, and instead requires interaction from the end user. Settings to
configure the TPM startup PIN or key are available in both the endpoint protection
template and the BitLocker policy. By default, these policies don't configure these
settings.
Endpoint security disk encryption policy - In the BitLocker profile you'll find the
following settings in the BitLocker - OS Drive Settings category when BitLocker system
drive policy is set to Configure, and then Startup authentication required is set to Yes.
Device configuration policy - In the endpoint protection template you'll find the
following settings in the Windows Encryption category:
Warning
While neither the endpoint security or device configuration policies configure the
TPM settings by default, some versions of the security baseline for Microsoft
Defender for Endpoint will configure both Compatible TPM startup PIN and
Compatible TPM startup key by default. These configurations might block silent
enablement of BitLocker.
If you deploy this baseline to devices on which you want to silently enable
BitLocker, review your baseline configurations for possible conflicts. To remove
conflicts, either reconfigure the settings in the baselines to remove the conflict, or
remove applicable devices from receiving the baseline instances that configure
TPM settings that block silent enablement of BitLocker.
To verify whether the hardware is modern standby capable, run the following command
from a command prompt:
Console
powercfg /a
If the device supports modern standby, it shows that Standby (S0 Low Power Idle)
Network Connected is available
If the device doesn't support modern standby, such as a virtual machine, it shows that
Standby (S0 Low Power Idle) Network Connected isn't supported
To verify the encryption type, run the following command from an elevated (admin)
command prompt:
Console
manage-bde -status c:
The 'Conversion Status' field reflects the encryption type as either Used Space Only
encrypted or Fully Encrypted.
To change the disk encryption type between full disk encryption and used space only
encryption, use the 'Enforce drive encryption type on operating system drives' setting
within the settings catalog.
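The device prerequisites for silent enablement listed earlier and the two verification commands above can be checked in one pass. The following script is an added example, not part of the Intune documentation; it runs elevated on the local device, uses only cmdlets built into Windows 10/11, and assumes English output from dsregcmd, manage-bde and powercfg because it parses their text.

```powershell
# Added example (not from the Intune docs): evaluate the silent BitLocker enablement
# prerequisites on the local device, plus encryption type and modern standby support.
function Test-SilentBitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $r = [ordered]@{}

    # OS build: Windows 10 1803 is build 17134, 1809 is build 17763; Windows 11 is newer than both.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $r.OSBuild              = $build
    $r.AdminUserEligible    = $build -ge 17134   # users who sign in as Administrators
    $r.StandardUserEligible = $build -ge 17763   # users who sign in as Standard Users

    # Join state from dsregcmd: Azure AD joined, or hybrid (domain joined AND Azure AD joined).
    $dsreg = dsregcmd /status
    $aadJoined    = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
    $r.AzureAdJoined       = $aadJoined
    $r.HybridAzureAdJoined = $aadJoined -and $domainJoined

    # TPM present, ready, and spec version 1.2 or later (SpecVersion looks like "2.0, 0, 1.59").
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                -ErrorAction SilentlyContinue).SpecVersion
    $specMajor = if ($spec) { [double](($spec -split ',')[0].Trim()) } else { 0 }
    $r.TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    $r.TpmSpecVersion     = $spec
    $r.TpmVersionOk       = $specMajor -ge 1.2

    # Firmware mode: Windows exposes it as $env:firmware_type ('UEFI' or 'Legacy').
    $r.FirmwareType = $env:firmware_type
    $r.UefiOk       = $env:firmware_type -eq 'UEFI'

    # A TPM+PIN or TPM+startup key protector needs user interaction and blocks silent enablement.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $interactive = @($vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    $r.VolumeStatus           = $vol.VolumeStatus
    $r.InteractiveProtectors  = $interactive.Count
    $r.NoInteractiveProtector = $interactive.Count -eq 0

    # Encryption type, read from the manage-bde 'Conversion Status' field.
    $m = manage-bde -status $MountPoint | Select-String 'Conversion Status:\s*(.+)$' | Select-Object -First 1
    $r.ConversionStatus = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'Unknown' }

    # Modern standby: the S0 Low Power Idle line is printed in BOTH the "available" and the
    # "not available" sections of powercfg /a, so track which section the line belongs to.
    $inAvailable = $false
    $r.ModernStandby = $false
    foreach ($line in (powercfg /a)) {
        if     ($line -match 'not available on this system') { $inAvailable = $false }
        elseif ($line -match 'available on this system')     { $inAvailable = $true }
        elseif ($inAvailable -and $line -match 'S0 Low Power Idle') { $r.ModernStandby = $true }
    }

    # Overall verdict uses the lower (Administrator) build threshold; check StandardUserEligible
    # separately when your users sign in as Standard Users.
    $r.ReadyForSilentEnablement = $r.AdminUserEligible -and $aadJoined -and
        $r.TpmPresentAndReady -and $r.TpmVersionOk -and $r.UefiOk -and $r.NoInteractiveProtector
    [pscustomobject]$r
}

Test-SilentBitLockerReadiness | Format-List
```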
To be accessible, the device must have its keys escrowed to Azure AD.
3. Select a device from the list, and then under Monitor, select Recovery keys.
4. Select Show Recovery Key. Selecting this generates an audit log entry under the
'KeyManagement' activity.
When keys are available in Azure AD, the following information is available:
BitLocker Key ID
BitLocker Recovery Key
Drive Type
When keys aren't in Azure AD, Intune will display No BitLocker key found for this
device.
Note
Information for BitLocker is obtained using the BitLocker configuration service provider
(CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, Windows 10
Pro version 1809 and later, and Windows 11.
IT admins need to have a specific permission within Azure Active Directory to be able to
see device BitLocker recovery keys: microsoft.directory/bitlockerKeys/key/read . There
are some roles within Azure AD that come with this permission, including Cloud Device
Administrator, Helpdesk Administrator, etc. For more information on which Azure AD
roles have which permissions, see Azure AD role descriptions.
All BitLocker recovery key accesses are audited. For more information on Audit Log
entries, see Azure portal audit logs.
Note
If you delete the Intune object for an Azure AD joined device protected by
BitLocker, the deletion triggers an Intune device sync and removes the key
protectors for the operating system volume. Removing the key protector leaves
BitLocker in a suspended state on that volume. This is necessary because BitLocker
recovery information for Azure AD joined devices is attached to the Azure AD
computer object and deleting it may leave you unable to recover from a BitLocker
recovery event.
To support the display of recovery keys for tenant attached devices, your
Configuration Manager sites must run version 2107 or later. For sites that run 2107,
you must install an update rollup to support Azure AD joined devices: See
KB11121541.
To view the recovery keys, your Intune account must have the Intune RBAC
permissions to view BitLocker keys, and must be associated with an on-premises
user that has the related permissions for Configuration Manager of Collection Role,
with Read Permission > Read BitLocker Recovery Key Permission. For more
information, see Configure role-based administration for Configuration Manager.
Prerequisites
Devices must meet the following prerequisites to support rotation of the BitLocker
recovery key:
Azure AD-joined and Hybrid-joined devices must have support for key rotation
enabled via BitLocker policy configuration:
Client-driven recovery password rotation to Enable rotation on Azure AD-joined
devices or Enable rotation on Azure AD and Hybrid-joined devices
Save BitLocker recovery information to Azure Active Directory to Enabled
Store recovery information in Azure Active Directory before enabling
BitLocker to Required
For information about BitLocker deployments and requirements, see the BitLocker
deployment comparison chart.
3. In the list of devices that you manage, select a device, select More, and then select
the BitLocker key rotation device remote action.
4. On the Overview page of the device, select the BitLocker key rotation. If you don't
see this option, select the ellipsis (…) to show additional options, and then select
the BitLocker key rotation device remote action.
Next steps
Manage FileVault policy
Monitor disk encryption
Troubleshooting BitLocker policy
Known issues for Enforcing BitLocker policies with Intune
BitLocker management for enterprises, in the Windows security documentation
Use FileVault disk encryption for macOS with Intune
Article • 02/22/2023
Use one of the following policy types to configure FileVault on your managed devices:
Endpoint security policy for macOS FileVault. The FileVault profile in Endpoint
security is a focused group of settings that is dedicated to configuring FileVault.
View the FileVault settings that are available in profiles for disk encryption policy.
View the FileVault settings that are available in endpoint protection profiles for
device configuration policy.
Tip
Intune provides a built-in encryption report that presents details about the
encryption status of devices, across all your managed devices.
After you create a policy to encrypt devices with FileVault, the policy is applied to
devices in two stages. First, the device is prepared to enable Intune to retrieve and back
up the recovery key. This action is referred to as escrow. After the key is escrowed, the
disk encryption can start.
In addition to using Intune policy to encrypt a device with FileVault, you can deploy
policy to a managed device to enable Intune to assume management of FileVault when
the device was encrypted by the user. This scenario requires the device to receive
FileVault policy from Intune, followed by the user uploading their personal recovery key
to Intune.
User-approved device enrollment is required for FileVault to work on a device. The user
must manually approve of the management profile from system preferences for
enrollment to be considered user-approved.
Following are the FileVault permissions, which are part of the Remote tasks category,
and the built-in RBAC roles that grant the permission:
3. On the Create a profile page, set the following options, and then click Create:
Platform: macOS
Profile type: Templates
Template name: Endpoint protection
4. On the Basics page, enter the following properties:
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name might include the
profile type and platform.
Description: Enter a description for the policy. This setting is optional, but
recommended.
For example: To retrieve a lost or recently rotated recovery key, sign in to the
Intune Company Portal website from any device. In the portal, go to Devices
and select the device that has FileVault enabled, and then select Get recovery
key. The current recovery key is displayed.
Configure the remaining FileVault settings to meet your business needs, and then
select Next.
7. On the Scope (Tags) page, choose Select scope tags to open the Select tags pane
to assign scope tags to the profile.
8. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
9. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.
3. On the Basics page, enter the following properties, and then choose Next.
Platform: macOS
Profile: FileVault
Consider adding a message to help guide users on how to retrieve the recovery
key for their device. This information can be useful for your users when you use the
setting for Personal recovery key rotation, which can automatically generate a new
recovery key for a device periodically.
For example: To retrieve a lost or recently rotated recovery key, sign in to the
Intune Company Portal website from any device. In the portal, go to Devices and
select the device that has FileVault enabled, and then select Get recovery key. The
current recovery key is displayed.
6. On the Scope (Tags) page, choose Select scope tags to open the Select tags pane
to assign scope tags to the profile.
7. On the Assignments page, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
8. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.
Manage FileVault
To view information about devices that receive FileVault policy, see Monitor disk
encryption.
When Intune first encrypts a macOS device with FileVault, a personal recovery key is
created. Upon encryption, the device displays the personal key a single time to the
device user.
For managed devices, Intune can escrow a copy of the personal recovery key. Escrow of
keys enables Intune administrators to rotate keys to help protect devices, and users to
recover a lost or rotated personal recovery key.
Intune escrows a recovery key when Intune policy encrypts a device, or after a user
uploads their recovery key for device that they manually encrypted.
Admins can manage and rotate the FileVault recovery keys for any managed
macOS device, by using the Intune encryption report.
Admins can view the personal recovery key for only managed macOS devices that
are marked as corporate. They can’t view the recovery key for personal devices.
Users can view and retrieve their personal recovery key from a supported location.
For example, from the Company Portal website, the user can choose to Get
recovery key as a remote device action.
Upload a personal recovery key to Intune – Use this method when the user knows
their personal recovery key.
The user generates a new recovery key on the device – Use this method if the
personal recovery key isn’t known by the user.
Both methods require that the device has active policy from Intune that manages
FileVault encryption. To deliver this policy, you can use an endpoint security disk
encryption profile, or a device configuration endpoint protection profile to encrypt
devices with FileVault.
To enable Intune to manage FileVault on a previously encrypted device, the user who
encrypted the device can use the Company Portal website to upload their personal
recovery key for the device to Intune. Upload of the key enables Intune to assume
management of the encryption.
Upon upload, Intune rotates the key to create a new personal recovery key. Intune
stores the new key for future recovery needs and makes it available to the device user.
Prerequisites:
The encrypted device must have an Intune FileVault policy for disk encryption.
The user who encrypted the device must have access to their personal recovery
key for the device and be directed to upload it to Intune.
Intune doesn’t alert users that they must upload their personal recovery key to
complete encryption. Instead, use your normal IT communication channels to alert
users who have previously encrypted their macOS device with FileVault that they
must upload their personal recovery key to Intune.
Note
1. After the device receives the FileVault profile, direct the user to use the Company
Portal website .
2. In the Company Portal website, the user locates their encrypted macOS device and
selects the option Store recovery key.
3. The user must enter their personal recovery key, and Intune then attempts to
rotate the key to generate a new key.
If the key rotation is successful, Intune stores the new key for future use, and
makes the key available to the user should the user need to recover their
device.
If the key rotation fails, then either the device hasn’t processed the FileVault
policy, or the key that is entered isn't accurate for the device.
4. After successful rotation, a user can retrieve their new personal recovery key from a
supported location.
For more information, see end-user content for upload of the personal recovery key.
Prerequisites:
The encrypted device must have an Intune FileVault policy for disk encryption.
Before Intune can assume management of encryption of a user-encrypted device,
that device must receive an Intune FileVault policy for disk encryption.
The device user must have access to the Terminal app on the encrypted device.
1. After the device receives the FileVault profile, the user who encrypted the device
must sign in to the device, open Terminal, and run the following two commands, in
order:
a. cd /Applications/Utilities
When this command runs, the user is prompted to provide their device
password. After the password is provided, the device rotates the personal
recovery key and presents the new personal recovery key to the user.
After recording the new recovery key, complete the remaining prompts from
the command.
2. After the command prompts are completed, the personal recovery key on the
device has been rotated. If the device successfully received the FileVault policy,
Intune assumes management of the device's encryption the next time the device
checks in with Intune.
By default, the device checks in about every eight hours. To expedite device check-
in, use one of the following options:
3. After Intune assumes management of the encryption, a user can retrieve their new
personal recovery key from a supported location.
For additional information, see end-user content for upload of the personal recovery
key.
Retrieve a personal recovery key
For a macOS device that has its FileVault encryption managed by Intune, end users can
retrieve their personal recovery key (FileVault key) from the following locations, using
any device:
Administrators can view personal recovery keys for encrypted macOS devices that are
marked as a corporate device. They can’t view the recovery key for a personal device.
The device that has the personal recovery key must be enrolled with Intune and
encrypted with FileVault through Intune. Using the iOS Company Portal app, Android
Company Portal app, the Android Intune app, or the Company Portal website, the user
can see the FileVault recovery key needed to access their Mac devices.
Device users can select Devices > the encrypted and enrolled macOS device > Get
recovery key. The browser will show the Web Company Portal and display the recovery
key.
Automatic rotation: As an admin, you can configure the FileVault setting Personal
recovery key rotation to automatically generate new recovery keys periodically.
When a new key is generated for a device, the key isn't displayed to the user.
Instead, the user must get the key either from an admin, or by using the company
portal app.
Manual rotation: As an admin, you can view information for a device that you
manage with Intune and that's encrypted with FileVault. You can then choose to
manually rotate the recovery key for corporate devices. You can't rotate recovery
keys for personal devices.
The next time the device checks in with Intune, the personal key is rotated.
When needed, the new key can be obtained by the user through the
company portal.
End-user: End-users use the Company Portal website from any device to view the
current personal recovery key for any of their managed devices. You can't view
recovery keys from the Company Portal app.
2. In the portal, go to Devices and select the macOS device that is encrypted
with FileVault.
Next steps
Manage BitLocker policy
The Microsoft Intune encryption report is a centralized location to view details about a
device's encryption status and find options to manage device recovery keys. The
recovery key options that are available depend on the type of device you're viewing.
To find the report, Sign in to the Microsoft Intune admin center . Select Devices >
Monitor, and then under Configuration, select Encryption report.
Prerequisites
The encryption report supports reporting on devices that run the following operating
system versions:
Report details
The Encryption report pane displays a list of the devices you manage with high-level
details about those devices. You can select a device from the list to drill in and view
additional details from the device's Device encryption status pane.
TPM version (applies to Windows 10/11 only) – The version of the Trusted Platform
Module (TPM) chip detected on the Windows device.
For more information on how we query the TPM version, see DeviceStatus CSP -
TPM Specification.
Encryption readiness – An evaluation of the device's readiness to support an
applicable encryption technology, like BitLocker or FileVault encryption. Devices
are identified as:
Ready: The device can be encrypted by using MDM policy, which requires the
device meet the following requirements:
Not ready: The device doesn't have full encryption capabilities, but may still
support encryption.
When a Windows 10/11 device has a readiness of Not ready, it might still support
encryption. To have the Ready designation, the Windows device must have a TPM
chip activated. However, TPM chips aren't required to support encryption, as the
device can still be manually encrypted, or encrypted through an MDM/Group Policy
setting that allows encrypting without a TPM.
For Windows devices, this field does not look at whether other drives, such as fixed
drives, are encrypted. Encryption status is coming from DeviceStatus CSP -
DeviceStatus/Compliance/EncryptionCompliance.
Profiles – A list of the Device configuration profiles that apply to this device and are
configured with the following values:
macOS:
Profile type = Endpoint protection
Settings > FileVault > FileVault = Enable
Windows 10/11:
Profile type = Endpoint protection
Settings > Windows Encryption > Encrypt devices = Require
You can use the list of profiles to identify individual policies for review should the
Profile state summary indicate problems.
Profile state summary – A summary of the profiles that apply to this device. The
summary represents the least favorable condition across the applicable profiles.
For example, if only one out of several applicable profiles results in an error, the
Profile state summary will display Error.
To view more details of a status, go to Intune > Device configuration > Profiles,
and select the profile. Optionally, select Device status and then select a device.
This field displays information for each applicable error that can be detected. You
can use this information to understand why a device might not be encryption
ready.
The following are examples of the status details Intune can report:
macOS:
The recovery key hasn't been retrieved and stored yet. Most likely, the device
hasn't been unlocked, or it hasn't checked in.
Consider: This result doesn't necessarily represent an error condition but a
temporary state that could be because of timing on the device where escrow for
recovery keys must be set up before the encryption request is sent to the device.
This status might also indicate the device remains locked or hasn't checked in with
Intune recently. Finally, because FileVault encryption doesn't start until a device is
plugged in (charging), it's possible for a user to receive a recovery key for a device
that isn't yet encrypted.
Consider: Either the user hasn't yet logged out after receiving the encryption
request, which is necessary before FileVault can encrypt the device, or the user has
manually decrypted the device. Intune can't prevent a user from decrypting their
device.
The device is already encrypted. Device user must decrypt the device to
continue.
FileVault needs the user to approve their management profile in macOS Catalina
and higher.
Unknown.
Consider: One possible cause for an unknown status is that the device is locked
and Intune can't start the escrow or encryption process. After the device is
unlocked, progress can continue.
Windows 10/11:
For Windows devices, Intune only shows Status details for devices that run the
Windows 10 April 2019 Update or later, or Windows 11. Status details are coming
from BitLocker CSP - Status/DeviceEncryptionStatus.
The BitLocker policy requires user consent to launch the BitLocker Drive
Encryption Wizard to start encryption of the OS volume but the user didn't
consent.
The encryption method of the OS volume doesn't match the BitLocker policy.
The policy BitLocker requires a TPM protector to protect the OS volume, but a
TPM isn't used.
The BitLocker policy requires a TPM-only protector for the OS volume, but TPM
protection isn't used.
The BitLocker policy requires TPM+PIN protection for the OS volume, but a
TPM+PIN protector isn't used.
The BitLocker policy requires TPM+startup key protection for the OS volume,
but a TPM+startup key protector isn't used.
Consider: A BitLocker policy to encrypt OS drives was applied on the machine but
encryption was suspended or did not complete for the OS drive.
Consider: Check the Event log on device to see why the recovery key backup failed.
You may need to run the manage-bde command to manually escrow recovery
keys.
Consider: A BitLocker policy to encrypt fixed drives was applied on the machine
but encryption was suspended or did not complete for the fixed drive.
The encryption method of the fixed drive doesn't match the BitLocker policy.
To encrypt drives, the BitLocker policy requires either the user to sign in as an
Administrator or, if the device is joined to Azure AD, the
AllowStandardUserEncryption policy must be set to 1.
A TPM isn't available for BitLocker, either because it isn't present, it's been made
unavailable in the Registry, or the OS is on a removable drive.
Consider: The BitLocker policy applied to this device requires a TPM, but on this
device, the BitLocker CSP has detected that the TPM may be disabled at the BIOS
level.
Consider: The BitLocker CSP sees that this device has an available TPM, but the
TPM may need to be initialized. Consider running Initialize-Tpm on the machine
to initialize the TPM.
The network isn't available, which is required for recovery key backup.
This report can be of use in identifying problems for groups of devices. For example,
you might use the report to identify a list of macOS devices that all report FileVault is
already enabled by the user, which indicates devices that must be manually decrypted
before Intune can manage their FileVault settings.
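For the Windows status detail above that reports a failed recovery key backup, the remediation the text hints at (manually escrowing the recovery key) can be scripted. This is an added example, not Microsoft's code: it runs elevated on the affected device, uses the built-in BitLocker module, and reads the result from the BitLocker Management event log; the `manage-bde` equivalent is shown in a comment.

```powershell
# Added example (not from the Intune docs): ensure the OS volume has a recovery password
# protector, escrow it to Azure AD, then read the backup outcome from the event log.
function Invoke-RecoveryKeyEscrow {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "Volume $MountPoint is not encrypted; there is no recovery key to escrow."
    }

    # The recovery password (48-digit numeric key) is the protector that Azure AD stores and
    # that the admin center shows as "BitLocker Recovery Key"; its ID is the "BitLocker Key ID".
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Write-Verbose "No recovery password protector on $MountPoint; adding one."
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $rp) {
        # Equivalent command-line form: manage-bde -protectors -adbackup C: -id <KeyProtectorId>
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        [pscustomobject]@{ MountPoint = $MountPoint; KeyProtectorId = $p.KeyProtectorId }
    }
}

function Get-RecoveryKeyBackupEvents {
    # Both successful and failed backups are recorded in this log; the message text says which.
    Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 50 `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'backed up|backup' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Invoke-RecoveryKeyEscrow -Verbose
Get-RecoveryKeyBackupEvents | Format-Table -AutoSize -Wrap
```

If the event log shows the backup failed because the network was unavailable, re-run the escrow once the device can reach Azure AD; the Intune encryption report updates at the next device check-in.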
Windows BitLocker:
Next steps
Manage BitLocker policy
Troubleshooting BitLocker policy
Manage FileVault policy
Known issues for Enforcing BitLocker policies with Intune
Microsoft Intune support for Windows LAPS
Article • 04/28/2023
Every Windows machine has a built-in local administrator account that can’t be deleted,
and which has full permissions to the device. Securing this account is an important step
in securing your organization. Windows devices include Windows Local Administrator
Password Solution (LAPS), a built-in solution to help manage local admin accounts.
You can use Microsoft Intune endpoint security policies for account protection to
manage LAPS on devices that have enrolled with Intune. Intune policies can:
You can also view details about the managed local admin accounts in the Intune Admin
center, and manually rotate their account passwords outside of a scheduled rotation.
Use of Intune LAPS policies helps you protect Windows devices from attacks that are
aimed at exploiting local user accounts like pass-the-hash or lateral-traversal attacks.
Managing LAPS with Intune can also help improve security for remote help desk
scenarios and recover devices that are otherwise inaccessible.
Intune LAPS policy manages the settings available from the Windows LAPS CSP. Intune's
use of the CSP replaces the use of Legacy Microsoft LAPS or other LAPS management
solutions, with CSP-based configuration taking precedence over other LAPS management sources.
To learn about Windows LAPS in more detail, start with the following articles in the
Windows documentation:
What is Windows LAPS? – Introduction to Windows LAPS and the Windows LAPS
documentation set.
Windows LAPS CSP – View the full details for LAPS settings and options. Intune
policy for LAPS uses these settings to configure the LAPS CSP on devices.
Applies to:
Windows 10
Windows 11
Prerequisites
The following are requirements for Intune to support Windows LAPS in your tenant:
Licensing requirements
Intune subscription - Microsoft Intune Plan 1, which is the basic Intune
subscription. You can also use Windows LAPS with a free trial subscription for
Intune.
Active Directory subscription – Azure Active Directory Free, which is the free
version of Azure AD that’s included when you subscribe to Intune. With Azure AD
Free, you can use all the features of LAPS.
Devices that are workplace-joined (WPJ) are not supported by Intune for LAPS.
Cloud – Cloud supports backup to your Azure AD for the following scenarios:
Azure AD Join
Support for Azure AD Join requires you to enable LAPS in your Azure AD. The
following steps can help you complete this configuration. For the larger context,
view these steps in the Azure AD documentation at Enabling Windows LAPS
with Azure AD. Hybrid Azure AD Join does not require LAPS to be enabled in
Azure AD.
Important
LAPS on Windows devices can be configured to use one directory type or the
other, but not both. Also consider that the backup directory must be supported by
the device's join type – if you set the directory to an on-premises Active
Directory and the device is not domain joined, it will accept the policy settings
from Intune, but LAPS cannot successfully use that configuration.
Create and access LAPS policy – To work with and view LAPS policies, your
account must be assigned sufficient permissions from the Intune RBAC category
for Security baselines. By default, these are included in the built-in role Endpoint
Security Manager. To use custom roles, ensure the custom role includes the rights
from the Security baselines category.
Rotate local Administrator password – To use the Intune admin center to view or
rotate a device's local admin account password, your account must be assigned the
following Intune permissions:
Managed devices: Read
Organization: Read
Remote tasks: Rotate Local Admin Password
microsoft.directory/deviceLocalCredentials/standard/read
During the public preview, these permissions aren't available to add to custom
Azure AD roles. Instead, your account must be assigned one of the following Azure
AD built-in roles, which include these permissions by default:
Global Administrator
Cloud Device Administrator
In the future, Azure AD will add support for assigning the required permissions to
custom Azure AD roles.
View Azure AD audit logs and events – To view details about LAPS policies and
recent device actions such as password rotation events, your account must have
permissions equivalent to the built-in Intune role Read Only Operator.
For more information, see Role-based access control for Microsoft Intune.
LAPS Architecture
For information about Windows LAPS architecture, see Key concepts in Windows LAPS
in the Windows documentation.
When a policy doesn’t specify an account name, Intune manages the default built-
in administrator account regardless of its current name on the device.
You can change the account that Intune manages for a device by changing the
device’s assigned policy or editing its current policy to specify a different account.
If two separate policies are assigned to a device that both specify a different
account, a conflict occurs that must be resolved before the device’s account can be
managed.
Next steps
Create policy for LAPS
View reports for LAPS
Account protection policy for endpoint security in Intune
Manage Windows LAPS policy with
Microsoft Intune
Article • 04/19/2023
When you’re ready to manage the Windows Local Administrator Password Solution
(Windows LAPS) on Windows devices you manage with Microsoft Intune, the
information in this article can help you use the Intune admin center to:
Before creating policies, be familiar with the information in Microsoft Intune support for
Windows LAPS, which includes:
Applies to:
Windows 10
Windows 11
Intune policies manage LAPS by using the Windows LAPS configuration service provider
(CSP). Windows LAPS CSP configurations take precedence over, and overwrite, any
existing configurations from other LAPS sources, like GPOs or the Legacy Microsoft
LAPS tool.
Windows LAPS allows for the management of a single local administrator account per
device. Intune policy can specify which local admin account it applies to by use of the
policy setting Administrator Account Name. If the account name specified in the policy
isn’t present on the device, no account is managed. However, when Administrator
Account Name is left blank, the policy defaults to the device's built-in local admin
account that is identified by its well-known relative identifier (RID).
Note
Ensure the prerequisites for Intune to support Windows LAPS in your tenant are
met before creating policies.
Intune’s LAPS policies do not create new accounts or passwords. Instead, they
manage an account that’s already on the device.
Configure and assign LAPS policies carefully. The Windows LAPS CSP supports a single
configuration for each LAPS setting on a device. Devices that receive multiple Intune
policies that include conflicting settings can fail to process policy. Conflicts can also
prevent the backup of the managed local admin account and password to your tenant's
directory.
To help reduce potential conflicts, we recommend assigning a single LAPS policy to each
device through device groups, and not through user groups. While LAPS policy supports
user group assignments, they can result in a cycle of changing LAPS configurations each
time a different user signs in to a device. Frequently changing policies can introduce
conflicts, a lack of device compliance with requirements, and create confusion around
which local admin account on a device is currently being managed.
Important
Ensure that you have enabled LAPS in Azure AD, as covered in the Enabling
Windows LAPS with Azure AD documentation.
To create or manage LAPS policy, your account must have applicable rights from the
Security baseline category. By default, these permissions are included in the built-in role
Endpoint Security Manager. To use custom roles, ensure the custom role includes the
rights from the Security baselines category. See Role based access controls for LAPS.
Before you create a policy, you can review details about the available settings in the
Windows LAPS CSP documentation.
1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Account protection, and then select Create Policy.
Set the Platform to Windows 10 and later, Profile to Local admin password
solution (Windows LAPS) (preview), and then select Create.
Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.
Important
When configuring a policy, keep in mind that the backup directory type in the
policy must be supported by the join type of the device the policy is assigned
to. For example, if you set the directory to Active Directory and the device isn’t
domain joined (but a member of Azure AD), the device can apply the policy
settings from Intune without error, but LAPS on the device will not be able to
successfully use that configuration to back up the account.
After configuring Backup Directory, review and configure the available settings to
meet your organization’s requirements.
4. On the Scope tags page, select any desired scope tags to apply, then select Next.
Note
As with all Intune policies, when a new policy applies to a device, Intune
attempts to notify that device to check in and process the policy.
Until a device successfully checks in with Intune and successfully processes its
LAPS policy, data about its managed local admin account won’t be available
to view or manage from within the admin center.
For more information on assigning profiles, see Assign user and device profiles.
6. In Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.
For more information, see Role based access controls for LAPS.
1. In the Microsoft Intune admin center, go to Devices > All devices, and select a
device that has a LAPS policy that backs up a local admin account. Intune displays
that device's Overview pane.
2. On the device Overview pane, you can view Device actions status. Previously
requested actions and pending actions display, including the time of the request,
and if the action failed or was successful. In the following example screenshot, a
device has had its Local Admin account Password successfully rotated.
3. Selecting an action from the list opens the Device action status pane, which can
display additional details about that action.
Global Admin
Cloud Device Admin
For more information, see Role based access controls for LAPS.
1. In the Microsoft Intune admin center, go to Devices > All devices > select a
Windows device to open its Overview pane.
From the overview pane, you can view the device's Device actions status. The status
displays current and past actions, such as password rotation.
2. On the device's Overview pane, below Monitor select Local admin password. If your
account has sufficient permissions, the Local admin password pane for the device
opens, which is the same view that’s available from within the Azure portal.
The following information can be viewed from within the admin center. However,
the Local admin password can only be viewed when the account was backed up to
Azure AD. It can’t be viewed for an account that’s backed up to an on-premises
Active Directory (Windows Server Active Directory):
Account name – The name of the local admin account that was backed up
from the device.
Security ID – The well-known SID for the account that is backed up from the
device.
Local admin password – Obscured by default. If your account has permission,
you can select Show to reveal the password. You can then use the Copy
option to copy the password to your clipboard. This information isn't
available for devices that back up to an on-premises Active Directory.
Last password rotation – In UTC, the date and time that the password was
last changed or rotated by policy.
Next password rotation – In UTC, the next date and time when the password
will be rotated per policy.
The following are considerations for viewing a device's account and password
information:
Retrieving (viewing) the password for a local admin account triggers an audit
event.
To use this device action, your account must have the following three Intune
permissions:
To rotate a password
1. In the Microsoft Intune admin center , go to Devices > All devices, and select the
Windows device with the account you want to rotate.
2. While viewing the device details, expand the ellipsis (…) on the right side of the
menu bar to reveal the available options, and then select Rotate Local admin
password.
3. When you select Rotate Local admin password, Intune displays a warning that
requires confirmation before the password is rotated.
After you confirm the intent to rotate the password, Intune initiates the process,
which can take a few minutes to complete. During this time, the device details
pane displays a banner and a Device actions status that indicate the action is
Pending.
After a successful rotation, the confirmation will be visible in the Device actions status as
Complete.
The Rotate local admin password device action is available for all Windows
devices, but any device that hasn’t successfully backed up its account and
password data fails to complete a rotate request.
When a password is manually rotated, the time to the next scheduled password
rotation is reset. The time to the next scheduled rotation is managed through the
PasswordAgeDays setting in the LAPS policy.
Here's how this works: A device receives a policy on March 1, which sets
PasswordAgeDays to 10 days. The result is that the device will automatically rotate
its password after 10 days, on March 11. On March 5, an admin manually rotates
that device’s password, an action that resets the start date for PasswordAgeDays
to March 5. As a result, the device will now automatically rotate its password 10
days later, on March 15.
For Azure AD Joined devices, the device must be online at the time the manual
rotation is requested. If the device isn’t online at the time of the request, it results
in a failure.
Password rotation isn't supported as Bulk Action. You can only rotate a single
device at a time.
When a device with successful policy is assigned two or more policies that introduce
a conflict:
Settings that were in use on the device remain on the device at the value last set.
Both policies, the original and the new, report as being in conflict.
To resolve the conflict, either remove policy assignments until the conflicting policy
doesn’t apply, or reconfigure applicable policies to set the same configuration,
removing the conflict.
When a device that doesn’t have a LAPS policy then receives two conflicting policies at
the same time:
Settings aren't sent to the device, and both policies are reported as having
conflicts.
While a conflict remains, settings from the policies don't apply to the device.
To resolve conflicts, you must either remove policy assignments from the device, or
reconfigure settings in applicable policies until no more conflicts remain.
Next steps
Introduction to Intune policy for LAPS
View reports for LAPS
Account protection policy for endpoint security in Intune
Reports for LAPS policy in Intune
Article • 04/19/2023
After devices are assigned Microsoft Intune policy for Windows LAPS, you can view
policy details from within the Microsoft Intune admin center. Reports for LAPS include
details about the devices and users that have been assigned policies, which settings
from those policies have been set successfully, have errors or conflicts, and which
devices are pending the submission of device status for assigned policy.
Reports for Windows LAPS policies are found in the Endpoint security node for Account
protection policies. The Reports node of the Intune admin center doesn't have
dedicated reports for Windows LAPS.
To use the report, sign in to the Intune admin center and navigate to the Account
protection policy node (Endpoint security > Account protection). Here you can view a
list of all Account protection policies, including the policies for LAPS that use the Local
admin password solution (Windows LAPS) (preview) profile. You can identify the profile by
the Policy type column:
When you select any row from the list of policies, Intune displays details for that policy
that include:
A summarization of the Device and user check-in status that displays the count of
devices that the policy targets and that have succeeded in reporting status, have
errors, and so forth.
A link labeled View report that opens a detailed report for each device or user
that’s been assigned the policy. This report can help you understand the policy
configuration and identify the source of conflicts that might prevent the policy
from applying to a device.
Each policy includes tiles you can use to investigate specific aspects of the LAPS
report:
Device assignment status - This tile opens a customized report you can use to
review details for a subset of assignment status, like devices with Success,
Conflict, or devices that are Pending and haven’t yet reported their status.
To use this report option, select one or more Assignment status options and
then select Generate again to run the report for current details.
The results you see are a subset of the results that are available from the View
report option. This custom view includes support to drill in to device details to
view more information about the selected assignment status that was selected
for this report.
Per setting status - A report that lists each setting in policy, and the count of
devices that have Success in applying the setting, have an Error, or a Conflict.
This report view doesn’t support drilling in for more detail.
In the following image, we’ve selected the policy named LAPSSHTest. We use this policy
as we examine what you can learn by using the View report button to drill in for more
information:
While viewing the details for a policy, select the View report button to view a list that
identifies each device that has been assigned the policy. The device list includes the
following information:
Logged in user – Identifies the name of the user logged into the device at the time
the policy last reported status.
Check-in status - The policy status for the device. In the following example, the
device shows a status of Conflict. Conflicts indicate that one or more other policies
that are assigned to this device uses a different configuration for a setting.
Filter
Last report modification time – When the policy was last updated.
In the following image, we see that our example policy is assigned to a single device.
The view also shows that there's a conflict for the device's Check-in status:
When you select the name of a device from the Device name column, Intune displays
details about the settings assigned to that device. In the following image, we see that
the device we selected has two assigned settings. Of the two settings, Password Age
Days is identified as being in conflict per the Setting status column. When you select a
setting from the setting name column, Intune opens the Settings Details pane where you
can view details about that setting.
In the following image, we’ve selected Password Age Days so we can learn more about
its conflict:
The Settings Details pane shows us that the selected setting, Password Age Days, is
configured through two profiles, one named LAPSSHTest (the profile we have been
viewing), and the other named Lapsshtestapril.
With the source profiles that are in conflict now identified by name, you can go back to
the list of policies to view the Password Age Days setting from each, and resolve the
conflict.
Events and Audit logs
When you use Intune policies to manage Windows LAPS, the following events are
audited and logged in Azure Active Directory (Azure AD):
For information about Azure AD event logs, see Audit logs in Azure Active Directory.
Next steps
Introduction to Intune policy for LAPS
Create policy for LAPS
Account protection policy for endpoint security in Intune
Use Endpoint Privilege Management
with Microsoft Intune
Article • 07/24/2023
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.
Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.
Endpoint Privilege Management supports your Zero Trust journey by helping your
organization achieve a broad user base running with least privilege, while allowing users
to still run tasks allowed by your organization to remain productive. For more
information, see Zero Trust with Microsoft Intune.
The following sections of this article discuss requirements to use EPM, provide a
functional overview of how this capability works, and introduce important concepts for
EPM.
Applies to:
Windows 10
Windows 11
Prerequisites
Licensing
Endpoint Privilege Management requires an additional license beyond the Microsoft
Intune Plan 1 license. You can choose between a stand-alone license that adds only
EPM, or license EPM as part of the Microsoft Intune Suite. For more information, see Use
Intune Suite add-on capabilities.
Windows Client requirements
Endpoint Privilege Management has the following operating system requirements:
Important
Elevation settings policy will show as not applicable if a device is not at the
minimum version specified above.
Only devices with a Hybrid Azure Active Directory join or Azure Active Directory
join are supported. Workplace join is not a supported trust type.
License Endpoint Privilege Management - Before you can use Endpoint Privilege
Management policies, you must license EPM in your tenant as an Intune add-on.
For licensing information, see Use Intune Suite add-on capabilities.
Run with elevated access - A right-click context menu option that appears when
EPM is activated on a device. When this option is used, the device's elevation rules
policies are checked for a match to determine if, and how, that file can be elevated
to run in an administrative context. If there's no applicable elevation rule, then the
device uses the default elevation configurations as defined by the elevation
settings policy.
File elevation and elevation types – EPM allows users without administrative
privileges to run processes in the administrative context. When you create an
elevation rule, that rule allows EPM to proxy the target of that rule to run with
administrator privileges on the device. The result is that the application has full
administrative capability on the device.
When you use Endpoint Privilege Management, there are a few options for
elevation behavior:
For automatic elevation rules, EPM automatically elevates these applications
without input from the user. Broad rules in this category can have widespread
impact to the security posture of the organization.
For user confirmed rules, end users use a new right-click context menu Run with
elevated access. User confirmed rules require the end-user to complete some
additional requirements before the application is allowed to elevate. These
requirements provide an extra layer of protection by making the user
acknowledge that the app will run in an elevated context, before that elevation
occurs.
Note
Each elevation rule can also set the elevation behavior for child processes that
the elevated process creates.
Child process controls - When processes are elevated by EPM, you can control
how the creation of child processes is governed by EPM. This allows you to have
granular control over any subprocesses that may be created by your elevated
application.
Once the device has received an elevation settings policy requiring EPM to be
disabled, Intune immediately disables the client-side components. EPM will remove
the EPM component after a period of seven days. The delay is to ensure temporary
or accidental changes in policy or assignments don't result in mass
de-provisioning/re-provisioning events that might have a substantial impact on
business operations.
You can add this permission with one or more rights to your own custom RBAC roles, or
use a built-in RBAC role dedicated to managing Endpoint Privilege Management:
Endpoint Privilege Reader - Use this built-in role to view Endpoint Privilege
Management policies in the Intune console, including reports. This role includes
the following rights for Endpoint Privilege Management Policy Authoring:
View Reports
Read
In addition to the dedicated roles, the following built-in roles for Intune also include
rights for Endpoint Privilege Management Policy Authoring:
Endpoint Security Manager - This role includes all rights for Endpoint Privilege
Management Policy Authoring.
Read Only Operator - This role includes the following rights for Endpoint Privilege
Management Policy Authoring:
View Reports
Read
For more information, see Role-based access control for Microsoft Intune.
Get-Policies: Retrieves a list of all policies received by the Epm Agent for a given
PolicyType (ElevationRules, ClientSettings).
DeclaredConfiguration: Retrieves a list of WinDC documents that identify the
policies targeted to the device.
Get-DeclaredConfigurationAnalysis: Retrieves a list of WinDC documents of type
MSFTPolicies and checks if the policy is already present in Epm Agent (Processed
column).
Get-ElevationRules: Queries the EpmAgent lookup functionality and retrieves rules for a
given lookup and target. Lookup is supported for FileName and CertificatePayload.
Get-ClientSettings: Process all existing client settings policies to display the
effective client settings used by the EPM Agent.
Get-FileAttributes: Retrieves File Attributes for a .exe file and extracts its Publisher
and CA certificates to a set location that can be used to populate Elevation Rule
Properties for a particular application.
For more information about each cmdlet, review the readme.txt file from the EpmTools
folder on the device.
Next steps
Guidance for creating Elevation Rules
Configure policies for Endpoint Privilege Management
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Guidance for creating elevation rules
with Endpoint Privilege Management
Article • 07/24/2023
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
Overview
Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.
Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.
Detections are classified as the set of attributes that are used to identify an application
or binary. Detections are comprised of attributes such as file name, file version, or
attributes of a signature.
Elevation actions are the resulting elevation that occurs after an application or binary
has been detected.
File hash can be gathered from the direct binary using the Get-FileHash PowerShell
cmdlet or directly from the reports for Endpoint Privilege Management.
Certificate rules
Certificate rules are a strong type of attribute and should be paired with other attributes.
Pairing a certificate with attributes like product name, internal name, and description
drastically improves the security of the rule. These attributes are protected by a file's
signature, and often indicate specifics about the signed file.
Caution
Using just a certificate and a file name provides very limited protection for misuse
of a rule. File names can be changed by any standard user provided they have
access to the directory where the file resides. This might not be a concern for files
that reside in a write-protected directory.
This means that file names are highly susceptible to change. Files that are signed by a
certificate that you trust could have their name changed to be detected and
subsequently elevated, which might not be your intended behavior.
Important
Always ensure that rules including a file name include other attributes that provide
a strong assertion to the file's identity. Attributes like file hash or properties that are
included in the file's signature are good indicators that the file you intend is likely
the one being elevated.
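As an added example (not code from the Intune documentation or the EpmTools module), the following PowerShell gathers the attributes this guidance and the Get-FileAttributes description above refer to for one executable: the SHA256 file hash, the signature-protected version properties (product name, internal name, description), and the publisher and root CA certificates, then flags the weak combinations the Caution above describes. The executable path and output folder are hypothetical; it assumes a Windows host with the PKI module (Export-Certificate) available.

```powershell
# Added example (not from the Intune docs or the EpmTools module): gather the attributes
# for a strong EPM elevation rule from one .exe and point out weak combinations.
# Assumes a Windows host with the PKI module (Export-Certificate) available.
function Get-ElevationRuleAttributes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hypothetical output folder for the exported .cer files
        [string] $CertOutputFolder = (Join-Path $env:TEMP 'EpmRuleCerts')
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.Extension -ne '.exe') { throw "Expected a .exe file, got '$($file.Name)'" }

    # File hash: required for automatic rules; the strongest single attribute for any rule
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Version-resource properties; these are covered by the Authenticode signature
    $vi = $file.VersionInfo

    # Authenticode signature: leaf (publisher) certificate plus the root of its chain
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $pubSubject = $null; $pubThumb = $null; $caThumb = $null; $certFiles = @()
    if ($sig.Status -eq 'Valid') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only building the path here, not checking revocation
        [void]$chain.Build($sig.SignerCertificate)
        $publisher = $chain.ChainElements[0].Certificate
        $rootCa    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        New-Item -ItemType Directory -Path $CertOutputFolder -Force | Out-Null
        $pubPath = Join-Path $CertOutputFolder 'Publisher.cer'
        $caPath  = Join-Path $CertOutputFolder 'CA.cer'
        Export-Certificate -Cert $publisher -FilePath $pubPath -Force | Out-Null
        Export-Certificate -Cert $rootCa    -FilePath $caPath  -Force | Out-Null
        $pubSubject = $publisher.Subject
        $pubThumb   = $publisher.Thumbprint
        $caThumb    = $rootCa.Thumbprint
        $certFiles  = @($pubPath, $caPath)
    }

    [pscustomobject]@{
        FileName            = $file.Name
        Sha256              = $sha256
        FileVersion         = $vi.FileVersion
        ProductName         = $vi.ProductName
        InternalName        = $vi.InternalName
        FileDescription     = $vi.FileDescription
        SignatureStatus     = [string]$sig.Status
        PublisherSubject    = $pubSubject
        PublisherThumbprint = $pubThumb
        RootCaThumbprint    = $caThumb
        CertificateFiles    = $certFiles
    }
}

# Return warnings for attribute combinations the guidance above describes as weak.
function Test-ElevationRuleStrength {
    param([Parameter(Mandatory)] $Attributes)
    $warnings = @()
    if ($Attributes.SignatureStatus -ne 'Valid') {
        $warnings += 'No valid Authenticode signature: a certificate rule is not possible; base the rule on the file hash.'
    }
    if ([string]::IsNullOrWhiteSpace($Attributes.ProductName) -and
        [string]::IsNullOrWhiteSpace($Attributes.InternalName)) {
        $warnings += 'No product or internal name in the signed version resource: certificate + file name alone is weak; add the file hash.'
    }
    if ([string]::IsNullOrWhiteSpace($Attributes.Sha256)) {
        $warnings += 'File hash missing: automatic rules require a hash.'
    }
    return ,$warnings
}

# Usage (hypothetical path): collect the attributes, then review any weaknesses before creating the rule
$attrs = Get-ElevationRuleAttributes -Path 'C:\Program Files\Contoso\ContosoSetup.exe'
$attrs | Format-List
Test-ElevationRuleStrength -Attributes $attrs
```

The exported Publisher.cer and CA.cer are the leaf and root of the signing chain; which one to reference in the rule is a policy decision for your organization.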
Note
Changing the child process behavior may have compatibility issues with certain
applications that expect the default Windows behavior. Make sure you thoroughly
test applications when manipulating the child process behavior.
Default Elevation behavior is used only when no rule match can be found. This also
requires use of the Run with elevated access right-click menu, which is interpreted as a
user explicitly asking for an application to be elevated.
When moving users to run as standard users and utilizing Endpoint Privilege
Management, you might choose to change the default UAC behavior for standard users.
This change can reduce confusion when an application requires elevation and create a
better end user experience. Examine behavior of the elevation prompt for standard
users for more information.
Note
Endpoint Privilege Management will not interfere with user account control actions
(or UAC) being run by an Administrator on the device. It is possible to create rules
that apply to Administrators on the device, so special considerations should be
given to rules that are applied to all users on a device and the impact on users with
Administrator rights.
Next steps
Learn about Endpoint Privilege Management
Configure policies for Endpoint Privilege Management
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Configure policies for Endpoint Privilege
Management
Article • 07/24/2023
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.
Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.
The information in this article can help you to configure the following policies and
reusable settings for EPM:
Applies to:
Windows 10
Windows 11
If a device has EPM disabled, the client components immediately disable. There's a
delay of seven days before the EPM component is completely removed. The delay
helps to reduce the time it takes to restore EPM should a device accidentally have
EPM disabled or its elevation settings policy unassigned.
Default elevation response - Set a default response for an elevation request of any
file that’s not managed by a Windows elevation rule policy. For this setting to have
an effect, no rule can exist for the application AND an end user must have explicitly
requested elevation through the Run with elevated access right-click menu. By
default, this option isn't configured. If no setting is delivered, the EPM components
fall back to their built-in default, which is to deny all requests.
Options include:
Deny all requests - This option blocks the elevate request action for files that
aren't defined in a Windows elevation rules policy.
Require user confirmation - When user confirmation is required, you can
choose from the same validation options as found for Windows elevation rules
policy.
Note
Default responses are only processed for requests coming through the Run
with elevated access right-click menu.
Validation options - Set validation options when the default elevation response is
defined as Require user confirmation.
Options include:
Business justification - This option requires the end user to provide a
justification before completing an elevation that is facilitated by the default
elevation response.
Windows authentication - This option requires the end user to authenticate
before completing an elevation that is facilitated by the default elevation
response.
Note
Send elevation data for reporting - This setting controls whether your device
shares diagnostic and usage data with Microsoft. When enabled to share data, the
type of data is configured by the Reporting scope setting.
Diagnostic data is used by Microsoft to measure the health of the EPM client
components. Usage data is used to show you elevations that happen within your
tenant. For more information about the types of data and how it's stored, see Data
collection and privacy for Endpoint Privilege Management.
Options include:
Yes - This option sends data to Microsoft based on the Reporting Scope setting.
No - This option does not send data to Microsoft.
Reporting Scope - This setting controls the amount of data being sent to
Microsoft when Send elevation data for reporting is set to Yes. By default,
Diagnostic data and all endpoint elevations is selected.
Options include:
Diagnostic data and managed elevations only - This option sends diagnostic
data to Microsoft about the health of the client components AND data about
elevations being facilitated by Endpoint Privilege Management.
Diagnostic data and all endpoint elevations - This option sends diagnostic data
to Microsoft about the health of the client components AND data about all
elevations happening on the endpoint.
Diagnostic data only - This option sends only the diagnostic data to Microsoft
about the health of the client components.
File name: Uses the file name (including extension) to identify the file the rule
applies to. The rule also supports optional conditions like a minimum build version,
product name, or internal name. Optional conditions are used to further validate the
file when elevation is attempted.
File hash: Supports use of a file hash to validate the file. A file hash is required
for automatic rules. For user confirmed rules, you can choose to either use a
certificate or a file hash, in which case the file hash becomes optional.
Elevation type: Configures the file's elevation type. Elevation type identifies what
happens when an elevation request is made for the file. By default, this option is set
to User confirmed, which is our recommendation for elevations.
Note
For more information about creating strong rules, see our guidance for
creating elevation rules with Endpoint Privilege Management.
You can also use the Get-FileAttributes PowerShell cmdlet from the
EpmTools PowerShell module. This cmdlet can retrieve file attributes for a
.exe file and extract its Publisher and CA certificates to a set location that
you can use to populate Elevation Rule Properties for a particular
application.
Manage the behavior of child processes. You can set the elevation behavior that
applies to any child processes that the elevated process creates.
Require rule to elevate - Each child process requires its own rule before it can
run in an elevated context.
Deny all - All child processes launch without elevated context.
Allow child processes to run elevated - Child processes always run elevated.
Note
For more information about creating strong rules, see our guidance for creating
elevation rules with Endpoint Privilege Management.
Caution
We recommend automatic elevation be used sparingly, and only for trusted files
that are business critical. End users will automatically elevate these applications at
every launch of that application.
Certificates you add directly to an elevation rule: Each certificate that's added
directly to a rule is uploaded as a unique instance by Intune, and that certificate
instance is then associated with that rule. Adding the same certificate directly to
two separate rules results in it uploading twice. Later, if you must change the
certificate, you must edit each individual rule that contains it. With each rule
change, Intune uploads the updated certificate a single time for each rule.
Certificates you manage through a reusable settings group: Each time a certificate
is added to a reusable settings group, Intune uploads the certificate a single time
no matter how many elevation rules include that group. That instance of the
certificate is then associated with the file from each rule that uses that group. Later,
any change to the certificate can be made a single time in the reusable settings
group. This change results in Intune uploading the updated certificate a single
time, and then applying that change to each elevation rule that references the
group.
A device must have an elevation settings policy that enables support for EPM before the
device can process an elevation rules policy or manage elevation requests. When
support is enabled, the C:\Program Files\Microsoft EPM Agent folder is added to the
device along with the Microsoft EPM Agent, which is responsible for processing the EPM
policies.
Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.
Diagnostic data and all endpoint elevations (Default): The device reports
diagnostic data and details about all file elevations that are facilitated by
EPM.
This level of information can help you identify additional files that aren't
yet managed by an elevation rule that users seek to run in an elevated
context.
Diagnostic data only: Only diagnostic data for the operation of Endpoint
Privilege Management is collected. Information about file elevations isn’t
reported to Intune.
4. On the Scope tags page, select any desired scope tags to apply, then select Next.
5. For Assignments, select the groups that receive the policy. For more information
on assigning profiles, see Assign user and device profiles.
Select Next.
6. For Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.
Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.
3. On Configuration settings, add a rule for each file that this policy manages. When
you create a new policy, it starts with a single blank rule that has an elevation
type of User confirmed and no rule name. Start by configuring this rule; later
you can select Add to add more rules to this policy. Each new rule you add has an
elevation type of User confirmed, which can be changed when you configure the
rule.
To configure a rule, select Edit instance to open its Rule properties page, and then
configure the following:
Rule name: Like a policy name, enter a descriptive name for the rule. Name
your rules so you can easily identify them later.
Description (Optional): Enter a description for the rule.
Elevation conditions are conditions that define how a file runs, and user validations
that must be met before the file this rule applies to can be run.
Elevation type: By default, this option is set to User confirmed, which is the
elevation type we recommend for most files.
User confirmed: We recommend this option for most rules. When a file is
run, the user receives a simple prompt to confirm their intent to run the
file. The rule can also include additional prompts that are available from
the Validation drop down:
Business justification: Require the user to enter a justification for running
the file. There's no required format for the entry, however the user input
is saved and can be reviewed through logs if the Reporting scope
includes collection of endpoint elevations.
Windows authentication: This option requires the user to authenticate
using their organization credentials.
Automatic: This elevation type automatically runs the file in question with
elevated permissions. Automatic elevation is transparent to the user,
without prompting for confirmation or requiring justification or
authentication by the user.
Caution
Only use automatic elevation for files you trust. These files will
automatically elevate without user interaction. Rules that are not well
defined could allow unapproved applications to elevate. For more
information on creating strong rules, see the guidance for creating
rules.
File information is where you specify the details that identify a file that this rule
applies to.
File name: Specify the file name and its extension. For example:
myapplication.exe
File path (Optional): Specify the location of the file. If the file can be run from
any location or is unknown, you can leave this blank. You can also use a
variable.
Upload a certificate file: Add a certificate file directly to the elevation rule.
For File upload, specify a .cer file that can validate the integrity of the file
that this rule applies to. Then, specify the Certificate type of Publisher or
Certificate authority.
Not configured: Use this option when you don't want to use a certificate
to validate the integrity of the file. When no certificate is used, you must
provide a file hash.
File hash: The file hash is required when Signature source is set to Not
configured, and optional when set to use a certificate.
Product name: (Optional) Specify the name of the product that the file is
from.
Select Save to save the rule configuration. You can then Add additional rules, and
when you've added all the rules this policy will include, select Next to continue.
4. On the Scope tags page, select any desired scope tags to apply, then select Next.
5. For Assignments, select the groups that receive the policy. For more information
on assigning profiles, see Assign user and device profiles. Select Next.
6. In Review + create, review your settings and then select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the policy list.
1. Sign in to the Microsoft Intune admin center and go to Endpoint security >
Endpoint Privilege Management > select the Reusable settings (preview) tab >
and then select Add.
Name: Enter a descriptive name for the reusable group. Name groups so you
can easily identify each later.
Description: Enter a description for the reusable group. This setting is optional
but recommended.
3. In Configuration settings, select the folder icon for Certificate file, and browse to a
.CER file to add it to this reusable group. The Base 64 value field fills in based on
the certificate selected.
4. In Review + create, review your settings and then select Add. When you select
Add, your configuration is saved, and group is then shown in the reusable settings
group list for Endpoint Privilege Management.
Policy conflict handling for Endpoint Privilege
Management
Except for the following situation, conflicting policies for EPM are handled like any other
policy conflict.
When a device receives two separate elevation settings policies with conflicting values,
the EPM client reverts to the default client behavior until the conflict is resolved.
Note
If a device receives two rules targeting the same application, both rules are consumed
on the device. When EPM goes to resolve rules that apply to an elevation, it uses the
following logic:
Note
If a rule does not exist for an elevation and that elevation was requested through
the Run with elevated access right-click context menu, then the Default Elevation
Behavior will be used.
Next steps
Guidance for creating Elevation Rules
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Reports for Endpoint Privilege
Management
Article • 08/21/2023
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.
Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.
The information available in EPM reports depends on the reporting scope of a device.
The reporting scope for each device is configured as part of a Windows elevation
settings policy, and different devices can have different reporting scope configurations.
The EPM reports are available from the Reports tab of the Endpoint Privilege
Management node from within the Microsoft Intune admin center . Go to Endpoint
security > Endpoint Privilege Management, and select the Reports tab. Select from the
following tiles to view a report:
Elevation report
Managed elevations report
Elevation report by applications
Note
Data is processed once every 24 hours. There may be a delay before seeing data in
the elevation usage reports.
Elevation report
The Elevation report displays a list view with details about all reported elevations. This
list includes elevations that are managed by specific rules and elevations that are
captured by default elevation setting policies. Several columns of information are
available by default, including but not limited to:
File name - The name of the file that received an elevation request.
User - The user who requested elevation of the file.
Device - The name of the device on which the file request was made.
Result - Whether the elevation was successful.
Date and time - When the elevation request was made.
By selecting an entry in the report, you can drill in to view more details about the
elevation request and the file involved.
The information in this report can help identify applications that might require elevation
rules to function properly, including rules for child processes.
Next steps
Guidance for creating Elevation Rules
Configure policies for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Deployment considerations and frequently asked questions
Data collection and privacy for Endpoint
Privilege Management
Article • 04/18/2023
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.
Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.
This article provides information about the data that EPM can collect from devices.
Applies to:
Windows 10
Windows 11
Diagnostic data
Usage data
When configuring EPM, you configure the Send elevation data for reporting and
Reporting scope settings in a Windows elevation settings policy to determine which
data is reported to Microsoft.
Diagnostic Data
Diagnostic data is event data that is used by Microsoft to monitor the health of the
client side components that provide the capability to elevate as a standard user.
Usage Data
Usage data is elevation data that is used by customers to determine what elevations
have occurred in their environment. This data is stored with your Intune infrastructure
and is used to populate the elevation reports. When configuring reporting scope, you
have the ability to configure what scope of data is collected. You can choose between
none, only elevations completed by EPM, or all elevations that take place on a device.
Field               Description
File name           Name of the file (String) that completed the elevation
Event Name          Internal name (String) used to identify the type of elevation
                    described in the event
Parent Process Id   Process Id of the parent process that facilitated the elevation
Policy Type         Type of policy that facilitated the elevation (if applicable)
Policy Identifier   Identifier (GUID) unique to the policy that facilitated the
                    elevation
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
Microsoft Intune Endpoint Privilege Management (EPM) allows your organization’s users
to run as a standard user (without administrator rights) and complete tasks that require
elevated privileges.
Tasks that commonly require administrative privileges are application installs (like
Microsoft 365 Applications), updating device drivers, and running certain Windows
diagnostics.
The following sections of this article discuss deployment considerations and frequently
asked questions for EPM.
Applies to:
Windows 10
Windows 11
Important
Always ensure that rules including a file name also include other attributes that
provide a strong assertion of the file's identity. Attributes like file hash or
properties that are included in the file's signature are good indicators that the file
you intend is the one being elevated. A file name alone is not a reliable identity:
any executable can be renamed to match it.
Next steps
Learn about Endpoint Privilege Management
Guidance for creating Elevation Rules
Configure policies for Endpoint Privilege Management
Reports for Endpoint Privilege Management
Data collection and privacy for Endpoint Privilege Management
Microsoft Tunnel for Microsoft Intune
Article • 02/22/2023
Microsoft Tunnel is a VPN gateway solution for Microsoft Intune that runs in a container
on Linux and allows access to on-premises resources from iOS/iPadOS and Android
Enterprise devices using modern authentication and Conditional Access.
This article introduces the tunnel, how it works, and its architecture.
If you're ready to deploy the Microsoft Tunnel, see Prerequisites for the Microsoft
Tunnel, and then Configure the Microsoft Tunnel.
Note
Microsoft Tunnel does not use Federal Information Processing Standard (FIPS)
compliant algorithms.
Tip
Download the Microsoft Tunnel installation script that you’ll run on the Linux
servers.
Configure aspects of Microsoft Tunnel Gateway like IP addresses, DNS servers, and
ports.
Deploy VPN profiles to devices to direct them to use the tunnel.
Deploy the Microsoft Tunnel client apps to your devices.
Through the Defender for Endpoint app, iOS/iPadOS and Android Enterprise devices:
You can install multiple Linux servers to support Microsoft Tunnel, and combine servers
into logical groups called Sites. Each server can join a single Site. When you configure a
Site, you’re defining a connection point for devices to use when they access the tunnel.
Sites require a Server configuration that you’ll define and assign to the Site. The Server
configuration is applied to each server you add to that Site, simplifying the
configuration of more servers.
To direct devices to use the tunnel, you create and deploy a VPN policy for Microsoft
Tunnel. This policy is a device configuration VPN profile that uses Microsoft Tunnel for
its connection type.
) Important
Prior to support for using Microsoft Defender for Endpoint as the tunnel client app
on Android and iOS devices, a standalone tunnel client app was available in
preview and used a connection type of Microsoft Tunnel (standalone client)
(preview).
For Android:
As of June 14, 2021, both the standalone tunnel app and standalone client
connection type are deprecated, and they dropped from support after January 31,
2022.
For iOS/iPadOS:
On April 29, 2022 both the Microsoft Tunnel connection type and Microsoft
Defender for Endpoint as the tunnel client app became generally available.
With this general availability, the use of the Microsoft Tunnel (standalone
client)(preview) connection type and the standalone tunnel client app are
deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.
To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.
A friendly name for the VPN connection that your end users will see.
The site that the VPN client connects to.
Per-app VPN configurations that define which apps the VPN profile is used for, and
if it's always-on or not. When always-on, the VPN will automatically connect and is
used only for the apps you define. If no apps are defined, the always-on
connection provides tunnel access for all network traffic from the device.
For iOS devices that have the Tunnel client app configured to support per-app
VPNs and TunnelOnly mode set to True, users don’t need to open or sign-in to
Microsoft Defender on their device for the Tunnel to be used. Instead, with the
user signed-in to the Company Portal on the device or to any other app that uses
multi-factor authentication that has a valid token for access, the Tunnel per-app
VPN is used automatically. TunnelOnly mode is supported for iOS/iPadOS, and
disables the Defender functionality, leaving only the Tunnel capabilities.
Manual connections to the tunnel when a user launches the VPN and selects
Connect.
On-demand VPN rules that allow use of the VPN when conditions are met for
specific FQDNs or IP addresses. (iOS/iPadOS)
Proxy support (iOS/iPadOS, Android 10+)
IP address range – The IP addresses that are assigned to devices that connect to a
Microsoft Tunnel.
DNS servers – The DNS server devices should use when they connect to the server.
DNS suffix search.
Split tunneling rules – Up to 500 rules shared across include and exclude routes.
For example, if you create 300 include rules, you can then have up to 200 exclude
rules.
Port – The port that Microsoft Tunnel Gateway listens on.
You assign a server to a Site at the time you install the tunnel software on the Linux
server. The installation uses a script that you can download from within the admin
center. After starting the script, you’ll be prompted to configure its operation for your
environment, which includes specifying the Site the server will join.
To use the Microsoft Tunnel, devices will need to install the Microsoft Defender for
Endpoint app. You get the applicable app from the iOS/iPadOS or Android app stores
and deploy it to users.
Architecture
The Microsoft Tunnel Gateway runs in containers that run on Linux servers.
Components:
A – Microsoft Intune.
B – Azure Active Directory (Azure AD).
C – Linux server with Podman or Docker CE (See the Linux server requirements for
details about which versions require Podman or Docker)
C.1 - Microsoft Tunnel Gateway.
C.2 – Management Agent.
C.3 – Authentication plugin – Authorization plugin, which authenticates with
Azure AD.
D – Public facing IP or FQDN of the Microsoft Tunnel, which can represent a load
balancer.
E – Mobile Device Management (MDM) enrolled device or an unenrolled mobile
device using Tunnel for Mobile Application Management.
F – Firewall
G – Internal Proxy Server (optional).
H – Corporate Network.
I – Public internet.
Actions:
Note
Tunnel gateway maintains two channels with the client. A control channel is
established over TCP and TLS. This also serves as a backup data channel. It
then looks to establish a UDP channel using DTLS (Datagram TLS, an
implementation of TLS over UDP) that serves as the main data channel. If the
UDP channel fails to establish or is temporarily unavailable, the backup
channel over TCP/TLS is used. By default port 443 is used for both TCP and
UDP, but this can be customized via the Intune Server Configuration - Server
port setting. If changing the default port (443) ensure your inbound firewall
rules are adjusted to the custom port.
Many enterprise networks enforce network security for internet traffic using
technologies like proxy servers, firewalls, SSL break and inspect, deep packet inspection,
and data loss prevention systems. These technologies provide important risk mitigation
for generic internet requests but can dramatically reduce performance, scalability, and
the quality of end user experience when applied to Microsoft Tunnel Gateway and
Intune service endpoints.
The following outlines where break and inspect isn't supported. References are to the
architecture diagram from the preceding section.
Additional details:
Conditional Access is done in the VPN client and based on the cloud app Microsoft
Tunnel Gateway. Non-compliant devices won’t receive an access token from Azure
AD and can't access the VPN server. For more information about using Conditional
Access with Microsoft Tunnel, see Use Conditional Access with the Microsoft
Tunnel.
The Management Agent is authorized against Azure AD using Azure app ID/secret
keys.
Next steps
Prerequisites for the Microsoft Tunnel in Intune
Prerequisites for the Microsoft Tunnel in
Intune
Article • 07/17/2023
Before you can install the Microsoft Tunnel VPN gateway for Microsoft Intune, you must
configure prerequisites. Prerequisites include use of a Linux server that runs containers
to host the Tunnel server software. You'll also need to configure your network, firewalls,
and proxies to support communications for the Microsoft Tunnel.
At a high level, you'll need the following to use the Microsoft Tunnel:
An Azure subscription.
A Microsoft Intune Plan 1 subscription
A Linux server that runs containers. This server can be on-premises or in the cloud:
Podman for Red Hat Enterprise Linux (RHEL) (See the Linux server requirements.)
Docker for all other Linux distributions
A Transport Layer Security (TLS) certificate for the Linux server to secure
connections from devices to the Tunnel Gateway server.
Devices that run Android or iOS/iPadOS.
Prerequisites you'll configure include preparing your network, firewalls, and proxy to
support the use of the Microsoft Tunnel.
After configuring prerequisites, we recommend you then run the readiness tool to help
validate that your environment is well configured for a successful installation.
The following sections detail the prerequisites for the Microsoft Tunnel, and provide
guidance on using the readiness tool.
Linux server
Set up a Linux based virtual machine or a physical server on which Microsoft Tunnel
Gateway will install.
Note
Only the operating systems and container versions that are listed in the following
table are supported. Versions not listed are not supported. Only after testing and
supportability are verified are newer versions added to this list.
Supported Linux distributions - The following table details which versions of Linux
are supported for the Tunnel server, and the container they require:

Linux distribution         Container                          Notes
Red Hat (RHEL) 8.5         Podman 3.0                         See the RHEL note below
Red Hat (RHEL) 8.6         Podman 4.0 (default), Podman 3.0   See the RHEL note below
Red Hat (RHEL) 8.7         Podman 4.2 (default)               See the RHEL note below
Red Hat (RHEL) 8.8         Podman 4.4.1                       See the RHEL note below
Red Hat (RHEL) 9.0         Podman 4.4.1 (default)             See the RHEL note below
Red Hat (RHEL) 9.1         Podman 4.4.1 (default)             See the RHEL note below
Red Hat (RHEL) 9.2         Podman 4.4.1 (default)             See the RHEL note below
Ubuntu 18.04               Docker CE                          Support ends April 2023.
                                                              See the following note.

RHEL note: None of these RHEL versions automatically loads the ip_tables module into
the Linux kernel. When you use one of them, plan to load ip_tables manually (for
example, modprobe ip_tables, made persistent with an entry under
/etc/modules-load.d/) before Tunnel is installed.
Important
In April of 2023, Ubuntu will end support for Ubuntu 18.04. With the end of
support by Ubuntu, Intune will also end support for Ubuntu 18.04 for use with
Microsoft Tunnel. For more information, see https://wiki.ubuntu.com/Releases.
Size the Linux server: Use the following guidance to meet your expected use:
# Devices # CPUs Memory GB # Servers # Sites Disk Space GB
1,000 4 4 1 1 30
2,000 4 4 1 1 30
5,000 8 8 2 1 30
10,000 8 8 3 1 30
20,000 8 8 4 1 30
40,000 8 8 8 1 30
Install Docker CE or Podman: Depending on the version of Linux you use for your
Tunnel server, you'll need to install one of the following on the Linux server:
Docker version 19.03 CE or later
Podman version 3.0 or later, matching the version listed for your RHEL release in
the preceding table
Note
The preceding link directs you to the CentOS download and installation
instructions. Use those same instructions for RHEL 7.4. The version installed
on RHEL 7.4 by default is too old to support Microsoft Tunnel Gateway.
Transport Layer Security (TLS) certificate: The Linux server requires a trusted TLS
certificate to secure the connection between devices and the Tunnel Gateway
server. You'll add the TLS certificate, including the full trusted certificate chain, to
the server during installation of the Tunnel Gateway.
The Subject Alternative Name (SAN) of the TLS certificate you use to secure the
Tunnel Gateway endpoint must match the IP address or FQDN of the Tunnel
Gateway server.
The TLS certificate can't have a validity period longer than two years. If the
validity period is longer than two years, the certificate isn't accepted on iOS
devices.
During installation of the Tunnel Gateway server, you must copy the entire
trusted certificate chain to your Linux server. The installation script provides the
location where you copy the certificate files and prompts you to do so.
If you use a TLS certificate that's not publicly trusted, you must push the entire
trust chain to devices using an Intune Trusted certificate profile.
TLS version: By default, connections between Microsoft Tunnel clients and servers
use TLS 1.3. When TLS 1.3 isn't available, the connection can fall back to use TLS
1.2.
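The certificate requirements above are easy to verify before installation, so here is a pre-flight check added as an example; it is not part of the Intune documentation or the Tunnel installer. The two parsing functions are plain shell. The wrapper that reads a real certificate assumes OpenSSL 1.1.1 or later (for the -ext option) and GNU date (for -d); the optional chain-file argument and all function names are the example's own, and the 730-day limit is the two-year rule the documentation states for iOS.

```shell
# Pre-flight checks for the Tunnel Gateway TLS certificate.
# Example code, not from the Intune docs. The wrapper assumes OpenSSL >= 1.1.1
# and GNU date; the two helpers below are plain POSIX shell.

# Does a SAN line as printed by openssl ("DNS:a.example.com, IP Address:203.0.113.10")
# contain TARGET (an FQDN or IP) exactly? DNS names compare case-insensitively.
# Wildcard entries are deliberately not treated as a match for a specific host,
# because the Site address must be covered by name.
san_matches() {
    san_line="$1"
    target=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$san_line" \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://' \
        | tr 'A-Z' 'a-z' \
        | grep -qxF "$target"
}

# Is the validity period (epoch seconds) no longer than MAX_DAYS?
# Default 730 days: the two-year limit the docs say iOS enforces.
validity_ok() {
    not_before="$1"; not_after="$2"; max_days="${3:-730}"
    [ "$not_after" -gt "$not_before" ] || return 1
    days=$(( (not_after - not_before) / 86400 ))
    [ "$days" -le "$max_days" ]
}

# check_tunnel_cert CERT.pem TARGET [CHAIN.pem]
# TARGET is the IP or FQDN configured for the Site. CHAIN.pem (assumed argument)
# is the trusted chain you will copy to the server during installation and push
# to devices with a Trusted certificate profile if it isn't publicly trusted.
check_tunnel_cert() {
    cert="$1"; target="$2"; chain="${3:-}"; rc=0
    # line 2 of the -ext output carries the entries; empty when the cert has no SAN
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | sed -n '2p')
    if san_matches "$san" "$target"; then
        echo "ok:   SAN covers $target"
    else
        echo "FAIL: SAN ($san) does not cover $target"; rc=1
    fi
    nb=$(date -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s)
    na=$(date -d "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" +%s)
    if validity_ok "$nb" "$na"; then
        echo "ok:   validity $(( (na - nb) / 86400 )) days"
    else
        echo "FAIL: validity exceeds two years; iOS devices will reject it"; rc=1
    fi
    if [ -n "$chain" ]; then
        if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
            echo "ok:   chain in $chain verifies the certificate"
        else
            echo "FAIL: $cert does not verify against $chain"; rc=1
        fi
    fi
    return "$rc"
}
```

Run it as check_tunnel_cert tunnel.pem tunnel.example.com chain.pem against the server certificate and the same chain file you intend to copy to the Linux server; a non-zero exit means at least one of the documented requirements is not met.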
By default, the container runtimes use the following bridge networks, which can
conflict with address ranges already in use on your corporate network:
Docker: 172.17.0.0/16
Podman: 10.88.0.0/16
To avoid conflicts, you can reconfigure both Podman and Docker to use a bridge
network that you specify.
Important
The Tunnel Gateway server must be installed before you can change the bridge
network configuration.
Important
The IP address that's used in the following steps is an example. Be sure the IP
address you use doesn't conflict with your corporate network.
1. Use the following command to stop the MS Tunnel Gateway container: sudo mst-
cli server stop ; sudo mst-cli agent stop
2. Next, run the following command to remove the existing Docker bridge device:
sudo ip link del docker0
3. If the file /etc/docker/daemon.json is present on your server, use a file editor like
vi or nano to modify the file. Run the file editor with root or sudo permissions:
The following example shows the structure of a daemon.json file with an updated
"bip": entry that uses a modified IP address of "192.168.128.1/24".
Example of daemon.json:
{
"bip": "192.168.128.1/24"
}
4. If the file /etc/docker/daemon.json isn't present on your server, run a command
similar to the following example to create the file and define the bridge IP that you
want to use.
5. Use the following command to start the MS Tunnel Gateway container: sudo mst-
cli agent start ; sudo mst-cli server start
For more information, see Use bridge networks in the Docker documentation.
1. Use the following command to stop the MS Tunnel Gateway container: sudo mst-
cli server stop ; sudo mst-cli agent stop
2. Next, run the following command to remove the existing Podman bridge device:
sudo ip link del cni-podman0
3. Using root permissions and a file editor like vi or nano, modify
/etc/cni/net.d/87-podman-bridge.conflist to update the defaults for "subnet:" and
"gateway:" by replacing the Podman default values with your desired subnet and
gateway addresses. The subnet address must be specified in CIDR notation.
subnet: 10.88.0.0/16
gateway: 10.88.0.1
4. Use the following command to restart the MS Tunnel Gateway containers: sudo
mst-cli agent start ; sudo mst-cli server start
For more information, see Configuring container networking with Podman in the Red
Hat documentation.
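The Docker and Podman procedures above are the same operation against two different files, so here is one shell wrapper, added as an example (not from the Intune documentation or the Tunnel installer), that performs the edit for either runtime. It assumes GNU coreutils and sed on the Tunnel server, that it runs as root (it writes under /etc), and that the Tunnel Gateway is already installed so mst-cli is on the PATH. The function names are the example's own; the documented paths and mst-cli commands are taken from the steps above. The CIDR check validates the format only, so confirm the range doesn't overlap your corporate network before running it.

```shell
# Reconfigure the container bridge network used by Microsoft Tunnel Gateway.
# Example script (not from the Intune docs or the Tunnel installer); run as root.
# Assumes GNU sed/coreutils and an installed Tunnel Gateway (mst-cli on PATH).

# Accept only a well-formed IPv4 CIDR such as 192.168.128.1/24.
# Format only: overlap with your corporate ranges must be checked separately.
validate_cidr() {
    cidr="$1"
    printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    addr="${cidr%/*}"
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Docker: set "bip" in daemon.json. Creates the file when absent, rewrites an
# existing "bip", and refuses (exit 2) to guess at a file that has other keys
# but no "bip", so unrelated daemon settings are never clobbered.
write_docker_bip() {
    path="$1"; bip="$2"
    validate_cidr "$bip" || { echo "invalid bip: $bip" >&2; return 1; }
    if [ ! -e "$path" ]; then
        printf '{\n    "bip": "%s"\n}\n' "$bip" > "$path"
        return 0
    fi
    if grep -q '"bip"' "$path"; then
        sed 's#"bip"[[:space:]]*:[[:space:]]*"[^"]*"#"bip": "'"$bip"'"#' "$path" > "$path.tmp" \
            && mv "$path.tmp" "$path"
        return 0
    fi
    echo "$path exists without a \"bip\" key; add it by hand to keep the other settings" >&2
    return 2
}

# Podman (CNI): rewrite "subnet" and "gateway" in 87-podman-bridge.conflist.
write_podman_subnet() {
    path="$1"; subnet="$2"; gateway="$3"
    validate_cidr "$subnet" || { echo "invalid subnet: $subnet" >&2; return 1; }
    [ -f "$path" ] || { echo "missing $path" >&2; return 1; }
    grep -q '"subnet"' "$path" || { echo "no \"subnet\" key in $path" >&2; return 2; }
    sed -e 's#"subnet"[[:space:]]*:[[:space:]]*"[^"]*"#"subnet": "'"$subnet"'"#' \
        -e 's#"gateway"[[:space:]]*:[[:space:]]*"[^"]*"#"gateway": "'"$gateway"'"#' \
        "$path" > "$path.tmp" && mv "$path.tmp" "$path"
}

# The documented procedure: stop Tunnel, drop the old bridge device, edit the
# runtime config, start Tunnel again. Usage:
#   reconfigure_bridge docker 192.168.128.1/24
#   reconfigure_bridge podman 192.168.128.0/24 192.168.128.1
reconfigure_bridge() {
    runtime="$1"; shift
    command -v mst-cli >/dev/null 2>&1 || { echo "mst-cli not found: install Tunnel Gateway first" >&2; return 1; }
    mst-cli server stop; mst-cli agent stop
    case "$runtime" in
        docker)
            ip link del docker0 2>/dev/null || true      # an absent bridge is fine
            write_docker_bip /etc/docker/daemon.json "$1" || return $?
            ;;
        podman)
            ip link del cni-podman0 2>/dev/null || true  # an absent bridge is fine
            write_podman_subnet /etc/cni/net.d/87-podman-bridge.conflist "$1" "$2" || return $?
            ;;
        *)
            echo "usage: reconfigure_bridge docker BIP | podman SUBNET GATEWAY" >&2; return 1
            ;;
    esac
    mst-cli agent start; mst-cli server start
}
```

The refusal in write_docker_bip is deliberate: a daemon.json that already carries other settings (log driver, registry mirrors) should be edited by hand rather than by a regex, and the wrapper exits non-zero with Tunnel stopped so the operator notices instead of ending up with a half-applied change.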
Network
Enable packet forwarding for IPv4: Each Linux server that hosts the Tunnel server
software must have IP forwarding for IPv4 enabled. To check on the status of IP
forwarding, on the server run one of the following generic commands as root or
sudo. Both commands return a value of 0 for disabled and a value of 1 for enabled:
sysctl net.ipv4.ip_forward
cat /proc/sys/net/ipv4/ip_forward
If not enabled, you can temporarily enable IP forwarding by running one of the
following generic commands as root or sudo on the server. These commands change
the IP forwarding configuration only until the server restarts; after a restart, the
server returns to its previous IP forwarding behavior. For both commands, a value of
1 enables forwarding and a value of 0 disables it. The following command examples
use a value of 1 to enable forwarding:
sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward
For a change made in sysctl.conf to take effect, you must either reboot the server or
run sysctl -p.
If the expected entry isn't present in the sysctl.conf file, consult the documentation
for the distribution you use for how to enable IP forwarding. Typically, you can edit
sysctl.conf and add the missing line at the end of the file to permanently enable IP
forwarding.
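The text above separates the runtime state of IP forwarding (lost at reboot) from the persistent sysctl.conf entry, and a common mistake is to count a commented-out line as "present". The following script is an added example, not from the Microsoft Tunnel documentation: it reports both states and appends the persistent line only when the file doesn't already enable forwarding. The kernel file and sysctl.conf paths are parameters, and the demo runs against constructed sample files rather than the real ones.

```shell
#!/bin/sh
# Added example, not from the Microsoft Tunnel documentation: report the runtime
# and the persistent state of IPv4 forwarding separately, and make the persistent
# setting idempotent. The kernel file and the sysctl.conf path are parameters so
# the functions can be exercised against constructed sample files.

# Runtime state: prints 1 (enabled) or 0 (disabled), the same value that
# "cat /proc/sys/net/ipv4/ip_forward" returns.
ip_forward_runtime() {
  cat "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Persistent state: scan a sysctl.conf-style file and print the value of the
# last effective net.ipv4.ip_forward assignment, or "unset" if there is none.
# Comments are stripped first, so "# net.ipv4.ip_forward = 1" does not count.
ip_forward_persistent() {
  value=unset
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case $line in *=*) ;; *) continue ;; esac
    key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
    [ "$key" = net.ipv4.ip_forward ] || continue
    value=$(printf '%s' "${line#*=}" | tr -d ' \t')
  done < "$1"
  echo "$value"
}

# Persist forwarding in FILE only if it isn't already effectively 1. The new
# line is appended, so it wins over any earlier "= 0" when sysctl -p loads it.
persist_ip_forward() {
  if [ "$(ip_forward_persistent "$1")" = 1 ]; then
    echo "already persisted in $1"
    return 0
  fi
  printf '\n# Required by Microsoft Tunnel Gateway\nnet.ipv4.ip_forward = 1\n' >> "$1"
  echo "appended net.ipv4.ip_forward = 1 to $1"
}

# Demo against constructed files (on a real server call ip_forward_runtime with
# no argument and pass /etc/sysctl.conf to the other two functions).
demo_dir=$(mktemp -d)
printf '0\n' > "$demo_dir/ip_forward"
printf '# net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\n' > "$demo_dir/sysctl.conf"
echo "runtime:           $(ip_forward_runtime "$demo_dir/ip_forward")"
echo "persistent before: $(ip_forward_persistent "$demo_dir/sysctl.conf")"
persist_ip_forward "$demo_dir/sysctl.conf"
echo "persistent after:  $(ip_forward_persistent "$demo_dir/sysctl.conf")"
rm -rf "$demo_dir"
```

Run it as root with the real paths to get both answers in one place; a server that shows "runtime: 1" but "persistent: unset" will silently stop forwarding after its next reboot.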
Configure multiple NICs per server (Optional): We recommend using two network
interface controllers (NICs) per Linux server to improve performance, though use of
two is optional.
NIC 1 - This NIC handles traffic from your managed devices and should be on a
public network with a public IP address. This IP address is the address that you
configure in the Site configuration. This address can represent a single server or
a load balancer.
NIC 2 - This NIC handles traffic to your on-premises resources and should be on
your private internal network without network segmentation.
Ensure cloud-based Linux VMs can access your on-premises network: If you run
Linux as a VM in a cloud, ensure the server can access your on-premises network.
For example, for a VM in Azure, you can use Azure ExpressRoute or something
similar to provide access. Azure ExpressRoute isn't necessary when you run the
server in a VM on-premises.
Load balancers (Optional): If you choose to add a load balancer, consult your
vendor's documentation for configuration details. Take into consideration network
traffic and firewall ports specific to Intune and the Microsoft Tunnel.
The Tunnel server responds to GET requests with a static page. Load balancers use
this response as a liveness probe for the Tunnel server. The response is static and
doesn't contain sensitive information.
Per-app VPN and top-level domain support - Per-app VPN together with internal use
of local top-level domains isn't supported by Microsoft Tunnel.
Firewall
By default, the Microsoft Tunnel and server use the following ports:
Inbound ports:
Outbound ports:
When creating the Server configuration for the tunnel, you can specify a different port
than the default of 443. If you specify a different port, configure firewalls to support
your configuration.
More requirements:
To access the security token service and Azure storage for logs, provide access to
the following FQDNs:
Security Token Service: *.sts.windows.net
Azure storage for tunnel logs: *.blob.core.windows.net
Additional storage endpoint URLs:
*.blob.storage.azure.net
The Tunnel shares the same requirements as Network endpoints for Microsoft
Intune, with the addition of port TCP 22, and graph.microsoft.com.
Proxy
You can use a proxy server with Microsoft Tunnel.
Note
Proxy server configurations aren't supported with versions of Android prior to
version 10. For more information, see VpnService.Builder in the Android
developer documentation.
Note
Make sure your Android LOB applications support direct proxy or Proxy Auto-
Configuration (PAC) for both MDM and MAM.
Note
Known Issue: Users who try to sign in to Edge using their personal or
corporate accounts may face issues when a Proxy Auto-Configuration (PAC) is
configured. In this scenario, the sign-in process may fail, preventing the user from
accessing internal resources.
To make sign-in to Edge with corporate accounts work, you can instead configure
Microsoft Tunnel to use a direct proxy, without split tunneling, rather than a PAC URL.
If no user sign-in is required in Edge, PAC is supported for normal browsing and
for accessing internal resources.
The following considerations can help you configure the Linux server and your
environment for success:
http_proxy=[address]
https_proxy=[address]
The proxy can't perform break and inspect because the Linux server uses TLS
mutual authentication when connecting to Intune.
Configure Docker to use the proxy to pull images. To do so, edit the
/etc/systemd/system/docker.service.d/http-proxy.conf file on the Linux server
and add the following lines:
[Service]
Environment="HTTP_PROXY=http://your.proxy:8080/"
Environment="HTTPS_PROXY=https://your.proxy:8080/"
Environment="NO_PROXY=127.0.0.1,localhost"
Note
export HTTP_PROXY=http://10.10.10.1:3128
export HTTPS_PROXY=http://10.10.10.1:3128
If you have access to the Red Hat Customer Portal, you can view the knowledge base
article associated with this solution. See Setting up HTTP Proxy variables for
Podman - Red Hat Customer Portal.
When you add those two lines to http_proxy.sh before you install Microsoft Tunnel
Gateway by running mstunnel-setup, the script automatically configures the
Tunnel Gateway proxy environment variables in /etc/mstunnel/env.sh.
To configure a proxy after the Microsoft Tunnel Gateway setup has completed, do
the following actions:
1. Modify or create the file /etc/profile.d/http_proxy.sh and add the two lines
from the previous bullet point.
2. Edit /etc/mstunnel/env.sh and add the following two lines to the end of the file.
As with the previous lines, replace the example address:port value of
10.10.10.1:3128 with your proxy's IP address:port:
HTTP_PROXY=http://10.10.10.1:3128
HTTPS_PROXY=http://10.10.10.1:3128
Be aware that RHEL uses SELinux. Because a proxy that doesn't run on an SELinux
port for http_port_t can require extra configuration, check the SELinux managed
ports for http. Run the following command to view the configuration:
sudo semanage port -l | grep "http_port_t"
Example of the results of the port check command. In this example, the proxy uses
3128 and isn't listed:
If your proxy runs on one of the SELinux ports for http_port_t, you can
continue with the Tunnel Gateway install process.
If your proxy doesn't run on an SELinux port for http_port_t, as in the preceding
example, you need to make extra configurations.
If your proxy port isn't listed for http_port_t, check whether the proxy port is used by
another service. Use the semanage command first to check the port that your
proxy uses and then, if needed, to change it. To check the port your proxy
uses, run: sudo semanage port -l | grep "your proxy port"
Example of the results of checking for a service that might use the port:
In the example, the port we expect (3128) is used by squid, which is an
open-source (OSS) proxy service. Squid proxy SELinux policies are part of many
common distributions. Because squid uses port 3128 (our example port), we
must modify the http_port_t ports and add port 3128 so that SELinux allows it
for the proxy used by Tunnel. To modify the port use, run the
following command: sudo semanage port -m -t http_port_t -p tcp "your proxy port"
After running the command to change the port, run the following command
to check if the port is used by another service: sudo semanage port -l | grep "your proxy port"
Example of the command to check the port after modifying the port:
In this example, port 3128 is now associated with both http_port_t and
squid_port_t. That result is expected. If your proxy port isn't listed when
running the sudo semanage port -l | grep "your_proxy_port" command, then
run the command to modify the port again, but replace the -m in the semanage
command with -a: sudo semanage port -a -t http_port_t -p tcp "your proxy port"
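The decision the preceding paragraphs walk through (port already allowed for http_port_t, port owned by another type such as squid_port_t, or port not listed at all) determines whether you run semanage with -m or -a. The following script is an added example, not from the Microsoft Tunnel documentation: it parses a "semanage port -l" listing supplied on stdin and prints the step that applies. The listing embedded below is constructed in the format semanage prints; nothing here calls semanage or changes SELinux policy.

```shell
#!/bin/sh
# Added example, not from the Microsoft Tunnel documentation: turn the
# "semanage port -l" reading described above into a decision. Given a port and
# the listing on stdin, it reports whether http_port_t already covers the port
# (nothing to do), whether another type such as squid_port_t owns it (use -m),
# or whether it is unlisted (use -a). The listing below is constructed in the
# format semanage prints; nothing here calls semanage or changes policy.

# port_in_list PORT "80, 81, 8080-8090" : exit 0 if PORT is listed, ranges included.
# Subshell body so the IFS change does not leak to the caller.
port_in_list() (
  p=$1
  IFS=', '; set -- $2
  for entry in "$@"; do
    case $entry in
      *-*) lo=${entry%-*}; hi=${entry#*-}
           [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && return 0 ;;
      *)   [ "$p" -eq "$entry" ] && return 0 ;;
    esac
  done
  return 1
)

# port_types PORT PROTO < listing : print every SELinux type that claims PORT/PROTO
port_types() {
  while read -r setype proto ports; do
    [ "$proto" = "$2" ] || continue
    port_in_list "$1" "$ports" && echo "$setype"
  done
  return 0
}

# selinux_proxy_action PORT < listing : prints ok, modify or add
selinux_proxy_action() {
  types=$(port_types "$1" tcp)
  if printf '%s\n' "$types" | grep -qx http_port_t; then
    echo ok
  elif [ -n "$types" ]; then
    echo modify
  else
    echo add
  fi
}

# selinux_proxy_command PORT < listing : the semanage step the text prescribes
selinux_proxy_command() {
  case $(selinux_proxy_action "$1") in
    ok)     echo "# tcp/$1 is already allowed for http_port_t; no change needed" ;;
    modify) echo "sudo semanage port -m -t http_port_t -p tcp $1" ;;
    add)    echo "sudo semanage port -a -t http_port_t -p tcp $1" ;;
  esac
}

# Constructed listing in the shape of "sudo semanage port -l" output.
sample_listing='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3401, 4827
'

# 3128 -> modify (owned by squid_port_t), 8443 -> ok, 8888 -> add
for port in 3128 8443 8888; do
  printf '%s' "$sample_listing" | selinux_proxy_command "$port"
done
```

On a real server pipe the live listing in, for example `sudo semanage port -l | selinux_proxy_command 3128`, and compare the printed command with the one you are about to run.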
1. On the tunnel server, use a command prompt to run the following command to
open an editor for the override file for the Microsoft Tunnel service:
2. Add the following four lines to the file. Replace each instance of [address] with your
proxy DN or address, and then save the file:
[Service]
Environment="http_proxy=[address]"
Environment="https_proxy=[address]"
PassEnvironment=http_proxy, https_proxy
4. Finally, run the following at the command prompt to confirm the configuration is
successful:
Environment="http_proxy=address:port"
Environment="https_proxy=address:port"
PassEnvironment=http_proxy https_proxy
1. On the tunnel server, edit /etc/mstunnel/env.sh and specify the new proxy server.
This command rebuilds the containers with the new proxy server details. During
this process, you're asked to verify the contents of /etc/mstunnel/env.sh and to
make sure that the certificate is installed. The certificate should already be present
from the previous proxy server configuration.
Platforms
Devices must be enrolled to Intune to be supported with Microsoft Tunnel. Only the
following device platforms are supported:
iOS/iPadOS
Android Enterprise:
Fully Managed
Corporate-Owned Work Profile
Personally-Owned Work profile
Note
Azure Active Directory (Azure AD) authentication to the Tunnel using username
and password.
Active Directory Federation Services (AD FS) authentication to the Tunnel using
username and password.
Per-app support.
Manual full-device tunnel through a Tunnel app, where the user launches VPN and
selects Connect.
Split tunneling. However, on iOS split tunneling rules are ignored when your VPN
profile uses per app VPN.
Support for a Proxy is limited to the following platforms:
Permissions
To manage the Microsoft Tunnel, users must have permissions that are included in the
Microsoft Tunnel Gateway permissions group in Intune. By default, Intune
Administrators and Azure AD administrators have these permissions. You can also add
them to custom roles you create for your Intune tenant.
While configuring a role, on the Permissions page, expand Microsoft Tunnel Gateway
and then select the permissions you want to grant.
The Microsoft Tunnel Gateway permissions group grants the following permissions:
Delete - Delete Microsoft Tunnel Gateway server configurations and sites. Server
configurations include settings for IP address ranges, DNS servers, ports, and split
tunneling rules. Sites are logical groupings of multiple servers that support
Microsoft Tunnel.
Read - View Microsoft Tunnel Gateway server configurations and sites. Server
configurations include settings for IP address ranges, DNS servers, ports, and split
tunneling rules. Sites are logical groupings of multiple servers that support
Microsoft Tunnel.
Validates that the Azure Active Directory (Azure AD) account you use to install
Microsoft Tunnel has the required roles to complete enrollment.
Confirms that your network configuration allows Microsoft Tunnel to access the
required Microsoft endpoints.
Checks for the presence of the ip_tables module on the Linux server. This check
was added to the script on February 11 2022, when support for RHEL 8.5 was
added. RHEL 8.5 and later don't load the ip_tables module by default. If the module
is missing after the Linux server installs, you must manually load it.
Important
1. Get the most recent version of the readiness tool by using one of the following
methods:
For example, to use wget and log details to mst-readiness during the
download, run wget --output-document=mst-readiness
https://aka.ms/microsofttunnelready
You can run the script from any Linux server that is on the same network as the
server you plan to install, allowing network admins to run it and troubleshoot
network issues independently.
2. To validate your network and Linux configuration, run the script with the following
commands to set the execute permissions on the script, to validate the Tunnel can
connect to the correct endpoints, and then to check for the presence of utilities
that Tunnel uses:
sudo ./mst-readiness utils - This command validates that utilities that are
3. To validate that the account you'll use to install Microsoft Tunnel has the required
roles and permissions to complete enrollment, run the script with the following
command line: ./mst-readiness account
The script prompts you to use a different machine with a web browser, which you
use to authenticate to Azure AD and to Intune. The tool will report success or an
error.
For more information about this tool, see Reference for mst-cli in the Microsoft Tunnel
reference article.
To check for the presence of this module, run the most recent version of mst-readiness
tool on the Linux server. The check for ip_tables was added to the readiness tools script
on February 11 2022.
If the module isn't present, the tool stops on the ip_tables module check. In this
scenario, you can run the following commands to manually load the module.
2. If ip_tables isn't present, run the following to load the module into the kernel
immediately, without a restart: /sbin/modprobe ip_tables
3. Rerun the validation to confirm the tables are now loaded: lsmod |grep ip_tables
Important
When updating the Tunnel server, a manually loaded ip_tables module might not
persist. This can require you to reload the module after the update completes. After
your server update is completed, review the server for the presence of the ip_tables
module.
If the tables aren't present, use the preceding steps to reload the module, with the
additional step to restart the server after the module is loaded.
In the context of sudo, run the following command on your Linux server to create a
config file that loads ip_tables into the kernel at boot time:
echo ip_tables > /etc/modules-load.d/mstunnel_iptables.conf
To validate the presence of the tun module on the server, run: lsmod |grep tun
1. If tun isn't present, run the following to load the module into the kernel
immediately, without a restart: /sbin/modprobe tun
2. Rerun the validation to confirm the tun module is now loaded: lsmod |grep tun
Important
When updating the Tunnel server, a manually loaded tun module might not persist.
This can require you to reload the module after the update is completed. After your
server update is completed, review the server for the presence of the tun module.
If not present, use the preceding steps to reload the module, with the additional
step to restart the server after the module is loaded.
In the context of sudo, run the following command on your Linux server to create a
config file that loads tun into the kernel at boot time:
echo tun > /etc/modules-load.d/mstunnel_tun.conf
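The ip_tables and tun procedures above are the same three steps: check lsmod, modprobe if missing, and persist the module in /etc/modules-load.d. The following script is an added example, not from the Microsoft Tunnel documentation, that implements the check and the persistence step for both modules. It matches the module name exactly, because a plain `lsmod |grep tun` also matches unrelated modules such as tunnel4 or ip6_tunnel and can report tun as present when it isn't. The lsmod text is read from stdin and the modules-load.d directory is a parameter, so the functions run against the constructed data below; modprobe is never called, only printed.

```shell
#!/bin/sh
# Added example, not from the Microsoft Tunnel documentation: check for the
# ip_tables and tun modules the way the steps above do, but match the module
# name exactly. A plain "lsmod | grep tun" also matches unrelated modules such
# as tunnel4 or ip6_tunnel, so it can report tun as present when it isn't.
# The lsmod text comes from stdin and the modules-load.d directory is a
# parameter, so the functions run against constructed data; modprobe is never
# called here, the command is only printed.

# module_loaded NAME < lsmod-output : exit 0 if NAME is the first field of a row
module_loaded() {
  awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# module_persisted NAME DIR : exit 0 if any DIR/*.conf lists NAME on its own line
module_persisted() {
  grep -qsx "$1" "$2"/*.conf 2>/dev/null
}

# persist_module NAME DIR FILE : write DIR/FILE with NAME unless already persisted;
# mirrors "echo ip_tables > /etc/modules-load.d/mstunnel_iptables.conf" above
persist_module() {
  if module_persisted "$1" "$2"; then
    echo "already persisted in $2"
    return 0
  fi
  printf '%s\n' "$1" > "$2/$3"
  echo "created $2/$3"
}

# module_status NAME DIR < lsmod-output : "<loaded|missing> <persisted|not-persisted>"
module_status() {
  if module_loaded "$1"; then state=loaded; else state=missing; fi
  if module_persisted "$1" "$2"; then persist=persisted; else persist=not-persisted; fi
  echo "$state $persist"
}

# Constructed lsmod output: ip_tables is loaded, tun is not (tunnel4 is a decoy
# that a plain grep for "tun" would match).
lsmod_sample='Module                  Size  Used by
iptable_nat            16384  1
ip_tables              32768  1 iptable_nat
tunnel4                16384  0
x_tables               53248  2 iptable_nat,ip_tables
'

demo_dir=$(mktemp -d)
for m in ip_tables tun; do
  status=$(printf '%s' "$lsmod_sample" | module_status "$m" "$demo_dir")
  echo "$m: $status"
  case $status in
    missing*) echo "  run: sudo /sbin/modprobe $m" ;;
  esac
done
persist_module ip_tables "$demo_dir" mstunnel_iptables.conf
persist_module tun "$demo_dir" mstunnel_tun.conf
persist_module tun "$demo_dir" mstunnel_tun.conf   # second call is a no-op
rm -rf "$demo_dir"
```

After a Tunnel server update, the same two calls (`lsmod | module_status tun /etc/modules-load.d`, and likewise for ip_tables) tell you whether the manually loaded module survived and whether it is persisted for the next boot.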
Next steps
Configure Microsoft Tunnel
Configure Microsoft Tunnel for Intune
Article • 05/22/2023
To Install Microsoft Tunnel Gateway, you’ll need at least one Linux server with Docker
installed, which runs either on-premises or in the cloud. Depending on your
environment and infrastructure, additional configurations and software like Azure
ExpressRoute might be needed.
After your prerequisites are ready, return to this article to begin installation and
configuration of the tunnel.
2. On the Basics tab, enter a Name and Description (optional) and select Next.
IP address range: IP addresses within this range are leased to devices when
they connect to Tunnel Gateway. The Tunnel Client IP address range specified
must not conflict with an on-premises network range.
Consider using the Automatic Private IP Addressing (APIPA) range of
169.254.0.0/16, as this range avoids conflicts with other corporate
networks.
If the client IP address range conflicts with the destination, traffic loops back
and fails to reach the corporate network.
You can select any client IP address range you want to use if it doesn't
conflict with your corporate network IP address ranges.
Server port: Enter the port that the server listens to for connections.
DNS servers: These servers are used when a DNS request comes from a
device that's connected to Tunnel Gateway.
DNS suffix search (optional): This domain is provided to clients as the default
domain when they connect to Tunnel Gateway.
4. Also on the Settings tab, configure Split tunneling rules, which are optional.
You can include or exclude addresses. Included addresses are routed to Tunnel
Gateway. Excluded addresses aren’t routed to Tunnel Gateway. For example, you
might configure an include rule for 255.255.0.0 or 192.168.0.0/16.
IP ranges to include
IP ranges to exclude
Note
Don't use an IP range that specifies 0.0.0.0 in any of the include or exclude
addresses; Tunnel Gateway can't route traffic when this range is used.
5. On the Review + create tab, review the configuration, and then select Create to
save it.
Note
By default, each VPN session stays active for only 3,600 seconds (one hour)
before it disconnects (a new session is established immediately if the client is
set to use Always On VPN). However, you can modify the session timeout value,
along with other server configuration settings, using Graph calls
(microsoftTunnelConfiguration).
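Two of the rules in the Server configuration steps are easy to get wrong by hand: the client IP address range must not overlap any corporate range (or traffic loops back), and no split tunneling rule may specify 0.0.0.0. The same overlap rule applies to the Docker or Podman bridge subnet chosen in the container networking steps earlier. The following script is an added example, not from the Microsoft Tunnel documentation: it does IPv4 CIDR overlap and validity checks in plain POSIX sh, with the corporate ranges below being constructed values.

```shell
#!/bin/sh
# Added example, not from the Microsoft Tunnel documentation: check the address
# ranges that go into a Server configuration before you save it. It covers the
# two rules stated above (the client IP range must not overlap any corporate
# range, and no split tunneling rule may specify 0.0.0.0) and applies equally
# to the container bridge subnet chosen in the Docker/Podman steps earlier.
# Plain POSIX sh arithmetic; the corporate ranges below are constructed values.

# ip_to_int 10.88.0.1 -> 173539329 (subshell body keeps the IFS change local)
ip_to_int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# valid_cidr ADDR[/LEN] : exit 0 for a well-formed IPv4 address or prefix
valid_cidr() (
  ip=${1%/*}; plen=${1#*/}
  [ "$plen" = "$1" ] && plen=32          # a bare address means /32
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  IFS=.; set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
)

# cidr_bounds ADDR[/LEN] : prints "first last" as integers for the range
cidr_bounds() {
  ip=${1%/*}; plen=${1#*/}
  [ "$plen" = "$1" ] && plen=32
  base=$(ip_to_int "$ip")
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  first=$(( base & mask ))
  echo "$first $(( first | (0xFFFFFFFF ^ mask) ))"
}

# cidr_overlaps A B : exit 0 if the two ranges share at least one address
cidr_overlaps() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_client_range RANGE "corp1 corp2 ..." : exit 0 when RANGE is free of conflicts
check_client_range() {
  rc=0
  for corp in $2; do
    if cidr_overlaps "$1" "$corp"; then
      echo "CONFLICT: $1 overlaps corporate range $corp"
      rc=1
    fi
  done
  return $rc
}

# check_split_rule RULE : reject 0.0.0.0 in any form and malformed entries
check_split_rule() {
  case $1 in
    0.0.0.0|0.0.0.0/*)
      echo "REJECT: $1 (Tunnel Gateway can't route when 0.0.0.0 is used)"; return 1 ;;
  esac
  if ! valid_cidr "$1"; then
    echo "REJECT: $1 (not a valid IPv4 address or CIDR)"; return 1
  fi
  echo "OK: $1"
}

# Demo with constructed corporate ranges: the APIPA range recommended above,
# then the Docker "bip" value from the bridge example, then two split rules.
corp_ranges="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
check_client_range 169.254.0.0/16 "$corp_ranges" && echo "169.254.0.0/16 is safe to lease to clients"
check_client_range 192.168.128.1/24 "$corp_ranges" || echo "choose a different bridge subnet"
check_split_rule 192.168.0.0/16 || :
check_split_rule 0.0.0.0/0 || :
```

Feed check_client_range the real list of on-premises prefixes (the ones NIC 2 can reach) and it reports every overlap rather than only the first, which is what you want when reviewing a candidate range before creating the Server configuration.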
Create a Site
Sites are logical groups of servers that host Microsoft Tunnel. You’ll assign a Server
configuration to each Site you create. That configuration is applied to each server that
joins the Site.
Description (optional)
URL for internal network access check: Specify an HTTP or HTTPS URL for a
location on your internal network. Every five minutes, each server that's
assigned to this site will attempt to access the URL to confirm that it can
access your internal network. Servers report the status of this check as
Internal network accessibility on the servers Health check tab.
For example, to use wget and log details to mstunnel-setup during the
download, run wget --output-document=mstunnel-setup
https://aka.ms/microsofttunneldownload
2. To start the server installation, run the script as root. For example, you might use
the following command line: sudo chmod +x ./mstunnel-setup. The script always
installs the most recent version of Microsoft Tunnel.
To see detailed console output during the tunnel and installation agent enrollment
process:
a. Run export mst_verbose_log="true" before you run the ./mstunnel-setup script.
To confirm verbose logging is enabled, run export.
b. After setup completes, edit the environment file /etc/mstunnel/env.sh to add a
new line: mst_verbose_log="true". After adding the line, run mst-cli server
restart to restart the server.
Important
For the U.S. government cloud, the command line must reference the
government cloud environment. To do so, run the following commands to
add intune_env=FXP to the command line:
a. Run sudo chmod +x ./mstunnel-setup
b. Run sudo intune_env=FXP ./mstunnel-setup
Tip
If you stop the installation and script, you can restart it by running the
command line again. Installation continues from where you left off.
When you start the script, it downloads the Microsoft Tunnel Gateway container
images from the Intune service, and creates the necessary folders and files on the
server.
During setup, the script will prompt you to complete several admin tasks.
4. Review and configure variables in the following files to support your environment.
5. When prompted, copy the full chain of your Transport Layer Security (TLS)
certificate file to the Linux server. The script displays the correct location to use on
the Linux server.
The TLS certificate secures the connection between the devices that use the tunnel
and the Tunnel Gateway endpoint. The certificate must have the IP address or
FQDN of the Tunnel Gateway server in its SAN.
The private key will remain available on the machine where you create the
certificate signing request for the TLS certificate. This file must be exported with a
name of site.key.
Install the TLS certificate and private key. Use the following guidance that matches
your file format:
PFX:
The certificate file name must be site.pfx. Copy the certificate file to
/etc/mstunnel/private/site.pfx.
PEM:
The certificate file name must be site.crt. Copy the full chain certificate
into /etc/mstunnel/certs/site.crt. For example: cp [full path to cert]
/etc/mstunnel/certs/site.crt
6. After setup installs the certificate and creates the Tunnel Gateway services, you’re
prompted to sign in and authenticate with Intune. The user account must have
either the Intune Administrator or Global Administrator roles assigned. The
account you use to complete the authentication must have an Intune license. The
credentials of this account aren't saved and are only used for initial sign-in to
Azure Active Directory. After successful authentication, Azure app IDs/secret keys
are used for authentication between the Tunnel Gateway and Azure Active
Directory.
This authentication registers Tunnel Gateway with Microsoft Intune and your
Intune tenant.
b. After Microsoft Tunnel Gateway registers with Intune, the script gets
information about your Sites and Server configurations from Intune. The script
then prompts you to enter the GUID of the tunnel Site you want this server to
join. The script presents you with a list of your available sites.
c. After you select a Site, setup pulls the Server configuration for that Site from
Intune, and applies it to your new server to complete the Microsoft Tunnel
installation.
7. After the installation script finishes, you can navigate in Microsoft Intune admin
center to the Microsoft Tunnel Gateway tab to view high-level status for the
tunnel. You can also open the Health status tab to confirm that the server is online.
8. If you’re using RHEL 8.4 or later, be sure to restart the Tunnel Gateway server by
entering mst-cli server restart before you attempt to connect clients to it.
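Step 5 of the procedure above states the three properties the TLS material must have before it goes into /etc/mstunnel: the SAN must carry the Tunnel Gateway FQDN or IP address, site.key must be the private key of site.crt, and a PEM site.crt must hold the full chain. The following script is an added example, not from the Microsoft Tunnel documentation: it verifies those properties with the openssl CLI (1.1.1 or later, for the -addext used by the demo) and also reports the remaining validity. The demo certificate, the name tunnel.example.test and the address 203.0.113.10 are constructed values.

```shell
#!/bin/sh
# Added example, not from the Microsoft Tunnel documentation: verify a PEM
# site.crt / site.key pair against what step 5 above requires before copying
# the files into /etc/mstunnel. Checks: the SAN covers the Tunnel Gateway
# FQDN or IP address clients connect to, the private key belongs to the
# certificate, how many days of validity remain, and how many certificates the
# file carries (a CA-issued site.crt should hold the full chain). Requires the
# openssl CLI. The demo certificate and its names/addresses are constructed.

# cert_has_san CERT NAME : exit 0 if NAME appears as a DNS or IP SAN entry
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# key_matches_cert CERT KEY : exit 0 if both yield the same public key
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# cert_valid_for_days CERT DAYS : exit 0 unless the certificate expires within DAYS
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# chain_length CERT : number of PEM certificates in the file
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# check_site_cert CERT KEY NAME : human-readable report; exit 0 only if the
# SAN and key checks pass (expiry and chain length are reported, not enforced)
check_site_cert() {
  rc=0
  if cert_has_san "$1" "$3"; then echo "ok   SAN covers $3"
  else echo "FAIL SAN does not cover $3 (clients will reject the endpoint)"; rc=1; fi
  if key_matches_cert "$1" "$2"; then echo "ok   site.key matches site.crt"
  else echo "FAIL site.key does not belong to site.crt"; rc=1; fi
  if cert_valid_for_days "$1" 30; then echo "ok   valid for at least 30 more days"
  else echo "WARN expires within 30 days"; fi
  echo "info $(chain_length "$1") certificate(s) in file"
  return $rc
}

# make_demo_cert DIR : self-signed 30-day certificate with DNS and IP SANs
# (constructed stand-in for the CA-issued certificate you would really use)
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/site.key" -out "$1/site.crt" \
    -subj "/CN=tunnel.example.test" \
    -addext "subjectAltName=DNS:tunnel.example.test,IP:203.0.113.10" >/dev/null 2>&1
}

demo=$(mktemp -d)
if make_demo_cert "$demo"; then
  check_site_cert "$demo/site.crt" "$demo/site.key" tunnel.example.test
  echo "--- same files checked against a name that is not in the SAN:"
  check_site_cert "$demo/site.crt" "$demo/site.key" other.example.test || echo "-> mismatch caught"
fi
rm -rf "$demo"
```

Run `check_site_cert /etc/mstunnel/certs/site.crt /etc/mstunnel/private/site.key <your Tunnel FQDN>` on the server before starting setup; the key comparison works on the public keys only, so nothing private is written to the terminal.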
Android:
When you use Microsoft Defender for Endpoint as your tunnel client application
and as a mobile threat defense (MTD) application, see Use Microsoft Defender
for Endpoint for MTD and as the Microsoft Tunnel client app for important
configuration guidance.
iOS/iPadOS:
If you still use the standalone Microsoft Tunnel client app or a preview version
of Defender for Endpoint (available prior to April 29 2022), plan to migrate
devices to the latest version of Defender for Endpoint.
Microsoft Tunnel client app - For iOS/iPadOS, download the Microsoft Tunnel
client app from the Apple App Store. See Add iOS store apps to Microsoft
Intune.
Important
Plan for change. On April 29, 2022 both the Microsoft Tunnel connection type
and Microsoft Defender for Endpoint as the tunnel client app became generally
available. With this general availability, the use of the Microsoft Tunnel
(standalone client)(preview) connection type and the standalone tunnel client
app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.
To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.
For more information on deploying apps with Intune, see Add apps to Microsoft Intune.
Android:
Microsoft Tunnel - Use this connection type with Defender for Endpoint as the
tunnel client app.
Note
Prior to support for using Microsoft Defender for Endpoint as the tunnel
client app, a standalone tunnel client app was available in preview and
used a connection type of Microsoft Tunnel (standalone client). As of June
14 2021, both the standalone tunnel app and standalone client connection
type are deprecated and drop from support after October 26, 2021.
The Android platform supports routing of traffic through a per-app VPN and split
tunneling rules independently, or at the same time.
Note
Prior to support for using Microsoft Defender for Endpoint as the tunnel client
app, a standalone tunnel client app was available in preview and used a
connection type of Microsoft Tunnel (standalone client). As of June 14 2021,
both the standalone tunnel app and standalone client connection type are
deprecated and drop from support after January 31, 2022.
iOS/iPadOS:
Microsoft Tunnel – Use this connection type with Microsoft Defender for
Endpoint as the tunnel client app.
Microsoft Tunnel (standalone client) (preview) – Use this connection type when
you use the standalone Microsoft Tunnel client app. This connection type
doesn’t support Microsoft Defender for Endpoint as the client Tunnel app.
Important
Plan for change. On April 29, 2022 both the Microsoft Tunnel connection
type and Microsoft Defender for Endpoint as the tunnel client app became
generally available. With this general availability, the use of the Microsoft
Tunnel (standalone client)(preview) connection type and the standalone
tunnel client app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.
The iOS platform supports routing traffic by either a per-app VPN or by split
tunneling rules, but not both simultaneously. If you enable a per-app VPN for iOS,
your split tunneling rules are ignored.
Android
1. Sign in to Microsoft Intune admin center > Devices > Configuration profiles >
Create profile.
2. For Platform, select Android Enterprise. For Profile select VPN for either
Corporate-Owned Work Profile or Personally-Owned Work Profile, and then
select Create.
Note
Android Enterprise dedicated devices aren't supported by the Microsoft
Tunnel.
3. On the Basics tab, enter a Name and Description (optional) and select Next.
4. For Connection type select Microsoft Tunnel, and then configure the following
details:
Base VPN:
For Connection name, specify a name that will display to users.
For Microsoft Tunnel Site, select the Tunnel site that this VPN profile will
use.
Per-app VPN:
Apps that are assigned in the per-app VPN profile send app traffic to the
tunnel.
On Android, launching an app won't launch the per-app VPN. However,
when the VPN has Always-on VPN set to Enable, the VPN will already be
connected and app traffic will use the active VPN. If the VPN isn't set to be
Always-on, the user must manually start the VPN before it can be used.
If you're using the Defender for Endpoint app to connect to Tunnel, have
web protection enabled, and are using per-app VPN, web protection will
only apply to the apps in the per-app VPN list. On devices with a work
profile, in this scenario we recommend adding all web browsers in the
work profile to the per-app VPN list to ensure all work profile web traffic is
protected.
To enable a per-app VPN, select Add and then browse to the custom or
public apps you’ve imported to Intune.
Always-on VPN:
For Always-on VPN, select Enable to set the VPN client to automatically
connect and reconnect to the VPN. Always-on VPN connections stay
connected. If Per-app VPN is set to Enable, only the traffic from apps you
select go through the tunnel.
Proxy:
Configure proxy server details for your environment.
Note
For more information about VPN settings, see Android Enterprise device settings
to configure VPN.
Important
For Android Enterprise devices that use Microsoft Defender for Endpoint as a
Microsoft Tunnel client application and as an MTD app, you must use custom
settings to configure Microsoft Defender for Endpoint instead of using a
separate app configuration profile. If you don't intend to use any Defender
for Endpoint functionality, including web protection, use custom settings in
the VPN profile and set the defendertoggle setting to 0.
5. On the Assignments tab, configure groups that will receive this profile.
6. On the Review + create tab, review the configuration, and then select Create to
save it.
iOS
1. Sign in to Microsoft Intune admin center > Devices > Device Configuration >
Create profile.
2. For Platform, select iOS/iPadOS, and then for Profile select VPN, and then Create.
3. On the Basics tab, enter a Name and Description (optional) and select Next.
4. For Connection type, select Microsoft Tunnel and then configure the following
items:
Base VPN:
For Connection name, specify a name that will display to users.
For Microsoft Tunnel Site, select the tunnel Site that this VPN profile will
use.
Note
When using the Tunnel VPN connection and Defender web protection
together in combined mode, the Disconnect on sleep setting is not
supported. If this Intune VPN setting is set to Enabled and the iOS device
goes to sleep, both the Tunnel VPN and the Defender VPN are
disconnected.
Per-app VPN:
Define on-demand rules that allow use of the VPN when conditions are met
for specific FQDNs or IP addresses.
Proxy:
Configure proxy server details for your environment.
For devices enrolled as Android Enterprise personally-owned work profile that use
Defender for Endpoint for both purposes, you must use custom settings instead of an
app configuration profile. On these devices, the app configuration profile for Defender
for Endpoint conflicts with Microsoft Tunnel and can prevent the device from
connecting to Microsoft Tunnel.
If you use Microsoft Defender for Endpoint for Microsoft Tunnel but not for MTD, then
you continue to use the app configuration profile to configure Microsoft Defender for
Endpoint as a Tunnel client.
Add app configuration support for Microsoft Defender
for Endpoint to a VPN profile for Microsoft Tunnel
Use the following information to configure the custom settings in a VPN profile to
configure Microsoft Defender for Endpoint in place of a separate app configuration
profile. Available settings vary by platform.
0 - Disable
TunnelOnly
Value: True – All Defender for Endpoint functionality is disabled. This setting should be
used if you're using the app only for Tunnel capabilities.
Description: Determines whether the Defender app is limited to only Microsoft Tunnel,
or if the app also supports the full set of Defender for Endpoint capabilities.
WebProtection
Value: True (default) – Web Protection is enabled, and users will see the web protection
tab in the Defender for Endpoint app.
Description: Determines whether Defender for Endpoint Web Protection (anti-phishing
functionality) is enabled for the app. By default, this functionality is on.
The Microsoft Tunnel VPN feature in Defender for Endpoint is European Union Data
Boundary (EUDB) compliant. However, the Defender for Endpoint threat protection
components related to logging aren't yet EUDB compliant. EUDB compliance will
become available in a future release.
In the meantime, Microsoft Tunnel customers with EU tenants can enable TunnelOnly
mode in the Defender for Endpoint Client app. To configure this, use the following steps:
1. Follow the steps found in Install and configure Microsoft Tunnel VPN solution for
Microsoft Intune | Microsoft Learn to create an app configuration policy which
disables Defender for Endpoint functionality.
Guest accounts and Microsoft Accounts (MSA) that are not specific to your
organization's tenant are not supported for cross-tenant access using Microsoft Tunnel
VPN. This means that these types of accounts cannot be used to access internal
resources securely through the VPN. It is important to keep this limitation in mind when
setting up secure access to internal resources using Microsoft Tunnel VPN.
For more information about the EU Data Boundary, see EU Data Boundary for the
Microsoft Cloud | Frequently Asked Questions on the Microsoft security and
compliance blog.
By default, after a new upgrade is available, Intune automatically starts the upgrade of
tunnel servers as soon as possible at each of your tunnel sites. To help you manage
upgrades, you can configure options that control the upgrade process:
You can allow automatic upgrade of servers at a site, or require admin approval
before upgrades begin.
You can configure a maintenance window, which limits when upgrades at a site can
start.
For more information about upgrades for Microsoft Tunnel, including how to view
tunnel status and configure upgrade options, see Upgrade Microsoft Tunnel.
PFX:
PEM:
For more information about mst-cli, see Reference for Microsoft Tunnel.
Uninstall the Microsoft Tunnel
To uninstall the product, run ./mst-cli uninstall from the Linux server as root.
After the product is uninstalled, delete the corresponding server record in the Microsoft
Intune admin center under Tenant administration > Microsoft Tunnel Gateway >
Servers.
Next steps
Use Conditional Access with the Microsoft Tunnel
Note
This capability is available when you add Microsoft Intune Plan 2 or Microsoft
Intune Suite as an add-on license. For more information, see Use Intune Suite add-
on capabilities.
When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by
adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends
the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that
aren't enrolled with Microsoft Intune. With this solution, your users can use a single
device that isn't enrolled with Intune to gain secure access to the organization's on-
premises apps and resources using modern authentication, single sign-on, and
conditional access. With Tunnel for MAM, your users can use their own device (BYOD)
for both work and personal use, without having to grant the organization's IT
department control over that device.
Applies to:
Android
iOS/iPadOS
Learn about the Microsoft Tunnel VPN solution for Microsoft Intune
Identify the prerequisites to install and use the Microsoft Tunnel VPN solution for
Microsoft Intune
Install and configure Microsoft Tunnel VPN solution for Microsoft Intune
Requirements:
  Android: Company Portal app (sign-in not required)
  iOS: No Company Portal app or Defender for Endpoint app requirement
Features:
  Android: VPN is provided via the Defender for Endpoint app
  iOS: VPN is provided via Tunnel for MAM SDK for iOS integration; no device-wide VPN
Microsoft Edge browser support:
  Android: Identity switch: VPN connects when using a work or school account and
  disconnects when switching to a personal account or in-Private browsing
  iOS: Identity switch: VPN connects when using a work/school account and
  disconnects when switching to a personal account or in-Private browsing
Next steps
Learn about the Microsoft Tunnel VPN solution for Microsoft Intune
Use MAM Tunnel for Android
MAM Tunnel for iOS
Microsoft Tunnel for Mobile Application
Management for Android
Article • 06/07/2023
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
When you add Microsoft Tunnel for Mobile Application Management (MAM) to your
tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled Android devices to
support MAM scenarios. With support for MAM, your unenrolled devices can use Tunnel
to securely connect to your organization allowing users and apps safe access to your
organizational data.
Applies to:
Android Enterprise
To extend your existing Microsoft Tunnel configuration to support MAM, you'll create
and deploy three profiles that configure this support on your unenrolled devices:
App configuration policy for Microsoft Defender. This policy configures Microsoft
Defender for Endpoint on a device as the VPN tunnel client app.
App configuration policy for Microsoft Edge. This policy configures Microsoft Edge
to support identity-switch, which automatically connects and disconnects the VPN
tunnel when switching from a Microsoft "Work or school" account to a Microsoft
"personal account" in Microsoft Edge.
App protection policy to automatically start the connection to Microsoft Tunnel
when the MAM enabled app on the device accesses corporate resources.
With these policies in place, your existing Site and Server configurations for Tunnel
support access from devices that aren't enrolled in Intune. In addition, you can choose
to deploy your configurations for MAM Tunnel to enrolled devices instead of using
MDM Tunnel configurations. However, an enrolled device must use only the MDM
Tunnel configurations or the MAM Tunnel configurations, but not both. For example,
enrolled devices can't have an app like Microsoft Edge that uses MAM tunnel
configurations while other apps use MDM Tunnel configurations.
Prerequisites
Infrastructure and tenant:
Tunnel for MAM requires the same considerations and prerequisites as using Tunnel for
enrolled devices. For more information, see Tunnel prerequisites.
After configuring Microsoft Tunnel, you'll be ready to add the two App configuration
policies and the App protection policy that enables unenrolled devices to use Tunnel.
Configuration of these policies is detailed in the following sections.
Devices:
Users of devices that aren't enrolled with Intune must install the following apps on their
Android device before they can use the Tunnel for MAM scenario. These apps can all be
manually installed from the Google Play store:
2. Microsoft Edge – Get it from Microsoft Edge: Web Browser - Apps on Google
Play . Each device must manually enable the Tunnel functionality for Microsoft
Edge before the device can use Tunnel. To enable support for Tunnel, users must
browse to edge://flags from within the Microsoft Edge app, and then search for
and select Tunnel to enable it.
For your Line of Business (LOB) apps, integrate them with the MAM SDK. Later, you'll
need to add your LOB apps to your app protection policy and app configuration policies
for MAM Tunnel. See Getting started with MAM for Android.
Note
Make sure your Android LOB applications support direct proxy or Proxy Auto-
Configuration (PAC) for both MDM and MAM.
When all three are configured and deployed to the same groups, the app protection
policy will automatically trigger Tunnel to connect to the VPN whenever Microsoft Edge
is launched.
In addition, you can configure a Trusted certificate profile for use with your line-of-
business apps when they must connect to on-premises resources and are protected by
an SSL/TLS certificate issued by an on-premises or private certificate authority (CA).
Note
Ensure only a single Defender app configuration policy targets the unenrolled
device. Targeting more than 1 app configuration policy with different tunnel
settings for Defender for Endpoint will create tunnel connection issues on the
device.
1. Sign in to the Microsoft Intune admin center and go to Apps > App
Configuration policies > Add > Managed Apps.
3. On the Settings tab, skip the General configuration settings category, which isn't
used for this policy. For the Microsoft Tunnel settings category, make the following
configurations:
For Site Name, select an available site, and then click OK.
Important
MAM Tunnel for Android doesn't support the use of Always-on VPN.
When Always-on VPN is set to Enable, Tunnel does not connect
successfully and sends connection failure notifications to the device user.
Proxy is an optional setting. Configure proxy settings to meet your on-
premises network requirements.
Note
4. On the Assignments tab, select Add Groups, and then select the same Azure Active
Directory groups that you deployed the Microsoft Edge App configuration profile
to, and then select Next.
5. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.
The new policy will appear in the list of App configuration policies.
1. Sign in to the Microsoft Intune admin center and go to Apps > App
Configuration policies > Add > Managed Apps.
3. On the Settings tab, configure the Name and Value pair in the General
configuration settings category as follows:
Name =
com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly
Value = True
Note
Ensure there are no trailing spaces at the end of the General configuration
setting. This setting provides "Identity switch" support to Edge on Android.
It enables Edge on Android to automatically connect the VPN when signing
in with a "Work account or School account" and to disconnect the VPN when
switching to a "Personal account" or to InPrivate browsing.
You can also use this same policy to configure other configurations for Microsoft
Edge in the Microsoft Edge configuration settings category. After any additional
configurations for Microsoft Edge are ready, select Next.
4. On the Assignments tab, select Add Groups, and then select one or more Azure
Active Directory groups that will receive this policy. After configuring groups, select
Next.
5. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.
The new policy will appear in the list of App configuration policies.
When the app is started, the Tunnel VPN connection attempts to start. Once the
connection is established, the device has access to the on-premises network routes
available via the Microsoft Tunnel Gateway. If you wish to limit tunnel network access
to specific apps, configure the "Per-App VPN (Android only)" settings.
1. Sign in to the Microsoft Intune admin center and go to Apps > App protection
policies > Create policy > Android.
2. On the Basics tab, enter a Name for this policy, and a Description (optional), and
then select Next.
3. On the Apps tab, click Select public apps, select Microsoft Edge, and then click
Select.
4. On the Data protection tab, scroll to the bottom and set Start Microsoft Tunnel
connection on app-launch to Yes, and then select Next.
5. Continue past the Access requirements and Conditional launch tabs.
6. On the Assignments tab, select Add Groups, and then select the same Azure Active
Directory groups that you deployed the two app configuration profiles to, and
then select Next.
7. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.
The new policy will appear in the list of app protection policies.
For more information about adding custom apps to policies, see the following articles
for the two policy types:
To support LOB apps on your unenrolled devices, the apps must deploy as available
apps from within Microsoft Intune admin center. You can't use Intune to deploy apps as
required apps to unenrolled devices.
Use a trusted certificate profile
LOB apps that use the MAM tunnel on Android are required to integrate with the Intune
App SDK and must use the new Tunnel for MAM trust manager to utilize trusted root
certificate support for their LOB apps. To support trusted root certificates, you must use
the minimum SDK version (or later) as detailed in the Prerequisites section of this article.
Requirements:
MAMCertTrustWebViewClient supports:
Android 10 or higher
MAMTrustedRootCertsManager supports:
SSLContext
SSLSocketFactory
TrustManager
WebView
During configuration of the app configuration profile for an app that will use Tunnel for
MAM, select the certificate profile that will be used:
1. On the Settings tab of your app configuration profile, expand Microsoft Tunnel for
Mobile Application Management settings.
For information about configuring root certificate profiles, see Trusted root
certificate profiles for Microsoft Intune.
3. After configuring the Tunnel MAM settings, Select Next to open the Assignments
tab.
Known Issues
The following are known issues or limitations for MAM Tunnel for Android.
Workaround: None.
Workaround: Manually deploy and install the trusted root certificate on unenrolled
Android devices that will use Microsoft Edge with Tunnel.
Workaround: To ensure proper certificate validation, admins must deploy the root
certificate and all intermediate certificates in Intune. If the root certificate along with all
intermediate certificates are not deployed, Android can fail to build the certificate chain
and fail to trust the server.
Workaround: Manually install the corresponding trusted root certificate of the private
certificate authority on the Android device. A future update of the Defender for
Endpoint app will provide support and remove the need to manually install the trusted
root certificate.
Workaround: Refresh the browser connection on the device. The resource becomes
available after the connection to Tunnel is established.
Workaround: Install all three apps manually from the Google Play store. You'll find links
to all three apps on Google Play in this article's Prerequisites section.
Workaround: Target each device with a single app configuration policy for Microsoft
Defender, ensuring each unenrolled device is configured to use only one Site.
Next steps
Overview of Microsoft Tunnel for Mobile Application Management
MAM Tunnel for iOS
Also see:
Note
This capability is available as an Intune add-on. For more information, see Use
Intune Suite add-on capabilities.
When you add Microsoft Tunnel for Mobile Application Management (MAM) to your
tenant, you can use Microsoft Tunnel VPN Gateway with unenrolled iOS devices to
support the following MAM scenarios:
Applies to:
iOS/iPadOS
Tunnel for MAM iOS is a powerful tool that allows organizations to securely manage
and protect their mobile applications. The VPN connection for this solution is provided
through the Microsoft Tunnel for MAM iOS SDK.
In addition to using MAM Tunnel with unenrolled devices, you can also use it with
enrolled devices. However, an enrolled device must use either the MDM Tunnel
configurations or the MAM Tunnel configurations, but not both. For example, enrolled
devices can't have an app like Microsoft Edge that uses MAM tunnel configurations
while other apps use MDM Tunnel configurations.
To use the Microsoft Tunnel for MAM iOS, you must update your Line of Business (LOB)
apps to integrate the following three SDKs. Find guidance for integrating each SDK later
in this article:
Actions
1. Upon initial launch of the app, a connection is made via the Tunnel for MAM SDK.
2. An authentication token is required to authenticate.
a. The device may already have an Azure AD auth token obtained from a previous
sign-in using another MAM-enabled app on the device (like Outlook, Microsoft
Edge, and Microsoft 365 Office mobile apps).
3. A TCP connect (TLS handshake) occurs with the token to the tunnel server.
4. If UDP is enabled on the Microsoft Tunnel Gateway, a data-channel connection
using DTLS is made. If UDP is disabled, then TCP is used to establish the data
channel to the Tunnel gateway. See the TCP and UDP notes in the Microsoft Tunnel
architecture.
5. When the mobile app makes a connection to an on-premises corporate resource:
a. A Microsoft Tunnel for MAM API connect request for that company resource
occurs.
b. An encrypted web request gets made to the corporate resource.
Note
The Tunnel for MAM iOS SDK provides the VPN tunnel. It's scoped to the networking
layer within the app. VPN connections are not displayed in iOS settings.
Each active line-of-business (LOB) app that's integrated with the Tunnel for MAM iOS
SDK and that runs in the foreground represents an active client connection on the
Tunnel Gateway server. The mst-cli command line tool can be used to monitor
active client connections. For information about the mst-cli command-line tool, see
Reference for Microsoft Tunnel Gateway.
App configuration policy - Configures the Microsoft Tunnel Gateway settings for
Edge and LOB apps. You can add any trusted certificates required for on-premises
resource access.
App protection policy - Configures data protection settings. It also establishes a
way to deploy an app configuration policy that configures the Microsoft Tunnel
settings for Edge and LOB apps.
Trusted certificate profile - For apps that connect to on-premises resources and
are protected by an SSL/TLS certificate issued by an on-premises or private
certificate authority (CA).
1. Sign in to the Microsoft Intune admin center and go to Apps > App
Configuration polices > Add > Managed Apps.
2. On the Basics tab, enter a Name for the policy and a Description (optional).
3. For LOB apps, select + Select custom apps to open the Select apps to target pane.
On the Select apps to target pane:
a. For Bundle or Package ID, specify the LOB app's Bundle ID.
b. For Platform, select iOS/iPadOS, and then select Add.
c. Select the app you just added, and then Select.
Note
LOB apps require Intune App SDK for iOS and MSAL integration. MSAL
requires an Azure AD app registration. Ensure the Bundle ID used in the App
configuration policy is the same Bundle ID specified in the Azure AD app
registration and the Xcode app project. Xcode is the Apple integrated
development environment that runs on macOS and is used to integrate the
Tunnel for MAM iOS SDK with your app.
For more information about adding custom apps to policies, see App configuration
policies for Intune App SDK managed apps.
4. On the Settings tab, expand Microsoft Tunnel for Mobile Application Management
settings and configure the following options:
Note
When configuring proxy and split tunneling, if the proxy server is configured in the
included routes, all traffic will flow through the proxy. If the proxy server is not
configured in the included routes, then all traffic will be blocked. Enabling both split
tunneling and proxy is not supported.
For federated Azure Active Directory tenants, the following configuration is required
to ensure that your applications can authenticate and access the required resources.
This configuration makes Tunnel bypass the URL of the publicly available security token
service (STS):
1. On the Settings tab, expand General configuration settings and then configure the
Name and Value pair as follows to set up the Edge profile for Tunnel:
Name = com.microsoft.tunnel.custom_configuration
Value = {"bypassedUrls":["Company’sSTSURL"]}
Note
After configuring the Tunnel MAM settings, Select Next to open the Assignments tab.
5. On the Assignments tab, select Add Groups, and then select one or more Azure AD
user groups that will receive this policy. After configuring groups, select Next.
6. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.
Note
If you already have an app configuration policy created for your LOB App, you can
edit that policy to include Edge and the required key/value pair settings.
1. In the Microsoft Intune admin center, go to Apps > App Configuration policies
> Add > Managed Apps.
3. On the Settings tab, expand General configuration settings and then configure the
Name and Value pair as follows to set up the Edge profile for Tunnel:
Name =
com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly
Value = True
Note
Ensure there are no trailing spaces at the end of the General configuration
settings. These settings provide Identity switch support to Microsoft Edge on
iOS. This enables Edge on iOS to automatically connect the VPN when signing
in with a Work account or School account and to disconnect the VPN when
switching to a Personal account or to InPrivate browsing.
For federated Azure Active Directory tenants, the following configuration is
required to ensure that Edge can authenticate and access the required resources.
This configuration makes Tunnel bypass the URL of the publicly available security
token service (STS):
a. On the Settings tab, expand General configuration settings and then configure
the Name and Value pair as follows to set up the Edge profile for Tunnel:
Name = com.microsoft.tunnel.custom_configuration
Value = {"bypassedUrls":["Company’sSTSURL"]}
Note
After any additional configurations for Microsoft Edge are ready, select Next.
4. On the Assignments tab, select Add Groups, and then select one or more Azure AD
groups that will receive this policy. After configuring groups, select Next.
5. On the Review + Create tab, select Create to complete creation of the policy and
deploy the policy to the assigned groups.
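The Edge policies for Android (earlier on this page) and for iOS (the steps above) reduce to the same Managed Apps app configuration payload, and both carry the same easy mistakes: a trailing space in the key, or the STS placeholder left unreplaced in the bypassedUrls JSON. The following Python is an added example, not code from the Intune documentation or from Microsoft: it builds the request body for the Microsoft Graph targetedManagedAppConfigurations resource using the two setting keys named on this page, rejects surrounding whitespace instead of silently stripping it, and validates the federated-STS bypass list before serialising it. The Edge package ID and bundle ID, the group IDs and the STS URL are assumptions for illustration; the Graph resource and assign action are taken from the Graph API, not from this page, and nothing here sends a request.

```python
import json
from urllib.parse import urlparse

# Setting names from the Edge app configuration steps on this page.
EDGE_TUNNEL_KEY = "com.microsoft.intune.mam.managedbrowser.TunnelAvailable.IntuneMAMOnly"
TUNNEL_CUSTOM_CONFIG_KEY = "com.microsoft.tunnel.custom_configuration"

# Edge app identifiers. ASSUMPTION: these package/bundle IDs are not stated on
# this page; confirm them against the app picker in the Intune admin center.
EDGE_APP_IDS = {
    "android": {"@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
                "packageId": "com.microsoft.emmx"},
    "ios": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
            "bundleId": "com.microsoft.intune.mam.managedbrowser"},
}


def has_surrounding_whitespace(text):
    """True when a setting name or value carries the leading/trailing spaces the
    notes warn about; Edge matches the key literally, so such a policy silently
    fails to enable Tunnel."""
    return text != text.strip()


def custom_setting(name, value):
    """One {"name", "value"} entry of customSettings; raise rather than strip."""
    for field, text in (("name", name), ("value", value)):
        if has_surrounding_whitespace(text):
            raise ValueError(f"{field} {text!r} has leading or trailing whitespace")
    return {"name": name, "value": value}


def tunnel_custom_configuration(bypassed_urls):
    """Serialise the federated-STS bypass list as the compact JSON string that
    the com.microsoft.tunnel.custom_configuration key expects."""
    urls = list(bypassed_urls)
    if not urls:
        raise ValueError("bypassedUrls must name at least one STS URL")
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            # Also rejects the documentation placeholder, which isn't a URL.
            raise ValueError(f"bypassed URL must be an https URL, got {url!r}")
    return json.dumps({"bypassedUrls": urls}, separators=(",", ":"))


def edge_tunnel_policy(platform, display_name, sts_urls=None):
    """Request body for POST /deviceAppManagement/targetedManagedAppConfigurations
    creating the Managed Apps policy the steps above describe."""
    settings = [custom_setting(EDGE_TUNNEL_KEY, "True")]
    if sts_urls:
        settings.append(custom_setting(TUNNEL_CUSTOM_CONFIG_KEY,
                                       tunnel_custom_configuration(sts_urls)))
    return {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": display_name,
        "description": f"Tunnel for MAM: Edge identity switch ({platform})",
        "apps": [{"@odata.type": "#microsoft.graph.managedMobileApp",
                  "mobileAppIdentifier": EDGE_APP_IDS[platform]}],
        "customSettings": settings,
    }


def group_assignment(group_ids):
    """Request body for POST .../targetedManagedAppConfigurations/{id}/assign."""
    return {"assignments": [
        {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": gid}} for gid in group_ids]}


if __name__ == "__main__":
    # Constructed example: a federated tenant whose AD FS endpoint must bypass Tunnel.
    body = edge_tunnel_policy("ios", "Edge - Tunnel for MAM", ["https://sts.contoso.com/adfs"])
    print(json.dumps(body, indent=2))
    print(json.dumps(group_assignment(["00000000-0000-0000-0000-000000000001"]), indent=2))
```

Assign the same groups to this policy, the Defender (Android) or LOB app configuration policy and the app protection policy; the builder keeps the assignment body separate so the same group list can be reused for all three.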
This policy provides the necessary data protection and establishes a means of delivering
app configuration policy to apps. To create an app protection policy, use the following
steps:
1. Sign in to the Microsoft Intune admin center and go to Apps > App protection
policies > + Create policy > and select iOS/iPadOS.
2. On the Basics tab, enter a Name for the policy, and a Description (optional), and
then select Next.
4. For LOB apps, select + Select custom apps to open the Select apps to target
pane. Next, on the Select apps to target pane:
a. For Bundle ID, specify the LOB app's Bundle ID and then select Add.
b. Select the app you just added, and then Select.
Note
LOB apps require Intune App SDK for iOS and MSAL integration. MSAL
requires an Azure AD app registration. Ensure the Bundle ID used in the App
configuration policy is the same Bundle ID specified in the Azure AD app
registration and the Xcode app project.
5. In the Data protection, Access requirements, and Conditional launch tabs, configure
any remaining app protection policy settings based on your deployment and data
protection requirements.
6. On the Assignments tab, select Add Groups, and then select one or more Azure AD
user groups that will receive this policy. After configuring groups, select Next.
A trusted certificate profile is required to establish a chain of trust with your on-
premises infrastructure. The profile allows the device to trust the certificate that's used
by the on-premises web or application server, ensuring secure communication between
the app and the server.
Tunnel for MAM uses the public-key certificate payload contained in the Intune trusted
certificate profile but doesn’t require the profile be assigned to any Azure AD user or
device groups. As a result, a trusted certificate profile for any platform can be used. So,
an iOS device can use a trusted certificate profile for Android, iOS, or Windows to meet
this requirement.
Important
Tunnel for MAM iOS SDK requires that trusted certificates use the DER encoded
binary X.509 or PEM certificate format.
During configuration of the app configuration profile for an app that will use Tunnel for
MAM, you select the certificate profile that will be used. For information on configuring
these profiles, see Trusted root certificate profiles for Microsoft Intune.
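The DER-or-PEM requirement above is easy to miss when a CA exports a PFX, and a PFX starts with the same ASN.1 SEQUENCE byte as a DER certificate, so a file-extension check isn't enough. The following Python is an added example, not part of the Intune documentation or of the Tunnel for MAM iOS SDK: it accepts a certificate payload, converts each PEM block to DER, and tells an X.509 certificate from a PKCS#12 bundle by the first element inside the outer SEQUENCE (a SEQUENCE for tbsCertificate versus an INTEGER version for PFX), so a wrong export is caught before the profile is created. The sample byte strings are constructed ASN.1 skeletons with the right outer shape, not real certificates.

```python
import base64
import re

_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_tlv(buf, offset):
    """Decode the tag and definite length of the DER element at offset and
    return (tag, length, offset_of_value)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:
        return tag, first, offset + 2
    n = first & 0x7F
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return tag, int.from_bytes(buf[offset + 2:offset + 2 + n], "big"), offset + 2 + n


def der_kind(der):
    """Classify a DER blob by its outer structure:
      X.509   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
      PKCS#12 PFX         ::= SEQUENCE { version INTEGER, ... }
    Both begin with 0x30, so the first inner tag is what tells them apart."""
    try:
        tag, length, body = _der_tlv(der, 0)
        if tag != 0x30 or body + length != len(der):
            return "unknown"
        inner_tag, _, _ = _der_tlv(der, body)
    except ValueError:
        return "unknown"
    return {0x30: "x509", 0x02: "pkcs12"}.get(inner_tag, "unknown")


def to_der_certificates(data):
    """Accept the DER or PEM payload of a trusted certificate profile and return
    the certificates as a list of DER blobs (one per PEM block, so a root plus
    intermediates chain is preserved; a DER input is returned as is). Raise
    ValueError for anything else, such as a PFX/PKCS#12 bundle."""
    blocks = _PEM_CERT.findall(data)
    if blocks:
        ders = [base64.b64decode(b"".join(b.split()), validate=True) for b in blocks]
    else:
        ders = [data]
    for der in ders:
        kind = der_kind(der)
        if kind != "x509":
            raise ValueError(f"not a DER or PEM X.509 certificate ({kind})")
    return ders


def is_trusted_cert_payload(data):
    try:
        to_der_certificates(data)
        return True
    except ValueError:
        return False


# Constructed samples: minimal ASN.1 skeletons, not real certificates.
SAMPLE_X509_DER = b"\x30\x05\x30\x03\x02\x01\x01"   # SEQUENCE { SEQUENCE { INTEGER 1 } }
SAMPLE_PFX_DER = b"\x30\x03\x02\x01\x03"            # SEQUENCE { INTEGER 3 }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_X509_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, payload in (("pem", SAMPLE_PEM), ("der", SAMPLE_X509_DER), ("pfx", SAMPLE_PFX_DER)):
        print(label, "accepted" if is_trusted_cert_payload(payload) else "rejected")
```

Run it against the actual file you plan to upload (read it as bytes); a PEM that holds the root and every intermediate yields one DER blob per certificate, which also lets you confirm the whole chain is present, as the Android known issue below requires.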
Application ID
Tenant ID
The following guidance is specific to requirements for the Tunnel for MAM iOS SDK
integration.
1. In the Azure AD portal for your tenant, go to Azure Active Directory, and then
under Manage, select App registrations > + New registration.
3. On the Overview pane, note the values for Application (client) ID and the Directory
(tenant) ID. These values are required for the app registration's Xcode project. After
recording the two values, under Manage, select Authentication.
4. On the Authentication pane for your app registration, select + Add a platform, and
then select the tile for iOS/macOS. The Configure your iOS or macOS app pane
opens.
5. On the Configure your iOS or macOS app pane, Enter the Bundle ID for the Xcode
app to be integrated with the Tunnel for MAM iOS SDK, and then select Configure.
The iOS/macOS configuration pane opens.
The Bundle ID in this view must exactly match the Bundle ID in Xcode. This detail
can be found in the following locations in the Xcode project:
A Redirect URI and MSAL Configuration are automatically generated. Select Done at
the bottom of the dialog window to finish. No other settings are required for
Authentication.
6. Next, while viewing the app registration, select API permissions and then + Add a
permission. Add the API permissions for Microsoft Mobile Application Management
and Microsoft Tunnel Gateway:
On the Request API permissions page, select the tab for APIs my organization
uses.
Search for Microsoft Mobile Application Management, select the result, and
then select the checkbox.
Select Add permissions.
To complete the configuration, return to the API permissions pane and select Grant
admin consent for YOUR_TENANT, and then select Yes.
7. Next, while viewing the app registration, select Token configuration, and then +
Add optional claim. On the Add optional claim page, for Token type select Access,
and then for Claim, select the checkbox for acct. Tunnel for MAM requires this
Auth token to authenticate users to Azure AD.
8. To verify that all settings were applied successfully, select Integration assistant:
For What application types are you building? select Mobile app (Android, iOS,
Xamarin, UWP).
Set Is this application calling APIs? to No, and then select Evaluate my app
registration.
1. In the Azure AD portal , go to Azure Active Directory, and then under Manage,
select App registrations. Next, select the app registration that you want to review
and update to open its Overview pane. Record the values for the Application
(client) ID and the Directory (tenant) ID.
These values must exactly match the following values in your Xcode app project:
2. Select Authentication and review the app platform type. It must be iOS/macOS
and have a Bundle ID and Redirect URI. The Redirect URI must be formed as
msauth.Your_Bundle_ID://auth.
Next, select View to view the details of the Bundle ID and Redirect URI. Ensure that
an MSAL Configuration is present. If it isn't, see Create an Azure AD app and service
principal in the portal - Microsoft Entra for guidance.
As in the previous step, compare the values Bundle ID and Redirect URI with these
values from your Xcode app project:
Also ensure the Xcode Bundle Identifier in your app project matches the app
registration Bundle ID:
3. Verify, and update the API permissions. Ensure you have Microsoft Graph, and
Microsoft Mobile Application Management permissions already set.
Next add permissions for the Microsoft Tunnel Gateway service principal:
c. Search for Microsoft Tunnel Gateway, and select it to Request API permissions.
If Microsoft Tunnel Gateway doesn't appear in the list, then it hasn't been
provisioned. To provision it, see Use Microsoft Tunnel VPN gateway with
Conditional Access policies.
After being updated, you should see the following three API permissions with the
status of Granted for YOUR_TENANT_NAME:
Microsoft Graph
Microsoft Mobile Application Management
Microsoft Tunnel Gateway
4. Select Token configuration to confirm the settings. For Claim, you should see a
value for acct with a Token type of Access.
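The review steps above are a checklist: two IDs that must match the Xcode project, one platform entry with a Bundle ID and a redirect URI of a fixed form, three admin-consented API permissions, and one optional claim. The following Python is an added example, not code from Microsoft or from this page: it takes the registration values as you would read them off the portal, compares them with the Xcode project values, and returns every mismatch, so the check can be repeated after each change to the registration. The registration and project dictionaries are constructed sample data with placeholder IDs and a made-up bundle identifier; no portal or API is called.

```python
REQUIRED_API_PERMISSIONS = (
    "Microsoft Graph",
    "Microsoft Mobile Application Management",
    "Microsoft Tunnel Gateway",
)


def expected_redirect_uri(bundle_id):
    """The MSAL redirect URI form the iOS/macOS platform entry must use."""
    return f"msauth.{bundle_id}://auth"


def check_app_registration(registration, xcode_project):
    """Compare an app registration (as read from the Azure AD portal) with the
    Xcode project values and return a list of findings; empty means every
    check in the review steps above passed."""
    findings = []
    for key, label in (("client_id", "Application (client) ID"),
                       ("tenant_id", "Directory (tenant) ID")):
        if registration.get(key) != xcode_project.get(key):
            findings.append(f"{label}: registration has {registration.get(key)!r}, "
                            f"Xcode project has {xcode_project.get(key)!r}")
    platform = registration.get("platform") or {}
    if platform.get("type") != "iOS/macOS":
        findings.append(f"platform type: expected 'iOS/macOS', got {platform.get('type')!r}")
    bundle_id = xcode_project["bundle_id"]
    if platform.get("bundle_id") != bundle_id:
        findings.append(f"Bundle ID: registration has {platform.get('bundle_id')!r}, "
                        f"Xcode project has {bundle_id!r}")
    want_uri = expected_redirect_uri(bundle_id)
    if platform.get("redirect_uri") != want_uri:   # exact match, so a stray '/' is caught
        findings.append(f"Redirect URI: expected {want_uri!r}, got {platform.get('redirect_uri')!r}")
    if not platform.get("msal_configuration"):
        findings.append("MSAL Configuration is missing from the iOS/macOS platform")
    consented = {p["api"] for p in registration.get("api_permissions", []) if p.get("admin_consent")}
    for api in REQUIRED_API_PERMISSIONS:
        if api not in consented:
            hint = " (not provisioned? see the Conditional Access article)" \
                if api == "Microsoft Tunnel Gateway" else ""
            findings.append(f"API permission for {api} is missing or lacks admin consent{hint}")
    claims = {(c.get("token_type"), c.get("name")) for c in registration.get("optional_claims", [])}
    if ("Access", "acct") not in claims:
        findings.append("optional claim 'acct' is not configured for the Access token")
    return findings


# Constructed sample data: placeholder IDs and bundle name, not a real tenant or app.
XCODE_PROJECT = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "66666666-7777-8888-9999-000000000000",
    "bundle_id": "com.contoso.fieldapp",
}
GOOD_REGISTRATION = {
    "client_id": XCODE_PROJECT["client_id"],
    "tenant_id": XCODE_PROJECT["tenant_id"],
    "platform": {"type": "iOS/macOS", "bundle_id": "com.contoso.fieldapp",
                 "redirect_uri": "msauth.com.contoso.fieldapp://auth",
                 "msal_configuration": True},
    "api_permissions": [{"api": api, "admin_consent": True} for api in REQUIRED_API_PERMISSIONS],
    "optional_claims": [{"token_type": "Access", "name": "acct"}],
}
# The same registration with two of the mistakes the page calls out: a
# malformed redirect URI and no permission for the Tunnel Gateway principal.
BAD_REGISTRATION = {
    **GOOD_REGISTRATION,
    "platform": {**GOOD_REGISTRATION["platform"],
                 "redirect_uri": "msauth.com.contoso.fieldapp://auth/"},
    "api_permissions": [p for p in GOOD_REGISTRATION["api_permissions"]
                        if p["api"] != "Microsoft Tunnel Gateway"],
}

if __name__ == "__main__":
    for name, reg in (("good", GOOD_REGISTRATION), ("bad", BAD_REGISTRATION)):
        print(name, check_app_registration(reg, XCODE_PROJECT) or "OK")
```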
The following are requirements for using Xcode to successfully integrate an iOS App to
use Microsoft Tunnel for MAM iOS:
For guidance on integrating the SDK, see Tunnel for MAM iOS SDK developer guide.
Known Issues
The following are known issues or limitations for Tunnel for MAM on iOS. For known
issues with the Microsoft Tunnel for MAM iOS SDK, go to Tunnel for MAM iOS SDK
developer guide.
MAM Tunnel not supported when using the MDM Tunnel
You can choose to use MAM Tunnel with enrolled devices instead of using MDM Tunnel
configurations. However, deploying both MAM and MDM Tunnel App configuration
policies containing Microsoft Tunnel settings, to the same device isn't supported and
results in client networking failures.
For example, enrolled devices can't have an app like Microsoft Edge that uses MAM
tunnel App configuration policy setting while other apps use MDM Tunnel
configurations.
Workaround: To use MAM Tunnel with enrolled devices, ensure that the Defender for
Endpoint iOS app doesn't have an App configuration policy with Microsoft Tunnel
settings configured.
Workaround: To avoid this issue, ensure that the app logic prioritizes establishing a
successful connection to Tunnel before initializing Firebase.
Workaround: This issue can be resolved by refreshing the Intune admin center and
accessing the policy again:
1. In the Intune admin center, go to Apps > App Configuration Policies > Add.
2. Select custom apps, add a Bundle or Package ID for iOS, complete the flow, and
create the app config policy.
3. Edit the basic settings. The newly added bundle ID should appear in the list of
targeted custom apps.
Experienced in the Edge browser when users sign in with a work account. Also experienced
when users sign in to a LOB app for the first time.
key: com.microsoft.tunnel.custom_configuration
Note
Workaround: None.
Next steps
Configure Microsoft Tunnel
Monitor Microsoft Tunnel
MAM Tunnel for Android
Monitor Microsoft Tunnel
Article • 02/22/2023
After installation of Microsoft Tunnel, you can view the server configuration and server health in
the Microsoft Intune admin center .
Select a server and then open the Health check tab to view that server's health status metrics. By
default, each metric uses predefined threshold values that determine the status. The following
metrics support customization of these thresholds:
CPU usage
Memory usage
Disk space usage
Latency
Last check-in – When the Tunnel Gateway server last checked in with Intune.
Healthy – The last check-in was within the last five minutes.
Unhealthy – More than five minutes have passed since the last check-in.
Current connections – The number of unique connections that were active at the last server
check-in.
Healthy – There were 4,990 or fewer connections
Unhealthy – There were more than 4,990 active connections
Throughput – The megabits per second of traffic passing through the Tunnel Gateway
NIC at the last server check-in.
CPU usage – The average CPU use by the Tunnel Gateway server every five minutes.
Healthy - 95% or less
Warning - 96% to 99%
Unhealthy - 100% use
Memory usage – The average memory use by the Tunnel Gateway server every 5 minutes.
Healthy - 95% or less
Warning - 96% to 99%
Unhealthy - 100% use
Latency – The average amount of time it takes for IP packets to arrive and then exit the
network interface.
Healthy - Less than 10 milliseconds
Warning - 10 milliseconds to 20 milliseconds
Unhealthy - More than 20 milliseconds
TLS certificate - The number of days until the TLS certificate that secures traffic between
clients and the Tunnel Gateway server will expire.
Healthy - More than 30 days
Warning - 30 days or less
Unhealthy - The certificate is expired
Internal network accessibility – Status from the most recent check of the internal URL. You
configure the URL as part of a Tunnel Site configuration.
Healthy - The server can access the URL specified in the site properties.
Unhealthy - The server can't access the URL specified in the site properties.
Unknown - This status appears when you haven't set a URL in the site properties. This
status doesn’t affect the overall status of the site.
Server version - The status of the Tunnel Gateway Server software, in relation to the most
recent version.
Healthy - Up to date with the most recent software version
Warning - One version behind
Unhealthy - Two or more versions behind, and out of support
When Server version isn’t Healthy, plan to install upgrades for Microsoft Tunnel.
CPU usage
Memory usage
Disk space usage
Latency
3. On the Configure thresholds page, set new thresholds for each health check category that
you want to customize.
4. Select Save.
5. On the Health status pane, select Refresh to update the status of all servers based on the
customized threshold values.
After you modify thresholds, the values on a server's Health check tab automatically update to
reflect its status, based on the current thresholds.
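The status bands listed above can be turned into a small evaluator, which is useful for checking exported server metrics outside the admin center or for trying custom thresholds before saving them. The following Python is an added example, not code from the Intune documentation or from the Tunnel agent: it applies the default bands from the metric list, lets the four customizable metrics be overridden, and treats Unknown as not affecting the overall result. The sample check-in records are constructed; the disk-space default bands and the rule that the overall status is the worst individual status are assumptions, since the page lists neither.

```python
from datetime import datetime, timedelta, timezone

HEALTHY, WARNING, UNHEALTHY, UNKNOWN = "Healthy", "Warning", "Unhealthy", "Unknown"
_SEVERITY = {HEALTHY: 0, WARNING: 1, UNHEALTHY: 2}

# Default bands from the metric list above. The disk-space defaults are an
# ASSUMPTION (the page doesn't list them); override them with your tenant's
# configured thresholds.
DEFAULT_THRESHOLDS = {
    "cpu_percent": {"healthy_max": 95, "warning_max": 99},
    "memory_percent": {"healthy_max": 95, "warning_max": 99},
    "disk_percent": {"healthy_max": 95, "warning_max": 99},
    "latency_ms": {"healthy_max": 10, "warning_max": 20, "healthy_inclusive": False},
}
MAX_HEALTHY_CONNECTIONS = 4990
CHECKIN_GRACE = timedelta(minutes=5)
TLS_WARNING_DAYS = 30


def band(value, healthy_max, warning_max, healthy_inclusive=True):
    """Three-band status: Healthy up to healthy_max (inclusive, except for
    latency where Healthy is strictly below 10 ms), Warning up to
    warning_max, Unhealthy beyond."""
    healthy = value <= healthy_max if healthy_inclusive else value < healthy_max
    if healthy:
        return HEALTHY
    return WARNING if value <= warning_max else UNHEALTHY


def evaluate_server(server, now, custom_thresholds=None):
    """Return (overall, per_metric) for one server record, using the default
    bands with any customizable metric replaced by custom_thresholds."""
    thresholds = {**DEFAULT_THRESHOLDS, **(custom_thresholds or {})}
    status = {}
    status["last_checkin"] = HEALTHY if now - server["last_checkin"] <= CHECKIN_GRACE else UNHEALTHY
    status["connections"] = HEALTHY if server["connections"] <= MAX_HEALTHY_CONNECTIONS else UNHEALTHY
    for metric in ("cpu_percent", "memory_percent", "disk_percent", "latency_ms"):
        status[metric] = band(server[metric], **thresholds[metric])
    days = server["tls_days_remaining"]
    status["tls_certificate"] = UNHEALTHY if days < 0 else WARNING if days <= TLS_WARNING_DAYS else HEALTHY
    reachable = server.get("internal_url_reachable")   # None: no URL set in the site properties
    status["internal_network"] = UNKNOWN if reachable is None else HEALTHY if reachable else UNHEALTHY
    behind = server["versions_behind"]
    status["server_version"] = HEALTHY if behind == 0 else WARNING if behind == 1 else UNHEALTHY
    # ASSUMPTION: overall is the worst individual status. Unknown is skipped,
    # matching the note above that it doesn't affect the overall status.
    rated = [s for s in status.values() if s != UNKNOWN]
    return max(rated, key=_SEVERITY.get), status


# Constructed sample check-in records, not real telemetry.
NOW = datetime(2023, 6, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_SERVERS = [
    {"name": "tunnel-01", "last_checkin": NOW - timedelta(minutes=2), "connections": 120,
     "cpu_percent": 42, "memory_percent": 61, "disk_percent": 37, "latency_ms": 4.2,
     "tls_days_remaining": 180, "internal_url_reachable": True, "versions_behind": 0},
    {"name": "tunnel-02", "last_checkin": NOW - timedelta(minutes=9), "connections": 4991,
     "cpu_percent": 97, "memory_percent": 100, "disk_percent": 50, "latency_ms": 12,
     "tls_days_remaining": 30, "internal_url_reachable": None, "versions_behind": 1},
    {"name": "tunnel-03", "last_checkin": NOW - timedelta(minutes=1), "connections": 300,
     "cpu_percent": 85, "memory_percent": 70, "disk_percent": 40, "latency_ms": 6,
     "tls_days_remaining": 45, "internal_url_reachable": None, "versions_behind": 0},
]

if __name__ == "__main__":
    for server in SAMPLE_SERVERS:
        overall, detail = evaluate_server(server, NOW)
        flagged = {k: v for k, v in detail.items() if v != HEALTHY}
        print(f"{server['name']}: {overall} {flagged}")
```

Passing a custom_thresholds dictionary such as {"cpu_percent": {"healthy_max": 80, "warning_max": 90}} shows how tighter bands change a server's status before you save them on the Configure thresholds page.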
Health status trends for Tunnel servers
View health status trends for Microsoft Tunnel Gateway health metrics in the form of a chart. Data
for the charts is averaged over a three-hour block and as such can be delayed by up to three hours.
The health status trend charts are available for the following metrics:
Connections
CPU usage
Disk space usage
Memory usage
Average latency
Throughput
2. Go to Tenant administration > Microsoft Tunnel Gateway > Health status > Select a
server, and then select Trends
3. Use the Metric drop-down to select the metric chart you want to view.
By default, access logging is disabled. Enabling access logs can reduce performance,
depending on the number of active connections and usage patterns on the server. Logging
for DNS connections increases the verbosity of the logs, which can become noisy.
Important
If access logs are too noisy, you can turn off DNS connection logging by setting
TRACE_SESSIONS=1 and restarting the server.
Important
To view information for only the tunnel server, run journalctl -t ocserv.
To view the telemetry log, run journalctl -t ocserv | grep TELEMETRY.
To view information for all log options, run journalctl -t ocserv -t ocserv-access
-t mstunnel-agent -t mstunnel_monitor.
Add -f to the command to display an active and continuing view of the log file. For
example, to actively monitor ongoing processes for Microsoft Tunnel, run journalctl -t
mstunnel_monitor -f.
For more information about journalctl, see the documentation for the version of Linux that you use.
Known issues
The following are known issues for Microsoft Tunnel.
Server health
Clients can successfully use the Tunnel when Server health status shows as offline
Issue: On the Tunnel Health status tab, a server’s health status reports as offline indicating it's
disconnected, even though users can reach the tunnel server and connect to the organization’s
resources.
Solution: To resolve this issue, you must reinstall Microsoft Tunnel, which re-enrolls the Tunnel
server agent with Intune. To prevent this issue, install updates for the Tunnel agent and server
soon after they're released. Use the Tunnel server health metrics in the Microsoft Intune admin
center to monitor server health.
Agent:
Error details
    stack:
Server:
Error details
    stack:
Solution: To resolve this issue, manually restart the Podman containers. Podman should then
be able to identify the containers. If the problem persists or returns, consider using cron to
create a job that automatically restarts the containers when this issue is seen.
This issue occurs due to differences in formatting dates between Podman and Tunnel Agent.
These errors don't indicate a fatal issue or prevent connectivity. Beginning with containers
released after October 2022, the formatting issues should be resolved.
Solution: To resolve these issues, update the agent container (Podman or Docker) to the latest
version. As new sources of these errors are discovered, we’ll continue to fix them in subsequent
version updates.
Connectivity to Tunnel
Issue: Devices fail to connect to the server, and the Tunnel server ocserv log file contains an entry
similar to the following entry: main: tun.c:655: Can't open /dev/net/tun: Operation not
permitted
For guidance on viewing Tunnel logs, see View Microsoft Tunnel logs in this article.
Solution: Restart the server using mst-cli server restart after the Linux server reboots.
If this issue persists, consider automating the restart command by using the cron scheduling
utility. See How to use cron on Linux at opensource.com.
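The restart loop suggested above is easy to get wrong if the job restarts the server unconditionally on every run, which would interrupt connected clients for no reason. The following watchdog is an added example, not code from the Intune documentation or the Tunnel product: it only acts when the exact message quoted above appears in recent ocserv journal output, and the action it takes is the page's own fix, mst-cli server restart. The ten-minute lookback window, the cron schedule and the script path are assumptions.

```shell
#!/usr/bin/env bash
# Added example; not code from the Intune documentation or the Tunnel product.
# Watchdog for the known "Can't open /dev/net/tun" failure: look for the exact
# message the page quotes in recent ocserv journal output and, if present,
# apply the page's own fix ("mst-cli server restart"). The 10-minute lookback,
# the cron schedule and the script path are assumptions.
set -eu

TUN_ERROR="Can't open /dev/net/tun: Operation not permitted"

# tun_error_present: reads journal text on stdin; exit 0 if the known error
# appears, 1 otherwise. Kept separate from journalctl so it can be tried
# against saved log lines.
tun_error_present() {
  grep -Fq -- "$TUN_ERROR"
}

# count_tun_errors: number of matching lines in the text on stdin.
count_tun_errors() {
  grep -Fc -- "$TUN_ERROR" || true
}

# decide_action: "restart" when the error is seen in the text on stdin, else "none".
decide_action() {
  if tun_error_present; then echo restart; else echo none; fi
}

# recent_ocserv_log MINUTES: the tunnel server log (page: journalctl -t ocserv)
# limited to the last MINUTES.
recent_ocserv_log() {
  journalctl -t ocserv --since "-${1}min" --no-pager
}

# check_and_restart: restart the Tunnel server only when the error is seen.
# DRY_RUN=1 prints the action instead of running it.
check_and_restart() {
  local action
  action=$(recent_ocserv_log 10 | decide_action)
  if [ "$action" = restart ]; then
    echo "tun device error seen in the last 10 minutes; restarting Microsoft Tunnel server"
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "(dry run) mst-cli server restart"
    else
      mst-cli server restart
    fi
  else
    echo "no tun device error in the last 10 minutes"
  fi
}

# Run the check only when invoked with "run", so the file can be sourced for testing.
# Example cron entry (as root, every 5 minutes):
#   */5 * * * * /usr/local/sbin/tunnel-tun-watchdog.sh run >> /var/log/tunnel-watchdog.log 2>&1
if [ "${1:-}" = run ]; then
  check_and_restart
fi
```

Keep the lookback window shorter than the cron interval plus a margin, otherwise one error line triggers a restart on several consecutive runs; and keep the log the job writes, since a server that needs this restart repeatedly is the signal that the Linux host, not the Tunnel container, needs attention.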
Solution: This issue can occur when the standalone Tunnel client app remains installed while the
Microsoft Defender for Endpoint app is in use. To resolve this issue, uninstall the standalone
Tunnel client app. It's also possible to uninstall the standalone client app prior to installing
Microsoft Defender for Endpoint, but doing so might leave your devices unable to use Microsoft
Tunnel until the new Tunnel app is in place and fully configured.
Next steps
Reference for Microsoft Tunnel
Upgrade Microsoft Tunnel for Microsoft Intune
Article • 07/26/2023
Microsoft Tunnel, a VPN gateway solution for Microsoft Intune, periodically receives
software upgrades, which must be installed on the tunnel servers to keep them in support. To
stay in support, servers must run the most recent release, or at most be one version
behind. The information in this article explains the upgrade process, upgrade controls,
and the status reports you use to understand the software version of tunnel servers, when
upgrades are available, and how to control when upgrades happen.
Intune handles the upgrade of servers assigned to each tunnel site for you. When
upgrades for a site begin, all servers in the site upgrade one at a time, which is
referred to as an upgrade cycle. While a server is upgrading, the Microsoft Tunnel on that
server isn't available for use. Upgrading a single server at a time helps minimize
disruptions to users when the site includes multiple servers.
Intune begins by upgrading one server in the site. The upgrade can start as soon
as 10 minutes after the release becomes available.
If a server was off, upgrade begins after the server turns on.
After a successful upgrade of one server at a site, Intune waits a short time before
it starts the upgrade of the next server.
If you set a maintenance window for the site, the upgrade cycle begins between
the window's start and end time. When no maintenance window is set, the upgrade
cycle starts as soon as possible.
No – When set to No, Intune won't upgrade servers until an admin explicitly
chooses to begin the upgrade cycle.
After an upgrade is approved for a site with a maintenance window, the upgrade cycle
begins between the window's start and end time. If there's no maintenance
window, the upgrade cycle starts as soon as possible.
Important
When you configure a site for manual upgrades, periodically review the Health
check tab to understand when newer versions of Microsoft Tunnel are
available to install. The report also identifies when the current tunnel version
at the site is out of support.
When a maintenance window is configured for a site, the server upgrade cycle can begin only during the configured
period. However, once begun, the cycle continues to update servers one by one until all
servers assigned to the site complete the upgrade.
Yes – Set a maintenance window. The window limits when a server upgrade cycle
can begin at the site. The maintenance window doesn’t define when individual
servers assigned to the site might start to upgrade.
Sites configured to upgrade automatically start the upgrade cycle only during
the configured period. Sites configured to require admin approval before an
upgrade begins do so during the next maintenance window after the
upgrade is approved.
For sites that don't support automatic upgrade, you can also view when upgrades to a
new version are available.
Sign in to Microsoft Intune admin center > Tenant administration > Microsoft Tunnel
Gateway > Health status. Select a server and then open the Health check tab to view
the following information about it:
Server version - The status of the Tunnel Gateway Server software, in the context
of the most recent version available.
Healthy - Up to date with the most recent software version.
Warning - One version behind.
Unhealthy - Two or more versions behind, and out of support.
When a server doesn’t run the most recent software version, plan to install an available
upgrade to keep the Microsoft Tunnel in support.
Approve upgrades
Sites that have the setting Automatically upgrade servers at this site set to No won't
automatically upgrade servers. Instead, an admin must approve upgrades for servers at
that site before the upgrade cycle starts.
To understand when an upgrade is available for servers, use the Health check tab to
review server status.
To approve an upgrade
1. Sign in to Microsoft Intune admin center > Tenant administration > Microsoft
Tunnel Gateway > Sites.
After you choose to upgrade servers, Intune starts the process to do so, which cannot be
canceled. The time that upgrades begin at the site depends on the configuration of
maintenance windows for the site.
After an update releases, it rolls out to tenants over the following days. This rollout time
means new updates might not be available for your tunnel servers for a few days.
The Microsoft Tunnel version for a server isn't available in the Intune UI at this time.
Instead, run the following command on the Linux server that hosts the tunnel to identify
the hash values of agentImageDigest and serverImageDigest:
cat /etc/mstunnel/images_configured
Important
Container releases take place in stages. If you notice that your container images are
not the most recent, please be assured that they will be updated and delivered
within the following week.
agentImageDigest: sha256:683f756e15678264599f005f2eefe128e30a39ad74673da84426837b67bc0837
serverImageDigest: sha256:7665f4407f8f5a0b67d352c7c7291fa5d4011c55bd718b6e390247e85585b3c1
agentImageDigest: sha256:ef5c23cc4c56263732124be7215f01a0904b5abaf78f5f033672d139205fcc3a
serverImageDigest: sha256:1b11852378c1a0f0f595d76d841dafe4d23cc962b296eae365629c5c31adcc9a
April 3, 2023
Image hash values:
agentImageDigest: sha256:73b95c79b430c4ae88199132f62d1da08c7ce7bdf76484dbb0b28fa324c5f8ad
serverImageDigest: sha256:e424c4bb707d3a18c59f18259549de007f2916c995dea92212a1d3396cf05bf5
March 1, 2023
Image hash values:
agentImageDigest: sha256:c4478f5e54dc1536523113885095b6eda37da1b2a31461347cd85ea8a7d487b5
serverImageDigest: sha256:cf706bc6a5ea8a743bab84ed8be9901733738881e2e84d0f9083654e9c5cd317
February 2, 2023
Image hash values:
agentImageDigest: sha256:9140d4e7f397d0a7c6c203b0c74a4f11b66affee3d36837298a50821b5dca9a4
serverImageDigest: sha256:709219327f6aff5f81f6b6dc9f644334ccefd6af2f75ed4461ae06885bff9551
agentImageDigest: sha256:517a2267b5b4fbbd58ab46be22202158e55562bfb8f79eb7ef4fc35a0fc3cc8d
serverImageDigest: sha256:3a367955746522fe89fc8f0fb6edc259aefe0e681db652281b1ff264fdcce6dc
agentImageDigest: sha256:df03d4ad8469511a4b649dcbbad5dbaa5c7f10cdc9640b7801190623090a67ae
serverImageDigest: sha256:0f66f2b5463e283c1621fc4250f69fac97ebda77bef8f570ed181b78000d762c
agentImageDigest: sha256:186ff8d5c9a70085adc01778251f577988fef9b456801dc30e846f1a2bc3784c
serverImageDigest: sha256:ec5bd023b5582e58b6b9eb6aa41a9b064003f5b2b228508115bf6d42be9564a3
Security improvements
Mst-readiness script enhancements
agentImageDigest: sha256:94e08d27c4f18706b2e3d92594d8a173446638a641240ae86a18a583be257cae
serverImageDigest: sha256:683ff13cfc16824741e961f04b94bce766777a5dcc80f019af234b4c9948fd66
Changes in this release:
Next steps
Reference for Microsoft Tunnel
Use Conditional Access with Microsoft
Tunnel in Intune
Article • 02/22/2023
If your Microsoft Intune environment uses both Azure Active Directory (AD) and
Conditional Access, you can use Conditional Access policies to gate device access to
your Microsoft Tunnel VPN gateway.
To support integration of Conditional Access and Microsoft Tunnel, you’ll use Azure AD
PowerShell to enable your tenant to support Microsoft Tunnel. After enabling your
tenant to support Microsoft Tunnel, you can then create Conditional Access policies that
apply to the Microsoft Tunnel app.
3. Using credentials that have the Azure Role permissions equivalent to Global
Administrator, run the script from any location in your environment, to provision
your tenant.
The script modifies your tenant by creating a service principal with the following
details:
The addition of this service principal is required so you can select the tunnel cloud
app while configuring Conditional Access policies. It's also possible to use Graph to
add the service principal information to your tenant.
4. After the script completes, you can use your normal process to create Conditional
Access policies.
1. Sign in to Microsoft Intune admin center > Endpoint Security > Conditional
access > New policy.
3. To configure user and group access, below Assignments, select Users and groups.
a. Select Include > All users.
b. Next, select Exclude and configure the groups you want to grant access to, and
then save the user and Group configuration.
4. Under Cloud apps or actions > Select apps, select the Microsoft Tunnel Gateway
app.
5. Below Access controls, select Grant, select Block access, and then save the
configuration.
7. Select Create.
For more information about creating policies for Conditional Access, see Create a
device-based Conditional Access policy.
Next steps
Monitor Microsoft Tunnel
Migrate to Microsoft Defender for Endpoint for the Microsoft Tunnel in Intune
Article • 02/22/2023
If you use Microsoft Tunnel as a VPN gateway solution for Microsoft Intune, plan to
migrate from the standalone Microsoft Tunnel client app to Microsoft Defender for
Endpoint with support for Microsoft Tunnel.
Platform support
If you've previously configured Microsoft Tunnel for iOS using the standalone Microsoft
Tunnel client app, you must migrate your devices to use Microsoft Defender for
Endpoint as the tunnel client app before support for the iOS standalone tunnel client
app ends on July 29, 2022.
Support for the Android standalone tunnel client app ended on January 31, 2022.
The following device platforms support Microsoft Defender for Endpoint as the tunnel
client app:
Android Enterprise:
Fully managed
Corporate-owned work profile
Personally owned work profile
On June 14, 2021, Microsoft Defender for Endpoint became generally available as
the Microsoft Tunnel client app for Android for use with the Microsoft Tunnel
Gateway in Microsoft Intune.
If you've previously configured Microsoft Tunnel for Android using the standalone
Microsoft Tunnel client app, you must migrate your devices to use Microsoft
Defender for Endpoint as the Tunnel client app before support for the Android
standalone Tunnel client app ends on October 26, 2021.
When using Microsoft Defender for Endpoint to connect to Tunnel for Android,
use custom settings in the VPN profile to manage Defender for Endpoint instead
of using a separate app configuration profile. If you don't intend to use any
Defender for Endpoint functionality, including web protection, use custom settings
in the VPN profile and set the defendertoggle setting to 0.
iOS/iPadOS devices:
On April 29, 2022, Microsoft Defender for Endpoint became available as the
Microsoft Tunnel client app for iOS/iPadOS devices for use with the Microsoft
Tunnel Gateway in Microsoft Intune.
To configure the Microsoft Defender for Endpoint app to connect to Tunnel, you'll
need to create a new VPN profile with the Microsoft Tunnel connection type.
When using Microsoft Defender for Endpoint to connect to Tunnel for iOS/iPadOS,
use custom settings in the VPN profile to manage Defender for Endpoint. If you
don't intend to use any Defender for Endpoint functionality, including web
protection, use custom settings in the VPN profile and set the TunnelOnly setting
to True.
To support Defender for Endpoint, all VPN profiles created before March 2, 2021 that
have a connection type of Microsoft Tunnel were updated to a connection type of
Microsoft Tunnel (standalone client).
This change:
Android:
Microsoft Tunnel
A VPN profile with this connection type configures the Microsoft Defender
for Endpoint app to connect to Microsoft Tunnel Gateway.
Use this VPN connection type for devices that run Android Enterprise.
A connection type of Microsoft Tunnel (standalone client) should no longer be
created for Android. Existing VPN profiles with this connection type should
be migrated to Microsoft Tunnel and you should use Defender for Endpoint
as the Tunnel client app.
iOS/iPadOS:
Microsoft Tunnel
A VPN profile with this connection type configures the Microsoft Defender
for Endpoint app to connect to Microsoft Tunnel Gateway.
A connection type of Microsoft Tunnel (standalone client) (preview) should no
longer be created for iOS/iPadOS. Existing VPN profiles with this connection
type should be migrated to Microsoft Tunnel, which requires Defender for
Endpoint as the Tunnel client app.
Note
On April 29, 2022, the Microsoft Tunnel connection type became generally
available and supports Microsoft Defender for Endpoint as a tunnel client
app. However, the connection type continues to reflect preview.
End-user changes:
The Microsoft Defender for Endpoint app that you use as the Tunnel client app includes
a new tab for the Microsoft Tunnel functionality.
The functionality that’s available in the Microsoft Defender for Endpoint app depends on
the policy settings you deploy to manage the app on a device. The following tabs are
available:
Tunnel - This tab is where users connect to the Tunnel Gateway and can view
connection statistics and client configuration settings.
The Tunnel tab is available after a device receives a VPN profile for Microsoft
Tunnel that supports Defender for Endpoint.
Dashboard – This tab displays a summary of the device’s overall health, app
security status, web protection status, and Tunnel status.
App security (Android only) – On this tab, users can view the status of automatic
scans on the device. Users can also uninstall the apps identified as threats and run
a manual scan. This tab isn’t available when the VPN profile turns off the Defender
for Endpoint functionality or when the Defender for Endpoint functionality is
turned off by a separate app configuration profile.
Web Protection – This tab displays the status of the feature enabled or disabled by
administrators, and details of the feature described in the flip cards. This tab isn’t
available when the VPN profile turns off the Defender for Endpoint functionality
(iOS/iPadOS and Android) or the Defender for Endpoint functionality is turned off
by a separate app configuration profile (Android).
For information about license requirements for Microsoft Defender for Endpoint, see
Get Microsoft Defender for Endpoint.
Migrating to Microsoft Defender for Endpoint requires the following broad actions,
which are described in the following sections:
1. Locate and Approve the app in the Managed Google Play store for your tenant,
and then Sync it. For information on this process, see Managed Google Play store
apps.
3. Complete the assignment, and then ask users to install the Microsoft Defender for
Endpoint app.
You'll use this information when you deploy new VPN profiles and the Defender for
Endpoint app, to mirror your existing deployments.
1. Sign in to Microsoft Intune admin center > Devices > Configuration profiles.
Locate the VPN profiles you use for Microsoft Tunnel for your Android devices.
They display a connection type of Microsoft Tunnel (standalone client). You’ll
replace these profiles with new profiles that use the Defender for Endpoint app.
b. From Properties, record the available values. This information will help you
create new VPN profiles that mirror your current configurations.
2. Next, record details for your Tunnel app deployments. In the admin center, go to
Apps. Locate your deployments of Microsoft Tunnel to Android Enterprise devices.
b. From Properties, record the available values. This information will help you to
create similar deployments for the Microsoft Defender for Endpoint app.
1. Use the information from Create a VPN Profile to create and deploy new VPN
profiles for your Android Enterprise devices.
2. During configuration, reference the settings you recorded from your existing
profiles, but use a connection type of Microsoft Tunnel.
If you’re using only the Tunnel functionality from the Defender for Endpoint app,
and not Defender-specific functionality, add a custom setting of defendertoggle
that is set to 0. This configuration disables the Defender for Endpoint functionality,
leaving only the Tunnel capabilities.
Note
If you are using the Microsoft Defender for Endpoint app for Android, have web
protection enabled, and are using per-app VPN, web protection will only apply to
the apps in the per-app VPN list. On devices with a work profile, in this scenario we
recommend adding all web browsers in the work profile to the per-app VPN list to
ensure all work profile web traffic is protected.
Migrating to Defender for Endpoint requires the following broad actions, which are
described in the following sections:
The server settings stay exactly the same regardless of the client you’re using.
1. Locate and Approve the app in the Apple app store for your tenant, and then Sync
it. For information on this process, see Add iOS store apps to Microsoft Intune.
2. Assign the app to groups.
3. Complete the assignment, and then ask users to install the Microsoft Defender for
Endpoint app.
1. Go to Devices > Configuration profiles and select each applicable profile and
review its Properties.
2. From Properties, record the available values. This information will help you
create new VPN profiles that mirror your current configurations.
If you use per-app VPN, look at your iOS app deployments and record details for
apps that are assigned to a Microsoft Tunnel (standalone client) (preview) profile.
1. Go to Apps and select each applicable deployment and review its Properties.
2. From Properties, record the available values including those that are assigned
as required or are assigned as available. This information will help you to
create similar deployments for the Microsoft Defender for Endpoint app.
1. Sign in to the Microsoft Intune admin center and go to > Devices >
Configuration profiles > iOS/iPadOS.
2. Select the VPN profile you want to edit, and then select Properties, and then Edit
the Configuration settings.
a. Review the current settings for each category. When you change the Connection
type, the profile's settings are cleared and you'll need to restore them.
b. Change the Connection type from Microsoft Tunnel (standalone client) (preview)
to Microsoft Tunnel (preview).
Important
Even when a setting appears to remain configured and not cleared, reenter
each setting to ensure the correct values are applied.
d. If you’re using only the Tunnel functionality from the Defender for Endpoint
app, and not Defender-specific functionality, add a custom setting of
TunnelOnly that is set to True. This configuration disables the Defender
functionality, leaving only the Tunnel capabilities.
5. After the profile redeploys, wait for devices to check in or force devices to sync to
get the new policies.
6. Verify that users can connect to Tunnel manually in the Defender for Endpoint app.
If your VPN profile includes on-demand rules, users must open the Defender for
Endpoint app one time before the new on-demand rules can apply.
1. Use the information from Create a VPN Profile to create and deploy new VPN
profiles for your iOS/iPadOS devices.
2. During configuration, reference the settings you recorded from your existing
profiles, but use a connection type of Microsoft Tunnel.
If you're using only the Tunnel functionality from the Defender for Endpoint app, and not
Defender-specific functionality, add a custom setting of TunnelOnly that is set to True. This
configuration disables the Defender for Endpoint functionality, leaving only the
Tunnel capabilities.
3. After the profile deploys, wait for devices to check in or force devices to sync to
get the new policies.
4. Verify that users can connect to Tunnel manually in the Defender for Endpoint app.
If your VPN profile includes on-demand rules, users must open the Defender for
Endpoint app one time before the new on-demand rules can apply.
a. Wait at least 10 minutes after creating the new VPN profile. After 10 minutes
you can then change the app deployment assignments from the Microsoft
Tunnel (standalone client) (preview) VPN profile to the new VPN profile for
Microsoft Tunnel.
b. After the new VPN profile deploys to a device, that device must restart before
the new VPN profile is used. To restart a device, see remotely restart devices
with Intune.
Next Steps
Use Conditional Access with Microsoft Tunnel
With Microsoft Intune, you can create a tenant-wide policy that configures use of
Windows Hello for Business on Windows 10 or Windows 11 devices at the time those
devices enroll with Intune. This policy targets your entire organization and supports the
Windows Autopilot out-of-box-experience (OOBE).
For Windows 10/11 devices, use of Windows Hello for Business replaces the use of
passwords with strong two-factor authentication on devices. This authentication consists
of a user credential that’s tied to a device and uses a biometric or PIN.
After device enrollment, or when you choose not to use the tenant-wide enrollment
policy, Intune supports the following methods to manage Windows Hello on discrete
groups of devices:
Security baselines: Some settings for Windows Hello can be managed by security
baselines like the baselines for Microsoft Defender for Endpoint security or Security
Baseline for Windows 10 and later.
Important
Prior to the Anniversary Update (Windows version 1607), you could set two
different PINs that could be used to authenticate to resources:
The device PIN could be used to unlock the device and connect to cloud
resources.
The work PIN was used to access Azure AD resources on a user's personal
devices (BYOD).
In the Anniversary Update, these two PINs were merged into one single device PIN.
Any Intune configuration policies you set to control the device PIN, and
additionally, any Windows Hello for Business policies you configured, now both set
this new PIN value. If you have set both policy types to control the PIN, the
Windows Hello for Business policy is applied. To ensure policy conflicts are resolved
and that the PIN policy is applied correctly, update your Windows Hello for
Business policy to match the settings in your configuration policy, and ask your
users to sync their devices in the Company Portal app.
2. Go to Devices > Enroll devices > Windows enrollment > Windows Hello for
Business. The Windows Hello for Business pane opens.
3. Select from the following options for Configure Windows Hello for Business:
Enabled. Select this setting if you want to configure Windows Hello for
Business settings. When you select Enabled, other settings for Windows Hello
are visible and can be configured for devices.
Disabled. If you don't want to enable Windows Hello for Business during
device enrollment, select this option. When disabled, users can't provision
Windows Hello for Business. When set to Disabled, you can still configure the
subsequent settings for Windows Hello for Business even though this policy
won't enable Windows Hello for Business.
Not configured. Select this setting if you don't want to use Intune to control
Windows Hello for Business settings. Any existing Windows Hello for Business
settings on Windows 10/11 devices aren't changed. All other settings on the pane are
unavailable.
4. If you selected Enabled in the previous step, configure the required settings that
are applied to all enrolled Windows 10/11 devices. After you configure these
settings, select Save.
A TPM chip provides another layer of data security. Choose one of the
following values:
Required (default). Only devices with an accessible TPM can provision
Windows Hello for Business.
Preferred. Devices first attempt to use a TPM. If this option isn't available,
they can use software encryption.
You can enforce a stronger PIN by requiring the use of uppercase letters,
lowercase letters, and special characters in the PIN. For each, select from:
Allowed. Users can use the character type in their PIN, but it isn't
mandatory.
Required. Users must include at least one of the character types in their
PIN. For example, it's common practice to require at least one uppercase
letter and one special character.
Not allowed (default). Users must not use these character types in their
PIN. (This is also the behavior if the setting isn't configured.)
It's a good practice to specify an expiration period for a PIN, after which users
must change it. The default is 41 days.
Restricts the reuse of previously used PINs. By default, the last 5 PINs can't be
reused.
When set to Yes, Windows requires all users to use anti-spoofing for facial
features when that is supported.
If this option is set to Yes, users can use a remote passport to serve as a
portable companion device for desktop computer authentication. The
desktop computer must be Azure Active Directory joined, and the companion
device must be configured with a Windows Hello for Business PIN.
When set to Enable, this setting provides the capability to remotely turn
Windows Hello security keys on or off for all computers in a customer's
organization.
Next steps
Learn more about Windows Hello from the following subjects in the Windows
documentation:
Use an Identity protection profile to manage Windows Hello for Business on groups of
devices in Microsoft Intune. Windows Hello for Business is a method for signing in to
Windows devices by replacing passwords, smart cards, and virtual smart cards. Intune
includes built-in settings so Administrators can configure and use Windows Hello for
Business. For example, you can use these settings to:
Windows 10
Windows 11
In addition to use of an Identity protection profile, Intune supports the following options
to manage settings for Windows Hello for Business:
During device enrollment: Manage Windows Hello when a device enrolls with a
tenant-wide policy.
Security baselines: Some settings for Windows Hello can be managed by security
baselines like the baselines for Microsoft Defender for Endpoint security or Security
Baseline for Windows 10 and later.
Endpoint security Account protection policy: Account protection policies include
some of the settings used by Windows Hello.
Note
For customers looking to configure Windows Holographic for Business, please use
DeviceLock CSP
Intune uses configuration profiles to create and customize these settings for your
organization's needs. After you add these features in a profile, push or deploy these
settings to user and device groups in your organization.
This article shows you how to create a device configuration profile. For a list of all the
settings, and what they do, see Windows device settings to enable Windows Hello for
Business.
Important
Due to how Intune determines the scope and applicability of Windows Hello for
Business policy, the device may log Event ID 454 as a result of applying policy. This
can be safely ignored when the policy is being successfully applied (and enforced).
4. Select Create.
Name: Enter a descriptive name for the new profile. Name your policies so
you can easily identify them later.
Description: Enter a description for the profile. This setting is optional, but
recommended.
Configure Windows Hello for Business: Choose how you want to configure
Windows Hello for Business:
Disabled: If you don't want to use Windows Hello for Business, select this
option. This option disables Windows Hello for Business for all users.
Enabled: Choose this option to provision, and configure Windows Hello
for Business settings in Intune. Enter the settings you want to configure.
For a list of all settings, and what they do, see - Windows device settings
to enable Windows Hello for Business.
Use security keys for sign-in: Enable Windows Hello security key as a sign-in
credential for all PCs in the tenant.
Enable
Not configured (default)
7. In Assignments, select the user and device groups that will receive this profile. For
more information on assigning profiles, see Assign user and device profiles.
Important
Select Next.
8. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, see
Applicability rules.
Select Next.
9. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Next steps
Review settings, and what they do
Monitor the profile status
Learn about Conditional Access and Intune
Article • 02/21/2023
Use Conditional Access with Microsoft Intune compliance policies to control the devices
and apps that can connect to your email and company resources. When integrated, you
can gate access to keep your corporate data secure, while giving users an experience
that allows them to do their best work from any device, and from any location.
Conditional Access is an Azure Active Directory capability that is included with an Azure
Active Directory Premium license. Through Azure Active Directory, Conditional Access
brings signals together to make decisions, and enforce organizational policies. Intune
enhances this capability by adding mobile device compliance and mobile app
management data to the solution. Common signals include:
Note
Intune and Azure Active Directory work together to make sure only managed and
compliant devices can access email, Microsoft 365 services, Software as a service
(SaaS) apps, and on-premises apps. Additionally, you can set a policy in Azure
Active Directory to enable only domain-joined computers or mobile devices that
have enrolled in Intune to access Microsoft 365 services. Including:
Conditional Access for Windows PCs. Both corporate-owned and bring your
own device (BYOD).
Intune and Azure Active Directory work together to make sure only managed apps
can access corporate e-mail or other Microsoft 365 services.
Next steps
Common ways to use Conditional Access with Intune
Common ways to use Conditional Access with Intune
Article • 02/22/2023
There are two types of Conditional Access policies you can use with Intune: device-
based Conditional Access and app-based Conditional Access. To support each, you'll
need to configure the related Intune policies. When the Intune policies are in place and
deployed, you can then use Conditional Access to do things like allow or block access to
Exchange, control access to your network, or integrate with a Mobile Threat Defense
solution.
The information in this article can help you understand how to use the Intune mobile
device compliance capabilities and the Intune mobile application management (MAM)
capabilities.
Note
With Intune, you deploy device compliance policies to determine if a device meets your
expected configuration and security requirements. The compliance policy evaluation
determines the device's compliance status, which is reported to both Intune and Azure
AD. It's in Azure AD that Conditional Access policies can use a device's compliance
status to make decisions on whether to allow or block access to your organization's
resources from that device.
Device-based Conditional Access policies for Exchange online and other Microsoft 365
products are configured through the Microsoft Intune admin center.
Learn more about Require managed devices with Conditional Access in Azure
Active Directory.
Learn more about Supported browsers with Conditional Access in Azure Active
Directory.
Note
When you enable Device Based Access for content that users access from browser
apps on their Android personally-owned work profile devices, users that enrolled
before January 2021 must enable browser access as follows:
This enables access in browser apps, but not to browser WebViews that open within
apps.
1. Microsoft Intune - This application controls access to the Microsoft Intune admin
center and data sources. Configure grants/controls on this application when you
want to target the Microsoft Intune admin center and data sources.
2. Microsoft Intune Enrollment - This application controls the enrollment workflow.
Configure grants/controls on this application when you want to target the
enrollment process. For more information, see Require multi-factor authentication
for Intune device enrollments.
Conditional Access based on network access control
Intune integrates with partners like Cisco ISE, Aruba ClearPass, and Citrix NetScaler to
provide access controls based on the Intune enrollment and the device compliance
state.
Users can be allowed or denied access to corporate Wi-Fi or VPN resources based on
whether the device they're using is managed and compliant with Intune device
compliance policies.
The Intune and mobile threat defense integration plays a factor in the Conditional
Access decisions based on device risk.
Corporate-owned
Hybrid Azure AD joined: This option is commonly used by organizations that are
reasonably comfortable with how they're already managing their PCs through AD
group policies or Configuration Manager.
You can configure advanced settings in Conditional Access for more granular control
such as:
When devices don't meet the conditions set, the end user is guided through the process
of enrolling the device to fix the issue that is making the device noncompliant.
Note
Beginning in July of 2020, support for the Exchange connector is deprecated, and
replaced by Exchange hybrid modern authentication (HMA). Use of HMA does not
require Intune to set up and use the Exchange Connector. With this change, the UI
to configure and manage the Exchange Connector for Intune has been removed
from the Microsoft Intune admin center, unless you already use an Exchange
connector with your subscription.
If you have an Exchange Connector set up in your environment, your Intune tenant
remains supported for its use, and you’ll continue to have access to UI that
supports its configuration. For more information, see Install Exchange on-premises
connector. You can continue to use the connector or configure HMA and then
uninstall your connector.
Important
Keep in mind that the user who's using the device must have a compliance profile
and Intune license assigned to them so the device can be evaluated for compliance.
If no compliance policy is deployed to the user, the device is treated as compliant
and no access restrictions are applied.
Next steps
How to configure Conditional Access in Azure Active Directory
Important
The information in this article applies to customers who are supported to use an
Exchange Connector.
Beginning in July of 2020, support for the Exchange connector is deprecated, and
replaced by Exchange hybrid modern authentication (HMA). If you have an
Exchange Connector set up in your environment, your Intune tenant remains
supported for its use, and you’ll continue to have access to UI that supports its
configuration. You can continue to use the connector or configure HMA and then
uninstall your connector.
Use of HMA does not require Intune to set up and use the Exchange Connector.
With this change, the UI to configure and manage the Exchange Connector for
Intune has been removed from the Microsoft Intune admin center, unless you
already use an Exchange connector with your subscription.
Important
Intune will be removing support for the Exchange On-Premises Connector feature
from the Intune service beginning in the 2007 (July) release. Existing customers with
an active connector will be able to continue with the current functionality at this
time. New customers and existing customers that do not have an active connector
will no longer be able to create new connectors or manage Exchange ActiveSync
(EAS) devices from Intune. For those tenants, Microsoft recommends the use of
Exchange hybrid modern authentication (HMA) to protect access to Exchange on-
premises. HMA enables both Intune App Protection Policies (also known as MAM)
and Conditional Access through Outlook Mobile for Exchange on-premises.
The information in this article can help you install and monitor the Intune Exchange
connector. You can use the connector with your conditional access policies to allow or
block access to your Exchange on-premises mailboxes.
The connector is installed and runs on your on-premises hardware. It discovers devices
that connect to Exchange, communicating device information to the Intune service. The
connector allows or blocks devices based on whether the devices are enrolled and
compliant. These communications use the HTTPS protocol.
When a device tries to access your on-premises Exchange server, the Exchange
connector maps Exchange ActiveSync (EAS) records in Exchange Server to Intune
records to make sure the device enrolls with Intune and complies with your device's
policies. Depending on your conditional access policies, the device can be allowed or
blocked. For more information, see What are common ways to use conditional access
with Intune?
Both discovery and allow/block operations are done by using standard Exchange
PowerShell cmdlets. These operations use the service account that's provided when the
Exchange connector is initially installed.
Follow these general steps to set up a connection that enables Intune to communicate
with the on-premises Exchange server:
1. Download the on-premises connector from the Microsoft Intune admin center.
2. Install and configure the Exchange connector on a computer in the on-premises
Exchange organization.
3. Validate the Exchange connection.
4. Repeat these steps for each additional Exchange organization you want to connect
to Intune.
If the EAS record is new and Intune isn't aware of it, Intune issues a cmdlet (pronounced
"command-let") that directs the Exchange server to block access to e-mail. Following are
more details on how this process works:
2. If the device is not managed by Intune, access to email will be blocked. Intune
sends a block notification to the EAS client.
3. EAS receives the block notification, moves the device to quarantine, and sends the
quarantine email with remediation steps that contain links so the users can enroll
their devices.
4. The Workplace join process happens, which is the first step to have the device
managed by Intune.
6. Intune maps the EAS record to a device record, and saves the device compliance
state.
7. The EAS client ID gets registered by the Azure AD Device Registration process,
which creates a relationship between the Intune device record, and the EAS client
ID.
10. Exchange server sends the notification to EAS client so the user can access e-mail.
The following table lists the requirements for the computer on which you install the
Intune Exchange connector.
Requirement: More information
Operating systems: Intune supports the Intune Exchange connector on a computer that runs
any edition of Windows Server 2008 SP2 64-bit, Windows Server 2008 R2, Windows Server
2012, Windows Server 2012 R2, or Windows Server 2016.
Hardware: The computer on which you install the connector requires a 1.6 GHz CPU with
2 GB of RAM and 10 GB of free disk space.
Active Directory synchronization: Before you use the connector to connect Intune to your
Exchange server, set up Active Directory synchronization. Your local users and security
groups must be synced with your instance of Azure Active Directory.
Additional software: The computer that hosts the connector must have a full installation
of Microsoft .NET Framework 4.5 and Windows PowerShell 2.0.
Network: The computer on which you install the connector must be in a domain that has
a trust relationship with the domain that hosts your Exchange server.
- manage.microsoft.com
- *manage.microsoft.com
- *.manage.microsoft.com
Get-ActiveSyncOrganizationSettings, Set-ActiveSyncOrganizationSettings
Get-CasMailbox, Set-CasMailbox
ActiveSyncDeviceAccessRule, Remove-ActiveSyncDeviceAccessRule
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncDevice
Get-ExchangeServer
Get-ActiveSyncDeviceClass
Get-Recipient
Clear-ActiveSyncDevice, Remove-ActiveSyncDevice
Set-ADServerSettings
Get-Command
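Before running the installer, a practitioner usually wants a single script that confirms the host, network and service-account requirements above are all met. The following readiness check is an added example, not part of the Intune documentation or the connector itself. It checks the table's OS, memory, disk, domain, .NET 4.5 and PowerShell requirements, tests a TCP path to the Intune endpoint on port 443, and, when run in an Exchange Management Shell opened as the connector's service account, lists any of the required cmdlets that account cannot see. Assumptions: $ManageEndpoint is the host the connector must reach over HTTPS, and the ActiveSyncDeviceAccessRule family is expanded to the Get/Set/New/Remove verbs that exist in Exchange, because the page's entry for that family is truncated.

```powershell
# Added example (not from the Intune documentation): readiness check for a prospective
# Intune Exchange connector host. Written for Windows PowerShell 2.0 and later, which is
# why it uses Get-WmiObject rather than Get-CimInstance.

$RequiredCmdlets = @(
    'Get-ActiveSyncOrganizationSettings', 'Set-ActiveSyncOrganizationSettings',
    'Get-CasMailbox', 'Set-CasMailbox',
    'Get-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncDeviceAccessRule',    # assumed: the page's
    'New-ActiveSyncDeviceAccessRule', 'Remove-ActiveSyncDeviceAccessRule', # entry is truncated
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncDevice', 'Get-ExchangeServer',
    'Get-ActiveSyncDeviceClass', 'Get-Recipient',
    'Clear-ActiveSyncDevice', 'Remove-ActiveSyncDevice',
    'Set-ADServerSettings', 'Get-Command'
)

function Test-IntuneExchangeConnectorHost {
    param(
        [string]$ManageEndpoint = 'manage.microsoft.com',   # assumed HTTPS target from the list above
        [string[]]$Cmdlets = $RequiredCmdlets
    )
    $os       = Get-WmiObject Win32_OperatingSystem
    $cs       = Get-WmiObject Win32_ComputerSystem
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    # .NET Framework 4.5 or later writes Release >= 378389 under the v4 Full key.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $dotNet45 = ($ndp -ne $null) -and ($ndp.Release -ge 378389)

    # A plain TCP connect on 443 proves a network path to the Intune service exists. If the
    # host reaches the internet through a proxy, test through the proxy you will configure.
    $https = $false
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ManageEndpoint, 443); $https = $tcp.Connected } catch { } finally { $tcp.Close() }

    # Get-Command only returns cmdlets the current account is allowed to run, so running
    # this as the service account shows what RBAC has actually granted it.
    $visible = @(Get-Command -Name $Cmdlets -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    $missing = @($Cmdlets | Where-Object { $visible -notcontains $_ })

    New-Object PSObject -Property @{
        ServerEdition      = $os.ProductType -ne 1              # 1 = workstation, 2/3 = DC/server
        Is64Bit            = $os.OSArchitecture -eq '64-bit'
        DomainJoined       = [bool]$cs.PartOfDomain
        MemoryOK           = $cs.TotalPhysicalMemory -ge 1.9GB  # allows for firmware-reserved RAM
        FreeDiskOK         = $sysDrive.Free -ge 10GB
        DotNet45OrLater    = $dotNet45
        PowerShell2OrLater = $PSVersionTable.PSVersion.Major -ge 2
        HttpsToIntune      = $https
        MissingCmdlets     = $missing
    }
}

# Usage: every boolean should be True and MissingCmdlets empty before you run the installer.
Test-IntuneExchangeConnectorHost | Format-List
```

The cmdlet check is the one most worth keeping around: if RBAC on the service account is later tightened, a non-empty MissingCmdlets is the first thing to look at when the connector stops discovering or blocking devices.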
Follow these steps to install the Intune Exchange connector. If you have multiple
Exchange organizations, repeat the steps for each Exchange connector you want to set
up.
1. On a supported operating system for the Intune Exchange connector, extract the
files in Exchange_Connector_Setup.zip to a secure location.
Important
2. After the files are extracted, open the extracted folder and double-click
Exchange_Connector_Setup.exe to install the connector.
Important
If the destination folder isn't a secure location, delete the certificate file
MicrosoftIntune.accountcert when you finish installing your on-premises
connectors.
3. In the Microsoft Intune Exchange Connector dialog box, select either On-
premises Microsoft Exchange Server or Hosted Microsoft Exchange Server.
For an on-premises Exchange server, provide either the server name or the fully
qualified domain name of the Exchange server that hosts the Client Access Server
role.
For a hosted Exchange server, provide the Exchange server address. To find the
hosted Exchange server URL:
b. Choose the ? icon in the upper-left corner, and then select About.
d. Choose Proxy Server to specify proxy server settings for your hosted Exchange
server.
i. Select Use a proxy server when synchronizing mobile device information.
ii. Enter the proxy server name and the port number to be used to access the
server.
iii. If user credentials are required to access the proxy server, select Use
credentials to connect to the proxy server. Then enter the domain\user and
the password.
Make sure the Autodiscover service and Exchange Web Services are configured on
the Exchange CAS. For more information, see Client Access server.
6. In the Password field, provide the password for this account to enable Intune to
access the Exchange server.
Note
The account you use to sign in to the tenant needs to be at least an Intune
service administrator. Without this administrator account, you'll get a failed
connection with the error "The remote server returned an error: (400) Bad
Request".
7. Choose Connect.
Note
During configuration, the Exchange connector stores your proxy settings to enable
access to the internet. If your proxy settings change, reconfigure the Exchange
connector to apply the updated proxy settings to the Exchange connector.
After the Exchange connector sets up the connection, mobile devices that are associated
with Exchange-managed users are automatically synchronized and added to the
Exchange connector. This synchronization might take some time to complete.
Note
To fail over, the connector uses the specified CAS to create a successful connection to
Exchange. It then discovers additional CASs for that Exchange organization. This
discovery enables the connector to fail over to another CAS if one is available, until the
primary CAS becomes available.
By default, discovery of additional CASs is enabled. If you need to turn off failover:
3. Change <IsCasFailoverEnabled>true</IsCasFailoverEnabled> to
<IsCasFailoverEnabled>false</IsCasFailoverEnabled>.
Before you make this change, ensure the account you use to run the Exchange
connector isn't used for other Exchange management purposes. An Exchange account
has a limited number of run spaces, and the connector will use most of them.
Performance tuning isn't suitable for connectors that run on older or slower hardware.
1. On the server where the connector is installed, open the connector's installation
directory. The default location is C:\ProgramData\Microsoft\Windows Intune
Exchange Connector.
<EnableParallelCommandSupport>true</EnableParallelCommandSupport>
4. Save the file, and then restart the Microsoft Intune Exchange connector service.
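Both of the configuration changes described above (turning off CAS failover discovery and enabling parallel command support) are edits to boolean elements in the connector's XML configuration followed by a service restart. The function below is an added example, not part of the Intune documentation or the connector, that makes those edits safely: it refuses to touch an element it cannot find, keeps a timestamped backup, supports -WhatIf for a dry run, and restarts the service afterwards. Assumptions: the configuration file name is a placeholder (the page does not give it; use the file in your installation directory), and the service is located by its display name.

```powershell
# Added example (not from the Intune documentation): toggle a boolean setting in the
# Intune Exchange connector's XML configuration, with backup, dry-run and service restart.

function Set-IntuneExchangeConnectorSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('IsCasFailoverEnabled', 'EnableParallelCommandSupport')]
        [string]$Name,

        [Parameter(Mandatory = $true)]
        [bool]$Value,

        # Placeholder file name: substitute the connector's configuration file in this directory.
        [string]$ConfigPath = 'C:\ProgramData\Microsoft\Windows Intune Exchange Connector\<ConnectorConfigFile>.xml'
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Configuration file not found: $ConfigPath" }

    $config = New-Object System.Xml.XmlDocument
    $config.Load($ConfigPath)
    $node = $config.SelectSingleNode("//$Name")
    if ($null -eq $node) { throw "Element <$Name> not found in $ConfigPath" }

    $newValue = $Value.ToString().ToLowerInvariant()   # the file uses lower-case true/false
    if ($node.InnerText -eq $newValue) {
        Write-Verbose "<$Name> is already $newValue; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess($ConfigPath, "Set <$Name> from '$($node.InnerText)' to '$newValue'")) {
        $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
        Copy-Item -LiteralPath $ConfigPath -Destination $backup
        $node.InnerText = $newValue
        $config.Save($ConfigPath)

        # Assumed: the service is found by display name, as the page names it.
        $svc = Get-Service -DisplayName '*Intune Exchange Connector*' -ErrorAction SilentlyContinue
        if ($svc) { Restart-Service -InputObject $svc -Force }
        else      { Write-Warning 'Connector service not found by display name; restart it manually.' }
    }
}

# Turn off CAS failover discovery: dry run first, then apply.
Set-IntuneExchangeConnectorSetting -Name IsCasFailoverEnabled -Value $false -WhatIf
Set-IntuneExchangeConnectorSetting -Name IsCasFailoverEnabled -Value $false

# Enable parallel command support only after confirming the service account is dedicated
# to the connector (it will consume most of that account's run spaces).
Set-IntuneExchangeConnectorSetting -Name EnableParallelCommandSupport -Value $true
```

Keeping the backup next to the file means a bad edit is a one-line Copy-Item away from being reverted, which matters because the connector service will not start cleanly on a malformed configuration.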
You might need to reinstall an Intune Exchange connector. Because only a single
connector can connect to each Exchange organization, if you install a second connector
for the organization, the new connector you install replaces the original connector.
1. To reinstall the new connector, follow the steps in the Install and configure the
Exchange connector section.
3. Continue the steps from the Install and configure the Intune Exchange connector
section, and sign in to Intune again.
4. The console displays details for the connector you select, where you can view the
Status and the date and time of the last successful synchronization.
In addition to the in-console status, you can use the System Center Operations Manager
management pack for Exchange connector and Intune. The management pack offers
different ways to monitor the Exchange connector when you need to troubleshoot
issues.
A quick sync occurs regularly, several times a day. A quick sync retrieves device
information for Intune-licensed and on-premises Exchange users that are targeted
for conditional access and that have changed since the last sync.
A full sync occurs once daily by default. A full sync retrieves device information for
all Intune-licensed and on-premises Exchange users that are targeted for
conditional access. A full sync also retrieves Exchange Server information and
ensures that the configuration that Intune specifies is updated on the Exchange
server.
You can force a connector to run a sync by using the Quick Sync or Full Sync options on
the Intune dashboard:
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Exchange access > Exchange ActiveSync on-
premises connector.
3. Select the connector you want to sync, and then choose Quick Sync or Full Sync.
Next steps
Create a conditional access policy for on-premises Exchange servers.
Configure Exchange on-premises access for Intune
Article • 02/22/2023
This article shows you how to configure Conditional Access for Exchange on-premises
based on device compliance.
If you have an Exchange Online Dedicated environment and need to find out whether it
is in the new or the legacy configuration, contact your account manager. To control
email access to Exchange on-premises or to your legacy Exchange Online Dedicated
environment, configure Conditional Access to Exchange on-premises in Intune.
Important
The information in this article applies to customers who are supported to use an
Exchange Connector.
Beginning in July of 2020, support for the Exchange connector is deprecated, and
replaced by Exchange hybrid modern authentication (HMA). If you have an
Exchange Connector set up in your environment, your Intune tenant remains
supported for its use, and you’ll continue to have access to UI that supports its
configuration. You can continue to use the connector or configure HMA and then
uninstall your connector.
Use of HMA does not require Intune to set up and use the Exchange Connector.
With this change, the UI to configure and manage the Exchange Connector for
Intune has been removed from the Microsoft Intune admin center, unless you
already use an Exchange connector with your subscription.
Your Exchange version is Exchange 2010 SP3 or later. Exchange server Client
Access Server (CAS) array is supported.
You have installed and use the Exchange ActiveSync on-premises Exchange
connector, which connects Intune to on-premises Exchange.
Important
The connector supports an Exchange CAS environment. Intune supports installing the
connector on the Exchange CAS server directly. We recommend you install it on a
separate computer because of the additional load the connector puts on the
server. When configuring the connector, you must set it up to communicate to one
of the Exchange CAS servers.
When Conditional Access policies are configured and targeted to a user, before a
user can connect to their email, the device they use must be:
Either enrolled with Intune or a domain-joined PC.
Registered in Azure Active Directory. Additionally, the client Exchange
ActiveSync ID must be registered with Azure Active Directory.
If the device doesn't meet Conditional Access settings, the user is presented with
one of the following messages when they sign in:
If the device isn't enrolled with Intune, or isn't registered in Azure Active
Directory, a message displays with instructions about how to install the
Company Portal app, enroll the device, and activate email. This process also
associates the device's Exchange ActiveSync ID with the device record in Azure
Active Directory.
If the device isn't compliant, a message displays that directs the user to the
Intune Company Portal website, or the Company Portal app. From the company
portal, they can find information about the problem and how to remediate it.
3. Select Devices > Configuration profiles > Create profile, enter Name and
Description for the profile.
Note
Microsoft Outlook for Android and iOS/iPadOS is not supported via the Exchange
on-premises connector. If you want to leverage Azure Active Directory Conditional
Access policies and Intune App Protection Policies with Outlook for iOS/iPadOS and
Android for your on-premises mailboxes, please see Using hybrid Modern
Authentication with Outlook for iOS/iPadOS and Android.
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Before you can use the following procedure to set up Exchange on-premises access
control, you must install and configure at least one Intune on-premises Exchange
connector for Exchange on-premises.
2. Go to Tenant administration > Exchange access, and then select Exchange On-
premises access.
3. On the Exchange on-premises access pane, choose Yes to Enable Exchange on-
premises access control.
4. Under Assignment, choose Select groups to include, and then select one or more
groups to configure access.
Members of the groups you select have the Conditional Access policy for Exchange
on-premises access applied to them. Users who receive this policy must enroll their
devices in Intune and be compliant with the compliance profiles before they can
access Exchange on-premises.
5. To exclude groups, choose Select groups to exclude, and then select one or more
groups that are exempt from requirements to enroll devices and to be compliant
with the compliance profiles before accessing Exchange on-premises.
Select Save to save your configuration, and return to the Exchange access pane.
6. Next, configure settings for the Intune on-premises Exchange connector. In the
admin center, select Tenant administration > Exchange Access> Exchange
ActiveSync on-premises connector and then select the connector for the
Exchange organization that you want to configure.
7. For User notifications, select Edit to open the Edit Organization workflow where
you can modify the User notification message.
Modify the default email message that's sent to users if their device isn't compliant
and they want to access Exchange on-premises. The message template uses
Markup language. You can also see a preview of how the message looks as you
type.
Select Review + save, and then Save to save your edits to complete configuration
of Exchange on-premises access.
Tip
To learn more about Markup language, see this Wikipedia article.
8. Next, select Advanced Exchange ActiveSync access settings to open the Advanced
Exchange ActiveSync access settings workflow where you configure device access
rules.
For Unmanaged device access, set the global default rule for access from
devices that are not affected by Conditional Access or other rules:
Block access and Quarantine – All devices are immediately blocked from
accessing Exchange on-premises initially. Devices that belong to users in
the groups you configured as included in the previous procedure get
access after the device enrolls in Intune and is evaluated as compliant.
Android devices that do not run Samsung Knox standard don't support this
setting and are always blocked.
For Device platform exceptions, select Add, and then specify details as
needed for your environment.
If the Unmanaged device access setting is set to Blocked, devices that are
enrolled and compliant are allowed even if there's a platform exception to
block them.
9. Select OK to save your edits.
10. Select Review + save, and then Save to save the Exchange Conditional Access
policy.
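The access-rule settings above, and the quarantine flow described earlier in the connector article (new EAS record, block notification, device moved to quarantine, remediation mail), all end up as state on the Exchange server. The script below is an added example, not part of the Intune documentation or the connector, that audits that state using only Get-* cmdlets from the list the connector's service account needs: the organization's default ActiveSync access level, the device access rules the connector wrote, and the devices currently sitting in quarantine together with the user waiting on them. Run it in an Exchange Management Shell or a remote session to a CAS. The $ExpectedDefault parameter is an assumption of this example, used only to warn when the Exchange default no longer matches what you set in Intune.

```powershell
# Added example (not from the Intune documentation): read-only audit of the ActiveSync
# access posture that the Intune Exchange connector manages on the Exchange side.

function Get-EasAccessPosture {
    [CmdletBinding()]
    param(
        # What Intune's "Unmanaged device access" setting should have pushed to Exchange.
        [ValidateSet('Allow', 'Block', 'Quarantine')]
        [string]$ExpectedDefault = 'Quarantine'
    )
    $org   = Get-ActiveSyncOrganizationSettings
    $rules = Get-ActiveSyncDeviceAccessRule

    if ($org.DefaultAccessLevel -ne $ExpectedDefault) {
        Write-Warning ("DefaultAccessLevel on Exchange is '{0}', expected '{1}'. " +
                       "Unmanaged devices may be getting mail without enrolling.") -f $org.DefaultAccessLevel, $ExpectedDefault
    }

    # Devices in Quarantined state are the users the connector's remediation mail went to;
    # DeviceAccessStateReason tells you whether the global default or a specific rule did it.
    $quarantined = Get-ActiveSyncDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceAccessStateReason, FirstSyncTime

    New-Object PSObject -Property @{
        DefaultAccessLevel  = $org.DefaultAccessLevel          # Allow / Block / Quarantine
        AdminMailRecipients = $org.AdminMailRecipients         # who is told about quarantined devices
        UserMailInsert      = $org.UserMailInsert              # text added to the quarantine mail
        DeviceAccessRules   = @($rules | Select-Object Name, QueryString, Characteristic, AccessLevel)
        QuarantinedDevices  = @($quarantined)
    }
}

# Usage
$posture = Get-EasAccessPosture -ExpectedDefault 'Quarantine'
$posture.DefaultAccessLevel
$posture.DeviceAccessRules  | Format-Table -AutoSize
$posture.QuarantinedDevices | Format-Table -AutoSize
```

Two things to look at in the output: a platform exception in DeviceAccessRules that allows a whole device family (Characteristic DeviceType or DeviceModel with AccessLevel Allow) bypasses the compliance requirement for every unmanaged device of that kind, and a large or growing QuarantinedDevices list usually means users are not receiving or not acting on the remediation mail rather than that the connector is failing.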
Next steps
Next, create a compliance policy and assign it to the users for Intune to evaluate their
mobile devices. See Get started with device compliance.
With Microsoft Intune device compliance policies, your Azure Active Directory (Azure
AD) Conditional Access policies can use a device's status to either grant or deny access
to your organization's apps and services.
You can use the Microsoft Intune admin center to configure your device-based
Conditional Access policies. From within the admin center you have access to the
Conditional Access policy UI as found in Azure AD. Use of the Azure AD UI provides
access to all the options you would have if you were to configure the policy from within
the Azure portal. The policies you create can specify the apps or services you want to
protect, the conditions under which the apps or services can be accessed, and the users
the policy applies to.
To create a device-based Conditional Access policy, your account must have one of the
following permissions in Azure AD:
Global administrator
Security administrator
Conditional Access administrator
Important
Before you set up Conditional Access, you'll need to set up Intune device
compliance policies to evaluate devices based on whether they meet specific
requirements. See Get started with device compliance policies in Intune.
The New pane opens, which is the configuration pane from Azure AD. The policy
you’re creating is an Azure AD policy for Conditional Access. To learn more about
this pane and Conditional Access policies, see Conditional Access policy
components in the Azure AD content.
3. Under Assignments, configure Users to select the Identities in the directory that
the policy applies to. To learn more, see Users and groups in the Azure AD
documentation.
On the Include tab, configure the user and groups you want to include.
Use the Exclude tab if there are any users, roles, or groups you want to
exclude from this policy.
Tip
Test the policy against a smaller group of users to make sure it works as
expected before deploying it to larger groups.
4. Next configure Cloud apps or actions, which is also under Assignments. For the
drop-down selection for what this policy applies to, choose Cloud apps.
On the Include tab, use available options to identify the apps and services
you want to protect with this Conditional Access policy.
If you choose Select apps, select the apps and services you want to protect
with this policy.
Caution
If you choose All cloud apps, be sure to review the warning, and then
Exclude from this policy your account or other relevant users and groups
that should retain access to use the Azure portal or Microsoft Intune
admin center after this policy takes effect.
Use the Exclude tab if there are any apps or services you want to exclude
from this policy.
For more information, see Cloud apps or actions in the Azure AD documentation.
5. Next, configure Conditions. Select the signals you want to use as conditions for
this policy. Options include:
User risk
Sign-in risk
Device platforms
Locations
Client apps
Filter for devices
Tip
6. Under Access controls, select Grant and then one or more requirements. To learn
about the options for Grant, see Grant in the Azure AD Documentation.
Block access: The users specified in this policy will be denied access to the
apps or services under the conditions you've specified.
Grant access: The users specified in this policy will be granted access, but you
can require any of the following further actions:
Require multi-factor authentication
Require device to be marked as compliant - This option is required for the
policy to use device compliance status.
Require Hybrid Azure AD joined device
Require approved client app
Require app protection policy
Require password change
7. Under Enable policy, select On. By default, the policy is set to Report-only.
8. Select Create.
Next steps
App-based Conditional Access with Intune
Intune app protection policies work with Conditional Access, an Azure Active Directory
(Azure AD) capability, to help protect your organizational data on devices your employees use.
These policies work on devices that enroll with Intune and on employee owned devices
that don't enroll.
App protection policies are rules that ensure an organization's data remains safe or
contained in a managed app.
An app protection policy can be a rule that's enforced when the user attempts to
access or move "corporate" data, or a set of actions that are prohibited or
monitored when the user is inside the app.
A managed app is an app that has app protection policies applied to it, and can be
managed by Intune.
You can also block the built-in mail apps on iOS/iPadOS and Android when you
allow only the Microsoft Outlook app to access Exchange Online. Additionally, you
can block apps that don't have Intune app protection policies applied from
accessing SharePoint Online.
App-based Conditional Access with client app management adds a security layer by
making sure only client apps that support Intune app protection policies can access
Exchange online and other Microsoft 365 services.
Prerequisites
Before you create an app-based Conditional Access policy, you must have:
For more information, see Enterprise Mobility pricing or Azure Active Directory
pricing .
Supported apps
A list of apps that support app-based Conditional Access can be found in Conditional
Access: Conditions in the Azure AD documentation.
App-based Conditional Access also supports line-of-business (LOB) apps, but these apps
need to use Microsoft 365 modern authentication.
Note
2. The user gets redirected to the app store to install a broker app when trying to
authenticate for the first time. The broker app can be the Microsoft Authenticator
for iOS, or Microsoft Company portal for Android devices.
If users try to use a native e-mail app, they're redirected to the app store to
install the Outlook app.
4. The broker app starts the Azure AD registration process, which creates a device
record in Azure AD. This process isn't the same as the mobile device management
(MDM) enrollment process, but this record is necessary so the Conditional Access
policies can be enforced on the device.
5. The broker app confirms the Azure AD device ID, the user, and the application. This
information is passed to the Azure AD sign-in servers to validate access to the
requested service.
6. The broker app sends the App Client ID to Azure AD as part of the user
authentication process to check if it's in the policy approved list.
7. Azure AD allows the user to authenticate and use the app based on the policy
approved list. If the app isn't on the list, Azure AD denies access to the app.
10. The Outlook app communicates with Exchange Online to retrieve the user's
corporate e-mail.
Next steps
Create an app-based Conditional Access policy
Block apps that don't have modern authentication
Set up app-based Conditional Access policies with Intune
Article • 02/22/2023
Set up app-based Conditional Access policies for apps that are part of the list of
approved apps. The list of approved apps consists of apps that were tested by
Microsoft.
Before you can use app-based Conditional Access policies, you need to have Intune app
protection policies applied to your apps.
Important
This article walks through the steps to add a simple app-based Conditional Access
policy. You can use the same steps for other cloud apps. For more information, see
Plan Conditional Access deployment
Before you can create Conditional Access policies from the Microsoft Intune admin
center, you must have an Azure AD Premium license.
3. Enter a policy Name, and then under Assignments, select Users or workload
identities, and apply the policy to Users and groups. Use the Include or Exclude
options to add your groups for the policy.
4. Select Cloud apps or actions, and apply the policy to Cloud apps. Use the Include
or Exclude options to select the apps to protect. For example, choose Select apps,
and select Office 365 (preview).
5. Select Conditions > Client apps to apply the policy to apps and browsers. For
example, select Yes, and then select the checkboxes for enable Browser and
Mobile apps and desktop clients.
6. Under Access controls, select Grant to apply Conditional Access based on a device
compliance status. For example, select Grant access > Require approved client
app and Require app protection policy, then select Require one of the selected
controls.
7. For Enable policy, select On, and then select Create to save your changes. By
default, Enable policy is set to Report-only.
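The portal steps in this article and the device-based steps in the previous one both produce an Azure AD Conditional Access policy object, and in a tenant that manages policy as code it is common to create them through Microsoft Graph instead. The following is an added example, not the Intune documentation's own code, that builds both policies: the device-based one with "Require device to be marked as compliant", and this article's app-based one with "Require approved client app" or "Require app protection policy" joined by "Require one of the selected controls". Both are created in report-only mode, matching the portal default, and both exclude a break-glass group, as the Caution in the device-based steps advises. Assumptions: the Microsoft.Graph.Identity.SignIns module is installed, and $PilotGroupId and $BreakGlassGroupId are placeholders for your own group object IDs.

```powershell
# Added example (not from the Intune documentation): create the device-based and app-based
# Conditional Access policies described on this page via Microsoft Graph PowerShell.

$PilotGroupId      = '00000000-0000-0000-0000-000000000001'   # placeholder: pilot users group
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access accounts

function New-CaPolicyBody {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string[]]$IncludeGroups,
        [string[]]$ExcludeGroups = @(),
        [string[]]$Applications = @('Office365'),                       # the Office 365 app group
        [string[]]$ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients'),
        [Parameter(Mandatory = $true)][string[]]$BuiltInControls,
        [ValidateSet('AND', 'OR')][string]$Operator = 'AND'             # OR = "Require one of the selected controls"
    )
    # enabledForReportingButNotEnforced is Report-only. Switch to 'enabled' only after the
    # sign-in logs show the expected outcomes for the pilot group.
    @{
        displayName = $DisplayName
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = $IncludeGroups; excludeGroups = $ExcludeGroups }
            applications   = @{ includeApplications = $Applications }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = $Operator; builtInControls = $BuiltInControls }
    }
}

# Device-based policy: "Require device to be marked as compliant".
$deviceBased = New-CaPolicyBody -DisplayName 'Pilot: require compliant device for Office 365' `
    -IncludeGroups $PilotGroupId -ExcludeGroups $BreakGlassGroupId `
    -BuiltInControls 'compliantDevice'

# App-based policy: "Require approved client app" OR "Require app protection policy".
$appBased = New-CaPolicyBody -DisplayName 'Pilot: require approved app or app protection policy' `
    -IncludeGroups $PilotGroupId -ExcludeGroups $BreakGlassGroupId `
    -BuiltInControls 'approvedApplication', 'compliantApplication' -Operator 'OR'

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'
foreach ($body in @($deviceBased, $appBased)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body | Select-Object Id, DisplayName, State
}
```

The grant control names map directly to the portal options: compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, mfa and passwordChange. Keep the break-glass exclusion on every policy that targets all users or all cloud apps; a policy that requires a compliant device with no exclusions can lock the administrators who created it out of the admin center.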
Next steps
Block apps that don't have modern authentication
Protect app data with app protection policies
Learn about Conditional Access in Azure Active Directory
Block apps that don't use modern
authentication (MSAL)
Article • 07/19/2023
App-based Conditional Access with app protection policies relies on applications using
modern authentication, which is an implementation of OAuth2. Most current Office
mobile and desktop applications use modern authentication. However, there are third-
party apps and older Office apps that use other authentication methods, like basic
authentication and forms-based authentication.
Additional information
For more information about Azure AD Conditional Access, see the following topics:
Next steps
App-based Conditional Access with Intune
Configure the Jamf Cloud Connector to
integrate with Microsoft Intune
Article • 08/30/2023
Important
Beginning on September 1, 2024, the platform that Jamf Pro’s Conditional Access
feature is built on will no longer be supported.
If you use Jamf Pro’s Conditional Access integration for macOS devices, follow
Jamf’s documented guidelines to migrate your devices to Device Compliance
integration at Migrating from macOS Conditional Access to macOS Device
Compliance – Jamf Pro Documentation.
If you need help, contact Jamf Customer Success. For more information, see the
blog post at https://aka.ms/Intune/Jamf-Device-Compliance.
This article can help you install the Jamf Cloud Connector to integrate Jamf Pro with
Microsoft Intune. Through integration, you can require that your macOS devices that are
managed by Jamf Pro meet your Intune device compliance requirements before those
devices are allowed to access your organization's resources. Resource access is
controlled by your Azure Active Directory (Azure AD) Conditional Access policies in the
same way as for devices managed through Intune.
We recommend use of the Jamf Cloud Connector as it automates many of the steps that
are required when you manually configure integration as documented in Integrate Jamf
Pro with Intune for compliance.
Setup automatically creates the Jamf Pro applications in Azure, replacing the need
to manually configure them.
You can integrate multiple instances of Jamf Pro with the same Azure tenant that
hosts your Intune subscription.
Connecting multiple instances of Jamf Pro with a single Azure tenant is supported only
when you use the Cloud Connector. When you use a manually configured connection,
only a single instance of Jamf can integrate with an Azure tenant.
Use of the Cloud Connector is optional:
For new tenants that don't yet integrate with Jamf, you can choose to configure
the Cloud Connector as described in this article. Or you can manually configure
integration as described in Integrate Jamf Pro with Intune for compliance
For tenants that already have a manual configuration, you can choose to remove
that integration, and then set up the Cloud Connector. Both the removal of an
existing integration and setup of the Cloud Connector are described in this article.
If you plan to replace your previous integration with the Jamf Cloud Connector:
Use the procedure to remove your current configuration, which includes deleting
the Enterprise apps for Jamf Pro and disabling the manual integration. Then you
can use the procedure to configure the Cloud Connector.
You won't need to re-register devices. Devices that are already registered can use
the Cloud Connector without further configuration.
Be sure to configure the Cloud Connector within 24 hours of removing your
manual integration to ensure your registered devices can continue to report their
status.
For more information about the Jamf Cloud Connector, see Configuring the macOS
Intune Integration using the Cloud Connector on docs.jamf.com.
Prerequisites
Products and services:
Network:
The following ports and endpoints must be accessible for Jamf and Intune to integrate
correctly:
For APNS to function correctly on the network, you must enable outgoing connections
to, and redirects from the following ports:
The Apple 17.0.0.0/8 block over TCP ports 5223 and 443 from all client networks.
Ports 2195 and 2196 from Jamf Pro servers.
For more information about these ports, see the following articles:
Accounts:
Procedures in this article require use of accounts with the following permissions:
If you have not previously set up a connection between Jamf Pro and Intune, or if you
have one or more connections that already use the Cloud Connector, skip this procedure
and begin with Configure the Cloud Connector for a new tenant.
2. Select Settings (the gear icon in the upper right corner), and then go to Global
Management > Conditional Access.
3. Select Edit.
When you deselect this setting, you disable the connection but save your
configuration.
5. Sign in to the Microsoft Intune admin center and go to Tenant administration >
Partner device management.
The Application ID is the ID of the Azure Enterprise app that is created in Azure
when you set up a manual integration of Jamf Pro.
6. Sign in to the Azure portal with an account that has Global Admin permissions,
and go to Azure Active Directory > Enterprise applications.
Locate the two Jamf apps and delete them. New applications will be automatically
created when you configure the Jamf Cloud Connector in the next procedure.
After you've disabled integration in Jamf Pro, and deleted the Enterprise
applications, the Partner device management node displays the connection status
of Terminated.
Now that you've successfully removed the manual configuration for Jamf Pro
integration, you can set up integration using the Cloud Connector. To do so, see
Configure the Cloud Connector for a new tenant in this article.
You don't have any integration between Jamf Pro and Intune configured for your
Azure tenant.
You already have a Cloud Connector set up between Jamf Pro and Intune in your
Azure tenant and want to integrate another Jamf instance with your subscription.
If you currently have a manually configured integration between Intune and Jamf Pro,
see Remove the Jamf Pro integration for a previously configured tenant in this article to
remove that integration before proceeding. Removal of a manually configured
integration is required before you can successfully set up the Jamf Cloud Connector.
2. Select Settings (the gear icon in the upper right corner), and then go to Global
Management > Conditional Access.
3. Select Edit.
Select this setting to have Jamf Pro send inventory updates to Microsoft
Intune.
You can deselect this setting to disable the connection but save your
configuration.
Important
6. From the Sovereign Cloud pop-up menu, select the location of your Sovereign
Cloud from Microsoft. If you're replacing your previous integration with the Jamf
Cloud Connector, you can skip this step if the location has been specified.
7. Select one of the following landing page options for computers that aren't
recognized by Microsoft Azure:
The Default Jamf Pro Device Registration page - Depending on the state of
the macOS device, this option redirects users to either the Jamf Pro device
enrollment portal (to enroll with Jamf Pro) or the Intune Company Portal app
(to register with Azure AD).
The Access Denied page
Custom URL
If you're replacing your previous integration with the Jamf Cloud Connector, you
can skip this step if the landing page has been specified.
8. Select Connect. You're redirected to register the Jamf Pro applications in Azure.
When prompted, specify your Microsoft Azure credentials and follow the onscreen
instructions to grant the requested permissions. You'll grant permissions for the
Cloud Connector, and then again for the Cloud Connector user registration app.
Both apps are registered in Azure as Enterprise Applications.
After permissions are granted for both apps, the Application ID page opens.
The Application ID is copied to your system clipboard for use in the next step, and
the Partner device management node in the Microsoft Intune admin center opens
(Tenant administration > Partner device management).
10. On the Partner device management node, paste the Application ID into the
Specify the Azure Active Directory App ID for Jamf field, and then select Save.
11. Return to the Application ID page in Jamf Pro and select Confirm.
12. Jamf Pro completes and tests the configuration and displays the success or failure
of the connection on the Conditional Access settings page. The following image is
an example of success:
13. In the Microsoft Intune admin center, refresh the Partner device management
node. The connection should now show as Active:
When the connection between Jamf Pro and Microsoft Intune is successfully established,
Jamf Pro sends inventory information to Microsoft Intune for each computer that is
registered with Azure AD (registering with Azure AD is an end-user workflow). You can
view the Conditional Access Inventory State for a user and a computer in the Local User
Account category of a computer's inventory information in Jamf Pro.
After you integrate one instance of Jamf Pro by using the Jamf Cloud Connector, you
can use this same procedure to configure more instances of Jamf Pro with the same
Intune subscription in your Azure tenant.
2. Select the option Terminate. Intune displays a message about the action. Review
the message and when ready, select OK. The option to Terminate the integration
only appears when the Jamf connection exists.
After you terminate the integration, refresh the view of the admin center to update the
view. Your organization's macOS devices are removed from Intune in 90 days.
1. In the Jamf Pro console, go to Global Management > Conditional Access. On the
macOS Intune Integration tab, select Edit.
3. Select Save. Jamf Pro sends your configuration to Intune and the integration will
be terminated.
5. Select Tenant administration > Connectors and tokens > Partner device
management to verify that the status is now Terminated.
After you terminate the integration, your organization's macOS devices will be removed
at the date shown in your console, which is after three months.
Review the Prerequisites, such as the ports and the product versions you use.
Confirm that permissions for the following two Jamf Pro apps created in Azure
haven't been modified. Changes to the app permissions aren't supported by Intune
and can cause integration to fail.
Next steps
Apply compliance policies to Jamf-managed devices
Data Jamf sends to Intune
Manually Integrate Jamf Pro with Intune
for compliance
Article • 08/30/2023
Important
Beginning on September 1, 2024, the platform that Jamf Pro’s Conditional Access
feature is built on will no longer be supported.
If you use Jamf Pro’s Conditional Access integration for macOS devices, follow
Jamf’s documented guidelines to migrate your devices to Device Compliance
integration at Migrating from macOS Conditional Access to macOS Device
Compliance – Jamf Pro Documentation.
If you need help, contact Jamf Customer Success. For more information, see the
blog post at https://aka.ms/Intune/Jamf-Device-Compliance.
Microsoft Intune supports integrating your Jamf Pro deployment to bring device
compliance and Conditional Access policies to your macOS devices. Through
integration, you can require that your macOS devices that are managed by Jamf Pro
meet your Intune device compliance requirements before those devices are allowed to
access your organization's resources. Resource access is controlled by your Azure Active
Directory (Azure AD) Conditional Access policies in the same way as for devices
managed through Intune.
When Jamf Pro integrates with Intune, you can sync the inventory data from macOS
devices with Intune, through Azure AD. Intune's compliance engine then analyzes the
inventory data to generate a report. Intune's analysis is combined with intelligence
about the device user's Azure AD identity to drive enforcement through Conditional
Access. Devices that are compliant with the Conditional Access policies can gain access
to protected company resources.
This article can help you manually integrate Jamf Pro with Intune.
Tip
After you configure integration, you'll then configure Jamf and Intune to enforce
compliance with Conditional Access on devices managed by Jamf.
Prerequisites
Network ports
The following ports should be accessible for Jamf and Intune to integrate correctly:
To allow APNS to function correctly on the network, you must also enable outgoing
connections to, and redirects from:
the Apple 17.0.0.0/8 block over TCP ports 5223 and 443 from all client networks.
ports 2195 and 2196 from Jamf Pro servers.
For more information about these ports, see the following articles:
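The following is an added example, not code from the page, Jamf or Microsoft. It turns the APNS network requirements listed here and in the Cloud Connector article above (the Apple 17.0.0.0/8 block over TCP 5223 and 443 from every client network, and TCP 2195 and 2196 from the Jamf Pro servers) into an offline check of an egress allow-list: a requirement counts as covered only when a rule's source and destination networks fully contain the required ones, so a rule that covers half a client network is reported as a gap. The rule format (source CIDR, destination CIDR, protocol, port), the sample networks and the sample rules are this example's own constructions; export your real firewall policy into this shape before relying on the result.

```python
"""Check an egress allow-list against the APNS requirements for Jamf Pro and Intune.

Added example, not from the page, Jamf or Microsoft. The AllowRule format and
the sample networks and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

APPLE_BLOCK = "17.0.0.0/8"


@dataclass(frozen=True)
class AllowRule:
    src: str        # source CIDR permitted by the rule
    dst: str        # destination CIDR permitted by the rule
    proto: str
    port: int


@dataclass(frozen=True)
class Requirement:
    src: str
    dst: str
    proto: str
    port: int
    label: str


def covers(rule: AllowRule, req: Requirement) -> bool:
    """A rule satisfies a requirement only if the required source and destination
    networks lie entirely inside the rule's networks and protocol/port match.
    A partially overlapping rule is not enough: some clients would still be blocked."""
    try:
        src_ok = ipaddress.ip_network(req.src).subnet_of(ipaddress.ip_network(rule.src))
        dst_ok = ipaddress.ip_network(req.dst).subnet_of(ipaddress.ip_network(rule.dst))
    except TypeError:       # IPv4 requirement checked against an IPv6 rule, or vice versa
        return False
    return src_ok and dst_ok and rule.proto == req.proto and rule.port == req.port


def apns_requirements(client_nets: Iterable[str], jamf_nets: Iterable[str]) -> List[Requirement]:
    """Expand the two bullet points into one requirement per network and port."""
    reqs = []
    for net in client_nets:
        for port in (5223, 443):
            reqs.append(Requirement(net, APPLE_BLOCK, "tcp", port, f"clients {net} -> APNs tcp/{port}"))
    for net in jamf_nets:
        for port in (2195, 2196):
            reqs.append(Requirement(net, APPLE_BLOCK, "tcp", port, f"Jamf Pro {net} -> APNs tcp/{port}"))
    return reqs


def missing_rules(rules: Iterable[AllowRule], reqs: Iterable[Requirement]) -> List[str]:
    """Labels of every requirement that no rule covers."""
    rules = list(rules)
    return [r.label for r in reqs if not any(covers(rule, r) for rule in rules)]


# Constructed sample: two client networks, one Jamf Pro server subnet, and an
# allow-list that is deliberately incomplete.
CLIENT_NETS = ["10.10.0.0/16", "10.20.0.0/16"]
JAMF_NETS = ["10.30.1.0/24"]
SAMPLE_RULES = [
    AllowRule("10.0.0.0/8", APPLE_BLOCK, "tcp", 443),        # HTTPS to Apple from every client
    AllowRule("10.10.0.0/16", APPLE_BLOCK, "tcp", 5223),      # only one client network gets 5223
    AllowRule("10.30.1.0/24", APPLE_BLOCK, "tcp", 2195),      # 2196 was forgotten
]


def audit() -> List[str]:
    """Run the sample allow-list against the sample networks."""
    return missing_rules(SAMPLE_RULES, apns_requirements(CLIENT_NETS, JAMF_NETS))


if __name__ == "__main__":
    for label in audit():
        print("MISSING:", label)
```

Run against the constructed data, `audit()` reports two gaps: the second client network has no rule for TCP 5223, and the Jamf Pro subnet lacks TCP 2196.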
In the Name section, enter a meaningful application name, for example Jamf
Conditional Access.
For the Supported account types section, select Accounts in any
organizational directory.
For Redirect URI, leave the default of Web, and then specify the URL for your
Jamf Pro instance.
3. Select Register to create the application and to open the Overview page for the
new app.
4. On the app Overview page, copy the Application (client) ID value and record it for
later use. You'll need this value in later procedures.
5. Select Certificates & secrets under Manage. Select the New client secret button.
Enter a value in Description, select any option for Expires and choose Add.
Important
Before you leave this page, copy the value for the client secret and record it
for later use. You will need this value in later procedures. This value isn't
available again without recreating the app registration.
7. On the API permissions page, remove all permissions from this app by selecting
the ... icon next to each existing permission. This removal is required; the
integration won't succeed if there are any unexpected extra permissions in this app
registration.
8. Next, add permissions to update device attributes. At the top left of the API
permissions page, select Add a permission to add a new permission.
9. On the Request API permissions page, select Intune, and then select Application
permissions. Select only the check box for update_device_attributes and save the
new permission.
12. Navigate to APIs my organization uses. Search for and select Windows Azure
Active Directory. Select Application permissions, and then select
Application.Read.All.
14. Next, grant admin consent for this app by selecting Grant admin consent for
<your tenant> in the top left of the API permissions page. You may need to
reauthenticate your account in the new window and grant the application access
by following the prompts.
15. Refresh the page by selecting Refresh at the top of the page. Confirm that admin
consent has been granted for the update_device_attributes permission.
16. After the app is registered successfully, the API permissions should only contain
one permission called update_device_attributes, and should appear as follows:
Note
If the client secret expires, you must create a new client secret in Azure and then
update the Conditional Access data in Jamf Pro. Azure lets you keep both the old
and the new secret active to prevent service disruptions.
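The following is an added example, not Microsoft or Jamf code. Steps 7 to 16 require the app registration to carry exactly the expected API permissions, and the troubleshooting guidance in the Cloud Connector article above warns that modified permissions on the Jamf apps can make the integration fail. This script audits an exported app registration manifest for that kind of drift. `requiredResourceAccess` is the real manifest field; every GUID below is a constructed placeholder rather than a real Intune or Azure AD permission ID, so substitute the IDs from your own tenant's manifest (and widen `EXPECTED` to whatever set your procedure grants, such as the Azure AD Application.Read.All permission from step 12).

```python
"""Audit an Azure AD app registration manifest for unexpected API permissions.

Added example, not Microsoft or Jamf code. requiredResourceAccess is the real
manifest field name; all GUIDs here are constructed placeholders.
"""
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str, str]    # (resourceAppId, permission id, "Role" or "Scope")

# Constructed placeholder IDs, NOT real values. "Role" = application permission,
# "Scope" = delegated permission.
INTUNE_API = "aaaaaaaa-0000-0000-0000-000000000001"
UPDATE_DEVICE_ATTRIBUTES = "aaaaaaaa-0000-0000-0000-000000000002"
GRAPH_API = "bbbbbbbb-0000-0000-0000-000000000001"
USER_READ = "bbbbbbbb-0000-0000-0000-000000000002"

# Human-readable names for reporting; build this table from your own manifest.
NAMES: Dict[Permission, str] = {
    (INTUNE_API, UPDATE_DEVICE_ATTRIBUTES, "Role"): "Intune/update_device_attributes (application)",
    (GRAPH_API, USER_READ, "Scope"): "Microsoft Graph/User.Read (delegated)",
}


def granted_permissions(manifest: dict) -> Set[Permission]:
    """Flatten requiredResourceAccess into (resource, permission, type) triples."""
    found = set()
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            found.add((resource["resourceAppId"], access["id"], access["type"]))
    return found


def describe(p: Permission) -> str:
    return NAMES.get(p, f"{p[0]}/{p[1]} ({p[2]})")


def audit_manifest(manifest: dict, expected: Set[Permission]) -> Dict[str, List[str]]:
    """Report permissions beyond the expected set (step 7: extras break the
    integration) and expected permissions that are absent (step 16)."""
    found = granted_permissions(manifest)
    return {
        "unexpected": sorted(describe(p) for p in found - expected),
        "missing": sorted(describe(p) for p in expected - found),
    }


# Constructed manifest fragment: the Intune application permission from step 9
# plus the delegated Microsoft Graph User.Read permission that a new registration
# carries by default, which step 7 tells you to remove.
SAMPLE_MANIFEST = {
    "displayName": "Jamf Conditional Access",
    "requiredResourceAccess": [
        {"resourceAppId": INTUNE_API,
         "resourceAccess": [{"id": UPDATE_DEVICE_ATTRIBUTES, "type": "Role"}]},
        {"resourceAppId": GRAPH_API,
         "resourceAccess": [{"id": USER_READ, "type": "Scope"}]},
    ],
}

# What step 16 says the registration should contain.
EXPECTED: Set[Permission] = {(INTUNE_API, UPDATE_DEVICE_ATTRIBUTES, "Role")}


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, EXPECTED))
```

Re-running the audit periodically against a fresh manifest export is a cheap way to catch the permission changes that the Cloud Connector article lists as a cause of failed integration.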
2. Select Tenant administration > Connectors and tokens > Partner device
management.
3. Enable the Compliance Connector for Jamf by pasting the Application ID you saved
during the previous procedure into the Specify the Azure Active Directory App ID
for Jamf field.
4. Select Save.
Select Include and specify which User groups you want to target for macOS
enrollment with Jamf.
Use Exclude to select groups of Users that won't enroll with Jamf and instead
will enroll their Macs directly with Intune.
Exclude overrides Include, which means any device that is in both groups is
excluded from Jamf and directed to enroll with Intune.
Note
This method of including and excluding user groups affects the enrollment
experience of the user. Any user with a macOS device that's already enrolled in
either Jamf or Intune who is then targeted to enroll with the other MDM must
unenroll their device and then re-enroll it with the new MDM before
management of the device works properly.
3. Select Evaluate to determine how many devices will be enrolled with Jamf, based
on your group configurations.
5. To proceed, you'll next need to use Jamf to deploy the Company Portal for Mac so
that users can register their devices to Intune.
2. Select the option Terminate. Intune displays a message about the action. Review
the message and when ready, select OK. The option to Terminate the integration
only appears when the Jamf connection exists.
After you terminate the integration, refresh the view of the admin center to update the
view. Your organization's macOS devices are removed from Intune in 90 days.
1. In the Jamf Pro console, go to Global Management > Conditional Access. On the
macOS Intune Integration tab, select Edit.
3. Select Save. Jamf Pro sends your configuration to Intune and the integration will
be terminated.
5. Select Tenant administration > Connectors and tokens > Partner device
management to verify that the status is now Terminated.
After you terminate the integration, your organization's macOS devices will be removed
at the date shown in your console, which is after three months.
Next steps
Apply compliance policies to Jamf-managed devices
Data Jamf sends to Intune
Enforce compliance on Macs managed
with Jamf Pro
Article • 08/30/2023
Important
Beginning on September 1, 2024, the platform that Jamf Pro’s Conditional Access
feature is built on will no longer be supported.
If you use Jamf Pro’s Conditional Access integration for macOS devices, follow
Jamf’s documented guidelines to migrate your devices to Device Compliance
integration at Migrating from macOS Conditional Access to macOS Device
Compliance – Jamf Pro Documentation.
If you need help, contact Jamf Customer Success. For more information, see the
blog post at https://aka.ms/Intune/Jamf-Device-Compliance.
After you integrate Jamf Pro with Intune, configure Intune compliance policies and
Azure Active Directory (Azure AD) Conditional Access policies to enforce compliance of
macOS devices with your organizational requirements.
The procedures in this article require access to both the Intune and Jamf Pro consoles.
Intune supports two methods to integrate Jamf Pro, which you configure separately
from the procedures in this article:
Recommended - Use the Jamf Cloud Connector to integrate Jamf Pro with Intune
Manually configure integration of Jamf Pro with Intune
After integration is configured, device users learn about Jamf Pro and Intune integration
through either a communication from your IT department about how to register a
device, or by discovering the Intune Company Portal app that you deploy through Jamf
Pro Self Service. After device registration completes, inventory data collected by Jamf Pro
for that device is shared with Intune. Information is shared only for those Mac devices
that have completed registration.
2. Select Devices > Compliance policies. If you're using a previously created policy,
select that policy in the admin center and then go to the next step of this
procedure. To create a new policy, select Create Policy and then specify details for
a policy with a Platform of macOS. Configure Settings and Actions for
noncompliance to meet your organizational requirements, and then select Create
to save the policy.
3. On the policy's Overview pane, select Assignments. Use the available options to
configure which Azure Active Directory (Azure AD) users and security groups
receive this policy. Jamf integration with Intune doesn't support compliance
policy that targets device groups.
Note
Jamf integration with Intune only supports Azure AD user groups. Device
compliance policies that are targeted to device groups will not apply.
Policies you deploy target the devices that are used by the assigned users. Those
devices are evaluated for compliance. Compliant devices are marked as compliant for
the setting "Require device to be marked as compliant" in Azure AD.
Note
To complete the following procedure, you need access to a macOS device and the Jamf
Pro portal.
3. Create a new package with the Company Portal app for macOS, then select Save.
5. Use the General payload to configure settings for the policy. These settings should
be:
7. Select Add to select the package with the Company Portal app.
10. Select the Scope tab to specify on which computers the Company Portal app
should install. Select Save. The policy runs on scoped devices the next time the
selected trigger occurs on the computer and the criteria in the General payload is
met.
Device registration requires a device user to manually select the Intune Company Portal
app from within Jamf Self Service. We recommend you contact your end users through
email, Jamf Pro notifications, or any other method your organization uses to direct them
to complete this action to get their devices registered.
Warning
Launching the Company Portal app manually (such as from the Applications or
Downloads folders) won't register the device. If a device user launches the Company
Portal manually, they'll see a warning, 'AccountNotOnboarded'.
2. Configure the Microsoft Intune Integration payload, including the trigger and
execution frequency.
3. Select the Scope tab, and then scope the policy to all targeted devices.
4. Select the Self Service tab to make the policy available in Jamf Self Service. Include
the policy in the Device Compliance category. Select Save.
In Jamf Pro, go to Settings > Global Management > Microsoft Intune Integration,
and then select Test.
The console displays a message with the success or failure of the connection. Should the
connection test from the Jamf Pro console fail, review the Jamf configuration.
Get information on how to remove a Jamf-managed device in the Jamf Pro docs. You
can also file a support ticket with Jamf support for more help.
Next steps
Conditional Access in Azure Active Directory
Get started with Conditional Access in Azure Active Directory
Add Endpoint protection settings in
Intune
Article • 02/22/2023
With Intune, you can use device configuration profiles to manage common Endpoint
protection security features on devices, including:
Firewall
BitLocker
Allowing and blocking apps
Microsoft Defender and encryption
For example, you can create an Endpoint protection profile that only allows macOS
users to install apps from the Mac App Store. Or, enable Windows SmartScreen when
running apps on Windows 10/11 devices.
Before you create a profile, review the following articles that detail the Endpoint
protection settings Intune can manage for each supported platform:
macOS settings
Windows settings
4. Select Create.
Select Next.
6. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:
macOS settings
Windows settings
7. Select Next.
8. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
9. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, see
Applicability rules.
Select Next.
10. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
When you plan for profiles with custom Firewall rules, consider the following
information, which could affect how you choose to group firewall rules in your profiles:
Each profile supports up to 150 firewall rules. When you use more than 150 rules,
create additional profiles, each limited to 150 rules.
For each profile, if a single rule fails to apply, all rules in that profile are failed and
none of the rules are applied to the device.
When a rule fails to apply, all rules in the profile are reported as failed. Intune
cannot identify which individual rule failed.
The Firewall rules that Intune can manage are detailed in the Windows Firewall
configuration service provider (CSP). To review the list of custom firewall settings for
Windows devices that Intune supports, see Custom Firewall rules.
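The following is an added example, not Microsoft code or an Intune feature. It works through the two planning constraints stated above: `chunk_rules` splits a rule list into profiles of at most 150 rules, and `isolate_failing_rule` is this example's own troubleshooting approach built on the all-or-nothing behaviour the text describes. Because Intune reports only that a whole profile failed, the function redeploys ever-smaller batches and halves the candidate set each round, so a single bad rule in a 150-rule profile is found in about eight deployments instead of 150. The `deploy` callback and the sample rules are constructed stand-ins for a real deployment and its reported status.

```python
"""Plan firewall-rule profiles around the 150-rule limit and all-or-nothing failure.

Added example, not Microsoft code. isolate_failing_rule is this example's own
bisection approach; simulated_deploy and the sample rules are constructed.
"""
from typing import Callable, List, Optional

MAX_RULES_PER_PROFILE = 150


def chunk_rules(rules: List[str], max_per_profile: int = MAX_RULES_PER_PROFILE) -> List[List[str]]:
    """Split rules into profiles that each respect the per-profile limit."""
    if max_per_profile < 1:
        raise ValueError("max_per_profile must be positive")
    return [rules[i:i + max_per_profile] for i in range(0, len(rules), max_per_profile)]


def isolate_failing_rule(rules: List[str], deploy: Callable[[List[str]], bool]) -> Optional[str]:
    """Find one rule that makes a profile fail, given that deploy() reports only
    whether the whole batch applied. Returns None if the batch applies cleanly."""
    if not rules or deploy(rules):
        return None
    batch = rules
    while len(batch) > 1:
        mid = len(batch) // 2
        left, right = batch[:mid], batch[mid:]
        # The batch failed, so at least one half fails too; keep following that half.
        batch = left if not deploy(left) else right
    return batch[0]


# Constructed sample: 400 rules named by index; rule 237 is the one that fails.
SAMPLE_RULES = [f"rule-{i:03d}" for i in range(400)]
BAD_RULE = "rule-237"


def simulated_deploy(batch: List[str]) -> bool:
    """Stand-in for an Intune deployment: the profile fails if any rule in it fails,
    and nothing says which rule was responsible."""
    return BAD_RULE not in batch


if __name__ == "__main__":
    profiles = chunk_rules(SAMPLE_RULES)
    print("profile sizes:", [len(p) for p in profiles])            # [150, 150, 100]
    failed = [p for p in profiles if not simulated_deploy(p)]
    print("failed profiles:", len(failed))                         # 1
    print("culprit:", isolate_failing_rule(failed[0], simulated_deploy))   # rule-237
```

In practice each `deploy` call is a real profile assignment followed by a check of the profile status, so the bisection is worth it only for the profiles that actually report failure; the healthy profiles stay in place.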
4. Select Create.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name might include the
profile type and platform.
Description: Enter a description for the policy. This setting is optional, but
recommended.
Select Next.
7. Specify settings for the Firewall rule, and then select Save to save it. To review the
available custom firewall rule options in documentation, see Custom Firewall rules.
a. The rule appears on the Microsoft Defender Firewall page in the list of rules.
b. To modify a rule, select the rule from the list, to open the Edit Rule page.
c. To delete a rule from a profile, select the ellipsis (…) for the rule, and then select
Delete.
d. To change the order in which rules display, select the up arrow, down arrow icon
at the top of the rule list.
Select Next.
8. In Assignments, select the device groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
9. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, see
Applicability rules.
Select Next.
10. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Next steps
Monitor the profile status.
Mobile Threat Defense integration with
Intune
Article • 07/07/2023
Note
This article is about third-party Mobile Threat Defense vendors. For more
information on Microsoft Defender for Endpoint, see Microsoft Defender for
Endpoint.
Intune can integrate data from a Mobile Threat Defense (MTD) vendor as an information
source for device compliance policies and device Conditional Access rules. You can use
this information to help protect corporate resources like Exchange and SharePoint, by
blocking access from compromised mobile devices.
Intune can use this same data as a source for unenrolled devices using Intune app
protection policies. As such, admins can use this information to help protect corporate
data within a Microsoft Intune protected app, and issue a block or selective wipe.
Note
Intune for GCC High only supports the Mobile Threat Defense (MTD) connector for
Android and iOS devices with MTD vendors that also have support in this
environment. You will see connectors enabled for those specific vendors when you
log in with a GCC-H tenant. Learn more about Microsoft Intune for US
Government GCC High support.
Typically, companies are proactive in protecting PCs from vulnerabilities and attack, while
mobile devices often go unmonitored and unprotected. Although mobile platforms have
built-in protection such as app isolation and vetted consumer app stores, these
platforms remain vulnerable to sophisticated attacks. As more employees use devices
for work and to access sensitive information, the information from MTD vendors can
help you protect devices and your resources from increasingly sophisticated attacks.
Intune Mobile Threat Defense connectors
Intune uses a Mobile Threat Defense connector to create a channel of communication
between Intune and your chosen MTD vendor. Intune MTD partners offer intuitive, easy
to deploy applications for mobile devices. These applications actively scan and analyze
threat information to share with Intune. Intune can use the data for either reporting or
enforcement purposes.
For example: A connected MTD app reports to the MTD vendor that a phone on your
network is currently connected to a network that is vulnerable to Man-in-the-Middle
attacks. This information is categorized to an appropriate risk level of low, medium, or
high. This risk level is then compared with the risk level allowances you set in Intune.
Based on this comparison, access to certain resources of your choice can be revoked
while the device is compromised.
Connector status
Once you add a Mobile Threat Defense connector to your tenant, the status will show
one of the following states:
Unavailable: Connector is/was deprovisioned. The MTD partner will need to talk to
Intune to provision it once more. (Yes, starting 2308; Yes, starting 2308)
App inventory
If you enable App Sync for iOS/iPadOS devices, inventories from both corporate and
personally owned iOS/iPadOS devices are sent to your MTD service provider. Data in the
app inventory includes:
App ID
App Version
App Short Version
App Name
App Bundle Size
App Dynamic Size
Whether the app is validated or not
Whether the app is managed or not
Note
We recommend using one Mobile Threat Defense vendor per tenant per platform.
For Device Compliance, you can use multiple Mobile Threat Defense vendors with a
single Intune tenant. However, when two or more vendors are configured for use for
the same platform, all devices that run that platform must install each MTD app and
scan for threats. Failure to submit a scan from any configured app results in the
device being marked as non-compliant.
This recommendation does not apply to Microsoft Defender for Endpoint. You can
use Defender for Endpoint with a third-party MTD app and check compliance
separately by deploying different compliance policies to different groups.
Better Mobile
BlackBerry Protect Mobile
Check Point Harmony Mobile
Lookout for Work
Microsoft Defender for Endpoint
MVISION Mobile
Pradeo
SentinelOne
Sophos Mobile
Symantec Endpoint Protection Mobile
Trend Micro Mobile Security as a Service
Wandera Mobile Threat Defense
Zimperium
Add Mobile Threat Defense apps to
unenrolled devices
Article • 02/21/2023
By default, when using Intune app protection policies with Mobile Threat Defense,
Intune does the work to guide the end user on their device to install and sign in to all
required apps to enable the connections with the relevant services.
End users need the Microsoft Authenticator (iOS) to register their device, and the Mobile
Threat Defense (both Android and iOS) to receive notifications when a threat is
identified in their mobile devices, and to receive guidance to remediate the threats.
Optionally, you can use Intune to add and deploy the Microsoft Authenticator, and
Mobile Threat Defense (MTD) apps as well.
Note
This article applies to all Mobile Threat Defense partners that support app
protection policies:
For unenrolled devices, you do not need an iOS app configuration policy that sets
up the Mobile Threat Defense for iOS app you use with Intune. This is a key
difference compared to Intune enrolled devices.
However, should you wish to make the app available to end users via the Intune
Company Portal, see the instructions for adding iOS store apps to Microsoft Intune. Use
this Microsoft Authenticator - iOS App Store URL when completing the Configure app
information section. Don't forget to assign the app to groups with Intune as the final
step.
Note
For iOS devices, you need the Microsoft Authenticator so users can have their
identities checked by Azure AD. The Intune Company Portal works as the broker on
Android devices so users can have their identities checked by Azure AD.
However, should you wish to make the app available to end users via the Intune
Company Portal, you can follow the steps provided in the following sections. Make sure
you're familiar with the process of:
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
ActiveShield - App Store URL when completing the Configure app
information section.
Making Check Point Harmony Mobile Protect available to end users
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Harmony Mobile Protect - Play Store URL when completing the Configure
app information section.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Harmony Mobile Protect - App Store URL when completing the Configure
app information section.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Lookout for Work - iOS App Store URL when completing the Configure app
information section.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this SEP
Mobile - App Store URL when completing the Configure app information
section.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Wandera Mobile - App Store URL when completing the Configure app
information section.
Next steps
Enable the Mobile Threat Defense connector in Intune for unenrolled devices
Create Mobile Threat Defense app protection policy with Intune
Article • 02/21/2023
Intune with Mobile Threat Defense (MTD) helps you detect threats and assess risk on
mobile devices. You can create an Intune app protection policy that assesses risk to
determine if the device is allowed to access corporate data or not.
Note
This article applies to all Mobile Threat Defense partners that support app
protection policies:
Set up MTD integration with Intune. Without this integration, the MTD app
protection policy will have no effect.
Apps: Select the apps you wish to be targeted by app protection policies. For this
feature set, these apps are blocked or selectively wiped based on device risk
assessment from your chosen Mobile Threat Defense vendor.
Conditional launch: Below Device conditions, use the drop-down box to select Max
allowed device threat level.
Assignments: Assign the policy to groups of users. The devices used by the
group's members are evaluated for access to corporate data on targeted apps via
Intune app protection.
Important
If you create an app protection policy for any protected app, the device's threat
level is assessed. Depending on the configuration, devices that don’t meet an
acceptable level are either blocked or selectively wiped through conditional launch.
If blocked, they are prevented from accessing corporate resources until the threat
on the device is resolved and reported to Intune by the chosen MTD vendor.
Next steps
Learn more about Mobile Threat Defense in Microsoft Intune.
Enable the Mobile Threat Defense connector in Intune for unenrolled devices
Article • 08/21/2023
During Mobile Threat Defense (MTD) setup, you've configured a policy for classifying
threats in your Mobile Threat Defense partner console and you've created the app
protection policy in Intune. If you've already configured the Intune connector in the
MTD partner console, you can now enable the MTD connection for MTD partner
applications.
Note
This article applies to all Mobile Threat Defense partners that support app
protection policies:
If the classic policy is deleted, you'll need to delete the connection to Intune that was
responsible for its creation, and then set it up again. This process recreates the classic
policy. It's not supported to migrate classic policies for MTD apps to the new policy type
for conditional access.
Classic conditional access policies for MTD apps:
Are used by Intune MTD to require that devices are registered in Azure AD so that
they have a device ID before communicating to MTD partners. The ID is required
so that devices can successfully report their status to Intune.
Are distinct from conditional access policies you might create to help manage
MTD.
By default, don't interact with other conditional access policies you use for
evaluation.
To view classic conditional access policies, in the Azure portal, go to Azure Active
Directory > Conditional Access > Classic policies.
Note
With the 2308 service release of Intune, a classic Conditional Access (CA) policy is
no longer created for the Microsoft Defender for Endpoint connector. If your
tenant has one previously created due to an integration with Microsoft Defender
for Endpoint, it can be deleted. Classic CA policies continue to be needed for
third-party MTD partners.
2. Select Tenant administration > Connectors and tokens > Mobile Threat Defense.
To set up an integration with a third-party Mobile Threat Defense vendor, you must
be a Global administrator.
4. Choose your MTD solution as the Mobile Threat Defense connector to setup from
the drop-down list.
Note
Ensure your tenant's MDM Authority is set to Intune (and not SCCM) to see the full
list of toggle options.
You can decide which MTD toggle options you need to enable according to your
organization's requirements. Here are more details:
Connect Android devices of version 4.4 and above to <MTD partner name> for
app protection policy evaluation: When you enable this option, app protection
policies using the Device Threat Level rule will evaluate devices including data from
this connector.
Connect iOS devices version 11 and above to <MTD partner name> for app
protection policy evaluation: When you enable this option, app protection policies
using the Device Threat Level rule will evaluate devices including data from this
connector.
Tip
You can see the Connection status and the Last synchronized time between Intune
and the MTD partner from the Mobile Threat Defense pane.
Next Steps
Create Mobile Threat Defense (MTD) app protection policy with Intune.
Add and assign Mobile Threat Defense (MTD) apps with Intune
Article • 02/22/2023
You can use Intune to add and deploy Mobile Threat Defense (MTD) apps so that end
users can receive notifications when a threat is identified in their mobile devices, and to
receive guidance to remediate the threats.
Tip
The Intune Company Portal works as the broker on Android devices so users can
have their identities checked by Azure AD.
See the instructions for adding iOS store apps to Microsoft Intune. Use this Microsoft
Authenticator app store URL when you configure App information.
For Configuration settings format, select Enter XML data, copy the following
content and paste it into the configuration policy body. Replace the
https://client.bmobi.net URL with the appropriate console URL.
<dict>
<key>better_server_url</key>
<string>https://client.bmobi.net</string>
<key>better_udid</key>
<string>{{aaddeviceid}}</string>
<key>better_user</key>
<string>{{userprincipalname}}</string>
</dict>
For Configuration settings format, select Enter XML data, copy the following
content and paste it into the configuration policy body.
<dict><key>MDM</key><string>INTUNE</string></dict>
See the instructions for using Microsoft Intune app configuration policies for
Android to add the MVISION Android app configuration policy.
For Configuration settings format, select Use configuration designer, and add the
following settings:
tenantid (value type: string): copy the value from the "Manage" page in the MVISION console.
defaultchannel (value type: string): copy the value from the "Manage" page in the MVISION console.
iOS
See the instructions for using Microsoft Intune app configuration policies for iOS
to add the MVISION Mobile iOS app configuration policy.
For Configuration settings format, select Use configuration designer, and add the
following settings:
tenantid (value type: string): copy the value from the "Manage" page in the MVISION console.
defaultchannel (value type: string): copy the value from the "Manage" page in the MVISION console.
See the instructions for using Microsoft Intune app configuration policies for
Android to add the SentinelOne Android app configuration policy.
For Configuration settings format, select Use configuration designer, and add the
following settings:
tenantid (value type: string): copy the value from the "Manage" page in the SentinelOne console.
defaultchannel (value type: string): copy the value from the "Manage" page in the SentinelOne console.
iOS
See the instructions for using Microsoft Intune app configuration policies for iOS
to add the SentinelOne iOS app configuration policy.
For Configuration settings format, select Use configuration designer, and add the
following settings:
tenantid (value type: string): copy the value from the "Manage" page in the SentinelOne console.
defaultchannel (value type: string): copy the value from the "Manage" page in the SentinelOne console.
Select the Integration setup files link and save the generated *.zip file. The .zip
file contains the *.plist file that will be used to create the iOS app configuration
policy in Intune.
See the instructions for using Microsoft Intune app configuration policies for
iOS to add the SEP Mobile iOS app configuration policy.
For Configuration settings format, select Enter XML data, copy the content
from the *.plist file, and paste its content into the configuration policy body.
Note
If you are unable to retrieve the files, contact Symantec Endpoint Protection
Mobile Enterprise Support.
Note
For initial testing, use a test group when assigning users and devices in the
Assignments section of the configuration policy.
Android Enterprise
See the instructions for using Microsoft Intune app configuration policies for
Android to add the Wandera Android app configuration policy using the
information below when prompted.
1. In the RADAR Wandera Portal, select the Add button under Configuration
settings format.
2. Select Activation Profile URL from the list of Configuration Keys. Select OK.
3. For Activation Profile URL select string from the Value type menu then copy the
Shareable Link URL from the desired Activation Profile in RADAR.
4. In the Intune admin center app configuration UI, select Settings, define
Configuration settings format > Use Configuration Designer and paste the
Shareable Link URL.
Note
Unlike iOS, you will need to define a unique Android Enterprise app configuration
policy for each Wandera Activation Profile. If you don’t require multiple Wandera
Activation Profiles, you may use a single Android app configuration for all target
devices. When creating Activation Profiles in Wandera, be sure to select “Azure
Active Directory” under the Associated User configuration to ensure Wandera is
able to synchronize the device with Intune via UEM Connect.
iOS
See the instructions for using Microsoft Intune app configuration policies for iOS
to add the Wandera iOS app configuration policy using the information below
when prompted.
1. In RADAR Wandera Portal, navigate to Devices > Activations and select any
activation profile. Select Deployment Strategies > Managed Devices > Microsoft
Intune and locate the iOS App Configuration settings.
2. Expand the box to reveal the iOS app configuration XML and copy it to your
system clipboard.
3. In Intune admin center app configuration UI Settings, define Configuration
settings format > Enter XML data.
4. Paste the XML in the app configuration text box.
Note
A single iOS configuration policy may be used across all devices that are to be
provisioned with Wandera.
See the instructions for using Microsoft Intune app configuration policies for
Android to add the Zimperium Android app configuration policy.
For Configuration settings format, select Use configuration designer, and add the
following settings:
tenantid (value type: string): copy the value from the "Manage" page in the Zimperium console.
defaultchannel (value type: string): copy the value from the "Manage" page in the Zimperium console.
iOS
See the instructions for using Microsoft Intune app configuration policies for iOS
to add the Zimperium iOS app configuration policy.
For Configuration settings format, select Use configuration designer, and add the
following settings:
tenantid (value type: string): copy the value from the "Manage" page in the Zimperium console.
defaultchannel (value type: string): copy the value from the "Manage" page in the Zimperium console.
Assigning Mobile Threat Defense apps to end
users via Intune
To install the Mobile Threat Defense app on the end user device, you can follow the
steps that are detailed in the following sections. Make sure you're familiar with the
process of:
Better Mobile
Check Point Harmony Mobile Protect
Lookout for Work
MVISION Mobile
Pradeo
SentinelOne
Sophos Mobile
Symantec Endpoint Protection Mobile (SEP Mobile)
Wandera
Zimperium
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
ActiveShield app store URL for the Appstore URL.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Check Point Harmony Mobile Protect app store URL for the Appstore URL.
Assigning Lookout for Work
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Lookout for work Google app store URL for the Appstore URL.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Lookout for Work iOS app store URL for the Appstore URL.
You must re-sign the Lookout for Work iOS app. Lookout distributes its Lookout
for Work iOS app outside of the iOS App Store. Before distributing the app, you
must re-sign the app with your iOS Enterprise Developer Certificate.
For detailed instructions to re-sign the Lookout for Work iOS apps, see Lookout
for Work iOS app re-signing process on the Lookout website.
Enable Azure AD authentication for Lookout for Work iOS app users.
2. Add the Lookout for Work iOS app as a native client application.
Note
See configure a native client application with Azure AD for more details.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
MVISION Mobile app store URL for the Appstore URL.
Assigning Pradeo
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Pradeo app store URL for the Appstore URL.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Pradeo app store URL for the Appstore URL.
Assigning SentinelOne
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
SentinelOne app store URL for the Appstore URL.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
SentinelOne app store URL for the Appstore URL.
Assigning Sophos
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Sophos app store URL for the Appstore URL.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
ActiveShield app store URL for the Appstore URL.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this SEP
Mobile app store URL for the Appstore URL.
Assigning Wandera
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Wandera Mobile app store URL for the Appstore URL. For Minimum
operating system, select Android 8.0.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Wandera Mobile app store URL for the Appstore URL.
Assigning Zimperium
Android
See the instructions for adding Android store apps to Microsoft Intune. Use this
Zimperium app store URL for the Appstore URL.
iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this
Zimperium app store URL for the Appstore URL.
Next steps
Configure the device compliance policy for MTD
Create Mobile Threat Defense (MTD) device compliance policy with Intune
Article • 02/22/2023
Intune with MTD helps you detect threats and assess risk on mobile devices. You can
create an Intune device compliance policy rule that assesses risk to determine if the
device is compliant or not. You can then use a Conditional Access policy to block access
to services based on device compliance.
5. On Compliance settings, expand and configure Device Health. Choose the Mobile
Threat Level from the drop-down list for Require the device to be at or under the
Device Threat Level.
Secured: This level is the most secure. The device can't have any threats
present and still access company resources. If any threats are found, the
device is evaluated as noncompliant.
Low: The device is compliant if only low-level threats are present. Anything
higher puts the device in a noncompliant status.
Medium: The device is compliant if the threats found on the device are low or
medium level. If high-level threats are detected, the device is determined as
noncompliant.
High: This threat level is the least secure as it allows all threat levels and uses
Mobile Threat Defense for reporting purposes only. Devices are required to
have the MTD app activated with this setting.
6. Select Next to advance through to Assignments. Select the groups that will receive
this profile.
Important
You will see the option to either select user groups, or device based groups under
Select groups to include. The Require the device to be at or under the Device
Threat Level setting is currently only supported with user groups. Targeting device
groups is currently not supported and they should not be selected.
Select Next.
7. On the Review + create page, when you're done, choose Create. The new profile is
displayed in the list when you select the policy type for the profile you created.
Important
If you create Conditional Access policies for Microsoft 365 or other services, the
device compliance evaluation is assessed and noncompliant devices are blocked
from accessing corporate resources until the threat is resolved in the device and
reported to Intune via the chosen MTD vendor.
4. Select Edit for Assignments, and then use the available options to Include and
Exclude groups to receive this policy. As a reminder, targeting device groups is
currently not supported and they should not be selected.
5. Select Review + save to complete the assignment. When you save the assignment,
the policy deploys to your selected users and their devices are evaluated for
compliance.
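The app protection "Max allowed device threat level" setting and the compliance "Require the device to be at or under the Device Threat Level" setting use the same ordered scale, so the following added example (written for this article, not Microsoft's or any MTD partner's code) models both checks in one place. It encodes what the text above states: Secured < Low < Medium < High, the policy names the highest level a device may be at, and a device whose MTD app is not activated (or that has not reported a level) is never compliant, even at High. The device records are constructed sample data, and treating a device with no MTD report as failing the app protection check is this example's conservative assumption rather than a statement from the article.

```python
"""
Evaluate MTD device threat levels the way the two Intune policy types do.

Added example, not Microsoft's or an MTD partner's code. Device records are
constructed samples; the "no report means fail" rule for app protection is an
assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class ThreatLevel(IntEnum):
    """Ordered scale shared by compliance and app protection; higher = more risk."""
    SECURED = 0   # no threats may be present
    LOW = 1
    MEDIUM = 2
    HIGH = 3      # as a policy limit: every level allowed, MTD used for reporting only


def parse_level(name: str) -> ThreatLevel:
    """Map the level name shown in the admin center ('Medium') to the scale."""
    return ThreatLevel[name.strip().upper()]


@dataclass(frozen=True)
class DeviceReport:
    """What Intune holds for one device after the MTD connector syncs."""
    device_id: str
    mtd_app_activated: bool
    threat_level: Optional[ThreatLevel]  # None: the partner has not reported a level yet


def is_compliant(report: DeviceReport, max_allowed: ThreatLevel) -> bool:
    """Compliance rule 'Require the device to be at or under the Device Threat Level'.

    Even at HIGH, which allows every level, the MTD app must be activated and a
    level must have been reported; otherwise the device is noncompliant.
    """
    if not report.mtd_app_activated or report.threat_level is None:
        return False
    return report.threat_level <= max_allowed


def conditional_launch_action(report: DeviceReport, max_allowed: ThreatLevel,
                              remediation: str) -> str:
    """App protection 'Max allowed device threat level' conditional-launch check.

    Returns 'allow' when the device is at or under the limit; otherwise the
    configured remediation: 'block' (no access until the partner reports the
    threat resolved) or 'wipe' (selectively wipe corporate data from the app).
    """
    if remediation not in ("block", "wipe"):
        raise ValueError("remediation must be 'block' or 'wipe'")
    return "allow" if is_compliant(report, max_allowed) else remediation


def evaluate_fleet(reports: list[DeviceReport], max_allowed: ThreatLevel) -> dict[str, bool]:
    """Compliance verdict per device id, e.g. to compare with the admin-center report."""
    return {r.device_id: is_compliant(r, max_allowed) for r in reports}


# Constructed sample: four devices as an MTD partner might report them.
SAMPLE_REPORTS = [
    DeviceReport("phone-01", True, ThreatLevel.SECURED),   # clean
    DeviceReport("phone-02", True, ThreatLevel.LOW),       # partner reported a low-level threat
    DeviceReport("phone-03", True, ThreatLevel.HIGH),      # partner reported a high-level threat
    DeviceReport("phone-04", False, None),                 # MTD app never activated
]

if __name__ == "__main__":
    limit = parse_level("Medium")
    for dev_id, ok in evaluate_fleet(SAMPLE_REPORTS, limit).items():
        print(f"{dev_id}: {'compliant' if ok else 'noncompliant'} at limit {limit.name}")
    for r in SAMPLE_REPORTS:
        print(f"{r.device_id}: conditional launch -> {conditional_launch_action(r, limit, 'block')}")
```

With the limit set to Medium, phone-01 and phone-02 pass, phone-03 fails on its threat level, and phone-04 fails because the MTD app was never activated; switching the limit to High admits phone-03 but still not phone-04, which is the point of the "Devices are required to have the MTD app activated" remark above.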
Next steps
Enable MTD with Intune
Enable the Mobile Threat Defense connector in Intune
Article • 07/31/2023
During Mobile Threat Defense (MTD) setup, you've configured a policy for classifying
threats in your Mobile Threat Defense partner console and you've created the device
compliance policy in Intune. If you've already configured the Intune connector in the
MTD partner console, you can now enable the MTD connection for MTD partner
applications.
Note
If the classic policy is deleted, you'll need to delete the connection to Intune that was
responsible for its creation, and then set it up again. This process recreates the classic
policy. It's not supported to migrate classic policies for MTD apps to the new policy type
for conditional access.
Classic conditional access policies for MTD apps:
Are used by Intune MTD to require that devices are registered in Azure AD so that
they have a device ID before communicating to MTD partners. The ID is required
so that devices can successfully report their status to Intune.
Are distinct from conditional access policies you might create to help manage
MTD.
By default, don't interact with other conditional access policies you use for
evaluation.
To view classic conditional access policies, in the Azure portal, go to Azure Active
Directory > Conditional Access > Classic policies.
Note
With the 2308 release of Intune, a classic Conditional Access (CA) policy is no
longer created for the Microsoft Defender for Endpoint connector. If your tenant
has one previously created due to an integration with Microsoft Defender for
Endpoint, it can be deleted. Classic CA policies continue to be needed for
third-party MTD partners.
2. Select Tenant administration > Connectors and tokens > Mobile Threat Defense.
To set up an integration with a third-party Mobile Threat Defense vendor, you
must be an Azure Global administrator or be assigned the Endpoint Security
Manager built-in admin role for Intune. You may also use a custom role that
includes the Mobile Threat Defense permission in Intune.
4. For Mobile Threat Defense connector to setup, select your MTD solution from the
drop-down list.
Note
Ensure your tenant's MDM Authority is set to Intune (and not SCCM) to see the full
list of toggle options.
You can decide which MTD toggle options you need to enable according to your
organization's requirements. Not all of the following options are supported by all
Mobile Threat Defense partners:
Enable App Sync for iOS Devices: Allows this Mobile Threat Defense partner to
request metadata of iOS applications from Intune to use for threat analysis
purposes. The iOS device must be MDM-enrolled and provides updated app data
during device check-in. You can find standard Intune policy check-in frequencies
in the Refresh cycle times.
Note
App Sync data is sent to Mobile Threat Defense partners at an interval based
on device check-in, and should not be confused with the refresh interval for
the Discovered Apps report.
This setting has no effect for corporate devices. For corporate devices, Intune
sends data about both managed and unmanaged apps when requested by this
MTD vendor.
Connect iOS devices version <supported versions> to <MTD partner name> for
app protection policy evaluation: When you enable this option, app protection
policies using the "Max allowed threat level" rule will evaluate devices including
data from this connector.
To learn more about using Mobile Threat Defense connectors for Intune App Protection
Policy evaluation, see Set up Mobile Threat Defense for unenrolled devices.
Important
When possible, we recommend that you add and assign the MTD apps before
creating the device compliance and the Conditional Access policy rules. This helps
ensure that the MTD app is ready and available for end users to install before they
can get access to email or other company resources.
Tip
You can see the Connection status and the Last synchronized time between Intune
and the MTD partner from the Mobile Threat Defense pane.
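The Connection status and Last synchronized values are also readable through Microsoft Graph, which is useful when you want to alert on a connector that has silently stopped syncing (compliance evaluation then runs on stale partner data). The following added example is not Microsoft's or an MTD partner's code. It assumes the beta Graph resource deviceManagement/mobileThreatDefenseConnectors and the property names partnerState, lastHeartbeatDateTime, androidEnabled, iosEnabled, androidMobileApplicationManagementEnabled, iosMobileApplicationManagementEnabled and allowPartnerToCollectIOSApplicationMetadata, which correspond to the toggle options described above; verify these against your tenant, since the beta API can change. The token scope named in fetch_connectors and the connector records in SAMPLE_CONNECTORS are likewise assumptions and constructed data for this example.

```python
"""
Audit Intune Mobile Threat Defense connectors through Microsoft Graph.

Added example, not Microsoft's or an MTD partner's code. Endpoint, property
names and permission scope are assumptions to verify against your tenant;
SAMPLE_CONNECTORS is constructed data.
"""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed beta endpoint for the connectors shown on the Mobile Threat Defense pane.
GRAPH_URL = "https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors"

# Constructed sample of what a GET returns, trimmed to the fields used here.
# Real ids are partner GUIDs; the names below are placeholders.
SAMPLE_CONNECTORS = [
    {"id": "partner-a", "partnerState": "enabled",
     "lastHeartbeatDateTime": "2023-08-21T09:15:00Z",
     "androidEnabled": True, "iosEnabled": True,
     "androidMobileApplicationManagementEnabled": False,
     "iosMobileApplicationManagementEnabled": False,
     "allowPartnerToCollectIOSApplicationMetadata": True},
    {"id": "partner-b", "partnerState": "enabled",
     "lastHeartbeatDateTime": "2023-08-10T09:15:00Z",   # last sync 11 days ago
     "androidEnabled": True, "iosEnabled": False,
     "androidMobileApplicationManagementEnabled": True,
     "iosMobileApplicationManagementEnabled": False,
     "allowPartnerToCollectIOSApplicationMetadata": False},
    {"id": "partner-c", "partnerState": "unresponsive",
     "lastHeartbeatDateTime": None,
     "androidEnabled": False, "iosEnabled": False,
     "androidMobileApplicationManagementEnabled": False,
     "iosMobileApplicationManagementEnabled": False,
     "allowPartnerToCollectIOSApplicationMetadata": False},
]

SAMPLE_NOW = datetime(2023, 8, 21, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def build_connector_patch(*, android_compliance: bool, ios_compliance: bool,
                          android_app_protection: bool, ios_app_protection: bool,
                          app_sync_ios: bool) -> dict:
    """Map the admin-center toggles to the (assumed) connector properties for a PATCH."""
    return {
        "androidEnabled": android_compliance,                # Android compliance evaluation
        "iosEnabled": ios_compliance,                        # iOS compliance evaluation
        "androidMobileApplicationManagementEnabled": android_app_protection,
        "iosMobileApplicationManagementEnabled": ios_app_protection,
        "allowPartnerToCollectIOSApplicationMetadata": app_sync_ios,  # App Sync for iOS
    }


def connector_health(connector: dict, now: datetime,
                     max_age: timedelta = timedelta(days=1)) -> str:
    """Classify one connector: 'ok', 'stale' (enabled but heartbeat too old) or 'down'."""
    if connector.get("partnerState") != "enabled":
        return "down"
    stamp = connector.get("lastHeartbeatDateTime")
    if not stamp:
        return "stale"
    last = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return "ok" if now - last <= max_age else "stale"


def audit(connectors: list[dict], now: datetime) -> dict[str, str]:
    """Health per connector id; anything other than 'ok' deserves a look."""
    return {c["id"]: connector_health(c, now) for c in connectors}


def audit_sample() -> dict[str, str]:
    """Run the audit over the constructed records with the fixed clock."""
    return audit(SAMPLE_CONNECTORS, SAMPLE_NOW)


def fetch_connectors(access_token: str) -> list[dict]:
    """Live read. Assumes a token carrying DeviceManagementConfiguration.Read.All."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    for cid, health in audit_sample().items():
        print(f"{cid}: {health}")
    body = build_connector_patch(android_compliance=True, ios_compliance=True,
                                 android_app_protection=False, ios_app_protection=False,
                                 app_sync_ios=True)
    print(json.dumps(body, indent=2))  # PATCH this to GRAPH_URL/{connector id}
```

To run it against a tenant, replace audit_sample() with audit(fetch_connectors(token), datetime.now(timezone.utc)); the one-day threshold is a starting point and should be tightened to whatever sync interval your partner documents.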
Next steps
Create Mobile Threat Defense (MTD) device compliance policy with Intune.
Better Mobile Threat Defense connector
with Intune
Article • 02/21/2023
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Better Mobile, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the Better Mobile app.
You can configure Conditional Access policies based on Better Mobile risk assessment
enabled through Intune device compliance policies for enrolled devices, which you can
use to allow or block noncompliant devices to access corporate resources based on
detected threats. For unenrolled devices, you can use app protection policies to enforce
a block or selective wipe based on detected threats.
Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
Better Mobile. When the MTD rule is enabled, Intune evaluates device compliance
with the policy that you enabled. If the device is found noncompliant, users are
blocked access to corporate resources like Exchange Online and SharePoint Online.
Users also receive guidance from the Better Mobile app installed in their devices to
resolve the issue and regain access to corporate resources. To support using Better
Mobile with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Support for unenrolled devices - Intune can use the risk assessment data from the
Better Mobile app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app, and can also issue a block or selective wipe for
corporate data on those unenrolled devices. To support using Better Mobile with
unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices
Supported platforms
Android 4.1 and later
Prerequisites
Azure Active Directory Premium
Sample scenarios
Here are some common scenarios.
Complete the following steps to integrate the Better Mobile Threat Defense solution
with Intune.
Before starting the process of integrating Better Mobile with Intune, make sure you have
the following:
Better Mobile syncs with Azure AD Enrollment Group membership to populate its
device database.
Allow the Better Mobile admin console to use Azure AD Single Sign On (SSO).
3. Choose Intune.
7. Search for the Azure AD Security groups that you want Better Mobile to sync
devices from, and select them in the list. Then select Continue.
8. Select Done.
Next steps
Set up Better Mobile apps for enrolled devices
Set up Better Mobile apps for unenrolled devices
Use BlackBerry Protect Mobile with
Intune
Article • 02/21/2023
Control mobile device access to corporate resources using Conditional Access based on
risk assessment conducted by BlackBerry Protect Mobile (powered by Cylance AI), a
mobile threat defense (MTD) solution that integrates with Microsoft Intune. Risk is
assessed based on telemetry collected from devices running the BlackBerry Protect
Mobile app.
You can configure Conditional Access policies based on a BlackBerry Protect risk
assessment, enabled through Intune device compliance policies for enrolled devices.
You can set up your policies to allow or block noncompliant devices from accessing
corporate resources based on detected threats.
For more information about how to integrate BlackBerry UES with Microsoft Intune, see
the BlackBerry UES documentation.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Supported platforms
Android 9.0 and later
Prerequisites
Azure Active Directory Premium
Support for enrolled devices - Intune device compliance policy includes a rule for
MTD, which can use risk assessment information from BlackBerry Protect. When
the MTD rule is enabled, Intune evaluates device compliance with the policy that
you enabled. If the device is found noncompliant, users are blocked access to
corporate resources, such as Exchange Online and SharePoint Online. Users also
receive guidance from the BlackBerry Protect app installed on their devices to
resolve the issue and regain access to corporate resources. To support using
BlackBerry Protect with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Sample scenarios
The following scenarios demonstrate the use of BlackBerry Protect Mobile MTD when
integrated with Intune:
Connect the BlackBerry Protect Mobile MTD connector to monitor and mitigate device
risk levels on Intune-managed devices. BlackBerry Protect Mobile (powered by Cylance
AI) works by reporting device risk levels to Microsoft Intune. Intune then uses that
information to enforce the appropriate app configuration and risk assessment policies.
For more information about BlackBerry Protect Mobile, see Key features of BlackBerry
Protect Mobile (opens BlackBerry UES docs).
This article describes the requirements and steps to connect the MTD connector in your
tenant.
Azure Active Directory (Azure AD) account with Global Administrator rights to
grant the following permissions:
App authorization
The following authorization process happens when you connect the BlackBerry Protect
Mobile MTD connector:
Allow BlackBerry UES management console to use Azure AD Single Sign On (SSO).
For more information about consent and Azure AD applications, see Request the
permissions from a directory admin.
Next steps
Set up BlackBerry Protect app for enrolled devices
Check Point Harmony Mobile Threat
Defense connector with Intune
Article • 03/15/2023
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Check Point Harmony Mobile, a mobile threat
defense solution that integrates with Microsoft Intune. Risk is assessed based on
telemetry collected from devices running the Harmony Mobile Protect app.
You can configure Conditional Access policies based on Check Point Harmony Mobile
risk assessment enabled through Intune device compliance policies, which you can use
to allow or block noncompliant devices to access corporate resources based on
detected threats.
Supported platforms
Android 8 and later
Pre-requisites
Azure Active Directory Premium
The Intune device compliance policy includes a rule for Check Point Harmony Mobile
Threat Defense, which is based on the Check Point Harmony risk assessment. When this
rule is enabled, Intune evaluates device compliance with the policy that you enabled. If
the device is found noncompliant, users are blocked access to corporate resources like
Exchange Online and SharePoint Online. Users also receive guidance from the Harmony
Mobile Protect app installed in their devices to resolve the issue and regain access to
corporate resources.
Next steps
Integrate Check Point Harmony Mobile with Intune
Complete the following steps to integrate the Check Point Harmony Mobile Threat
Defense solution with Intune.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Before starting the process of integrating Check Point Harmony Mobile with Intune,
make sure you have the following configurations:
Allow the Harmony Mobile Protect app to sign in using Azure AD SSO.
5. Once you set Microsoft Intune as the MDM Service, the Microsoft Intune
Configuration window opens. Choose Add to my organization for each device
platform (iOS/iPadOS, Android, and Windows) to authorize Harmony Mobile Protect
to communicate with Intune and Azure AD.
Important
You must add all device platforms to proceed to the next step.
8. Choose Verify, once the Azure AD security group is successfully verified, choose
Save.
Next steps
Set up Harmony Mobile Protect apps
Lookout Mobile Endpoint Security
connector with Intune
Article • 02/21/2023
You can control mobile device access to corporate resources based on risk assessment
conducted by Lookout, a Mobile Threat Defense solution integrated with Microsoft
Intune. Risk is assessed based on telemetry collected from devices by the Lookout
service including:
You can configure Conditional Access policies based on Lookout's risk assessment
enabled through Intune compliance policies for enrolled devices, which you can use to
allow or block noncompliant devices to access corporate resources based on detected
threats. For unenrolled devices, you can use app protection policies to enforce a block
or selective wipe based on detected threats.
Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
Lookout for work. When the MTD rule is enabled, Intune evaluates device
compliance with the policy that you enabled. If the device is found noncompliant,
users are blocked access to corporate resources like Exchange Online and
SharePoint Online. Users also receive guidance from the Lookout for work app
installed in their devices to resolve the issue and regain access to corporate
resources. To support using Lookout for work with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Support for unenrolled devices - Intune can use the risk assessment data from the
Lookout for work app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app, and can also issue a block or selective wipe for
corporate data on those unenrolled devices. To support using Lookout for work
with unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices
Supported platforms
The following platforms are supported for Lookout when enrolled in Intune:
For additional information about platform and language support, visit the Lookout
website.
Prerequisites
Lookout Mobile Endpoint Security enterprise subscription
Microsoft Intune Plan 1 subscription
Azure Active Directory Premium
Enterprise Mobility and Security (EMS) E3 or E5, with licenses assigned to users.
Sample scenarios
Here are the common scenarios when using Mobile Endpoint Security with Intune.
With an environment that meets the prerequisites, you can integrate Lookout Mobile
Endpoint Security with Intune. The information in this article will guide you in setting up
integration and configuring important settings in Lookout for use with Intune.
Important
An existing Lookout Mobile Endpoint Security tenant that is not already associated
with your Azure AD tenant cannot be used for the integration with Azure AD and
Intune. Contact Lookout support to create a new Lookout Mobile Endpoint Security
tenant. Use the new tenant to onboard your Azure AD users.
To enable your Lookout Mobile Endpoint Security subscription integration with Intune,
you provide the following information to Lookout support
(enterprisesupport@lookout.com):
Azure AD group Object ID for the group with full Lookout Mobile Endpoint
Security (MES) Console access.
You create this user group in Azure AD to contain the users that have full access to
sign in to the Lookout console. Users must be members of this group, or the
optional restricted access group, to sign in to the Lookout Console.
Azure AD group Object ID for the group with restricted Lookout MES Console
access (optional group).
You create this optional user group in Azure AD to contain
users that shouldn't have access to several configuration and enrollment-related
modules of the Lookout console. Instead, these users have read-only access to the
Security Policy module of the Lookout console. Users must be members of this
optional group, or the required full access group, to sign in to the Lookout
Console.
Tip
For more details on the permissions, read this article on the Lookout website.
2. Go to Azure Active Directory > Properties and locate your Directory ID. Use the
Copy button to copy the Directory ID, and then save it in a text file.
3. Next, find the Azure AD Group ID for the groups you use to grant Azure AD users
access to the Lookout Console. One group is for full access; the second group,
for restricted access, is optional. To get the Object ID for each group:
a. Go to Azure Active Directory > Groups to open the Groups - All groups pane.
b. Select the group you created for full access to open its Overview pane.
c. Use the Copy button to copy the Object ID, and then save it in a text file.
d. Repeat the process for the restricted access group if you use that group.
After you gather this information, contact Lookout support (email:
enterprisesupport@lookout.com). Lookout Support will work with your primary
contact to onboard your subscription and create your Lookout Enterprise account,
using the information that you provide.
After Lookout support creates your Lookout Enterprise account, Lookout support sends
an email to the primary contact for your company with a link to the sign-in URL:
https://aad.lookout.com/les?action=consent.
Initial sign-in
The first sign-in to the Lookout MES Console displays a consent page
(https://aad.lookout.com/les?action=consent). An Azure AD Global Administrator must
sign in and select Accept. Subsequent sign-ins don't require the user to have this
level of Azure AD privilege.
A consent page is displayed. Choose Accept to complete the registration.
When you accept and consent, you're redirected to the Lookout Console.
After the initial sign-in and consent is complete, users that sign in from
https://aad.lookout.com are redirected to the MES Console. If consent wasn't yet
granted, all sign-in attempts result in a Bad Login Error.
1. Sign in to the Lookout MES Console and go to System > Connectors, and then
select Add Connector. Select Intune.
2. On the Microsoft Intune pane, select Connection Settings and specify the
Heartbeat Frequency in minutes.
3. Select Enrollment Management, and for Use the following Azure AD security
groups to identify devices that should be enrolled in Lookout for Work, specify
the Group name of an Azure AD group to use with Lookout, and then select Save
changes.
4. Select State Sync and ensure both device status and threat status are set to On.
Both are required for the Lookout Intune integration to work correctly.
5. Select Error Management, specify the email address that should receive the error
reports, and then select Save changes.
Go to Preferences and then set the notifications you want to receive to ON, and
then Save the changes.
If you no longer want to receive email notifications, set the notifications to OFF
and save your changes.
Configure threat classifications
Lookout Mobile Endpoint Security classifies mobile threats of various types. The Lookout
threat classifications have default risk levels associated with them. The risk levels can be
changed at any time to suit your company requirements.
For information about the threat level classifications, and how to manage the risk levels
associated with them, see Lookout Threat Reference.
Important
Risk levels are an important aspect of Mobile Endpoint Security because the Intune
integration calculates device compliance according to these risk levels at runtime.
For details on how to get the Lookout for Work app deployed to a device, see Add
Lookout for work apps with Intune.
Next steps
Set up Lookout apps for enrolled devices
Set up Lookout apps for unenrolled devices
Use MVISION Mobile with Intune
Article • 02/21/2023
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by McAfee MVISION Mobile, a Mobile Threat
Defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on
telemetry collected from devices running the MVISION Mobile app.
You can configure Conditional Access policies based on MVISION Mobile risk
assessment, enabled through Intune device compliance policies for enrolled devices,
to allow or block noncompliant devices from accessing corporate resources
based on detected threats. For unenrolled devices, you can use app protection policies
to enforce a block or selective wipe based on detected threats.
Supported platforms
Android 5.1 and later
Prerequisites
Azure Active Directory Premium
For more information, see the documentation for McAfee MVISION Mobile.
Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
MVISION Mobile. When the MTD rule is enabled, Intune evaluates device
compliance with the policy that you enabled. If the device is found noncompliant,
users are blocked from accessing corporate resources like Exchange Online and
SharePoint Online. Users also receive guidance from the MVISION Mobile app
installed on their devices to resolve the issue and regain access to corporate
resources. To support using MVISION Mobile with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Support for unenrolled devices - Intune can use the risk assessment data from the
MVISION Mobile app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app. Admins can also issue a block or selective wipe for
corporate data on those unenrolled devices. To support using MVISION Mobile
with unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices
Sample scenarios
The following are a few scenarios for integrating MVISION Mobile with Intune:
Complete the following steps to integrate the MVISION Mobile mobile threat defense
solution with Intune.
Before starting the process of integrating MVISION Mobile with Intune, make sure you
have the following subscription and credentials:
MVISION Mobile syncs with Azure Active Directory (AD) Enrollment Group
membership to populate its device database.
Allow MVISION Mobile admin console to use Azure AD Single Sign On (SSO).
For more information about consent and Azure Active Directory applications, see
Request the permissions from a directory admin in the Azure Active Directory article
Permissions and consent in the Azure Active Directory v2.0 endpoint.
1. Go to MVISION Mobile console and sign in with your credentials. To perform the
MVISION Mobile integration setup process, you must sign in with an Azure Active
Directory user who has the Global Administrator role. This one-time setup
operation uses the Global Administrator rights to grant permission in your
organization for the MVISION Mobile apps to communicate with Intune.
4. Choose Add MDM, then select Microsoft Intune from the MDM provider list.
5. After you set Microsoft Intune as the MDM service, the Microsoft Intune
Configuration window opens. Choose Add Azure Active Directory for each
option (MVISION Mobile console, MVISION Mobile iOS and Android apps) to
authorize MVISION Mobile to communicate with Intune and Azure AD through
Azure AD Single Sign-On.
Important
You must add the console, and the MVISION Mobile iOS and Android apps to
complete the integration process with Intune.
6. Choose Accept to authorize the MVISION Mobile app to communicate with Intune
and Azure Active Directory.
7. After you add the console and MVISION Mobile iOS and Android apps to Azure
AD, add the Azure AD security groups. This addition allows MVISION Mobile to
synchronize the Azure AD security group with its service.
8. Choose Finish to save the configuration and start the first Azure AD security group
synchronization.
Next steps
Set up MVISION Mobile apps for enrolled devices
Set up MVISION Mobile apps for unenrolled devices
Pradeo Mobile Threat Defense
connector with Intune
Article • 02/21/2023
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Pradeo, a Mobile Threat Defense (MTD) solution
that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from
devices running the Pradeo app.
You can configure Conditional Access policies based on Pradeo risk assessment, enabled
through Intune device compliance policies, to allow or block noncompliant devices
from accessing corporate resources based on detected threats.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Supported platforms
Android 5.1 and later
Prerequisites
Azure Active Directory Premium
Sample scenarios
Here are some common scenarios.
Next steps
Integrate Pradeo with Intune
Complete the following steps to integrate the Pradeo Mobile Threat Defense solution
with Intune.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Note
Before starting the process of integrating Pradeo with Intune, make sure you have the
following:
6. The Pradeo web page reopens. Under Step 2, choose the Pradeo Device Health
button.
10. In the Microsoft Intune authentication window, enter your Intune credentials.
Next steps
Set up Pradeo apps for enrolled devices
SentinelOne Mobile Threat Defense
connector with Intune
Article • 02/21/2023
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by SentinelOne, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the SentinelOne app.
You can configure Conditional Access policies based on SentinelOne risk assessment,
enabled through Intune device compliance policies for enrolled devices, to allow or
block noncompliant devices from accessing corporate resources based on detected
threats. For unenrolled devices, you can use app protection policies to enforce
a block or selective wipe based on detected threats.
Supported platforms
Android 5.0 and later
Prerequisites
Azure Active Directory Premium
Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
SentinelOne. When the MTD rule is enabled, Intune evaluates device compliance
with the policy that you enabled. If the device is found noncompliant, users are
blocked from accessing corporate resources like Exchange Online and SharePoint Online.
Users also receive guidance from the SentinelOne app installed on their devices to
resolve the issue and regain access to corporate resources. To support using
SentinelOne with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Support for unenrolled devices - Intune can use the risk assessment data from the
SentinelOne app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app. Admins can also issue a block or selective wipe for
corporate data on those unenrolled devices. To support using SentinelOne with
unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices
Sample scenarios
The following are a few scenarios for integrating SentinelOne with Intune:
Complete the following steps to integrate the SentinelOne Mobile Threat Defense
solution with Intune.
Before starting the process of integrating SentinelOne with Intune, make sure you have
the following subscription and credentials:
SentinelOne syncs with Azure Active Directory (AD) Enrollment Group membership
to populate its device database.
Allow SentinelOne Management Console to use Azure AD Single Sign On (SSO).
For more information about consent and Azure Active Directory applications, see
Request the permissions from a directory admin in the Azure Active Directory article
Permissions and consent in the Azure Active Directory v2.0 endpoint.
4. Choose Add MDM, then select Microsoft Intune from the MDM provider list.
5. After you set Microsoft Intune as the MDM service, the Microsoft Intune
Configuration window opens. Choose Add Azure Active Directory for each
option (SentinelOne Management Console, SentinelOne iOS and Android apps)
to authorize SentinelOne to communicate with Intune and Azure AD through
Azure AD Single Sign-On.
Important
You must add the SentinelOne Management Console and SentinelOne iOS
and Android apps to complete the integration process with Intune.
6. Choose Accept to authorize the SentinelOne app to communicate with Intune and
Azure Active Directory.
7. After you add the SentinelOne Management Console and the SentinelOne iOS
and Android apps to Azure AD, add the Azure AD security groups. This
addition allows SentinelOne to synchronize the Azure AD security group with its
service.
8. Choose Finish to save the configuration and start the first Azure AD security group
synchronization.
9. Sign out of the SentinelOne MTD console.
Next steps
Set up SentinelOne apps for enrolled devices
Set up SentinelOne apps for unenrolled devices
Sophos Mobile Threat Defense
connector with Intune
Article • 02/21/2023
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Sophos Mobile, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the Sophos Mobile app.
You can configure Conditional Access policies based on Sophos Mobile risk assessment,
enabled through Intune device compliance policies, to allow or block noncompliant
devices from accessing corporate resources based on detected threats.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Supported platforms
Android 7.0 and later
iOS 14.0 and later
Prerequisites
Azure Active Directory Premium
Microsoft Intune Plan 1 subscription
Sophos Mobile Threat Defense subscription
Sample scenarios
Here are some common scenarios.
Next steps
Integrate Sophos with Intune
Set up Sophos apps
Create Sophos device compliance policy
Enable Sophos MTD connector
Integrate Sophos Mobile with Intune
Article • 02/22/2023
Complete the following steps to integrate the Sophos Mobile Threat Defense solution
with Intune.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
7. Select Bind, and then select Yes. Sophos connects to Intune and requires you to
sign in to your Intune subscription.
8. In the Microsoft Intune authentication window, enter your Intune credentials and
Accept the permissions request for Sophos Mobile Threat Defense.
9. On the Sophos setup page, select Save to complete the configuration for Intune.
Next Steps
Configure Sophos client apps
Symantec Endpoint Protection Mobile
connector
Article • 02/21/2023
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Symantec Endpoint Protection Mobile (SEP
Mobile), a mobile threat defense solution that integrates with Microsoft Intune. Risk is
assessed based on telemetry collected from devices running SEP Mobile, including:
Physical defense
Network defense
Application defense
Vulnerabilities defense
You can enable SEP Mobile risk assessment through Intune device compliance policies,
and then use Conditional Access policies to allow or block noncompliant device access
to corporate resources based on detected threats.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Supported platforms
Android 5.0 and later
Prerequisites
Azure Active Directory Premium
The Intune device compliance policy includes a rule for SEP Mobile, which is based on
the SEP Mobile risk assessment. When this rule is enabled, Intune evaluates device
compliance with the policy that you enabled.
If the device is found noncompliant, access to resources like Exchange Online and
SharePoint Online is blocked. Users on blocked devices receive guidance from the SEP
Mobile app to resolve the issue and regain access to corporate resources.
Basic setup, which is a read-only mode that gives SEP Mobile visibility of devices
in Intune.
Full integration, which allows SEP Mobile to report device risk and security incident
details to Intune.
Sample scenarios
Here are some common scenarios:
Add and assign SEP Mobile apps, Microsoft Authenticator and iOS/iPadOS app
configuration policy
Complete the following steps to integrate the Symantec Endpoint Protection Mobile
(SEP Mobile) solution with Intune. You need to add SEP Mobile apps into Azure AD to
have Single Sign On capabilities.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Network Setup
You can make sure your network is properly configured for integration with SEP Mobile
setup by referring to the Symantec article Configuring SEP Manager after installation.
Read-only integration (Basic setup): Only inventories devices from Azure Active
Directory and populates them in the Symantec Endpoint Protection Mobile
Management console.
If the Report the health and risk of devices to Intune, and Also report security
incidents to Intune boxes are not selected in the Symantec Endpoint Protection
Mobile Management console, the integration is read-only and therefore will
never change a device's state (compliant or noncompliant) in Intune.
Full integration: Allows SEP Mobile to report devices on risk and security incident
details to Intune, which creates a bi-directional communication between both
cloud services.
How are the SEP Mobile apps used with Azure AD and
Intune?
iOS app: Allows end-users to sign in to Azure AD using an iOS/iPadOS app.
Management app: This is the SEP Mobile Azure AD multi-tenant app which
enables service-to-service communication with Intune.
Important
The SEP Mobile admin credentials must consist of an e-mail account that belongs
to a valid user in the Azure Active Directory, otherwise the login will fail. SEP Mobile
uses Azure Active Directory to authenticate its admin using Single Sign On (SSO).
2. Enter your SEP Mobile admin credentials, and then choose Continue.
6. After the app is added to Azure AD, you'll see an indication that the app was
added successfully.
7. Repeat these steps for the SEP Mobile Android and Management apps.
Enter and select all the security groups of devices that are running SEP Mobile, and
then save the changes.
SEP Mobile syncs the devices running its Mobile Threat Defense service with the Azure
AD security groups.
2. Type "Active Directory" in the search box, and then select Azure Active Directory.
3. Choose Properties.
4. Next to the Directory ID, choose the copy icon, and then paste it to a safe location.
You'll need this identifier in a later step.
(Optional) Create a dedicated Security Group for devices
that need to run the SEP Mobile apps
1. In the Azure portal , under Manage, choose Users and groups, and then choose
All groups.
2. Choose the Add button. Type a group Name. Under Membership type, choose
Assigned.
3. In the Members blade, select the group members, and then choose the Select
button.
3. Go to the Settings > Integrations > Intune > EMM Integration Selection section.
4. In the Directory ID box, paste the Directory ID you copied from Azure Active
Directory in the previous section and save the settings.
5. Go to the Settings > Integrations > Intune > Basic Setup section.
7. Sign in using the Azure Active Directory credentials for the Microsoft 365 account
that manages the directory.
8. Choose the Accept button to add the SEP Mobile iOS/iPadOS app to Azure Active
Directory.
9. Repeat the same process for the Android app and the Management App.
10. Select all user groups that need to run the SEP Mobile apps, for example, the
security group you created earlier.
11. SEP Mobile syncs the devices in the selected groups and starts reporting
information to Intune. You can view this data in the Full Integration section. Go to
the Settings > Integrations > Intune > Full Integration section.
Next steps
Set up SEP Mobile apps
Use Trend Micro Mobile Security as a
Service with Microsoft Intune
Article • 02/23/2023
Control mobile device access to corporate resources using Conditional Access based on
risk assessment conducted by Trend Micro Mobile Security as a Service, a mobile threat
defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on
telemetry collected from devices protected by the Trend Micro Mobile Security as a
Service, including:
You can configure Conditional Access policies based on Trend Micro Mobile Security as
a Service’s risk assessment, enabled through Intune device compliance policies for
enrolled devices. You can set up your policies to allow or block noncompliant devices
from accessing corporate resources based on detected threats.
Note
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Supported platforms
Android 7.0 and later
iOS 11.0 and later
Prerequisites
Azure Active Directory Premium
Microsoft Intune Plan 1 subscription
Trend Micro account with administrative access to the Trend Micro Vision One
console
How do Intune and the Trend Micro MTD
connector help protect your company
resources?
The Trend Micro Mobile Security as a Service mobile agent app for Android and
iOS/iPadOS captures file system, network stack, device, and application telemetry where
available, then sends the telemetry data to Trend Micro Mobile Security as a Service to
assess the device's risk for mobile threats.
Support for enrolled devices - Intune device compliance policy includes a rule for
MTD, which can use risk assessment information from Trend Micro. When the MTD
rule is enabled, Intune evaluates device compliance with the policy that you
enabled. If the device is found noncompliant, users are blocked access to
corporate resources, such as Exchange Online and SharePoint Online. Users also
receive guidance from the Trend Micro Mobile Security as a Service mobile agent
app installed on their devices to resolve the issue and regain access to corporate
resources. To support using Trend Micro with enrolled devices:
Add MTD apps to devices (This is done automatically when setting up Trend
Micro Mobile Security as a Service integration)
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Sample scenarios
The following scenarios demonstrate the use of Trend Micro MTD when integrated with
Intune:
Connect Trend Micro Mobile Security as a Service to monitor and mitigate device risk
levels on Intune-managed devices. Trend Micro Mobile Security as a Service works by
reporting device risk levels to Microsoft Intune. Intune then uses that information to
enforce the appropriate app configuration and risk assessment policies. For more
information about Trend Micro Mobile Security as a Service, see Getting Started with
Mobile Security in the Trend Micro documentation.
This article describes the requirements and steps to connect Trend Micro Mobile
Security as a Service in your tenant.
For more information about consent and Azure AD applications, see Request the
permissions from a directory admin.
Configuration Overview
The configuration of Trend Micro Mobile Security as a Service and Intune integration can
be done on Trend Micro Vision One console with the following steps:
2. Select groups to install the Trend Micro Mobile Security as a Service mobile app.
The Trend Micro Mobile Security as a Service mobile app installs automatically on
devices in the selected groups.
Next steps
Customize Mobile Policies in Trend Micro Mobile Security as a Service
Create Mobile Threat Defense (MTD) device compliance policy with Intune
Wandera Mobile Threat Defense
connector with Intune
Article • 02/21/2023
Control mobile device access to corporate resources using conditional access based on
risk assessment conducted by Wandera. Wandera is a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices by the Wandera service, including:
You can configure conditional access policies that are based on Wandera's risk
assessment, enabled through Intune device compliance policies. Risk assessment policy
can allow or block noncompliant devices from accessing corporate resources based on
detected threats.
The compliance policy in Intune includes a rule for MTD based on Wandera's risk
assessment. When this rule is enabled, Intune evaluates device compliance with the
policy that you enabled.
For devices that are noncompliant, access to resources like Microsoft 365 can be
blocked. Users on blocked devices receive guidance from the Wandera app to resolve
the issue and regain access.
Wandera updates Intune with each device's latest threat level (Secure, Low, Medium,
or High) whenever it changes. This threat level is continuously recalculated by the
Wandera Security Cloud and is based upon device state, network activity, and numerous
mobile threat intelligence feeds across various threat categories.
These categories and their associated threat levels are configurable in Wandera's RADAR
console such that the total calculated threat level for each device is customizable per
your organization’s security requirements. With threat level in hand, there are two
Intune policy types that make use of this information to manage access to corporate
data:
Using App Protection Policies with Conditional Launch, administrators can set
policies that are enforced at the native app level (for example, Android and
iOS/iPadOS apps like Outlook and OneDrive) based upon the Wandera-reported threat
level. These policies may also be used for unenrolled devices with MAM managed
applications to provide uniform policy across all device platforms and ownership
modes. See Create Mobile Threat Defense app protection policy with Intune for
configuration details.
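The threat-level logic that the Lookout "Important" note and the Wandera paragraphs above describe, as a small Python model (an added example, not Microsoft's or any vendor's code): levels are ordered Secure < Low < Medium < High, a compliance policy names the highest level still treated as compliant, and an app protection policy names the levels at which a MAM app blocks or selectively wipes. The policy thresholds, device ids and report stream are constructed, and the read-only flag models SEP Mobile's Basic setup, which never changes a device's compliance state in Intune.

```python
# Added example, not Microsoft's or any vendor's code. Level names are the ones
# the Wandera section uses; thresholds, device ids and reports are constructed.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Sequence, Tuple


class ThreatLevel(IntEnum):
    """Vendor-reported device threat level, ordered from safest to riskiest."""
    SECURE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def parse_level(name: str) -> ThreatLevel:
    """Map a vendor's textual level (any case) to the ordered enum."""
    try:
        return ThreatLevel[name.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown threat level: {name!r}") from None


@dataclass(frozen=True)
class CompliancePolicy:
    """MTD rule of a device compliance policy: compliant at or under max_allowed."""
    max_allowed: ThreatLevel


@dataclass(frozen=True)
class AppProtectionPolicy:
    """Conditional launch: block at or above block_at, wipe at or above wipe_at."""
    block_at: ThreatLevel
    wipe_at: Optional[ThreatLevel] = None


@dataclass
class DeviceState:
    level: Optional[ThreatLevel] = None  # None until the vendor first reports
    compliant: bool = True               # assumption: compliant until told otherwise


def evaluate_compliance(level: ThreatLevel, policy: CompliancePolicy) -> bool:
    """Compliance is recalculated from the current level whenever it changes."""
    return level <= policy.max_allowed


def conditional_access(compliant: bool) -> str:
    """Conditional Access allows or blocks corporate resources on compliance."""
    return "allow" if compliant else "block"


def conditional_launch(level: ThreatLevel, policy: AppProtectionPolicy) -> str:
    """MAM action for a protected app (applies to unenrolled devices too, which
    have no compliance state); the most severe matching action wins."""
    if policy.wipe_at is not None and level >= policy.wipe_at:
        return "wipe"
    if level >= policy.block_at:
        return "block"
    return "allow"


def apply_reports(
    reports: Sequence[Tuple[str, str]],
    policy: CompliancePolicy,
    report_to_intune: bool = True,
) -> Tuple[Dict[str, DeviceState], List[Tuple[str, str, str]]]:
    """Replay vendor reports (device id, level name) in order.

    Returns the final state per device and a log of (device, level, decision)
    for every compliance flip. report_to_intune=False models a read-only
    connector such as SEP Mobile's Basic setup: devices are inventoried but
    their compliance state in Intune never changes.
    """
    states: Dict[str, DeviceState] = {}
    transitions: List[Tuple[str, str, str]] = []
    for device_id, level_name in reports:
        level = parse_level(level_name)
        state = states.setdefault(device_id, DeviceState())
        if not report_to_intune or level == state.level:
            continue  # nothing new to evaluate
        was_compliant = state.compliant
        state.level = level
        state.compliant = evaluate_compliance(level, policy)
        if state.compliant != was_compliant:
            transitions.append((device_id, level.name, conditional_access(state.compliant)))
    return states, transitions


# Constructed sample policy and report stream (not real telemetry).
COMPLIANCE = CompliancePolicy(max_allowed=ThreatLevel.LOW)
APP_PROTECTION = AppProtectionPolicy(block_at=ThreatLevel.MEDIUM, wipe_at=ThreatLevel.HIGH)
SAMPLE_REPORTS = [
    ("phone-01", "Secure"),
    ("phone-01", "Medium"),  # risky app detected; Low is the most the policy allows
    ("phone-02", "Low"),
    ("phone-01", "Secure"),  # remediated via the vendor app; access is restored
    ("phone-02", "High"),
]
```

Replaying SAMPLE_REPORTS through apply_reports yields one Conditional Access block for phone-01, its restoration after remediation, and a block for phone-02; conditional_launch on phone-02's High level returns a selective wipe.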
Supported platforms
The following platforms are supported for Wandera when enrolled in Intune:
For more information about platform and device support, see the Wandera website.
Prerequisites
Microsoft Intune Plan 1 subscription
Azure Active Directory
Wandera Mobile Threat Defense (formerly Wandera Secure)
Sample scenarios
Here are the common scenarios when using Wandera MTD with Intune.
Control access based on threats from malicious apps
When malicious apps such as malware are detected on devices, you can block devices
from common tools until you can resolve the threat. Common blocks include:
Next steps
Integrate Wandera with Intune
Set up Wandera apps
Create Wandera device compliance policy
Enable Wandera MTD connector
Integrate Wandera Mobile Threat
Protection with Intune
Article • 02/22/2023
Complete the following steps to integrate the Wandera Mobile Threat Defense solution
with Intune.
Azure Active Directory administrator credentials and assigned role that is able to
grant the following permissions:
Sign in and read user profile
Access the directory as the signed-in user
Read directory data
Send device risk information to Intune
Integration overview
Enabling Mobile Threat Defense integration between Wandera and Intune entails:
2. Select Tenant administration > Connectors and tokens > Mobile Threat Defense
> Add.
3. On the Add Connector page, use the dropdown to select Wandera, and then
select Create.
4. On the Mobile Threat Defense pane, select the Wandera MTD Connector from the
list of connectors to open the Edit connector pane. Select Open the Wandera
admin console to open RADAR, the Wandera admin console, and sign in.
5. In the Wandera RADAR console, go to Integrations > UEM Integration, and select
the UEM Connect tab. Use the EMM Vendor drop-down and select Microsoft
Intune.
6. The console then shows the permission grants required to complete the
integration:
7. Next to Intune User and Device Sync, click the Grant button to start the process to
provide consent for Wandera to perform Life Cycle Management (LCM) functions
with Azure and Intune.
8. When prompted, select or enter your Azure admin credentials. Review the
requested permissions, then select the checkbox to Consent on behalf of your
organization. Finally, click Accept to authorize the LCM integration.
9. You will be automatically returned back to the RADAR admin console. If the
authorization was successful, you will see a green tick mark next to the Grant
button.
10. Repeat the consent process for the remaining listed integrations by clicking on
their corresponding Grant buttons until you have green tick marks next to each.
11. Return to the Intune admin center, and resume editing the Wandera MTD
Connector. Set all of the available toggles to On, and then Save the configuration.
Intune and Wandera are now connected.
After creating an Activation Profile in Wandera, you “assign” it to users and devices in
Intune. While an Activation Profile is universal across device platforms and management
strategies, the steps below define how to configure Intune based upon these
differences.
The steps from here assume you have created an Activation Profile in Wandera that you
would like to deploy via Intune to your target devices. Please see the Activation Profiles
Guide for more details on creating and using Wandera Activation Profiles.
Note
When creating Activation Profiles for deployment via Intune, be sure to set
Associated User to the Authenticated by Identity Provider > Azure Active Directory
option for maximum security, cross-platform compatibility, and a streamlined end
user experience.
Note
Wandera offers an enhanced deployment profile for supervised iOS devices. If you
have a mixed fleet of supervised and unsupervised devices, repeat the above steps
for the other profile type as needed. These same steps need to be followed for any
future Activation Profiles that are to be deployed via Intune. Please contact
Wandera support if you have a mixed fleet of supervised and unsupervised iOS
devices and need assistance with supervised mode-based policy assignments.
Deploying Wandera to unenrolled devices with MAM managed applications
For unenrolled devices with MAM managed applications, Wandera utilizes an integrated
authentication-based onboarding experience to activate and protect company data
within MAM managed apps.
The following sections describe how to configure Wandera and Intune to enable end
users to seamlessly activate Wandera before being able to access company data.
1. In the Wandera RADAR portal, select an existing, or create a new, Activation Profile
that unenrolled devices with MAM managed applications will use during
enrollment in Devices > Activations.
2. Click the Deployment Strategies tab then Unmanaged Devices then scroll to the
Azure Device Provisioning section.
3. Enter your Azure AD Tenant ID into the appropriate text field. If you don’t have
your tenant ID on hand, click the Get my Tenant ID link to open Azure AD in a new
tab where you can easily copy this value to your clipboard.
4. (Optional) Specify Group ID(s) to limit user activations to specific groups.
If one or more Group IDs are defined, a user activating MAM must be a
member of at least one of the specified groups to activate using this
Activation Profile.
You can set up multiple Activation Profiles configured with the same Azure
Tenant ID but with different Group IDs. This allows you to enroll devices into
Wandera based upon Azure group membership, enabling differentiated
capabilities by group at activation time.
You may configure a single “default” Activation Profile that doesn’t specify
any Group IDs. This group will serve as a catch-all for all activations in which
the authenticated user isn’t a member of a group with an association to
another Activation Profile.
You can control mobile device access to corporate resources using Conditional Access
based on risk assessment conducted by Zimperium, a Mobile Threat Defense (MTD)
solution that integrates with Microsoft Intune. Risk is assessed based on telemetry
collected from devices running the Zimperium app.
You can configure Conditional Access policies based on Zimperium risk assessment
enabled through Intune device compliance policies for enrolled devices, which you can
use to allow or block noncompliant devices to access corporate resources based on
detected threats. For unenrolled devices, you can use app protection policies to enforce
a block or selective wipe based on detected threats.
Supported platforms
Android 5.1 and later
Prerequisites
Azure Active Directory Premium
Support for enrolled devices - Intune device compliance policy includes a rule for
Mobile Threat Defense (MTD), which can use risk assessment information from
Zimperium. When the MTD rule is enabled, Intune evaluates device compliance
with the policy that you enabled. If the device is found noncompliant, users are
blocked access to corporate resources like Exchange Online and SharePoint Online.
Users also receive guidance from the Zimperium app installed in their devices to
resolve the issue and regain access to corporate resources. To support using
Zimperium with enrolled devices:
Add MTD apps to devices
Create a device compliance policy that supports MTD
Enable the MTD connector in Intune
Support for unenrolled devices - Intune can use the risk assessment data from the
Zimperium app on unenrolled devices when you use Intune app protection
policies. Admins can use this combination to help protect corporate data within a
Microsoft Intune protected app. Admins can also issue a block or selective wipe for
corporate data on those unenrolled devices. To support using Zimperium with
unenrolled devices:
Add the MTD app to unenrolled devices
Create a Mobile Threat Defense app protection policy
Enable the MTD connector in Intune for unenrolled devices
Sample scenarios
See below a few scenarios when integrating Zimperium with Intune:
Complete the following steps to integrate the Zimperium Mobile Threat Defense
solution with Intune.
Before starting the process of integrating Zimperium with Intune, make sure you have
the following subscription and credentials:
Zimperium syncs with Azure Active Directory (AD) Enrollment Group membership
to populate its device database.
Allow the Zimperium admin console to use Azure AD Single Sign-On (SSO).
For more information about consent and Azure Active Directory applications, see
Request the permissions from a directory admin in the Azure Active Directory article
Permissions and consent in the Azure Active Directory v2.0 endpoint.
4. Choose Add MDM, then select Microsoft Intune from the MDM provider list.
5. After you set Microsoft Intune as the MDM service, the Microsoft Intune
Configuration window opens. Choose Add Azure Active Directory for each
option (Zimperium zConsole, and the zIPS iOS and Android apps) to authorize Zimperium
to communicate with Intune and Azure AD through Azure AD Single Sign-On.
Important
You must add the Zimperium zConsole, zIPS iOS and Android apps to
complete the integration process with Intune.
6. Choose Accept to authorize the Zimperium app to communicate with Intune and
Azure Active Directory.
7. After you add the Zimperium zConsole and the zIPS iOS and Android apps to
Azure AD, add the Azure AD security groups. This addition allows Zimperium to
synchronize the Azure AD security group with its service.
8. Choose Finish to save the configuration and start the first Azure AD security group
synchronization.
Intune integrates with network access control (NAC) partners to help organizations
secure corporate data when devices try to access on-premises resources.
Note
A new NAC service (CR service) was released in July 2021 and many of our NAC
partners are transitioning to this new service. While we have extended the timeline
for supporting the legacy NAC service through December 31, 2023, we recommend
that you migrate to the new CR service to avoid service disruption. Currently, the
following NAC partner product supports the new NAC service:
Contact your NAC partner if you have questions on the impact of this transition. For
more information, see our blog post on the new compliance retrieval service.
Example
If the device is enrolled and compliant with Intune, the NAC solution should allow the
device access to corporate resources. For example, users can be allowed or denied
access when trying to access corporate Wi-Fi or VPN resources.
Feature behaviors
Devices that are actively syncing to Intune can't move from Compliant / Noncompliant
to Not Synced (or Unknown). The Unknown state is reserved for newly enrolled devices
that haven't been evaluated for compliance yet.
For devices that are blocked from access to resources, the blocking service should
redirect all users to the management portal to determine why the device is blocked. If
the users visit this page, their devices are synchronously reevaluated for compliance.
1. Register the NAC partner solution with Azure Active Directory (Azure AD), and
grant delegated permissions to the Intune NAC API.
2. Configure the NAC partner solution with the appropriate settings including the
Intune discovery URL.
3. Configure the NAC partner solution for certificate authentication.
4. User connects to corporate Wi-Fi access point or makes a VPN connection request.
5. NAC partner solution forwards the device information to Intune, and asks Intune
about the device enrollment and compliance state.
6. If the device isn't compliant or isn't enrolled, the NAC partner solution instructs the
user to enroll or fix the device compliance.
7. The device tries to reverify its compliance and enrollment state when applicable.
8. Once the device is enrolled and compliant, NAC partner solution gets the state
from Intune.
9. Connection is successfully established which allows the device access to corporate
resources.
Note
NAC partner solutions will typically make two different types of query to Intune to
ask about device compliance state:
Enable NAC
To enable use of NAC and the compliance retrieval service that became available in July
2021, reference your NAC product's most recent documentation for enabling NAC
integration with Intune. This integration might require you to make changes after you
upgrade to their new NAC product or version.
The compliance retrieval service requires certificate-based authentication and the use of
the Intune device ID as the subject alternative name of the certificates. For Simple
Certificate Enrollment Protocol (SCEP) and Private and public key pair (PKCS) certificates,
you can add an attribute of the URI type with a value defined by your NAC provider. For
example, your NAC provider's instructions might say to include
IntuneDeviceId://{{DeviceID}} as the Subject alternative name.
Other NAC products might require that you include a device ID when using NAC with
iOS VPN profiles.
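The NAC side of this exchange, as an added example that is not part of the Intune documentation or any NAC product: it pulls the Intune device ID out of the client certificate's subject alternative name URI entries (the IntuneDeviceId://{{DeviceID}} form quoted above), rejects certificates whose URI is missing, malformed or ambiguous, and then maps Intune's compliance answer onto the steps listed earlier (unenrolled, not yet evaluated, noncompliant, compliant). The SAN list, the GUIDs and the shape of Intune's answer are constructed assumptions; the real compliance retrieval API response is not shown on the page.

```python
import re
import uuid

# Constructed sample inputs (not from the Intune docs): the SAN URI entries a
# NAC product would see after parsing the client certificate of a device that
# received a SCEP or PKCS certificate from Intune. The IntuneDeviceId://<id>
# form is the one the docs give as an example; the GUIDs are made up.
SAMPLE_SAN_URIS = ["IntuneDeviceId://3f2504e0-4f89-11d3-9a0c-0305e82c3301"]

# Constructed stand-in for what Intune reports back to the NAC product
# (the real response format is not shown on the page). Devices absent from
# this table are treated as unenrolled: Intune shares nothing more than
# "not managed by Intune" about them.
SAMPLE_INTUNE_STATE = {
    "3f2504e0-4f89-11d3-9a0c-0305e82c3301": {"compliance": "Compliant"},
    "6ba7b810-9dad-11d1-80b4-00c04fd430c8": {"compliance": "Noncompliant"},
    "6ba7b811-9dad-11d1-80b4-00c04fd430c8": {"compliance": "Unknown"},
}

DEVICE_ID_SCHEME = "intunedeviceid"          # URI schemes compare case-insensitively
NOT_EVALUATED = {"Unknown", "Not Synced"}    # states from the Feature behaviors section


def extract_intune_device_id(san_uris):
    """Return the device ID from the SAN URI list, or None if it is absent,
    malformed, or ambiguous (more than one IntuneDeviceId URI)."""
    found = []
    for uri in san_uris:
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)", uri.strip())
        if not m or m.group(1).lower() != DEVICE_ID_SCHEME:
            continue  # some other URI SAN entry; ignore it
        try:
            found.append(str(uuid.UUID(m.group(2))))
        except ValueError:
            return None  # right scheme, but the value is not a GUID
    return found[0] if len(found) == 1 else None


def nac_decision(san_uris, intune_state):
    """Map the certificate and Intune's answer to a NAC verdict (allow/deny)
    plus the reason the NAC product would act on."""
    device_id = extract_intune_device_id(san_uris)
    if device_id is None:
        return "deny", "no valid IntuneDeviceId SAN URI in client certificate"
    state = intune_state.get(device_id)
    if state is None:
        return "deny", "device not managed by Intune; user must enroll"
    compliance = state["compliance"]
    if compliance == "Compliant":
        return "allow", "device enrolled and compliant"
    if compliance in NOT_EVALUATED:
        return "deny", "device enrolled but not yet evaluated; retry after sync"
    return "deny", "device noncompliant; redirect to the management portal"


if __name__ == "__main__":
    print(nac_decision(SAMPLE_SAN_URIS, SAMPLE_INTUNE_STATE))
```

Treating a certificate with two IntuneDeviceId entries as invalid is deliberate: a NAC product that silently took the first one would let a mis-issued certificate be evaluated against the wrong device record.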
To learn more about certificate profiles, see: Use SCEP certificate profiles with Microsoft
Intune and Use a PKCS certificate profile to provision devices with certificates in
Microsoft Intune
The device isn't enrolled in Intune. In this case, no information other than that the
device isn't managed by Intune will be shared with the NAC product.
The OS prevents the specific device property from being shared with Microsoft.
Intune will share empty values back to the NAC product for data properties not
shared with Intune by the OS.
Next steps
Integrate Cisco ISE with Intune
Integrate Citrix Gateway with Intune
Integrate F5 BIG-IP Access Policy Manager with Intune
Integrate HPE Aruba ClearPass with Intune
Integrate Squadra security Removable Media Manager (secRMM) with Intune
Use certificates for authentication in Microsoft Intune
Article • 08/21/2023
Use certificates with Intune to authenticate your users to applications and corporate
resources through VPN, Wi-Fi, or email profiles. When you use certificates to
authenticate these connections, your end users don't need to enter usernames and
passwords, which can make their access seamless. Certificates are also used for signing
and encryption of email using S/MIME.
Authentication phase: The user’s authenticity is checked to confirm the user is who
they claim to be.
Authorization phase: The user is subjected to conditions for which a determination
is made on whether the user should be given access.
Intune supports Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography
Standards (PKCS), and imported PKCS certificates as methods to provision certificates on
devices. The different provisioning methods have different requirements, and results. For
example:
SCEP provisions certificates that are unique to each request for the certificate.
PKCS provisions each device with a unique certificate.
With Imported PKCS, you can deploy the same certificate that you’ve exported
from a source, like an email server, to multiple recipients. This shared certificate is
useful to ensure all your users or devices can then decrypt emails that were
encrypted by that certificate.
To provision a user or device with a specific type of certificate, Intune uses a certificate
profile.
In addition to the three certificate types and provisioning methods, you need a trusted
root certificate from a trusted Certification Authority (CA). The CA can be an on-
premises Microsoft Certification Authority, or a third-party Certification Authority. The
trusted root certificate establishes a trust from the device to your root or intermediate
(issuing) CA from which the other certificates are issued. To deploy this certificate, you
use the trusted certificate profile, and deploy it to the same devices and users that
receive the certificate profiles for SCEP, PKCS, and imported PKCS.
Tip
Intune also supports use of Derived credentials for environments that require use
of smartcards.
With a trusted root certificate deployed, you're ready to deploy certificate profiles to
provision users and devices with certificates for authentication.
Profile type - Details

Trusted certificate - Use to deploy the public key (certificate) from a root CA or
intermediary CA to users and devices to establish a trust back to the source CA. Other
certificate profiles require the trusted certificate profile and its root certificate.

SCEP certificate - Deploys a template for a certificate request to users and devices.
Each certificate that's provisioned using SCEP is unique and tied to the user or device
that requests the certificate.
With SCEP, you can deploy certificates to devices that lack a user affinity,
including use of SCEP to provision a certificate on a KIOSK or user-less device.

PKCS certificate - Deploys a template for a certificate request that specifies a
certificate type of either user or device.
- Requests for a certificate type of user always require user affinity. When
deployed to a user, each of the user's devices receives a unique certificate. When
deployed to a device with a user, that user is associated with the certificate for
that device. When deployed to a userless device, no certificate is provisioned.
- Templates with a certificate type of device don't require user affinity to provision
a certificate. Deployment to a device provisions the device. Deployment to a user
provisions the device the user is signed into with a certificate.

PKCS imported certificate - Deploys a single certificate to multiple devices and users,
which supports scenarios like S/MIME signing and encryption. For example, by
deploying the same certificate to each device, each device can decrypt email received
from that same email server.
Other certificate deployment methods are insufficient for this scenario, as SCEP
creates a unique certificate for each request, and PKCS associates a different
certificate for each user, with different users receiving different certificates.
Each individual certificate profile you create supports a single platform. For example, if
you use PKCS certificates, you create PKCS certificate profile for Android and a separate
PKCS certificate profile for iOS/iPadOS. If you also use SCEP certificates for those two
platforms, you create a SCEP certificate profile for Android, and another for iOS/iPadOS.
PKCS imported certificates require you to Install the Certificate Connector for
Microsoft Intune.
Platforms:
Android device administrator (see Note 1)
Android Enterprise - Fully Managed (Device Owner)
Android Enterprise - Dedicated (Device Owner)
Android Enterprise - Corporate-Owned Work Profile
Android Enterprise - Personally-Owned Work Profile
Android (AOSP)
iOS/iPadOS
macOS
Windows 10/11
Note 1 - Beginning with Android 11, trusted certificate profiles can no longer install
the trusted root certificate on devices that are enrolled as Android device
administrator. This limitation doesn't apply to Samsung Knox. For more
information, see Trusted certificate profiles for Android device administrator.
Note 2 - This profile is supported for Windows Enterprise multi-session remote
desktops.
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Next steps
More resources:
When using Intune to provision devices with certificates to access your corporate
resources and network, use a trusted certificate profile to deploy the trusted root
certificate to those devices. Trusted root certificates establish a trust from the device to
your root or intermediate (issuing) CA from which the other certificates are issued.
You deploy the trusted certificate profile to the same devices and users that receive the
certificate profiles for Simple Certificate Enrollment Protocol (SCEP), Public Key
Cryptography Standards (PKCS), and imported PKCS.
Tip
To export the certificate, refer to the documentation for your Certification Authority.
You'll need to export the public certificate as a DER-encoded .cer file. Don't export the
private key (a .pfx file).
You'll use this .cer file when you create trusted certificate profiles to deploy that
certificate to your devices.
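A pre-flight check for the exported file, added here as an example and not part of the Intune documentation: it distinguishes a DER-encoded X.509 certificate from a PKCS#12 (.pfx) bundle and from PEM material by reading only the outer ASN.1 structure (a certificate is a SEQUENCE whose first element is the tbsCertificate SEQUENCE; a PFX is a SEQUENCE whose first element is the version INTEGER), so a private-key export is caught before it is uploaded to a trusted certificate profile. The sample byte strings are constructed in-line with dummy contents and only reproduce those outer shapes.

```python
# Added example (not from the Intune docs). Classifies a candidate .cer upload
# by its outer ASN.1/PEM structure; no cryptography library is needed because
# only the first two DER headers are inspected.


def _der_header(data, offset=0):
    """Decode one DER tag/length header; return (tag, length, header_size)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or offset + 2 + n > len(data):
        raise ValueError("unsupported or truncated DER length")
    return tag, int.from_bytes(data[offset + 2:offset + 2 + n], "big"), 2 + n


def classify_certificate_file(data):
    """Return 'der-certificate', 'der-pkcs12', 'pem-certificate',
    'pem-private-key' or 'unknown' for the given file bytes."""
    head = data[:64].lstrip()
    if head.startswith(b"-----BEGIN "):
        if b"PRIVATE KEY" in head:         # covers RSA/EC/ENCRYPTED PRIVATE KEY
            return "pem-private-key"
        if head.startswith(b"-----BEGIN CERTIFICATE-----"):
            return "pem-certificate"
        return "unknown"
    try:
        tag, length, hdr = _der_header(data)
        if tag != 0x30 or hdr + length != len(data):
            return "unknown"               # not exactly one top-level SEQUENCE
        inner_tag, _, _ = _der_header(data, hdr)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "der-certificate"
    if inner_tag == 0x02:    # PFX ::= SEQUENCE { version INTEGER, authSafe, ... }
        return "der-pkcs12"
    return "unknown"


def check_trusted_root_export(data):
    """Return (ok, reason) for a file about to be uploaded to a trusted
    certificate profile."""
    kind = classify_certificate_file(data)
    if kind == "der-certificate":
        return True, "DER-encoded certificate; suitable for a trusted certificate profile"
    if kind == "der-pkcs12":
        return False, "PKCS#12 (.pfx) bundle, which carries the private key; export only the public certificate"
    if kind == "pem-private-key":
        return False, "PEM private key; never upload this"
    if kind == "pem-certificate":
        return False, "Base64 (PEM) certificate; re-export as a DER-encoded .cer"
    return False, "unrecognised file format"


# --- constructed samples (dummy contents, only the outer structure matters) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_seq(payload):
    return b"\x30" + _der_len(len(payload)) + payload


# Outer shape of an X.509 certificate: tbsCertificate SEQUENCE (padded past 127
# bytes so the long-form length path is exercised), signatureAlgorithm
# SEQUENCE, signatureValue BIT STRING.
SAMPLE_DER_CERT = _der_seq(_der_seq(b"\x00" * 200) + _der_seq(b"\x05\x00") + b"\x03\x02\x00\xff")
# Outer shape of a PKCS#12 PFX: version INTEGER 3, then the authSafe SEQUENCE.
SAMPLE_PFX = _der_seq(b"\x02\x01\x03" + _der_seq(b"\x00" * 10))
SAMPLE_PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in (("cert", SAMPLE_DER_CERT), ("pfx", SAMPLE_PFX), ("key", SAMPLE_PEM_KEY)):
        print(name, check_trusted_root_export(blob))
```

The length check (`hdr + length == len(data)`) also rejects files with trailing bytes, which is how a certificate pasted into a text editor and saved with an extra newline typically shows up.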
Create a separate trusted certificate profile for each device platform you want to
support, just as you'll do for SCEP, PKCS, and PKCS imported certificate profiles.
Important
Trusted root profiles that you create for the platform Windows 10 and later, display
in the Microsoft Intune admin center as profiles for the platform Windows 8.1 and
later.
This is a known issue with the presentation of the platform for Trusted certificate
profiles. While the profile displays a platform of Windows 8.1 and later, it is
functional for Windows 10/11.
Note
The Trusted Certificate profile in Intune can only be used to deliver either root or
intermediate certificates. The purpose of deploying such certificates is to establish a
chain of trust. Using the trusted certificate profile to deliver certificates other than
root or intermediate certificates is not supported by Microsoft. You might be
blocked from importing certificates that are not deemed to be root or
intermediate certificates when selecting the trusted certificate profile in the
Microsoft Intune admin center. Even if you are able to import and deploy a
certificate that is neither a root nor an intermediate certificate using this profile type,
you will likely encounter unexpected results between different platforms such as
iOS and Android.
1. Manually provision the device with the trusted root certificate. For sample
guidance, see the following section.
2. Deploy to the device, a trusted root certificate profile that references the trusted
root certificate that you’ve installed on the device.
3. Deploy a SCEP certificate profile to the device that references the trusted root
certificate profile.
This issue isn’t limited to SCEP certificate profiles. Therefore, plan to manually install the
trusted root certificate on applicable devices should your use of PKCS certificate profiles,
or PKCS Imported certificate profiles require it.
Learn more about changes in support for Android device administrator from
techcommunity.microsoft.com.
The following guidance can help you manually provision devices with a trusted root
certificate.
1. Download or transfer the trusted root certificate to the Android device. For
example, you might use email to distribute the certificate to device users, or have
users download it from a secure location. After the certificate is on the device, it
must be opened, named, and saved. Saving the certificate adds it to the User
certificate store on the device.
a. To open the certificate on the device, a user must locate and tap (open) the
certificate. For example, after sending the certificate by email, a device user can
tap on or open the certificate attachment.
b. When the certificate opens, the user must provide their PIN or otherwise
authenticate to the device before they can manage the certificate.
2. After authentication, the certificate opens and must be named before it can be
saved to the User certificate store. The certificate name must match the certificate
name that’s specified in the Trusted Root Certificate profile that will be sent to the
device.
After naming the certificate, it can be saved.
3. After being saved the certificate is ready for use. A user can confirm the certificate
is in the correct location on the device:
a. Open Settings > Security > Trusted credentials. The actual path to Trusted
credentials can vary by device.
b. Open the User tab and locate the certificate.
c. If present in the list of User certificates, the certificate is installed correctly.
4. With a root certificate installed on a device, you must still deploy the following to
provision the SCEP or PKCS certificates:
Platform: Choose the platform of the devices that will receive this profile.
Profile: Select Trusted certificate. Or, select Templates > Trusted certificate.
4. Select Create.
6. Select Next.
7. In Configuration settings, specify the .cer file for the trusted Root CA Certificate
you previously exported.
For Windows 8.1 and Windows 10/11 devices only, select the Destination Store for
the trusted certificate from:
Important
On October 22, 2022, Microsoft Intune ended support for devices running
Windows 8.1. Technical assistance and automatic updates on these devices
aren't available.
8. Select Next.
9. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
10. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.
For more information, see Applicability rules in Create a device profile in Microsoft
Intune.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Next steps
Create certificate profiles:
For Microsoft Intune to support use of certificates for authentication and the signing
and encryption of email using S/MIME, you can use the Certificate Connector for
Microsoft Intune. The certificate connector is software you install on an on-premises
server to help deliver and manage certificates for your Intune-managed devices.
This article introduces the Certificate Connector for Microsoft Intune, its lifecycle, and
how to keep it up to date.
Tip
Beginning on July 29, 2021, the Certificate Connector for Microsoft Intune
replaces the use of PFX Certificate Connector for Microsoft Intune and Microsoft
Intune Connector. The new connector includes the functionality of both previous
connectors. With the release of version 6.2109.51.0 of the Certificate Connector for
Microsoft Intune, the previous connectors are no longer supported.
Connector overview
To use the certificate connector, you’ll first download software from within the Microsoft
Intune admin center, which you’ll then install on a Windows Server.
During the installation, you can install one or more connector features, including
support for:
You'll also assign a service account to run the connector. This account is used for all
interactions with your Certification Authority, and for certificate issuance, revocation,
and renewal. Supported options for the service account include the connector server's
SYSTEM account or a Domain account.
After the connector installs, you can run configuration of the connector again at any
time to update it or change the features you’ve installed. After it's installed and
configured, the connector can automatically install future updates to keep your
connectors current to the most recent release.
Intune supports installing multiple instances of the connector in a tenant, and each
instance can support different features. If you use multiple connectors that support
different features, certificate requests are always routed to a relevant connector. For
example, if you install two connectors that support PKCS, and install two more that
support both PKCS and SCEP, certificate tasks for PKCS can be managed by any of the
four connectors, but tasks for SCEP are only directed to the two connectors that support
SCEP.
Each instance of the certificate connector has the same network requirements as devices
that are managed by Intune. For more information, see Network endpoints for Microsoft
Intune, and Intune network configuration requirements and bandwidth.
PKCS imported certificates (PFX file) for S/MIME email encryption for a specific
user.
Issuing Simple Certificate Enrollment Protocol (SCEP) certificates. When you use an
Active Directory Certificate Services Certification Authority (CA), also called a
Microsoft CA, you must also configure the Network Device Enrollment Service
(NDES) on the server that hosts the connector.
Use of SCEP with a third-party Certification Authority doesn’t require use of the
Certificate Connector for Microsoft Intune.
Certificate revocation.
Automatic updates to new versions. When servers that host the certificate
connector can access the internet, they automatically install new updates to stay
current. When a connector fails to automatically update, you can manually update
the connector.
Installation of up to 100 instances of the connector per Intune tenant, with each
instance on a separate Windows Server. When you use multiple connectors:
Each instance of the connector must have access to the private key used to
encrypt the passwords of each uploaded PFX file.
Each instance of the connector should be at the same version. Because the
connector supports automatic updates to the newest version, updates can be
managed for you by Intune.
You can configure a proxy to allow the connector to communicate with Intune.
Note
Any instance of the connector that supports PKCS can be used to retrieve
pending PKCS requests from the Intune Service queue, process Imported
certificates, and handle revocation requests. It's not possible to define
which connector handles each request.
Therefore, each connector that supports PKCS must have the same
permissions and be able to connect with all the certification authorities
defined later in the PKCS profiles.
Lifecycle
Periodically, updates to the certificate connector are released. Announcements for new
connector updates, including the version and release date for each update, appear in
the What's new for the Certificate Connector section in this article.
Is supported for six months after its release date. During this period, automatic
updates can install a newer connector version. Updated connector versions can
include but aren't limited to bug fixes and performance and feature improvements.
If an out of support connector fails, you’ll need to update to the latest supported
version.
If you block the automatic update of the connector, plan to manually update the
connector within six months, before support for the installed version ends. After
support ends, you’ll need to update the connector to a version that remains in
support to receive support for problems with the connector.
Connectors that are out of support continue to function for up to 18 months
after their release date. After 18 months, a connector's functionality might fail due to
service level improvements, updates, or changes made to address common security
vulnerabilities that might surface in the future.
For example, the connector version 6.2203.12.0 that released on May 4, 2022, will drop
from support on November 4, 2022. The same connector should continue to function
(though not be supported) until November 2023. After November 2023 the connector
might stop communicating with Intune.
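The lifecycle arithmetic above, worked through as an added example that is not part of the Intune documentation: given a connector version's release date it computes the end of support (six months) and the point after which the connector may stop working (18 months), maps that onto the Warning/Error status described later under Connector status, and lists the servers in a small inventory that need a manual update because automatic updates are blocked. The page's own example (version 6.2203.12.0 released May 4, 2022) is used as one inventory entry; the server names, the second entry and the reading that the six-month grace period is counted from the deprecated version's own release date are assumptions.

```python
import calendar
from datetime import date

# Support windows from the Lifecycle section: supported for 6 months after
# release, may keep working for up to 18 months, then may stop communicating.
SUPPORT_MONTHS = 6
FUNCTIONAL_MONTHS = 18


def add_months(d, months):
    """Calendar-month arithmetic; the day is clamped to the target month."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def connector_window(release):
    """Return (support_ends, may_stop_working) for a connector release date."""
    return add_months(release, SUPPORT_MONTHS), add_months(release, FUNCTIONAL_MONTHS)


def connector_status(release, newer_version_exists, today):
    """Map a connector's release date to the status shown in the admin center.
    Assumption (our reading of the page): a version is deprecated once a newer
    version exists, and the grace period runs from the version's release date."""
    support_ends, may_stop = connector_window(release)
    if today >= may_stop:
        return "Error", f"out of support since {support_ends}; may stop communicating with Intune"
    if today >= support_ends:
        return "Error", f"out of support since {support_ends}; update to a supported version"
    if newer_version_exists:
        return "Warning", f"deprecated; update manually before {support_ends} if auto-update is blocked"
    return "OK", f"supported until {support_ends}"


def versions_needing_manual_update(inventory, latest_release, today):
    """inventory: {server: (version, release_date)}. Returns (server, version,
    level) for every connector that is deprecated or out of support."""
    flagged = []
    for server, (version, release) in inventory.items():
        level, _ = connector_status(release, release < latest_release, today)
        if level != "OK":
            flagged.append((server, version, level))
    return flagged


# Constructed inventory. 6.2203.12.0 / May 4, 2022 is the page's own example;
# the server names and the second (placeholder) version and date are made up.
SAMPLE_INVENTORY = {
    "certconn-01": ("6.2203.12.0", date(2022, 5, 4)),
    "certconn-02": ("<newer-version-placeholder>", date(2023, 2, 1)),
}

if __name__ == "__main__":
    print(connector_window(date(2022, 5, 4)))   # (2022-11-04, 2023-11-04)
    print(versions_needing_manual_update(SAMPLE_INVENTORY, date(2023, 2, 1), date(2023, 1, 15)))
```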
Automatic update
Intune can automatically update the connector to the latest version shortly after that
connector version is released.
To update automatically, the server that hosts the connector must access the Azure
update service:
Port: 443
Endpoint: autoupdate.msappproxy.net
Manual update
The process to manually update a certificate connector is the same for reinstalling a
connector.
You can manually update a certificate connector even when it supports automatic
updates. For example, you can manually update the connector when your network
configuration blocks an automatic update.
2. To install the new version, use the procedure to install a new version of the
connector. Be sure to check for any new or updated prerequisites when installing a
newer version of a connector.
Connector status
In the Microsoft Intune admin center, you can select a certificate connector to view
information about its status:
Deprecated connectors show a Warning. After the six-month grace period, the
warning changes to an Error.
Connectors that are beyond the grace period show an Error. These connectors are
no longer supported and can stop working at any time.
Logging
Logs for the Certificate Connector for Microsoft Intune are available as Event logs on the
server where the connector is installed:
Event Viewer > Application and Service Logs > Microsoft > Intune > Certificate Connectors
The following logs are available and default to 50 MB, and have automatic archiving
enabled:
Admin Log - This log contains one log event per request to the connector. Events
include either a success with information about the request, or an error with
information about the request and the error.
Operational Log - This log displays additional information to that found in the
Admin log, and can be of use in debugging issues. This log also displays ongoing
operations instead of single events.
In addition to the default log level, you can enable debug logging for each log to obtain
more details.
Event IDs
All events have one of the following IDs:
Task Categories
All events are tagged with a Task Category to aid in filtering. Task categories contain but
aren't limited to the following list:
PKCS - Admin, Operational
PKCS Import - Admin, Operational
Revocation - Admin. Example event: Received revoke request from Intune and forwarding
request to Digicert for fulfillment of request.
SCEP - Admin. Example events: Failed to notify Intune of the result of a SCEP request, will
try again. Failed to write notification to disk and cannot notify Intune of the request
status.
Connector Health - Operational
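A small triage routine over an exported slice of these logs, added here as an example and not part of the Intune documentation or the connector: it counts events per Task Category and level, separates the transient SCEP notification retry ("will try again") from the condition that needs an operator (the connector could not write its notification to disk), and flags a sustained stream of retries, which usually means the server cannot reach Intune at all. The CSV column layout and the sample rows are constructed; only the SCEP and Revocation messages are the ones quoted in the Task Categories list above.

```python
import csv
import io
from collections import Counter

# Constructed sample (not real connector output), in a column layout assumed
# for a CSV export of the Admin and Operational logs.
SAMPLE_EXPORT = """Log,Level,TaskCategory,Message
Admin,Information,PKCS,"PKCS request processed"
Admin,Information,Revocation,"Received revoke request from Intune and forwarding request to Digicert for fulfillment of request."
Admin,Warning,SCEP,"Failed to notify Intune of the result of a SCEP request, will try again."
Admin,Error,SCEP,"Failed to write notification to disk and cannot notify Intune of the request status."
Operational,Information,Connector Health,"Heartbeat sent to Intune"
"""

# Message fragments that separate a transient retry from a condition that
# needs an operator (for example a full disk or a permissions problem).
TRANSIENT = ("will try again",)
NEEDS_OPERATOR = ("cannot notify Intune",)


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(events):
    """Return (counts by (category, level), transient events, actionable events).
    Any Error-level event, or one whose message matches NEEDS_OPERATOR, is
    actionable; retryable notifications are only noted."""
    counts = Counter((e["TaskCategory"], e["Level"]) for e in events)
    transient, actionable = [], []
    for e in events:
        msg = e["Message"]
        if e["Level"] == "Error" or any(p in msg for p in NEEDS_OPERATOR):
            actionable.append(e)
        elif any(p in msg for p in TRANSIENT):
            transient.append(e)
    return counts, transient, actionable


def scep_retry_storm(events, threshold=3):
    """True when SCEP notification retries reach the threshold; one retry is
    normal, a sustained run points at the connector's connectivity to Intune."""
    retries = sum(
        1 for e in events
        if e["TaskCategory"] == "SCEP" and any(p in e["Message"] for p in TRANSIENT)
    )
    return retries >= threshold


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    counts, transient, actionable = triage(evs)
    print(dict(counts))
    print("transient:", len(transient), "actionable:", len(actionable))
    print("retry storm:", scep_retry_storm(evs))
```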
Important
Starting April 2022, certificate connectors earlier than version 6.2101.13.0 will be
deprecated and will show a status of Error. Starting August 2022, these connector
versions won't be able to revoke certificates. Starting September 2022, these
connector versions won't be able to issue certificates. This includes both the PFX
Certificate Connector for Microsoft Intune and Microsoft Intune Connector, which
on July 29, 2021 were replaced by the Certificate Connector for Microsoft Intune (as
detailed in this article).
May 4, 2022
Version 6.2203.12.0 - Changes in this release:
Next steps
Review prerequisites for the Certificate Connector for Microsoft Intune
Prerequisites for the Certificate Connector for Microsoft Intune
Article • 02/21/2023
Before you install and configure the Certificate Connector for Microsoft Intune, review
the prerequisites and infrastructure requirements, which can vary depending on the
features you’ll configure a connector instance to support.
General prerequisites
Requirements for the computer where you install the connector software:
Note
The Server installation must include the Desktop Experience and support use
of a browser. For more information, see Install Server with Desktop
Experience in the Windows Server 2016 documentation.
.NET 4.7.2
Transport Layer Security (TLS) 1.2. For more information, see Enable support for
TLS 1.2 in your environment in the Azure Active Directory documentation.
The server must meet the same network requirements as managed devices. See
Network endpoints for Microsoft Intune, and Intune network configuration
requirements and bandwidth
To support automatic updates of the connector software, the server must have
access to the Azure update service:
Port: 443
Endpoint: autoupdate.msappproxy.net
PKCS
Requirements for PKCS certificate templates:
Certificate templates you’ll use for PKCS requests must be configured with
permissions that allow the certificate connector service account to enroll the
certificate.
The certificate templates must be added to the Certification Authority (CA).
Note
Any instance of the connector that supports PKCS can be used to retrieve pending
PKCS requests from the Intune Service queue, process Imported certificates, and
handle revocation requests. It's not possible to define which connector handles
each request.
Therefore, each connector that supports PKCS must have the same permissions and
be able to connect with all the certification authorities defined later in the PKCS
profiles.
For information about support for PKCS imported certificates, see Configure and use
imported PKCS certificates with Intune.
Revocation Prerequisites
The Certification Authority must be configured to allow the connector service
account to revoke certificates.
SCEP
The Windows Server that hosts the connector must meet the following prerequisites
that are in addition to the general prerequisites:
IIS 7 or higher
Network Device Enrollment Service (NDES) service, which is part of the Active
Directory Certificate Services role. The connector isn't supported on the same
server as your issuing Certification Authority (CA). For more information, see
Configure infrastructure to support SCEP with Intune.
On the Windows Server, configure the following Server Roles and Features:
Server Roles:
Active Directory Certificate Services
Web Server (IIS)
Features:
.NET Framework 4.7 Features
.NET Framework 4.7
ASP.NET 4.7
WCF Services
HTTP Activation
Certificate templates you’ll use for SCEP requests must be configured with
permissions that allow the Certificate Connector service account to auto enroll the
certificate.
The certificate templates must be added to the CA.
Accounts
Prepare the following accounts before you install the certificate connector software.
Installation account
You can use any user account that has local administrative permissions on the Windows
Server to install the connector software. You can use this same account to configure the
Windows Server with the NDES Windows server role should you use SCEP and a
Microsoft CA.
Logon as Service
Issue and Manage Certificates permissions on the Certification Authority (required
only for revocation scenarios).
Read and Enroll permissions on any certificate template that you’ll use to issue
certificates.
Permissions to the Key Storage Provider (KSP) that’s used by PFX Import. See
Import PFX Certificates to Intune.
The following options are supported for use as the certificate connector service account:
SYSTEM
Domain user - Use any domain user account that is an administrator on the
Windows Server.
For more information, see Install the Certificate Connector for Microsoft Intune.
For guidance on configuring the NDES server role for the Certificate Connector for
Microsoft Intune, see Set up NDES in Configure infrastructure to support SCEP with
Intune.
Next steps
Install the Certificate Connector for Microsoft Intune
Install the Certificate Connector for
Microsoft Intune
Article • 02/22/2023
To support your use of certificates with Intune, you can install the Certificate Connector
for Microsoft Intune on any Windows Server that meets the connector prerequisites. The
following sections will help you install and then configure the connector. This article also
explains how to modify a previously installed connector, and how to remove the
connector from a server.
2. Select Tenant administration > Connectors and tokens > Certificate connectors >
Add.
3. Select the certificate connector link to download the connector software. Save the
file to a location that’s accessible from the server where you're going to install the
connector.
4. Sign in to the Windows Server that will host the certificate connector and confirm
that the prerequisites for the certificate connector are installed.
If you’ll use SCEP with a Microsoft Certification Authority (CA), confirm that the
Network Device Enrollment Service (NDES) role is installed.
5. Use an account with admin permissions to the server to run the installer
(IntuneCertificateConnector.exe). The installer also installs the policy module for
NDES. The policy module runs as an application in IIS.
Note
Either the component that raises this event is not installed on your local
computer or the installation is corrupted. You can install or repair the
component on the local computer.
You can safely ignore this message. This message displays because the event
viewer manifest for the connector could not load while the event viewer is
open. After the event viewer closes and then reopens, the correct messages
display.
6. Review and agree to the license terms and conditions, and then select Install to
continue. Select Options to choose a different installation folder.
7. The connector installation takes only a moment. After installation, the setup
presents two options:
Configure Now – Select this option to close the connector installation and
open the Certificate Connector for Microsoft Intune wizard, which you use to
configure the certificate connector on the local server.
Close - This option closes the connector installation without configuring the
connector. If you choose to Close the install at this time, later you can run the
Certificate Connector for Microsoft Intune wizard to launch the connector
configuration program. By default, the wizard is found in
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Intune.
After a connector installs, you can run the installation program again to uninstall the
connector.
Tip
The installer will attempt to install the .NET Framework 4.7.2. If you experience
issues during this process, you can choose to pre-install the .NET Framework using
the Microsoft .NET Framework 4.7.2 offline installer for Windows.
Command:
C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe
Each time Certificate Connector for Microsoft Intune starts on a server you’ll see the
following Welcome page:
Tip
When you run Certificate Connector for Microsoft Intune to modify a previously
configured connector, you won’t see the Azure AD Sign In page. This is because the
connector has already been authenticated to your Azure Active Directory.
Use the following procedure to both configure a new connector and modify a previously
configured connector.
2. On Features, select the checkbox for each connector feature you want to install on
this server, and then select Next. Options include:
3. On Service Account, select the type of account to use for the service account of this
connector. The account you select must have the permissions described in
prerequisites for the certificate connector service account.
Options include:
SYSTEM
Domain user account – Use any domain user account that is an administrator
on the Windows Server.
4. On the Proxy page, add details for your proxy server if you require a proxy for
internet access. For example, http://proxy.contoso.com.
Important
Be sure to include the HTTP or HTTPS prefix. This is a change from the proxy
configuration for previous versions of the connector.
5. On the Prerequisites page, the wizard runs several checks on the server before the
configuration can begin. Review and resolve any errors or warnings before you
continue.
6. On the Azure AD Sign In page, select the environment that hosts your Azure Active
Directory, and then select Sign In. You’ll then be asked to authenticate your access.
This user account must be a Global Admin or an Intune Admin with an Intune
license assigned.
Unless you use a government cloud, use the default of Public Commercial Cloud
for Environment.
After you successfully authenticate to your Azure Active Directory, select Next to
continue:
7. On the Configure page, Intune applies your selections to the connector. If
successful, the utility continues to the Finish page where you select Exit to
complete configuration of the connector.
If configuration isn’t successful, the wizard displays details about the errors to help
you resolve the problem.
After the configuration completes successfully and the wizard closes, the Certificate
Connector for Microsoft Intune is now ready for use.
Tip
It might be helpful to rename the connector to reference the server the connector
is installed on.
To rename the connector, in the Microsoft Intune admin center, select Tenant
administration > Connectors and tokens > Certificate connectors. Select the
connector you want to rename. In Name, enter the name you want to use, and then
select Save.
Next steps
Deploy:
Intune supports use of the Simple Certificate Enrollment Protocol (SCEP) to authenticate
connections to your apps and corporate resources. SCEP uses the Certification Authority
(CA) certificate to secure the message exchange for the Certificate Signing Request
(CSR). When your infrastructure supports SCEP, you can use Intune SCEP certificate
profiles (a type of device profile in Intune) to deploy the certificates to your devices.
The Certificate Connector for Microsoft Intune is required to use SCEP certificate profiles
with Intune when you also use an Active Directory Certificate Services Certification
Authority, also called a Microsoft CA. The connector isn't supported on the same server
as your issuing Certification Authority (CA). The connector isn't required when using
Third-party Certification Authorities.
The information in this article can help you configure your infrastructure to support
SCEP when using Active Directory Certificate Services. After your infrastructure is
configured, you can create and deploy SCEP certificate profiles with Intune.
Tip
Intune also supports use of Public Key Cryptography Standards #12 certificates.
If your CA runs Windows Server 2008 R2 SP1, you must install the hotfix from
KB2483564.
NDES server role – To support using the Certificate Connector for Microsoft Intune
with SCEP, you must configure the Windows Server that hosts the certificate
connector with the Network Device Enrollment Service (NDES) server role. The
connector supports installation on Windows Server 2012 R2 or later. In a later
section of this article, we guide you through installing NDES.
The server that hosts NDES and the connector must be domain-joined and in
the same forest as your Enterprise CA.
Don't use NDES that's installed on the server that hosts the Enterprise CA. This
configuration represents a security risk when the CA services internet requests,
and installation of the connector isn't supported on the same server as your
issuing Certification Authority (CA).
Internet Explorer Enhanced Security Configuration must be disabled on the
server that hosts NDES and the Microsoft Intune Connector.
To learn more about NDES, see Network Device Enrollment Service Guidance in the
Windows Server documentation, and Using a Policy Module with the Network
Device Enrollment Service. To learn how to configure high availability for NDES, see
High Availability.
Support for NDES on the internet
To allow devices on the internet to get certificates, you must publish your NDES URL
external to your corporate network. To do this, you can use a reverse proxy like Azure
AD Application Proxy, Microsoft’s Web Application Proxy Server, or a third-party reverse
proxy service or device.
Azure AD Application Proxy – You can use the Azure AD Application Proxy instead
of a dedicated Web Application Proxy (WAP) Server to publish your NDES URL to
the internet. This solution allows both intranet and internet facing devices to get
certificates. For more information, see Integrate with Azure AD Application Proxy
on a Network Device Enrollment Service (NDES) server.
Web Application Proxy Server - Use a server that runs Windows Server 2012 R2 or
later as a Web Application Proxy (WAP) server to publish your NDES URL to the
internet. This solution allows both intranet and internet facing devices to get
certificates.
The server that hosts WAP must install an update that enables support for the long
URLs that are used by the Network Device Enrollment Service. This update is
included with the December 2014 update rollup, or individually from KB3011135.
The WAP server must have an SSL certificate that matches the name that's
published to external clients and trust the SSL certificate that's used on the
computer that hosts the NDES service. These certificates enable the WAP server to
terminate the SSL connection from clients and create a new SSL connection to the
NDES service.
For more information, see Plan certificates for WAP and general information about
WAP servers.
Third-party reverse proxy – When you use a third-party reverse proxy, ensure that
the proxy supports a long URI get request. As part of the certificate request flow,
the client makes a request with the certificate request in the query string. As a
result, the URI length can be large, up to 40 kb in size.
SCEP protocol limitations prevent use of preauthentication. When you publish the NDES
URL via a reverse proxy server, you must have Pre Authentication set to Passthrough.
Intune secures the NDES URL when you install the Intune Certificate connector, by
installing an Intune-SCEP policy module on the NDES server. The module helps to
secure the NDES URL by preventing certificates from being issued to invalid or digitally
tampered certificate requests. This limits access to only Intune enrolled devices that you
manage with Intune and that have well-formed certificate requests.
The Intune policy module works to secure NDES in the following ways:
When attempting to access the published NDES URL directly, the server returns a
403 – Forbidden: Access is denied response.
When a well-formed SCEP certificate request is received and the request payload
includes both the challenge blob and the device CSR, the policy module compares
the details of the device CSR against the challenge blob:
Only the certificate requests from an Intune enrolled device that passes the
challenge blob validation are issued a certificate.
Accounts
To configure the connector to support SCEP, use an account that has permissions to
configure NDES on the Windows Server and to manage your Certification Authority. For
details, see Accounts in the Prerequisites for the Certificate Connector for Microsoft Intune
article.
Network requirements
In addition to the network requirements for the certificate connector, we recommend
publishing the NDES service through a reverse proxy, such as the Azure AD application
proxy, Web Application Proxy, or a third-party proxy. If you don't use a reverse proxy,
then allow TCP traffic on port 443 from all hosts and IP addresses on the internet to the
NDES service.
Allow all ports and protocols necessary for communication between the NDES service
and any supporting infrastructure in your environment. For example, the computer that
hosts the NDES service needs to communicate with the CA, DNS servers, domain
controllers, and possibly other services or servers within your environment, like
Configuration Manager.
Object: SCEP Certificate Template
Details: Template that you configure on your issuing CA that's used to fulfill the devices'
SCEP requests.
Object: Server authentication certificate
Details: Web Server certificate requested from your issuing CA or public CA. You install
and bind this SSL certificate in IIS on the computer that hosts NDES.
Object: Trusted Root CA certificate
Details: To use a SCEP certificate profile, devices must trust your Trusted Root
Certification Authority (CA). Use a trusted certificate profile in Intune to provision
the Trusted Root CA certificate to users and devices.
- Use a single Trusted Root CA certificate per operating system platform and
associate that certificate with each trusted certificate profile you create.
- You can use additional Trusted Root CA certificates when needed. For example,
you might use additional certificates to provide a trust to a CA that signs the
server authentication certificates for your Wi-Fi access points. Create additional
Trusted Root CA certificates for issuing CAs. In the SCEP certificate profile you
create in Intune, be sure to specify the Trusted Root CA profile for the issuing
CA.
For information about the trusted certificate profile, see Export the trusted root
CA certificate and Create trusted certificate profiles in Use certificates for
authentication in Intune.
Note
The following certificate is not used with the Certificate Connector for Microsoft
Intune. This information is provided for those who have not yet replaced the older
connector for SCEP (installed by NDESConnectorSetup.exe) with the new connector
software.
Object: Client authentication certificate
Details: You install this certificate on the computer that hosts the NDES service and it's
used by the Certificate Connector for Microsoft Intune. If the certificate has the client
and server authentication key usages set (Enhanced Key Usages) on the CA template that
you use to issue this certificate, you can then use the same certificate for server and
client authentication.
File-based encryption, which is required on devices that are installed by the OEM
with Android 10 or later. These devices won’t require a PIN. Devices that upgrade
to Android 10 might still require a PIN.
Note
The version of Android on a device can affect the available encryption type:
Android 10 and later: Devices installed with Android 10 or later by the OEM use
file-based encryption and won't require a PIN for SCEP to provision a certificate.
Devices that upgrade to version 10 or later and begin to use file-based encryption
might still require a PIN.
For more information, see the following articles in the Android documentation:
File-Based Encryption
Full-Disk Encryption
Considerations for devices enrolled as Android Enterprise dedicated
For devices that run 9.0 and later and receive a kiosk-mode policy, you can use a device
compliance or device configuration policy to enforce the password requirement. View
Support Tip: New Google-based Compliance Screens for Kiosk Mode from the Intune
Support Team, to understand the device experience.
For devices that run 8.x and earlier, you can also use a device compliance or device
configuration policy to enforce the password requirement. However, to set up a PIN, you
need to manually enter the settings application on the device and configure the PIN.
The following sections require knowledge of Windows Server 2012 R2 or later, and of
Active Directory Certificate Services (AD CS).
General:
Uncheck Publish certificate in Active Directory.
Specify a friendly Template display name so you can identify this template
later.
Subject Name:
Select Supply in the request. The Intune policy module for NDES enforces
security.
Extensions:
Important
Only add the application policies that you require. Confirm your
choices with your security admins.
For iOS/iPadOS and macOS certificate templates, also edit Key Usage and
make sure Signature is proof of origin isn't selected.
Security:
Add the NDES service account. This account requires Read and Enroll
permissions to this template.
Add additional Accounts for Intune administrators who will create SCEP
profiles. These accounts require Read permissions to the template to
enable these admins to browse to this template while creating SCEP
profiles.
Request Handling:
Note
The following certificate is not used with the Certificate Connector for Microsoft
Intune. This information is provided for those who have not yet replaced the older
connector for SCEP (installed by NDESConnectorSetup.exe) with the new connector
software.
The Microsoft Intune Connector requires a certificate with the Client Authentication
Enhanced Key Usage and Subject name equal to the FQDN of the machine where the
connector is installed. A template with the following properties is required:
Note
If you have a certificate that satisfies both requirements from the client and server
certificate templates, you can use a single certificate for both IIS and the certificate
connector.
On the server that hosts the certificate connector, use either the NDES server system
account or a specific account such as the NDES service account.
If you opt to use the NDES server system account, provide the permissions to
the NDES server.
If you opt to use the NDES service account, provide permissions for that
account instead.
Modify the validity period of the certificate template
It's optional to modify the validity period of the certificate template.
After you create the SCEP certificate template, you can edit the template to review the
Validity period on the General tab.
By default, Intune uses the value configured in the template, but you can configure the
CA to allow the requester to enter a different value, so that value can be set from within
the Microsoft Intune admin center.
Plan to use a validity period of five days or greater. When the validity period is less than
five days, there's a high likelihood of the certificate entering a near-expiry or expired
state, which can cause the MDM agent on devices to reject the certificate before it’s
installed.
Important
For iOS/iPadOS and macOS, always use a value set in the template.
2. Validate that the template has been published by viewing it in the Certificate
Templates folder.
Set up NDES
The following procedures can help you configure the Network Device Enrollment Service
(NDES) for use with Intune. These are provided as examples as the actual configuration
might vary depending on your version of Windows Server. Ensure required
configurations you add like those for .NET Framework meet the prerequisites for the
Certificate Connector for Microsoft Intune.
For more information about NDES, see Network Device Enrollment Service Guidance.
a. In the Wizard, select Active Directory Certificate Services to gain access to the
AD CS Role Services. Select Network Device Enrollment Service, uncheck
Certification Authority, and then complete the wizard.
Tip
b. When NDES is added to the server, the wizard also installs IIS. Confirm that IIS
has the following configurations:
Installing ASP.NET 3.5 installs .NET Framework 3.5. When installing .NET
Framework 3.5, install both the core .NET Framework 3.5 feature and
HTTP Activation.
Installing ASP.NET 4.7.2 installs .NET Framework 4.7.2. When installing .NET
Framework 4.7.2, install the core .NET Framework 4.7.2 feature, ASP.NET
4.7.2, and the WCF Services > HTTP Activation feature.
Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase
Compatibility
On the server, add the NDES service account as a member of the local
IIS_IUSRS group.
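The role services and features above are selected through the Add Roles and Features wizard in the text; the following PowerShell script is an added example, not part of the Intune documentation, that installs the same set with Install-WindowsFeature and then adds the NDES service account to the local IIS_IUSRS group. It assumes Windows Server 2016 or later (for Add-LocalGroupMember) and uses the constructed account name contoso\NDESService; the feature names are the standard Windows feature identifiers for the items the procedure lists, and the Certification Authority role service is deliberately left out because the connector is unsupported on the issuing CA.

```powershell
# Added example (not from the Intune documentation): installs the NDES role service and
# the IIS / .NET features listed above with Install-WindowsFeature, then adds the NDES
# service account to the local IIS_IUSRS group. Assumes Windows Server 2016 or later
# (for Add-LocalGroupMember); contoso\NDESService is a constructed account name.
param(
    [string]$NdesServiceAccount = 'contoso\NDESService'
)
Import-Module ServerManager

# Windows feature names for the items the procedure lists. ADCS-Cert-Authority is left
# out on purpose: the connector is unsupported on the issuing CA.
$features = @(
    'ADCS-Device-Enrollment',    # Network Device Enrollment Service
    'Web-Server',                # Web Server (IIS)
    'Web-Metabase',              # IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
    'Web-Asp-Net',               # ASP.NET 3.5 under IIS
    'Web-Asp-Net45',             # ASP.NET 4.x under IIS
    'NET-Framework-Features',    # .NET Framework 3.5 Features
    'NET-Framework-Core',        # .NET Framework 3.5 core
    'NET-HTTP-Activation',       # .NET 3.5 HTTP Activation
    'NET-Framework-45-Features', # .NET Framework 4.x Features
    'NET-Framework-45-Core',
    'NET-Framework-45-ASPNET',   # ASP.NET 4.x
    'NET-WCF-HTTP-Activation45'  # WCF Services > HTTP Activation
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Feature installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server before configuring NDES.'
}

# IIS_IUSRS membership for the NDES service account; skip if already a member.
$members = Get-LocalGroupMember -Group 'IIS_IUSRS' | Select-Object -ExpandProperty Name
if ($members -notcontains $NdesServiceAccount) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $NdesServiceAccount
}

# Verify every feature reports Installed; anything else should be fixed before continuing.
Get-WindowsFeature -Name $features |
    Select-Object Name, InstallState |
    Format-Table -AutoSize
```

Installing .NET Framework 3.5 (NET-Framework-Core) may require the -Source parameter pointing at installation media on servers without internet access to Windows Update; the script surfaces that as a failed Install-WindowsFeature result rather than hiding it.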
2. On the computer that hosts the NDES service, run the following command in an
elevated command prompt. The following command sets the SPN of the NDES
Service account:
setspn -s http/<DNS name of the computer that hosts the NDES service> <Domain
For example, if the computer that hosts the NDES service is named Server01, your
domain is Contoso.com, and the service account is NDESService, use:
1. On the computer that hosts the NDES service, open the AD CS Configuration
wizard, and then make the following updates:
Tip
If you're continuing on from the last procedure and clicked the Configure
Active Directory Certificate Services on the destination server link, this
wizard should already be open. Otherwise, open Server Manager to access the
post-deployment configuration for Active Directory Certificate Services.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\
To update this key, identify the certificate templates' Purpose (found on its
Request Handling tab). Then, update the corresponding registry entry by replacing
the existing data with the name of the certificate template (not the display name of
the template) that you specified when you created the certificate template.
The following table maps the certificate template purpose to the values in the
registry:
Digital Signature
For example, if the Purpose of your certificate template is Encryption, then edit the
EncryptionTemplate value to be the name of your certificate template.
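The SPN registration above and the MSCEP registry update are the two steps that most often get typed inconsistently (display name instead of template name, SPN on the wrong account). The following PowerShell script is an added example, not part of the Intune documentation, that performs both and then verifies them. Server01.contoso.com and NDESService are the article's own sample names; the template name IntuneSCEP, the CA config string CA01.contoso.com\Contoso-Issuing-CA, and the SignatureTemplate and GeneralPurposeTemplate value names (the MSCEP values for the Signature and Encryption-and-Signature purposes) are assumptions not stated on this page.

```powershell
# Added example (not from the Intune documentation): sets the SPN for the NDES service
# account and points the MSCEP registry value for the template's purpose at the SCEP
# template, then confirms both. Server01.contoso.com and NDESService are the article's own
# sample names; the template name, the CA config string, and the SignatureTemplate and
# GeneralPurposeTemplate value names are assumptions not stated on this page.
param(
    [string]$NdesHost       = 'Server01.contoso.com',
    [string]$ServiceAccount = 'contoso\NDESService',
    [string]$TemplateName   = 'IntuneSCEP',                    # template name, not display name
    [string]$CaConfig       = 'CA01.contoso.com\Contoso-Issuing-CA',
    [ValidateSet('Encryption', 'Signature', 'EncryptionAndSignature')]
    [string]$TemplatePurpose = 'Encryption'                    # from the template's Request Handling tab
)

# 1. SPN. setspn -s checks the forest for a duplicate before adding, so it is safe to re-run.
& setspn.exe -s "http/$NdesHost" $ServiceAccount | Out-Null
$registered = & setspn.exe -l $ServiceAccount
if (-not ($registered -match "^\s*http/$([regex]::Escape($NdesHost))\s*$")) {
    throw "SPN http/$NdesHost is not registered on $ServiceAccount"
}

# 2. Registry. NDES reads the template name from the MSCEP value matching the purpose.
$mscepKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$valueName = switch ($TemplatePurpose) {
    'Encryption'             { 'EncryptionTemplate' }
    'Signature'              { 'SignatureTemplate' }
    'EncryptionAndSignature' { 'GeneralPurposeTemplate' }
}
Set-ItemProperty -Path $mscepKey -Name $valueName -Value $TemplateName

# 3. Confirm the CA actually publishes that template; NDES cannot issue from an
#    unpublished template. certutil lists each published template as "<name>: <display name> -- ...".
$published = & certutil.exe -CATemplates -config $CaConfig 2>$null
if (-not ($published -match "^$([regex]::Escape($TemplateName)):")) {
    Write-Warning "Template '$TemplateName' is not published on $CaConfig"
}

# Read back all three MSCEP template values for the record.
Get-ItemProperty -Path $mscepKey |
    Select-Object EncryptionTemplate, SignatureTemplate, GeneralPurposeTemplate
```

The SPN step needs rights to write servicePrincipalName on the service account (typically Domain Admins or a delegated account); the registry step needs local administrator rights on the NDES server. Restart the server afterwards as step 3 says, because the registry values are only read when NDES starts.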
3. Restart the server that hosts the NDES service. Don't use iisreset; iisreset doesn't
complete the required changes.
If the web address returns a 503 Service unavailable, check the computer's event
viewer. This error commonly occurs when the application pool is stopped due to a
missing permission for the NDES service account.
Install and bind certificates on the server that hosts NDES
On the NDES server, add a Server authentication certificate.
This certificate is used in IIS. It's a simple Web server certificate that allows the
client to trust the NDES URL.
Depending on how you expose your NDES to the internet, there are different
requirements.
Note
If you are using Azure AD App Proxy, the AAD App Proxy connector will translate
the requests from the external URL to the internal URL. As such, NDES will only
respond to requests directed to the internal URL, usually the FQDN of the NDES
Server.
a. After installing the server authentication certificate, open IIS Manager, and
select the Default Web Site. In the Actions pane, select Bindings.
b. Select Add, set Type to https, and then confirm the port is 443.
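After the binding is in place, the 503 guidance earlier in this article and the 403 behaviour of the Intune policy module give you three concrete things to verify. The following PowerShell script is an added example, not part of the Intune documentation: it checks the https binding, the state of the SCEP application pool, and the response NDES gives to a direct request, and pulls recent application pool errors from the System log. It assumes Windows PowerShell 5.1 with the WebAdministration module, the NDES defaults (application pool named SCEP, virtual path /certsrv/mscep/mscep.dll), and a constructed host name.

```powershell
# Added example (not from the Intune documentation): post-configuration checks for the NDES
# site in IIS, covering the 503 guidance above and the https binding step. It assumes
# Windows PowerShell 5.1 with the WebAdministration module, the NDES defaults (app pool
# named SCEP, virtual path /certsrv/mscep/mscep.dll), and a constructed host name.
param(
    [string]$NdesFqdn = 'Server01.contoso.com'
)
Import-Module WebAdministration
$ok = $true

# 1. https binding on port 443 with a certificate attached (step b above).
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' } | Select-Object -First 1
if (-not $binding) {
    Write-Warning 'No https binding on port 443'; $ok = $false
} elseif (-not $binding.certificateHash) {
    Write-Warning 'The https binding has no server authentication certificate'; $ok = $false
}

# 2. The SCEP application pool must be running; a stopped pool is the usual cause of 503.
$poolState = (Get-WebAppPoolState -Name 'SCEP').Value
if ($poolState -ne 'Started') {
    Write-Warning "SCEP application pool is '$poolState'; check the System log for WAS errors"
    $ok = $false
}

# 3. A direct request to the NDES URL should be refused with 403 once the Intune policy
#    module is in place. 503 points back to the app pool; 200 means nothing is gating it.
try {
    $resp = Invoke-WebRequest -Uri "https://$NdesFqdn/certsrv/mscep/mscep.dll" -UseBasicParsing -ErrorAction Stop
    Write-Warning "NDES answered $($resp.StatusCode) to a direct request; expected 403"
    $ok = $false
} catch [System.Net.WebException] {
    # Response is null when the TLS handshake or the connection itself failed.
    $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    switch ($code) {
        403     { Write-Host 'NDES URL is gated by the policy module (403), as expected' }
        503     { Write-Warning 'NDES returned 503; inspect the event viewer for the app pool failure'; $ok = $false }
        0       { Write-Warning "No HTTP response: $($_.Exception.Message)"; $ok = $false }
        default { Write-Warning "Unexpected status $code from the NDES URL"; $ok = $false }
    }
}

# 4. Surface recent WAS (application pool) errors from the System log to explain a 503.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, Message -First 5

if ($ok) { 'NDES checks passed' } else { 'NDES checks failed' }
```

Run it on the NDES server itself after the connector has been installed; before the policy module is present, a direct request to mscep.dll is not refused with 403, so that check is only meaningful once the connector configuration has completed.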
Note
When configuring NDES for the Certificate Connector for Microsoft Intune, only
the Server authentication certificate is used. If you're configuring NDES to support
the older certificate connector (NDESConnectorSetup.exe), you must also configure
a Client authentication certificate. You can use a single certificate for both server
authentication and client authentication when that certificate is configured to meet
the criteria of both uses.
Regarding the Subject Name, it must meet the client
authentication certificate requirements.
The following information is provided for those who have not yet replaced the
older connector for SCEP (installed by NDESConnectorSetup.exe) with the new
connector software.
This certificate is used during install of the Certificate Connector for Microsoft
Intune to support SCEP.
Request and install a client authentication certificate from your internal CA, or
a public certificate authority.
The certificate connector installs on the server that runs your NDES service.
The connector isn't supported on the same server as your issuing Certification
Authority (CA).
Next steps
Create a SCEP certificate profile
Create and assign SCEP certificate
profiles in Intune
Article • 08/23/2023
After you configure your infrastructure to support Simple Certificate Enrollment Protocol
(SCEP) certificates, you can create and then assign SCEP certificate profiles to users and
devices in Intune.
For devices to use a SCEP certificate profile, they must trust your Trusted Root
Certification Authority (CA). Trust of the root CA is best established by deploying a
trusted certificate profile to the same group that receives the SCEP certificate profile.
Trusted certificate profiles provision the Trusted Root CA certificate.
Devices that run Android Enterprise might require a PIN before SCEP can provision them
with a certificate. For more information, see PIN requirement for Android Enterprise.
Note
Beginning with Android 11, trusted certificate profiles can no longer install the
trusted root certificate on devices that are enrolled as Android device administrator.
This limitation does not apply to Samsung Knox.
For more information about this limitation, see Trusted certificate profiles for
Android device administrator.
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Tip
Profile: Select SCEP certificate. Or, select Templates > SCEP certificate.
For Android Enterprise, Profile type is divided into two categories: Fully
Managed, Dedicated, and Corporate-Owned Work Profile; and Personally-Owned Work
Profile. Be sure to select the correct SCEP certificate profile for the devices you
manage.
SCEP certificate profiles for the Fully Managed, Dedicated, and Corporate-
Owned Work Profile profile have the following limitations:
a. Under Monitoring, certificate reporting isn't available for Device Owner
SCEP certificate profiles.
b. You can't use Intune to revoke certificates that were provisioned by SCEP
certificate profiles for Device Owner. You can manage revocation through
an external process or directly with the certification authority.
c. For Android Enterprise dedicated devices, SCEP certificate profiles are
supported for Wi-Fi network configuration, VPN, and authentication. SCEP
certificate profiles on Android Enterprise dedicated devices aren't
supported for app authentication.
Note
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is SCEP
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
Certificate type:
User: User certificates can contain both user and device attributes in the
subject and SAN of the certificate.
Device: Device certificates can only contain device attributes in the subject
and SAN of the certificate.
Use Device for scenarios such as user-less devices, like kiosks, or for
Windows devices. On Windows devices, the certificate is placed in the
Local Computer certificate store.
Note
macOS - Certificates you provision with SCEP are always placed in the
system keychain (System store) of the device.
Android - Devices have both a VPN and apps certificate store, and a
WIFI certificate store. Intune always stores SCEP certificates in the
VPN and apps store on a device. Use of the VPN and apps store
makes the certificate available for use by any other app.
When configured for VPN apps, the user is prompted to select the
correct certificate. Silent certificate approval for Fully Managed (or
BYOD scenarios) is not supported. If everything is set up correctly, the
correct certificate should already be preselected in the dialog box.
Enter text to tell Intune how to automatically create the subject name in the
certificate request. Options for the subject name format depend on the
Certificate type you select, either User or Device.
Tip
Note
There is a known issue for using SCEP to get certificates when the
subject name in the resulting Certificate Signing Request (CSR) includes
one of the following characters as an escaped character (preceded by a
backslash \):
+
;
,
=
Note
For more information about this and other changes introduced with
Android 12, see the Android Day Zero Support for Microsoft Endpoint
Manager blog post.
Use the text box to enter a custom subject name format, including static
text and variables. Two variable options are supported: Common Name
(CN) and Email (E).
Email (E) would usually be set with the {{EmailAddress}} variable. For
example: E={{EmailAddress}}
Note
Avoid using {{DeviceId}} for the subject name on Windows devices. In
certain instances, a certificate generated with this subject name causes
sync with Intune to fail.
All device variables listed in the following Device certificate type section
can also be used in user certificate subject names.
That example includes a subject name format that uses the CN and E
variables, and strings for Organizational Unit, Organization, Location, State,
and Country values. The CertStrToName function documentation describes this
format and its supported strings.
User attributes are not supported for devices that don’t have user
associations, such as devices that are enrolled as Android Enterprise
dedicated. For example, a profile that uses CN={{UserPrincipalName}} in
the subject or SAN won’t be able to get the user principal name when
there is no user on the device.
Format options for the Subject name format include the following
variables:
{{AAD_Device_ID}} or {{AzureADDeviceId}} - Either variable can be used
to identify a device by its Azure AD ID.
{{DeviceId}} - The Intune device ID
{{Device_Serial}}
{{Device_IMEI}}
{{SerialNumber}}
{{IMEINumber}}
{{WiFiMacAddress}}
{{IMEI}}
{{DeviceName}}
{{FullyQualifiedDomainName}} (Only applicable for Windows and
domain-joined devices)
{{MEID}}
You can specify these variables and static text in the textbox. For example,
the common name for a device named Device1 can be added as
CN={{DeviceName}}Device1.
Important
When you specify a variable, enclose the variable name in double
curly brackets {{ }} as seen in the example, to avoid an error.
Device properties used in the subject or SAN of a device certificate,
like IMEI, SerialNumber, and FullyQualifiedDomainName, are
properties that could be spoofed by a person with access to the
device.
A device must support all variables specified in a certificate profile
for that profile to install on that device. For example, if {{IMEI}} is
used in the subject name of a SCEP profile and is assigned to a
device that doesn't have an IMEI number, the profile fails to install.
Note
Variables available for the SAN value depend on the Certificate type you
selected; either User or Device.
Note
With the User certificate type, you can use any of the user or device
certificate variables described above in the Subject Name section.
For example, user certificate types can include the user principal name
(UPN) in the subject alternative name. If a client certificate is used to
authenticate to a Network Policy Server, set the subject alternative name
to the UPN.
With the Device certificate type, you can use any of the variables described
in the Device certificate type section for Subject Name.
To specify a value for an attribute, include the variable name with curly
brackets, followed by the text for that variable. For example, a value for the
DNS attribute can be added as {{AzureADDeviceId}}.domain.com, where
.domain.com is the text. For a user named User1, an Email address might
appear as {{FullyQualifiedDomainName}}User1@Contoso.com.
{{UserName}}-Home
Important
When using a device certificate variable, enclose the variable name
in double curly brackets {{ }}.
Don't use curly brackets { }, pipe symbols |, and semicolons ;, in the
text that follows the variable.
Device properties used in the subject or SAN of a device certificate,
like IMEI, SerialNumber, and FullyQualifiedDomainName, are
properties that could be spoofed by a person with access to the
device.
A device must support all variables specified in a certificate profile
for that profile to install on that device. For example, if {{IMEI}} is
used in the SAN of a SCEP profile and is assigned to a device that
doesn't have an IMEI number, the profile fails to install.
You can enter a value that is lower than the validity period in the certificate
template, but not higher. If you configured the certificate template to support
a custom value that can be set from within the Intune admin center, use this
setting to specify the amount of remaining time before the certificate expires.
For example, if the certificate validity period in the certificate template is two
years, you can enter a value of one year, but not a value of five years. The
value must also be lower than the remaining validity period of the issuing
CA's certificate.
Plan to use a validity period of five days or greater. When the validity period
is less than five days, there is a high likelihood of the certificate entering a
near-expiry or expired state, which can cause the MDM agent on devices to
reject the certificate before it’s installed.
Specify where the key to the certificate is stored. Choose from the following
values:
Enroll to Trusted Platform Module (TPM) KSP if present, otherwise
Software KSP
Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
Enroll to Windows Hello for Business, otherwise fail (Windows 10 and
later)
Enroll to Software KSP
Key usage:
Not configured
1024
2048
Hash algorithm:
Select one of the available hash algorithm types to use with this certificate.
Select the strongest level of security that the connecting devices support.
NOTE: Android AOSP and Android Enterprise devices will select the strongest
algorithm supported - SHA-1 will be ignored, and SHA-2 will be used instead.
Root Certificate:
Select the trusted certificate profile you previously configured and assigned to
applicable users and devices for this SCEP certificate profile. The trusted
certificate profile is used to provision users and devices with the Trusted Root
CA certificate. For information about the trusted certificate profile, see Export
your trusted root CA certificate and Create trusted certificate profiles in Use
certificates for authentication in Intune.
Add values for the certificate's intended purpose. In most cases, the
certificate requires client authentication so that the user or device can
authenticate to a server. You can add additional key usages as required.
Enter the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate. For example, if you enter 20, the renewal
of the certificate will be attempted when the certificate is 80% expired.
Renewal attempts continue until renewal is successful. Renewal generates a
new certificate, which results in a new public/private key pair.
Enter one or more URLs for the NDES Servers that issue certificates via SCEP.
For example, enter something like https://ndes.contoso.com/certsrv/mscep/mscep.dll.
To allow devices on the internet to get certificates, you must specify the NDES
URL external to your corporate network. The URL can be HTTP or HTTPS.
However, to support the following devices, the SCEP Server URL must use
HTTPS:
Android device administrator
Android Enterprise device owner
Android Enterprise corporate-owned work profile
Android Enterprise personally-owned work profile
You can add additional SCEP URLs for load balancing as needed. Devices
make three separate calls to the NDES server. The first is to get the server's
capabilities, the next to get a public key, and then to submit a signing
request. When you use multiple URLs, it's possible that load balancing might
result in a different URL being used for subsequent calls to an NDES server. If
a different server is contacted for a subsequent call during the same request,
the request will fail.
The behavior for managing the NDES server URL is specific to each device
platform:
Android: The device randomizes the list of URLs received in the SCEP
policy, and then works through the list until an accessible NDES server is
found. The device then continues to use that same URL and server through
the entire process. If the device can’t access any of the NDES servers, the
process fails.
iOS/iPadOS: Intune randomizes the URLs and provides a single URL to a
device. If the device can’t access the NDES server, the SCEP request fails.
Windows: The list of NDES URLs is randomized and then passed to the
Windows device, which then tries them in the order received, until one
that's available is found. If the device can’t access any of the NDES servers,
the process fails.
If a device fails to reach the same NDES server successfully during any of the
three calls to the NDES server, the SCEP request fails. For example, this might
happen when a load-balancing solution provides a different URL for the
second or third call to the NDES server, or provides a different actual NDES
server based on a virtualized URL for NDES. After a failed request, a device
tries the process again on its next policy cycle, starting with the randomized
list of NDES URLs (or a single URL for iOS/iPadOS).
8. This step applies only to Android Enterprise device profiles for Fully Managed,
Dedicated, and Corporate-Owned Work Profile.
Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) – With
this option, select Add apps, and then select one or more apps that will
silently use the certificate without user interaction.
9. Select Next.
10. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.
For more information, see Applicability rules in Create a device profile in Microsoft
Intune.
12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
+
,
;
=
When your subject name includes one of the special characters, use one of the following
options to work around this limitation:
Encapsulate the CN value that contains the special character with quotes.
Remove the special character from the CN value.
For example, you have a Subject Name that appears as Test user (TestCompany, LLC). A
CSR that includes a CN that has the comma between TestCompany and LLC presents a
problem. The problem can be avoided by placing quotes around the entire CN, or by
removing the comma from between TestCompany and LLC:
However, attempts to escape the comma by using a backslash character will fail with an
error in the CRP logs:
at Microsoft.ConfigurationManager.CertRegPoint.ChallengeValidation.ValidationPhase3(PKCSDecodedObject pkcsObj, CertEnrollChallenge challenge, String templateName, Int32 skipSANCheck)
Exception: at Microsoft.ConfigurationManager.CertRegPoint.ChallengeValidation.ValidationPhase3(PKCSDecodedObject pkcsObj, CertEnrollChallenge challenge, String templateName, Int32 skipSANCheck)
at Microsoft.ConfigurationManager.CertRegPoint.Controllers.CertificateController.VerifyRequest(VerifyChallengeParams value
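The variable rules from the subject name and SAN sections above and the escaped-character known issue can be checked before a profile is deployed. The following Python linter is an added example, not Microsoft's code or the admin center's own validation; its platform labels and function names are this example's own, and the findings it emits only restate the constraints documented in this article.

```python
"""Pre-flight linter for Intune subject name and SAN formats (added example, not
Microsoft's code). Rules encoded: variables in double curly brackets, only the
listed variables, {{DeviceId}} avoided on Windows, no { } | ; in SAN text, no
serial/IMEI/MEID on Android 12+ personally-owned work profiles, and no
backslash-escaped + ; , = in the CN (rejected by the Certificate Registration Point)."""
import re

USER_VARIABLES = {"UserName", "EmailAddress", "UserPrincipalName"}
DEVICE_VARIABLES = {
    "AAD_Device_ID", "AzureADDeviceId", "DeviceId", "Device_Serial",
    "Device_IMEI", "SerialNumber", "IMEINumber", "WiFiMacAddress", "IMEI",
    "DeviceName", "FullyQualifiedDomainName", "MEID",
}
ANDROID12_BLOCKED = {"Device_Serial", "SerialNumber", "Device_IMEI", "IMEINumber", "IMEI", "MEID"}
PROBLEM_ESCAPES = {"+", ";", ",", "="}
SAN_TEXT_FORBIDDEN = {"{", "}", "|", ";"}

DOUBLE_BRACE = re.compile(r"\{\{([A-Za-z_]+)\}\}")
SINGLE_BRACE = re.compile(r"(?<!\{)\{([A-Za-z_]+)\}(?!\})")   # {Var} written with one brace pair


def split_rdns(subject):
    """Split 'CN=a,O=b' into (attr, value, quoted, escaped) tuples. A comma inside
    double quotes or after a backslash does not end an RDN; 'escaped' lists the
    characters that were backslash-escaped in the value."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):   # keep escape pairs intact
            buf.extend((ch, subject[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        value = value.strip()
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        escaped, k = [], 0
        while k < len(value):
            if value[k] == "\\" and k + 1 < len(value):
                escaped.append(value[k + 1])
                k += 2
            else:
                k += 1
        rdns.append((attr.strip(), value, quoted, escaped))
    return rdns


def lint_subject(fmt, platform="Windows", certificate_type="User"):
    """Return human-readable findings; an empty list means the format passes."""
    findings = []
    for name in SINGLE_BRACE.findall(fmt):
        findings.append(f"{{{name}}} uses single braces; write {{{{{name}}}}}")
    allowed = DEVICE_VARIABLES | (USER_VARIABLES if certificate_type == "User" else set())
    for name in DOUBLE_BRACE.findall(fmt):
        if name not in allowed:
            findings.append(f"{{{{{name}}}}} is not a supported {certificate_type} certificate variable")
        elif name == "DeviceId" and platform == "Windows":
            findings.append("{{DeviceId}} in the subject can make Intune sync fail on Windows devices")
        elif name in ANDROID12_BLOCKED and platform == "AndroidPersonallyOwnedWorkProfile":
            findings.append(f"{{{{{name}}}}} is unavailable on Android 12+ personally-owned work profiles")
    for attr, _value, _quoted, escaped in split_rdns(fmt):
        bad = sorted(set(escaped) & PROBLEM_ESCAPES)
        if attr.upper() == "CN" and bad:
            findings.append(f"CN contains backslash-escaped {' '.join(bad)}; "
                            "quote the CN value or remove the character")
    return findings


def quote_cn(fmt):
    """Apply the documented workaround: put the CN value in quotes and drop the
    backslash escapes so the special characters appear literally inside them."""
    out = []
    for attr, value, quoted, escaped in split_rdns(fmt):
        if attr.upper() == "CN" and escaped and not quoted:
            value = '"' + re.sub(r"\\(.)", r"\1", value) + '"'
        out.append(f"{attr}={value}")
    return ",".join(out)


def lint_san_value(value):
    """Check one SAN value such as {{AzureADDeviceId}}.domain.com: the text around
    the variable must not contain { } | or ;."""
    bad = sorted(set(DOUBLE_BRACE.sub("", value)) & SAN_TEXT_FORBIDDEN)
    return [f"SAN text contains disallowed character(s): {' '.join(bad)}"] if bad else []
```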
To use a SCEP certificate profile, a device must have also received the trusted
certificate profile that provisions it with your Trusted Root CA certificate. We
recommend you deploy both the trusted root certificate profile and SCEP certificate
profile to the same groups.
When you assign SCEP certificate profiles to groups, the Trusted Root CA certificate
file (as specified in the trusted certificate profile) is installed on the device. The
device uses the SCEP certificate profile to create a certificate request for that
Trusted Root CA certificate.
The SCEP certificate profile installs only on devices that run the platform you
specified when you created the certificate profile.
To publish a certificate to a device quickly after the device enrolls, assign the
certificate profile to a user group rather than to a device group. If you assign to a
device group, a full device registration is required before the device receives
policies.
Next steps
Assign profiles
Use third-party certification authorities (CA) with Intune. Third-party CAs can provision
mobile devices with new or renewed certificates by using the Simple Certificate
Enrollment Protocol (SCEP), and can support Windows, iOS/iPadOS, Android, and
macOS devices.
There are two parts to using this feature: an open-source API, and the Intune administrator
tasks.
Microsoft created an API to integrate with Intune. Through the API you can validate
certificates, send success or failure notifications, and use SSL, specifically SSL socket
factory, to communicate with Intune.
The API is available on the Intune SCEP API public GitHub repository for you to
download, and use in your solutions. Use this API with third-party SCEP servers to run
custom challenge validation against Intune before SCEP provisions a certificate to a
device.
Integrate with Intune SCEP management solution provides more details on using the
API, its methods, and testing the solution you build.
Using an Azure Active Directory (Azure AD) application, you can delegate rights to
Intune to handle SCEP requests coming from devices. The Azure AD application includes
application ID and authentication key values that are used within the API solution the
developer creates. Administrators then create and deploy SCEP certificate profiles using
Intune and can view reports on the deployment status on the devices.
Overview
The following steps provide an overview of using SCEP for certificates in Intune:
1. In Intune, an administrator creates a SCEP certificate profile, and then targets the
profile to users or devices.
2. The device checks in to Intune.
3. Intune creates a unique SCEP challenge. It also adds additional integrity-check
information, such as what the expected subject and SAN should be.
4. Intune encrypts and signs both the challenge and integrity-check information, and
then sends this information to the device with the SCEP request.
5. The device generates a certificate signing request (CSR) and public/private key pair
on the device based on the SCEP certificate profile that's pushed from Intune.
6. The CSR and encrypted/signed challenge are sent to the third-party SCEP server
endpoint.
7. The SCEP server sends the CSR and the challenge to Intune. Intune then validates
the signature, decrypts the payload, and compares the CSR to the integrity-check
information.
8. Intune sends back a response to the SCEP server, and states whether the challenge
validation is successful or not.
9. If the challenge is successfully verified, then the SCEP server issues the certificate to
the device.
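As an added illustration of steps 3, 4, 7 and 8 (example code, not the Intune SCEP API or Microsoft's implementation), the Python below models the integrity check the flow relies on: the issuer binds the expected subject, SAN and template to a one-time nonce and an expiry under a keyed HMAC, and validation succeeds only when the CSR forwarded by the SCEP server matches that record exactly, the tag verifies, and the challenge is neither expired nor already redeemed. The encryption step is left out, and the CSR is passed as already-decoded fields rather than PKCS#10.

```python
"""Model of the challenge integrity check in the SCEP flow (added example, not the
Intune SCEP API or Microsoft's implementation). A keyed HMAC stands in for Intune's
signature, encryption is not modeled, and the CSR arrives as fields the SCEP server
has already decoded."""
import base64
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = hashlib.sha256().digest_size


class ChallengeValidator:
    """Issuer and verifier of one-time challenges bound to an expected CSR."""

    def __init__(self, key, now=time.time):
        self._key = key
        self._now = now            # injectable clock so expiry can be tested
        self._redeemed = set()     # nonces already used: one certificate per challenge

    def issue_challenge(self, device_id, subject, sans, template, ttl=3600):
        """Steps 3 and 4: bind expected subject, SAN and template to a fresh nonce."""
        record = {
            "nonce": secrets.token_hex(16),
            "device": device_id,
            "subject": subject,
            "sans": sorted(sans),
            "template": template,
            "exp": int(self._now()) + ttl,
        }
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.b64encode(tag + body).decode()

    def verify(self, challenge, csr):
        """Steps 7 and 8: validate the challenge the SCEP server forwards with the CSR.

        The tag is checked before anything in the blob is parsed, and the CSR must
        match the bound record exactly. Returns (ok, reason)."""
        try:
            blob = base64.b64decode(challenge, validate=True)
        except ValueError:
            return False, "challenge is not valid base64"
        tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
        expected_tag = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return False, "challenge signature invalid"
        record = json.loads(body)
        if record["exp"] < self._now():
            return False, "challenge expired"
        if record["nonce"] in self._redeemed:
            return False, "challenge already redeemed"
        if csr.get("template") != record["template"]:
            return False, "template mismatch"
        if csr.get("subject") != record["subject"]:
            return False, f"subject mismatch: expected {record['subject']!r}, got {csr.get('subject')!r}"
        if sorted(csr.get("sans", [])) != record["sans"]:
            return False, "SAN mismatch"
        self._redeemed.add(record["nonce"])
        return True, "challenge validated; the SCEP server may issue the certificate"


def demo():
    """Constructed walk-through: one honest CSR and one whose subject was altered."""
    validator = ChallengeValidator(key=b"constructed-demo-key-not-for-production")
    challenge = validator.issue_challenge(
        "device-0001", "CN=device-0001", ["device-0001.contoso.example"], "IntuneSCEP")
    honest = {"subject": "CN=device-0001", "sans": ["device-0001.contoso.example"],
              "template": "IntuneSCEP"}
    altered = dict(honest, subject="CN=someone-else")
    print(validator.verify(challenge, altered))    # rejected: subject mismatch
    print(validator.verify(challenge, honest))     # accepted
    print(validator.verify(challenge, honest))     # rejected: already redeemed


if __name__ == "__main__":
    demo()
```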
The following diagram shows a detailed flow of third-party SCEP integration with Intune:
Note
To support the following devices, the CA must support the use of an HTTPS URL
when you configure SCEP Server URLs for the SCEP certificate profile:
Be sure you have the required permissions to register an Azure AD app. See Required
permissions, in the Azure AD documentation.
1. In the Azure portal, go to Azure Active Directory > App Registrations, and then
select New registration.
3. Select Register to create the application and to open the Overview page for the
new app.
4. On the app Overview page, copy the Application (client) ID value and record it;
you'll need this value later.
5. In the navigation pane for the app, go to Certificates & secrets under Manage.
Select the New client secret button. Enter a value in Description, select any option
for Expires, and then choose Add to generate a value for the client secret.
Important
Before you leave this page, copy the value for the client secret and record it
for later use with your third-party CA implementation. This value is not shown
again. Be sure to review the guidance for your third-party CA on how they
want the Application ID, Authentication Key, and Tenant ID configured.
6. Record your Tenant ID. The Tenant ID is the domain text after the @ sign in your
account. For example, if your account is admin@name.onmicrosoft.com, then your
tenant ID is name.onmicrosoft.com.
7. In the navigation pane for the app, go to API permissions, which are under
Manage. You're going to add two separate application permissions:
8. Remain on the API permissions page, and select Grant admin consent for <your
tenant>, and then select Yes.
Removing certificates
When you unenroll or wipe the device, the certificates are removed. The certificates
aren't revoked.
Cogito Group
DigiCert
EJBCA
Entrust
EverTrust
GlobalSign
HID Global
IDnomic
KeyTalk
Keytos
Nexus Certificate Manager
SCEPman
Sectigo
SecureW2
Venafi
If you're a third-party CA interested in integrating your product with Intune, review the
API guidance:
See also
Configure certificate profiles
Intune SCEP API GitHub repository
Intune SCEP API guidance for third party CAs
Configure and use PKCS certificates with Intune
Article • 08/23/2023
Microsoft Intune supports the use of private and public key pair (PKCS) certificates. This
article reviews what's required to use PKCS certificates with Intune, including exporting
a PKCS certificate and then adding it to an Intune device configuration profile.
Microsoft Intune includes built-in settings to use PKCS certificates for access and
authentication to your organization's resources. Certificates authenticate and secure
access to your corporate resources like a VPN or a WiFi network. You deploy these
settings to devices using device configuration profiles in Intune.
For information about using imported PKCS certificates, see Imported PFX Certificates.
Requirements
To use PKCS certificates with Intune, you'll need the following infrastructure:
For more information about installing and configuring Active Directory Domain
Services (AD DS), see AD DS Design and Planning.
Certification Authority:
An Enterprise Certification Authority (CA).
Root certificate:
An exported copy of your root certificate from your Enterprise CA.
1. Log into the Root Certification Authority server with an Administrator account.
2. Go to Start > Run, and then enter Cmd to open a command prompt.
3. Specify certutil -ca.cert ca_name.cer to export the Root certificate as a file named
ca_name.cer.
3. Find the User certificate template, right-click it, and choose Duplicate Template to
open Properties of New Template.
Note
For S/MIME email signing and encryption scenarios, many administrators use
separate certificates for signing and encryption. If you're using Microsoft
Active Directory Certificate Services, you can use the Exchange Signature
Only template for S/MIME email signing certificates, and the Exchange User
template for S/MIME encryption certificates. If you're using a 3rd-party
certification authority, it's suggested to review their guidance to set up
signing and encryption templates.
5. On the General tab, set Template display name to something meaningful to you.
Note
Unlike SCEP, with PKCS the certificate private key is generated on the server
where the certificate connector is installed and not on the device. The
certificate template must allow the private key to be exported so that the
connector can export the PFX certificate and send it to the device.
When the certificates install on the device itself, the private key is marked as
not exportable.
Windows and Android devices support use of a 4096-bit key size with a PKCS
certificate profile. To use this key size, specify 4096 as the Minimum key size.
Note
For Windows devices, 4096-bit key storage is supported only in the Software
Key Storage Provider (KSP). The following do not support storing keys of this
size:
The hardware TPM (Trusted Platform Module). As a workaround you can
use the Software KSP for key storage.
Windows Hello for Business. There is no workaround for Windows Hello
for Business at this time.
9. In Extensions, confirm that you see Encrypting File System, Secure Email, and Client
Authentication under Application Policies.
10. In Security:
a. (Required): Add the Computer Account for the server where you install the
Certificate Connector for Microsoft Intune. Allow this account Read and Enroll
permissions.
b. (Optional but recommended): Remove the Domain Users group from the list of
groups or user names allowed permissions on this template by selecting the
Domain Users group and then selecting Remove. Review the other entries in Groups or
user names for permissions and applicability to your environment.
11. Select Apply > OK to save the certificate template. Close the Certificate Templates
Console.
12. In the Certification Authority console, right-click Certificate Templates > New >
Certificate Template to Issue. Choose the template that you created in the
previous steps. Select OK.
13. For the server to manage certificates for enrolled devices and users, use the
following steps:
a. Right-click the Certification Authority, choose Properties.
b. On the security tab, add the Computer account of the server where you run the
connector.
c. Grant Issue and Manage Certificates and Request Certificates Allow
permissions to the computer account.
Platform: Choose the platform of the devices that will receive this profile.
Android device administrator
Android Enterprise:
Fully Managed
Dedicated
Corporate-Owned Work Profile
Personally-Owned Work Profile
iOS/iPadOS
macOS
Windows 10/11
Profile: Select Trusted certificate. Or, select Templates > Trusted certificate.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Trusted
certificate profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, specify the .cer file for the Root CA Certificate you
previously exported.
Note
Depending on the platform you chose in Step 3, you may or may not have an
option to choose the Destination store for the certificate.
8. Select Next.
9. In Assignments, select the user or device group(s) that will be assigned the profile.
For more granularity, see Create filters in Microsoft Intune and apply them by
selecting Edit filter.
Plan to deploy this certificate profile to the same groups that receive the PKCS
certificate profile, and that receive a configuration profile like a Wi-Fi profile that
makes use of the certificate. For more information on assigning profiles, see Assign
user and device profiles.
Select Next.
10. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.
For more information, see Applicability rules in Create a device profile in Microsoft
Intune.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is PKCS
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Select your platform for detailed settings:
Key storage provider (KSP) (Windows 10/11): For Windows, select where to store the
keys on the device.
Allow all apps access to private key (macOS): Set to Enable to give apps that are
configured for the associated mac device access to the PKCS certificate's private key.
Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) – With
this option, select Add apps, and then select one or more apps that will
silently use the certificate without user interaction.
9. Select Next.
10. In Assignments, select the user or groups that will receive your profile. Plan to
deploy this certificate profile to the same groups that receive the trusted certificate
profile, and that receive a configuration profile like a Wi-Fi profile that makes use
of the certificate. For more information on assigning profiles, see Assign user and
device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Platforms:
Note
There is a known issue for using PKCS to get certificates which is the same issue as
seen for SCEP when the subject name in the resulting Certificate Signing Request
(CSR) includes one of the following characters as an escaped character (preceded
by a backslash \):
+
;
,
=
Note
Beginning with Android 12, Android no longer supports use of the following
hardware identifiers for personally-owned work profile devices:
Serial number
IMEI
MEID
Intune certificate profiles for personally-owned work profile devices that rely on
these variables in the subject name or SAN will fail to provision a certificate on
devices that were running Android 12 or later at the time the device enrolled with
Intune. Devices that enrolled prior to upgrading to Android 12 can still receive
certificates so long as Intune previously obtained the device's hardware identifiers.
For more information about this and other changes introduced with Android 12,
see the Android Day Zero Support for Microsoft Endpoint Manager blog post.
All device variables listed in the following Device certificate type section can also be
used in user certificate subject names.
By using a combination of one or many of these variables and static text strings,
you can create a custom subject name format, such as:
CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US
That example includes a subject name format that uses the CN and E variables, and
strings for Organizational Unit, Organization, Location, State, and Country values.
The CertStrToName function documentation describes this function and its supported strings.
User attributes aren't supported for devices that don’t have user associations, such
as devices that are enrolled as Android Enterprise dedicated. For example, a profile
that uses CN={{UserPrincipalName}} in the subject or SAN can't get the user
principal name when there isn't a user on the device.
You can specify these variables, followed by the text for the variable, in the textbox.
For example, the common name for a device named Device1 can be added as
CN={{DeviceName}}Device1.
Important
When you specify a variable, enclose the variable name in double curly brackets
{{ }} as seen in the example, to avoid an error.
Device properties used in the subject or SAN of a device certificate, like
IMEI, SerialNumber, and FullyQualifiedDomainName, are properties that
could be spoofed by a person with access to the device.
A device must support all variables specified in a certificate profile for that
profile to install on that device. For example, if {{IMEI}} is used in the
subject name of a SCEP profile and is assigned to a device that doesn't
have an IMEI number, the profile fails to install.
Next steps
Use SCEP for certificates
Issue PKCS certificates from a Symantec PKI manager web service.
Troubleshoot PKCS certificate profiles
Configure and use imported PKCS certificates with Intune
Article • 04/27/2023
Microsoft Intune supports the use of imported public key pair (PKCS) certificates,
commonly used for S/MIME encryption with Email profiles. Certain email profiles in
Intune support an option to enable S/MIME where you can define an S/MIME signing
certificate and S/MIME encryption cert.
Important
As announced in this Microsoft Tech Community blog, support for Azure Active
Directory Authentication Library (ADAL) ends in December 2022. For your
PowerShell scripts or custom code to continue to work to import user PFX
certificates to Intune, they must be updated to leverage Microsoft Authentication
Library (MSAL). Additionally, the global Intune application ID should be updated
with the unique Application (client) ID assigned to your app after registering it in
Azure Active Directory (Azure AD) to prevent future authentication issues.
On GitHub, the sample PowerShell script to help simplify importing PFX certificates
has been updated to reference MSAL and the Azure AD Application (client) ID.
Script samples in this article are also updated where applicable.
For more information, view the PFXImport PowerShell Project readme file on
GitHub, and download the updated sample script.
You must have the private key of the certificate that encrypted the email on the
device where you're reading the email so it can be decrypted.
Before a certificate on a device expires, you should import a new certificate so
devices can continue to decrypt new email. Renewal of these certificates isn't
supported.
Encryption certificates are renewed regularly, which means that you might want to
keep past certificates on your devices, to ensure that older email can continue to be
decrypted.
Because the same certificate needs to be used across devices, it's not possible to use
SCEP or PKCS certificate profiles for this purpose as those certificate delivery
mechanisms deliver unique certificates per device.
For more information about using S/MIME with Intune, see Use S/MIME to encrypt email.
Supported platforms
Intune supports import of PFX certificates for the following platforms:
Requirements
To use imported PKCS certificates with Intune, you'll need the following infrastructure:
The certificate connector handles requests for PFX files imported to Intune for
S/MIME email encryption for a specific user. Ensure that each connector you install
has access to the private key that is used to encrypt the passwords of the uploaded
PFX files.
Windows Server:
The certificate connector installs on a Windows Server that meets the connector's
prerequisites.
You use Visual Studio to build the helper PowerShell module with cmdlets for
importing PFX certificates to Microsoft Intune. To get the helper PowerShell
cmdlets, see PFXImport PowerShell Project in GitHub.
How it works
When you use Intune to deploy an imported PFX certificate to a user, there are two
components at play in addition to the device:
Intune Service: Stores the PFX certificates in an encrypted state and handles the
deployment of the certificate to the user device. The passwords protecting the
private keys of the certificates are encrypted before they're uploaded using either a
hardware security module (HSM) or Windows Cryptography, ensuring that Intune
can't access the private key at any time.
If you prefer to use your own custom solution using Graph, use the userPFXCertificate
resource type.
4. Go to Build and select Build PFXImportPS. In a few moments, you'll see the Build
succeeded confirmation at the bottom left of Visual Studio.
5. The build process creates a new folder with the PowerShell Module at
.\Intune-Resource-Access-develop\src\PFXImportPowershell\PFXImportPS\bin\Release.
The PowerShell module provides methods to create a key using Windows cryptography.
You can also use other tools to create a key.
1. Copy the Release folder that's created by Visual Studio to the server where you
installed the Certificate Connector for Microsoft Intune. This folder contains the
PowerShell module.
Tip
The provider you use must be selected again when you import PFX
Certificates. You can use the Microsoft Software Key Storage Provider,
although it is supported to use a different provider. The key name is also
provided as an example, and you can use a different key name of your choice.
If you plan to import the certificate from your workstation, you can export this key
to a file with the following command:
Export-IntunePublicKey -ProviderName "<ProviderName>" -KeyName "<KeyName>" -FilePath "<File path\Filename.PFX>"
The private key must be imported on each server that hosts the Certificate
Connector for Microsoft Intune so that imported PFX certificates can be processed
successfully.
Options include:
Padding Scheme:
oaepSha256
oaepSha384
oaepSha512
Select the Key Storage Provider that matches the provider you used to create the key.
Note
The following changes must be made for GCC High and DoD tenants prior to
running IntunePfxImport.psd1.
Use a text editor or PowerShell ISE to edit the file, which updates the service
endpoints for the GCC High environment. Notice that these updates change
the URIs from .com to .us suffixes. There are a total of two updates within
IntunePfxImport.psd1. One for AuthURI and the second for GraphURI:
PrivateData = @{
AuthURI = "login.microsoftonline.us"
GraphURI = "https://graph.microsoft.us"
SchemaVersion = "beta"
5. Convert the password for each PFX file you're importing to a secure string by
running $SecureFilePassword = ConvertTo-SecureString -String "<PFXPassword>" -AsPlainText -Force.
<IntendedPurpose>"
Note
When you import the certificate from a system other than the server where
the connector is installed, you must use the following command that includes
the key file path:
$userPFXObject = New-IntuneUserPfxCertificate -PathToPfxFile "<FullPathToPFX>" $SecureFilePassword "<UserUPN>" "
9. As a best practice to clean up the Azure AD token cache without waiting for it to
expire on its own, run Remove-IntuneAuthenticationToken.
For more information about other available commands, see the readme file at
PFXImport PowerShell Project at GitHub .
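The procedure above is written for one certificate at a time. The following PowerShell script is an added example (it is not code from the article or from the PFXImport project) that runs the same steps for a batch of users listed in a CSV file, using the cmdlets the article names with the positional argument style it shows. Several details are assumptions that must be checked against the project's readme before use: the order of the positional arguments after the user UPN (provider name, key name, intended purpose, padding scheme), the -AdminUserName parameter of Set-IntuneAuthenticationToken and the -CertificateList parameter of Import-IntuneUserPfxCertificate. The module path, the CSV layout and the key name PFXEncryptionKey are also assumptions.

```powershell
# Added example, not part of the article or the PFXImport project.
# Imports one PFX per CSV row (columns: UserUPN,PfxPath,IntendedPurpose) into Intune
# with the PFXImport cmdlets. Assumptions to verify against the project readme:
# the positional argument order after the UPN, -AdminUserName and -CertificateList.
param(
    [Parameter(Mandatory)] [string] $ModulePath,   # path to IntunePfxImport.psd1 (assumed location)
    [Parameter(Mandatory)] [string] $CsvPath,      # constructed layout: UserUPN,PfxPath,IntendedPurpose
    [Parameter(Mandatory)] [string] $AdminUpn,     # account that runs the import
    [string] $ProviderName = 'Microsoft Software Key Storage Provider',   # provider named in the article
    [string] $KeyName      = 'PFXEncryptionKey',                          # hypothetical key name
    [ValidateSet('oaepSha256', 'oaepSha384', 'oaepSha512')]               # the padding schemes the article lists
    [string] $PaddingScheme = 'oaepSha256'
)

Import-Module $ModulePath -ErrorAction Stop
Set-IntuneAuthenticationToken -AdminUserName $AdminUpn   # one token for the whole batch

$results = @()
try {
    foreach ($row in Import-Csv -Path $CsvPath) {
        if (-not (Test-Path -Path $row.PfxPath)) {
            $results += [pscustomobject]@{ User = $row.UserUPN; Pfx = $row.PfxPath; Status = 'PfxNotFound' }
            continue
        }
        # Read each PFX password interactively so it never sits in the CSV or in the shell history.
        $securePassword = Read-Host -Prompt "Password for $($row.PfxPath)" -AsSecureString
        try {
            # Positional order after the UPN is an assumption (see lead-in).
            $userPfx = New-IntuneUserPfxCertificate -PathToPfxFile $row.PfxPath `
                $securePassword $row.UserUPN $ProviderName $KeyName $row.IntendedPurpose $PaddingScheme
            Import-IntuneUserPfxCertificate -CertificateList $userPfx
            $status = 'Imported'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        $results += [pscustomobject]@{ User = $row.UserUPN; Pfx = $row.PfxPath; Status = $status }
    }
}
finally {
    # Clear the cached Azure AD token instead of waiting for it to expire (step 9 above).
    Remove-IntuneAuthenticationToken
}

$results | Format-Table -AutoSize
```

Read-Host -AsSecureString is used in place of the article's ConvertTo-SecureString -AsPlainText -Force so the PFX password is never written as plain text; the resulting SecureString is passed to the cmdlet exactly as in the article. The token is removed in a finally block so it is cleared even when an import fails part-way through the batch.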
Note
After you create a PKCS imported certificate profile, the Intended Purpose and Key
storage provider (KSP) values in the profile are read-only and can't be edited. If
you need a different value for either of these settings, create and deploy a new
profile.
4. Select Create.
5. In Basics, enter the following properties:
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is PKCS
imported certificate profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
Intended purpose: Specify the intended purpose of the certificates that are
imported for this profile. Administrators can import certificates with different
intended purposes (like S/MIME signing or S/MIME encryption). The intended
purpose selected in the certificate profile matches the certificate profile with
the right imported certificates. Intended purpose is a tag to group imported
certificates together and doesn't guarantee that certificates imported with
that tag will meet the intended purpose.
Key storage provider (KSP): For Windows, select where to store the keys on
the device.
8. This step applies only to Android Enterprise device profiles for Fully Managed,
Dedicated, and Corporate-Owned Work Profile.
Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) – With
this option, select Add apps, and then select one or more apps that will
silently use the certificate without user interaction.
9. Select Next.
10. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. (Applies to Windows 10/11 only) In Applicability Rules, specify applicability rules to
refine the assignment of this profile. You can choose to assign or not assign the
profile based on the OS edition or version of a device.
For more information, see Applicability rules in Create a device profile in Microsoft
Intune.
Select Next.
12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
DigiCert
If you use the DigiCert PKI Platform service, you can use the DigiCert Import Tool for
Intune S/MIME Certificates to import PFX certificates to Intune. Use of this tool replaces
the need to follow the instructions in the section Import PFX Certificates to Intune that's
detailed earlier in this article.
To learn more about the DigiCert Import tool, including how to obtain the tool, see
https://knowledge.digicert.com/tutorials/microsoft-intune.html in the DigiCert
knowledge base.
EverTrust
If you use EverTrust as your PKI solution, standalone or combined with an existing PKI, you
can configure EverTrust Horizon to import PFX certificates to Intune. After you complete
the integration, you won't need to follow the instructions in the section Import PFX
Certificates to Intune that's detailed earlier in this article.
KeyTalk
If you use the KeyTalk service, you can configure their service to import PFX certificates
to Intune. After you complete the integration, you won't need to follow the instructions
in the section Import PFX Certificates to Intune that's detailed earlier in this
article.
To learn more about KeyTalk’s integration with Intune, see https://keytalk.com/support
in the KeyTalk knowledge base.
Next steps
Use SCEP for certificates
With this change, you'll be able to improve policy targeting for Microsoft Defender for
Endpoint security configuration. For example, you'll be able to use dynamic groups that
consist of only Windows Server devices, or only Windows client devices (Windows
10/11).
S/MIME overview to sign and encrypt
email in Intune
Article • 02/21/2023
Email certificates, also known as S/MIME certificates, provide extra security to your email
communications by using encryption and decryption. Microsoft Intune can use S/MIME
certificates to sign and encrypt emails to mobile devices running the following
platforms:
Android
iOS/iPadOS
macOS
Windows 10/11
Intune can automatically deliver S/MIME encryption certificates to all platforms. S/MIME
certificates are automatically associated with mail profiles that use the native mail client
on iOS, and with Outlook on iOS and Android devices. For the Windows and macOS
platforms, and for other mail clients on iOS and Android, Intune delivers the certificates
but users must manually enable S/MIME in their mail app and choose their S/MIME
certificates.
For more information about S/MIME email signing and encryption with Exchange, see
S/MIME for message signing and encryption.
This article provides an overview of using S/MIME certificates to sign and encrypt emails
on your devices.
Signing certificates
Certificates used for signing allow the client email app to communicate securely with the
email server.
To use signing certificates, create a template on your certificate authority (CA) that
focuses on signing. On Microsoft Active Directory Certification Authority, Configure the
server certificate template lists the steps to create certificate templates.
Signing certificates in Intune use PKCS certificates. Configure and use PKCS certificates
describes how to deploy and use PKCS certificate in your Intune environment. These
steps include:
Install and configure the Certificate Connector for Microsoft Intune to support
PKCS certificate requests. The connector has the same network requirements as
managed devices.
Create a trusted root certificate profile for your devices. This step includes using
trusted root and intermediate certificates for your certification authority, and then
deploying the profile to devices.
Create a PKCS certificate profile using the certificate template you created. This
profile issues signing certificates to devices, and deploys the PKCS certificate
profile to devices.
You can also import a signing certificate for a specific user. The signing certificate is
deployed across any device that a user enrolls. To import certificates into Intune, use the
PowerShell cmdlets in GitHub. To deploy a PKCS certificate imported in Intune to be
used for email signing, follow the steps in Configure and use PKCS certificates with
Intune. These steps include:
Download, install, and configure the Certificate Connector for Microsoft Intune.
This connector delivers imported PKCS certificates to devices.
Import S/MIME email signing certificates to Intune.
Create a PKCS imported certificate profile. This profile delivers imported PKCS
certificates to the appropriate user's devices.
Encryption certificates
Certificates used for encryption confirm that an encrypted email can only be decrypted
by the intended recipient. S/MIME encryption is an extra layer of security that can be
used in email communications.
When sending an encrypted email to another user, the public key of that user's
encryption certificate is obtained, and encrypts the email you send. The recipient
decrypts the email using the private key on their device. Users can have a history of
certificates used to encrypt email. Each of those certificates must be deployed to all of a
specific user's devices so their email is successfully decrypted.
It's recommended that email encryption certificates aren't created in Intune. While
Intune supports issuing PKCS certificates that support encryption, Intune creates a
unique certificate per device. A unique certificate per device isn't ideal for an S/MIME
encryption scenario where the encryption certificate should be shared across all the
user's devices.
To deploy S/MIME certificates using Intune, you must import all of a user's encryption
certificates to Intune. Intune then deploys all of those certificates to each device that a
user enrolls. To import certificates into Intune, use the PowerShell cmdlets in GitHub.
To deploy a PKCS certificate imported in Intune used for email encryption, follow the
steps in Configure and use PKCS certificates with Intune. These steps include:
Install and configure the Certificate Connector for Microsoft Intune. This connector
delivers imported PKCS certificates to devices.
Import S/MIME email encryption certificates to Intune.
Create a PKCS imported certificate profile. This profile delivers imported PKCS
certificates to the appropriate user's devices.
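The two S/MIME sections above make the same operational point: every one of a user's encryption certificates, including the older ones in their history, must be present with its private key on each device the user enrolls, or mail encrypted to that certificate cannot be read there. The following PowerShell functions are an added example (not code from the article) for checking that on a Windows device: they list the certificates in the current user's Personal store that carry the Secure Email EKU and report, for a list of expected thumbprints, which are missing or present without a private key. The Cert: provider makes this Windows-only; the thumbprints in the usage line are constructed placeholders.

```powershell
# Added example, not part of the article. Reports whether a user's expected S/MIME
# certificates (by thumbprint) are present in the Windows Personal store with a
# usable private key. Windows-only: it relies on the Cert: provider. The thumbprints
# in the usage line at the bottom are constructed placeholders.
$script:SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (S/MIME signing and encryption)

function Get-SmimeCertificate {
    # Returns the S/MIME-capable certificates in a store. Certificates with no EKU
    # extension are valid for any purpose but are deliberately left out here so the
    # report only covers certificates explicitly issued for email.
    [CmdletBinding()]
    param([string] $StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $script:SecureEmailEku } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

function Test-SmimeCertificatePresence {
    # One result per expected thumbprint. An expired certificate still counts as
    # present: the article notes users keep a history of encryption certificates,
    # and old mail encrypted to an expired certificate can only be read with its key.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedThumbprint,
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $installed = @(Get-SmimeCertificate -StorePath $StorePath)
    foreach ($expected in $ExpectedThumbprint) {
        $thumbprint = ($expected -replace '\s', '').ToUpperInvariant()   # thumbprints compare without spaces
        $match = $installed | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
        if ($null -eq $match)                   { $status = 'Missing' }
        elseif (-not $match.HasPrivateKey)      { $status = 'NoPrivateKey' }    # cannot decrypt or sign
        elseif ($match.NotAfter -lt (Get-Date)) { $status = 'PresentExpired' }  # still needed for old mail
        else                                    { $status = 'OK' }
        [pscustomobject]@{ Thumbprint = $thumbprint; Status = $status; Subject = $match.Subject }
    }
}

# Usage (constructed thumbprints): any row other than OK or PresentExpired means this
# device cannot read mail encrypted to that certificate until Intune delivers it.
Test-SmimeCertificatePresence -ExpectedThumbprint @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
) | Format-Table -AutoSize
```

Run it in the context of the signed-in user, since the imported certificates land in the Current User store. A Missing or NoPrivateKey result on one device but not another is exactly the per-device inconsistency the article warns about when encryption certificates are issued per device instead of imported once per user.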
Next steps
Use SCEP for certificates
Use PKCS certificates
Use a partner CA
Issue PKCS certificates from a Symantec PKI manager web service
Set up the Certificate Connector for
Microsoft Intune to support the DigiCert
PKI Platform
Article • 02/22/2023
You can use the Certificate Connector for Microsoft Intune to issue PKCS certificates from
DigiCert PKI Platform to Intune-managed devices. The certificate connector works with
either a DigiCert certification authority (CA) only, or with both a DigiCert CA and a
Microsoft CA.
Tip
DigiCert acquired Symantec's Website Security and related PKI Solutions business.
For more information about this change, see the Symantec technical support
article .
If you already use the Certificate Connector for Microsoft Intune to issue certificates from
a Microsoft CA by using PKCS or Simple Certificate Enrollment Protocol (SCEP), you can
use that same connector to configure and issue PKCS certificates from a DigiCert CA. After
you complete the configuration to support the DigiCert CA, the connector can issue the
following certificates:
If you don't have the connector installed but plan to use it for both a Microsoft CA and a
DigiCert CA, complete the connector configuration for the Microsoft CA first. Then, return
to this article to configure it to also support DigiCert. For more information about
certificate profiles and the connector, see Configure a certificate profile for your devices in
Microsoft Intune.
If you'll use the connector with only the DigiCert CA, you can use the instructions in this
article to install and then configure the connector.
Prerequisites
You'll need the following to support use of a DigiCert CA:
An active subscription at the DigiCert CA - The subscription is required to get a
registration authority (RA) certificate from the DigiCert CA.
[Version]
Signature="$Windows NT$"
[NewRequest]
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
;-----------------------------------------------
2. Open an elevated command prompt and generate a certificate signing request (CSR)
by using the following command:
MIID8TCCAtkCAQAwbTEMMAoGA1UEBhMDVVNBMQswCQYDVQQIDAJXQTEQMA4GA1UE
fzpeAWo=
4. Sign in to the DigiCert CA and browse to Get an RA Cert from the tasks.
c. Select Continue.
d. Use the provided link to download the RA certificate to your local computer.
b. Select File > Add or Remove Snap-ins > Certificate > Add.
f. Right-click the Certificates node and select All Tasks > Import.
g. Select the location of the RA certificate that you downloaded from the DigiCert
CA, and then select Next.
i. Select Finish to import the RA certificate and its private key into the Local
Machine-Personal store.
f. Use the procedure from step 5 to import the private key certificate into the Local
Computer-Personal store.
g. Record a copy of the RA certificate thumbprint without any spaces. The following is
an example of the thumbprint:
Later, after you install the Certificate Connector for Microsoft Intune, you'll use this
value to update three .config files for the connector.
Note
For assistance in getting the RA certificate from the DigiCert CA, contact
DigiCert customer support.
During installation step 2 of the connector install procedure, select the options
for PKCS and optionally for Certificate revocation.
After you complete the connector installation and configuration procedure,
return to this procedure to continue.
2. Configure the connector to support DigiCert by modifying three .config files for the
connector, and then restarting their related services:
Microsoft.Intune.ConnectorsPkiCreate.exe.config
Microsoft.Intune.ConnectorsPkiRevoke.exe.config
Microsoft.Intune.ConnectorsPkiCreateLegacy.exe.config
For example, locate the entry in each file that is similar to <add key="RACertThumbprint" value="EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5"/>, and
c. Run services.msc and stop and then restart the following three services:
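The thumbprint edit in step 2 is easy to get wrong by hand (a stray space or a truncated value leaves the connector unable to issue certificates with no obvious error in the file). The following PowerShell function is an added example, not code from the article or the connector, that writes the RA certificate thumbprint into the three .config files named above and restarts the connector services. The connector install directory and the service names are placeholders, because the article does not list them; the <add key="RACertThumbprint"> element is located by its key rather than by an assumed position inside the file.

```powershell
# Added example, not part of the article. Writes the RA certificate thumbprint into the
# three connector .config files named in step 2 and restarts the connector services.
# Assumptions: the connector install directory and the service names are placeholders
# (the article does not list them); the <add key="RACertThumbprint"> element is located
# by key rather than by an assumed path inside the file.
function Set-RaCertThumbprint {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,
        [Parameter(Mandatory)] [string]   $ConnectorDirectory,   # placeholder: connector install path
        [Parameter(Mandatory)] [string[]] $ServiceName,          # placeholder: the three connector services
        [string[]] $ConfigFile = @(
            'Microsoft.Intune.ConnectorsPkiCreate.exe.config',
            'Microsoft.Intune.ConnectorsPkiRevoke.exe.config',
            'Microsoft.Intune.ConnectorsPkiCreateLegacy.exe.config'
        )
    )

    # Step g asks for the thumbprint without spaces; also require 40 hex digits so a
    # truncated or mistyped value does not silently stop certificate issuance.
    $clean = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "'$Thumbprint' is not a 40-character SHA-1 thumbprint"
    }
    # The RA certificate and its private key must already be in Local Machine\Personal (step i).
    if (-not (Test-Path -Path "Cert:\LocalMachine\My\$clean")) {
        throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My"
    }

    foreach ($name in $ConfigFile) {
        $path = Join-Path -Path $ConnectorDirectory -ChildPath $name
        if (-not (Test-Path -Path $path)) { Write-Warning "Config file not found: $path"; continue }
        $fullPath = (Resolve-Path -Path $path).Path   # XmlDocument.Save needs an absolute path

        [xml] $config = Get-Content -Path $fullPath -Raw
        $entry = $config.SelectSingleNode("//add[@key='RACertThumbprint']")
        if ($null -eq $entry) { Write-Warning "No RACertThumbprint entry in $fullPath"; continue }

        if ($PSCmdlet.ShouldProcess($fullPath, "Set RACertThumbprint to $clean")) {
            Copy-Item -Path $fullPath -Destination "$fullPath.bak" -Force   # keep the original for rollback
            $entry.SetAttribute('value', $clean)
            $config.Save($fullPath)
        }
    }

    # Step c: the services read their .config files only at start-up.
    foreach ($svc in $ServiceName) {
        if ($PSCmdlet.ShouldProcess($svc, 'Restart-Service')) { Restart-Service -Name $svc -Force }
    }
}

# Usage (placeholder directory and service names; run with -WhatIf first to preview the changes).
# The thumbprint is the example value from the article, not a real RA certificate.
# Set-RaCertThumbprint -Thumbprint 'EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5' `
#     -ConnectorDirectory 'C:\<ConnectorInstallDir>' `
#     -ServiceName @('<Service1>', '<Service2>', '<Service3>') -WhatIf
```

Because the function supports -WhatIf, it can be run once to confirm that all three files are found and contain the entry before anything is written; the .bak copies allow a quick rollback if the connector stops issuing certificates after the change.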
2. Create a trusted certificate profile in the Microsoft Intune admin center. For detailed
guidance, see To create a trusted certificate profile. Be sure to assign this profile to
devices that will receive certificates. To assign the profile to groups, see Assign
device profiles.
After you create the profile, it appears in the list of profiles in the Device
configuration – Profiles pane, with a profile type of Trusted certificate.
4. Copy the certificate profile OID. It looks similar to the following example:
Note
If you need help to get the certificate profile OID, contact DigiCert customer
support.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. In Configuration settings, configure parameters with the values from the following
table. These values are required to issue PKCS certificates from a DigiCert CA,
through the Certificate Connector for Microsoft Intune.
name
If there's any change to this value, the certificate connector won't issue PKCS certificates from the DigiCert CA.
Certificate template name: Certificate profile OID from the DigiCert CA. For example: 2.16.840.1.113733.1.16.1.2.3.1.1.61904612. This value must be a certificate profile OID obtained in the previous section from the DigiCert CA certificate profile template.
The PKCS certificate profile for Windows platforms doesn't need to associate
with a trusted certificate profile. But it is required for non-Windows platform
profiles such as Android.
7. Complete the configuration of the profile to meet your business needs, and then
select Create to save the profile.
8. On the Overview page of the new profile, select Assignments and configure an
appropriate group that will receive this profile. At least one user or device must be
part of the assigned group.
After you complete the previous steps, Certificate Connector for Microsoft Intune will
issue PKCS certificates from the DigiCert CA to Intune-managed devices in the assigned
group. These certificates will be available in the Personal store of the Current User
certificate store on the Intune-managed device.
The following table lists, for each attribute, the Intune supported formats, the DigiCert Cloud CA supported formats, and the result.

Attribute: Subject name
Intune supported formats: Intune supports the subject name in the following three formats only:
1. Common name
2. Common name that includes email
3. Common name as email
For example:
CN = IWUser0
E = IWUser0@samplendes.onmicrosoft.com
DigiCert Cloud CA supported formats: The DigiCert CA supports more attributes. If you want to select more attributes, they must be defined with fixed values in the DigiCert certificate profile template.
Result: We use common name or email from the PKCS certificate request. Any mismatch in attribute selection between the Intune certificate profile and the DigiCert certificate profile template results in no certificates issued from the DigiCert CA.

Attribute: SAN
Intune supported formats: Intune supports only the following SAN field values:
AltNameTypeEmail
AltNameTypeUpn
AltNameTypeOtherName (encoded value)
DigiCert Cloud CA supported formats: The DigiCert Cloud CA also supports these parameters. If you want to select more attributes, they must be defined with fixed values in the DigiCert certificate profile template.
AltNameTypeEmail: If this type isn't found in the SAN, the certificate connector uses the value from AltNameTypeUpn. If AltNameTypeUpn is also not found in the SAN, then the certificate connector uses the value from the subject name if it's in email format. If the type is still not found, the certificate connector fails to issue the certificates.
Example: RFC822 Name=IWUser0@ndesvenkatb.onmicrosoft.com
Result: None
Troubleshooting
Logs for the Certificate Connector for Microsoft Intune are available as Event logs on the
server where the connector is installed. These logs provide details about the connector's
operation, and can be used to identify problems with the certificate connector and its
operations. For more information, see Logging.
Next steps
Use the information in this article with the information in What are Microsoft Intune
device profiles? to manage your organization's devices and the certificates on them.
Remove SCEP and PKCS certificates in
Microsoft Intune
Article • 02/21/2023
In Microsoft Intune, you can use Simple Certificate Enrollment Protocol (SCEP) and
Public Key Cryptography Standards (PKCS) certificate profiles to add certificates to
devices.
These certificates can be removed when you wipe or retire the device. Certificates that
were provisioned by Intune are also removed when the profile that provisioned the
certificate no longer targets the device or user. There are other scenarios where
certificates are automatically removed, and scenarios where certificates stay on the
device. This article lists some common scenarios and their effect on PKCS and SCEP
certificates.
Note
To remove and revoke certificates for a user who's being removed from on-
premises Active Directory or Azure Active Directory (Azure AD), follow these steps
in order:
The majority of this article applies to SCEP and PKCS certificate profiles, but not to
imported PKCS certificates. Imported PKCS certificates are removed by Intune when
company data is removed from the device or when a device is unenrolled from
management.
In this scenario, after the certificate is deleted, the next time the device checks in with
Intune it's found to be out of compliance as it is missing the expected certificate. Intune
then issues a new certificate to restore the device to compliance. No other action is
needed to restore the certificate.
Note
SCEP certificates are removed but not revoked when using a third-party
certification authority.
Windows devices
SCEP certificates
A SCEP certificate is revoked and removed when:
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
The device is removed from an Azure AD group.
A certificate profile is removed from the group assignment.
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
A certificate profile is removed from the group assignment.
SCEP certificates stay on the device (certificates aren't revoked or removed) when:
PKCS certificates
A PKCS certificate is revoked and removed when:
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
PKCS certificates stay on the device (certificates aren't revoked or removed) when:
iOS devices
SCEP certificates
A SCEP certificate is revoked and removed when:
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
The device is removed from the Azure AD group.
A certificate profile is removed from the group assignment.
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
SCEP certificates stay on the device (certificates aren't revoked or removed) when:
PKCS certificates
A PKCS certificate is revoked and removed when:
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
PKCS certificates stay on the device (certificates aren't revoked or removed) when:
SCEP certificates
A SCEP certificate is revoked and removed when:
A user unenrolls.
An administrator runs the wipe action.
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
SCEP certificates stay on the device (certificates aren't revoked or removed) when:
PKCS certificates
A PKCS certificate is revoked and removed when:
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
A user unenrolls.
An administrator runs the wipe action.
An administrator runs the retire action.
PKCS certificates stay on the device (certificates aren't revoked or removed) when:
Note
Android for Work devices are not validated for the preceding scenarios. Android
legacy devices (any non-Samsung, non-work profile devices) are not enabled for
certificate removal.
macOS certificates
SCEP certificates
A SCEP certificate is revoked and removed when:
A user unenrolls.
An administrator runs a retire action.
The device is removed from an Azure AD group.
A certificate profile is removed from the group assignment.
SCEP certificates stay on the device (certificates aren't revoked or removed) when:
Note
Using the wipe action to factory reset macOS devices is not supported.
PKCS certificates
A PKCS certificate is revoked and removed when:
A user unenrolls.
An administrator runs the retire action.
A user unenrolls.
An administrator runs the retire action.
PKCS certificates stay on the device (certificates aren't revoked or removed) when:
Next steps
Use certificates for authentication
Use derived credentials with Microsoft
Intune
Article • 02/24/2023
Android Enterprise fully managed devices that run version 7.0 and above
iOS/iPadOS
Windows 10/11
In an environment where smart cards are required for authentication or encryption and
signing, you can use Intune to provision mobile devices with a certificate that's derived
from a user's smart card. That certificate is called a derived credential. Intune supports
several derived credential issuers, though you can use only a single issuer per tenant at
a time.
The Intune administrator configures their tenant to work with a supported derived
credential issuer. You don't need to configure any Intune-specific settings in the
derived credential issuer's system.
For iOS/iPadOS:
Common profile types like Wi-Fi, VPN, and Email, which includes the iOS/iPadOS
native mail app
App authentication
S/MIME signing and encryption
For Windows:
Common profile types like Wi-Fi, and VPN
Note
For Android and iOS/iPadOS, users obtain a derived credential by using their smart
card on a computer to authenticate to the derived credential issuer. The issuer
then issues to the mobile device a certificate that's derived from their smart card.
For Windows, users install the app from the derived credential provider, which
installs the certificate to the device for later use.
After the device receives the derived credential, it's used for authentication and for
S/MIME signing and encryption when apps or resource access profiles require the
derived credential.
Prerequisites
Review the following information before you configure your tenant to use derived
credentials.
Supported platforms
Intune supports derived credentials on the following platforms:
iOS/iPadOS
Android Enterprise:
Fully Managed devices (version 7.0 and above)
Corporate-Owned Work Profile
Windows 10/11
Supported issuers
Intune supports a single derived credential issuer per tenant. You can configure Intune
to work with the following issuers:
Important
If you delete a derived credential issuer from your tenant, the derived credentials
that were set up through that issuer will no longer function.
Required apps
Plan to deploy the relevant user-facing app to devices that will enroll for a derived
credential. Device users use the app to start the credential enrollment process.
iOS devices use the Company Portal app. See Add iOS store apps to Microsoft
Intune.
Android Enterprise Fully Managed and Corporate-Owned work profile devices use
the Intune App. See Add Android store apps to Microsoft Intune.
For Windows devices, see Derived credentials for Windows, later in this article.
Depending on the issuer you choose, you might need staff to be available at the time of
enrollment to help users complete the process. Also review your current Intune
configurations to ensure they don't block access that's necessary for devices or users to
complete the credential request.
For example, you might use conditional access to block access to email for non-
compliant devices. If you rely on email notifications to inform the user to start the
derived credential enrollment process, your users might not receive those instructions
until they're compliant with policy.
Similarly, some derived credential request workflows require the use of the device
camera to scan an on-screen QR code. This code links that device to the authentication
request that occurred against the derived credential issuer with the user's smart card
credentials. If device configuration policies block camera use, the user can't complete the
derived credential enrollment request.
General information:
You can only configure a single issuer per tenant at a time, and that issuer is
available to all users and supported devices in your tenant.
Users aren't notified that they must enroll for derived credentials until you target
them with a policy that requires derived credentials.
Notification can be through app notification for the Company Portal, through
email, or both. If you choose to use email notifications and you have enabled
conditional access, users might not receive the email notification if their device
isn't compliant.
DISA Purebred
Review the platform-specific user workflow for the devices you'll use with derived
credentials.
Users need access to a computer or KIOSK where they can use their smart card to
authenticate to the issuer.
iOS and iPadOS devices that will enroll for a derived credential must install the
Intune Company Portal app. Android Fully Managed and Corporate-Owned Work
Profile devices must install and use the Intune app.
Use Intune to deploy the DISA Purebred app to devices that will enroll for a
derived credential. This app must be deployed through Intune so that it's managed
and can then work with the Intune Company Portal app or Intune App, which
device users use to complete the derived credential request.
To retrieve a derived credential from the Purebred app, the device must have
access to the on-premises network. Access might be through corporate Wi-Fi or
VPN.
Device users must work with a live agent during the enrollment process. During
enrollment, time-limited one-time passcodes are provided to the user as they
continue through the enrollment process.
When changes are made to a policy that uses derived credentials, such as creation
of a new Wi-Fi profile, iOS and iPadOS users are notified to open the Company
Portal app.
Users are notified to open the applicable app when they need to renew their
derived credential.
For information about getting and configuring the DISA Purebred app, see Deploy the DISA
Purebred app later in this article.
Entrust
Review the platform-specific user workflow for the devices you'll use with derived
credentials.
Users need access to a computer or KIOSK where they can use their smart card to
authenticate to the issuer.
iOS and iPadOS devices that will enroll for a derived credential must install the
Intune Company Portal app. Android Fully Managed and Corporate-Owned Work
Profile devices must install and use the Intune app.
Use of a device camera to scan a QR code that links the authentication request to
the derived credential request from the mobile device.
Users are prompted by the Company Portal app or through email to enroll for
derived credentials.
When changes are made to a policy that uses derived credentials, such as creating
a new Wi-Fi profile:
iOS and iPadOS - Users are notified to open the Company Portal app.
Android Enterprise Corporate-Owned Work Profile or Fully managed devices -
The Company Portal app doesn't need to open.
Users are notified to open the applicable app when they need to renew their
derived credential.
Intercede
Review the platform-specific user workflow for the devices you'll use with derived
credentials.
iOS and iPadOS
Android Enterprise - Corporate-Owned Work Profile or Fully managed devices
Users need access to a computer or KIOSK where they can use their smart card to
authenticate to the issuer.
iOS and iPadOS devices that will enroll for a derived credential must install the
Intune Company Portal app. Android Fully Managed and Corporate-Owned Work
Profile devices must install and use the Intune app.
Use of a device camera to scan a QR code that links the authentication request to
the derived credential request from the mobile device.
Users are prompted by the Company Portal app or through email to enroll for
derived credentials.
When changes are made to a policy that uses derived credentials, such as creating
a new Wi-Fi profile:
iOS and iPadOS - Users are notified to open the Company Portal app.
Android Enterprise Corporate-Owned Work Profile or Fully managed devices -
The Company Portal app doesn't need to open.
Users are notified to open the applicable app when they need to renew their
derived credential.
We recommend you provide a URL that will host your guidance. You specify this URL
when you configure the derived credential issuer for your tenant, and that URL is made
available from within the Company Portal app. If you don't specify your own URL, Intune
provides a link to generic details. These details can't cover all scenarios and might not
be correct for your environment.
App authentication
Wi-Fi
VPN
Email (iOS only)
S/MIME signing and encryption, including Outlook (iOS only)
Avoid requiring use of a derived credential to access a process that you'll use as part of
the process to get the derived credential, as that can prevent users from completing the
request.
2. Select Tenant administration > Connectors and tokens > Derived Credentials.
3. Specify a friendly Display name for the derived credential issuer policy. This name
isn't shown to your device users.
4. For Derived credential issuer, select the derived credential issuer that you have
chosen for your tenant:
5. Specify a Derived credential help URL to provide a link to a location that includes
custom instructions to help users get derived credentials for your organization. The
instructions should be specific to your organization and to the workflow that's
necessary to get a credential from your chosen issuer. The link appears in the
Company Portal app and should be accessible from the device.
If you don't specify your own URL, Intune provides a link to generic details that
can't cover all scenarios. This generic guidance might not be correct for your
environment.
6. Select one or more options for Notification type. Notification types are the
methods you use to inform users about the following scenarios:
7. When ready, select Save to complete configuration of the derived credential issuer.
After you save the configuration, you can make changes to all fields except for the
Derived credential issuer. To change the issuer, see Change the derived credential issuer.
To use DISA Purebred as your derived credential issuer for Intune, you must get the
DISA Purebred app and then use Intune to deploy the app to devices. Then users
request the derived credential from DISA Purebred by using the Company Portal App on
their iOS/iPadOS device, or the Intune app on their Android devices.
In addition to deploying the DISA Purebred app with Intune, the device must have
access to the on-premises network. To provide this access, consider using a VPN or
corporate Wi-Fi.
Additional settings for the Purebred app might be required. Speak to your
Purebred agent to understand which values should be included in your policies, or
if you have a DoD issued Common Access Card (CAC) you can access the Purebred
documentation online at https://cyber.mil/pki-pke/purebred/.
3. If you choose to use a per-app VPN for the DISA Purebred application, see Create
a per-app VPN.
Use derived credentials for authentication and S/MIME signing and encryption
You can specify Derived credential for the following profile types and purposes:
Applications
Email:
iOS and iPadOS
Android Enterprise
VPN:
iOS and iPadOS
Android Enterprise
Wi-Fi:
iOS and iPadOS
Android Enterprise
For Wi-Fi profiles, Authentication method is available only when the EAP type is set
to one of the following values:
EAP-TLS
EAP-TTLS
PEAP
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Derived
credential for iOS devices profile.
Description: Enter a description that gives an overview of the setting, and any
other important details.
Platform: Select iOS/iPadOS.
Profile type: Select Derived credential.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Derived
credential for Android Enterprise devices profile.
Description: Enter a description that gives an overview of the setting, and any
other important details.
Platform: Select Android Enterprise.
Profile type: Under Fully Managed, Dedicated, and Corporate-Owned Work
Profile, select Derived credential.
On the Apps page, configure Certificate access to manage how certificate
access is granted to applications. Choose from:
Require user approval for apps (default) – Users must approve use of a
certificate by all applications.
Grant silently for specific apps (require user approval for other apps) –
With this option, select Add apps, and then select one or more apps that
will silently use the certificate without user interaction.
4. On the Assignments page, select the groups that should receive the policy.
5. When finished, select OK > Create to create the Intune profile. When complete,
your profile is shown in the Devices - Configuration profiles list.
Users receive the app or email notification depending on the settings you specified
when you set up the derived credential issuer. The notification informs the user to
launch the Company Portal so that the derived credential policies can be processed.
DISA Purebred
Entrust
Intercede
Note
For Windows, users don't work through a smartcard registration process to obtain a
certificate for use as a derived credential. Instead, the user needs to install the app for
Windows, which is obtained from the derived credential provider. To use derived
credentials with Windows, complete the following configurations:
1. Install the app from the Derived Credential providers on the Windows device.
When you install the Windows app from a derived credential provider on a
Windows device, the derived certificate is added to that device's Windows
certificate store. After the certificate is added to the device, it becomes available
for use as a derived credential authentication method.
After you get the app from your chosen provider, the app can be deployed to
Users, or directly installed by the user of the device.
When configuring a Windows profile for Wi-Fi or VPN, select Derived credential
for the Authentication Method. With this configuration, the profile uses the
certificate that was installed on the device when the provider's app was installed.
If you configure one or more methods for Notification type, Intune automatically
notifies users when the current derived credential reaches 80% of its life span. The
notification directs users to go through the credential request process to get a new
derived credential.
After a device receives a new derived credential, policies that use derived credentials
redeploy to that device.
Change the derived credential issuer
At the tenant level, you can change your credential issuer, although only one issuer is
supported by a tenant at a time.
After you change the issuer, users are prompted to get a new derived credential from
the new issuer. They must do so before they can use a derived credential for
authentication.
Important
If you delete an issuer and immediately reconfigure that same issuer, you must still
update profiles and devices to use derived credentials from that issuer. Derived
credentials that were obtained before you delete the issuer are no longer valid.
Next steps
Create device configuration profiles.
Manage iOS/iPadOS software update policies in Intune
Article • 02/22/2023
You can use Microsoft Intune device configuration profiles to manage software updates
for iOS/iPadOS devices that are enrolled as supervised devices.
Supervised devices are devices that enroll through one of Apple's Automated Device
Enrollment (ADE) options. Devices enrolled through ADE support management
control through a mobile device management solution like Intune. ADE options include
Apple Business Manager or Apple School Manager.
Choose to deploy the latest update that's available, or choose to deploy an older
update, based on the update version number.
When deploying an older update, you must also deploy a device restrictions profile
to restrict visibility of software updates. This is because update profiles don't
prevent users from updating the OS manually. Users can be prevented from
updating the OS manually with a device configuration policy that restricts visibility
of software updates.
Specify a schedule that determines when the update installs. Schedules can be as
simple as installing updates the next time that the device checks in, or creating
date and time ranges during which updates can install or are blocked from
installing.
Note
iOS/iPadOS software updates that you send to a Shared iPad can install only
when there is no user signed in to a Shared iPad session and the device is
charging. The iPad must be signed out of all user accounts and plugged into a
power source for the device to update successfully.
2. Select Devices > Update policies for iOS/iPadOS > Create profile.
3. On the Basics tab, specify a name for this policy, specify a description (optional),
and then select Next.
Latest update: Deploys the most recently released update for iOS/iPadOS.
Any previous version that is available in the dropdown box. If you select a
previous version, you must also deploy a device configuration policy to
delay visibility of software updates.
Update at next check-in: The update installs on the device the next time it
checks in with Intune. This option is the simplest and has no extra
configurations.
Update during scheduled time: You configure one or more windows of time
during which the update will install upon check-in.
Update outside of scheduled time: You configure one or more windows of
time during which the updates won't install upon check-in.
c. Weekly schedule: If you choose a schedule type other than update at next
check-in, configure the following options:
Time window: Define one or more blocks of time that restrict when the
updates install. The effect of the following options depends on the
Schedule type you selected. With a start day and end day, overnight
blocks are supported. Options include:
Start day: Choose the day on which the schedule window starts.
Start time: Choose the time of day when the schedule window begins. For
example, if you select 5 AM and have a Schedule type of Update during
scheduled time, 5 AM will be the time that updates can begin to install.
If you chose a Schedule type of Update outside of a scheduled time, 5
AM will be the start of a period of time that updates can't install.
End day: Choose the day on which the schedule window ends.
End time: Choose the time of day when the schedule window stops. For
example, if you select 1 AM and have a Schedule type of Update during
scheduled time, 1 AM will be the time when updates can no longer
install. If you chose a Schedule type of Update outside of a scheduled
time, 1 AM will be the start of a period of time that updates can install.
Note
When you use a device restriction to hide an update, review your software
update policies to ensure they won't schedule the installation of the update
before that restriction period ends. Software update policies install updates
based on their own schedule, regardless of the update being hidden or
visible to the device user.
5. On the Scope tags tab, select + Select scope tags to open the Select tags pane if
you want to apply them to the update policy.
On the Select tags pane, choose one or more tags, and then Select to add
them to the policy and return to the Scope tags pane.
6. On the Assignments tab, choose + Select groups to include and then assign the
update policy to one or more groups. Use + Select groups to exclude to fine-tune
the assignment. When ready, select Next to continue.
The devices used by the users targeted by the policy are evaluated for update
compliance. This policy also supports userless devices.
7. On the Review + create tab, review the settings, and then select Create when
ready to save your iOS/iPadOS update policy. Your new policy is displayed in the
list of update policies for iOS/iPadOS.
Note
You can't use Intune software update policies to downgrade the OS version on a
device.
Edit a policy
You can edit an existing policy, including changing the restricted times:
1. Select Devices > Update policies for iOS. Select the policy you want to edit.
2. While viewing the policy's Properties, select Edit for the policy page you want to
modify.
3. After introducing a change, select Review + save > Save to save your edits, and
return to the policy's Properties.
Note
If the Start time and End time are both set to 12 AM, Intune does not check for
restrictions on when to install updates. This means that any configurations you
have for Select times to prevent update installations are ignored, and updates can
install at any time.
To delay visibility, deploy a device restriction template that configures the following
settings:
This doesn't affect any scheduled updates. It represents days before software
updates are visible to end users after release.
For guidance from the Intune support team, see Delay visibility of software updates in
Intune for supervised devices.
Intune displays a list of supervised iOS/iPadOS devices that are targeted by an update
policy. The list doesn't include devices that are up-to-date and healthy because iOS/iPad
devices only return information about installation failures.
For each device on the list, the Installation Status displays the error that was returned by
the device. To view the list of potential installation status values, on the Installation
failures for iOS devices page, select Filters and then expand the drop-down list for
Installation Status.
Next steps
Monitor device profiles
Software updates admin checklist and scenarios for supervised iOS/iPadOS devices
in Intune
Manage macOS software update policies in Intune
Article • 04/18/2023
You can use Microsoft Intune to manage software updates for macOS devices that are
enrolled as supervised devices.
Note
Prior to the macOS 12.5 release, devices may download and install additional
updates before installing the latest update.
Specify a schedule that determines when the update installs. Schedules can be as
simple as installing updates the next time that the device checks in or creating
day-time ranges during which updates can install or are blocked from installing.
By default, devices check in with Intune about every 8 hours. If an update is available
through an update policy, the device downloads the update. The device then installs the
update upon next check-in within your schedule configuration.
Tip
For more information on managing software updates and the update
experience on devices, see Manage software updates for Apple devices -
Apple Support at Apple's Platform Deployment site.
a. For Critical, Firmware, Configuration file, and All other updates (OS, built-in
apps), the following installation actions can be configured:
Install immediately: Download the software update and trigger the restart
countdown notification. This action is recommended for userless devices.
Notify only: Download the software update and notify the user through
System Settings.
Install later: Download the software update and install it later. This action
is not available for major OS upgrades.
When you configure Install later for All other updates (OS, built-in apps),
the following additional settings are available:
When the All other updates update type is configured to Install later,
this setting allows you to specify the maximum number of times a user
can postpone a minor OS update before it’s installed. The system
prompts the user once a day. Available for devices running macOS 12
and later.
Priority: When the All other updates update type is configured to Install
later, this setting allows you to specify values of Low or High for the
scheduling priority for downloading and preparing minor OS updates.
Available for devices running macOS 12.3 and later.
Update at next check-in: The update installs on the device the next time it
checks in with Intune. This option is the simplest and has no extra
configurations.
Time window: Define one or more blocks of time that restrict when the
updates install. The effect of the following options depends on the
Schedule type you selected. With a start day and end day, overnight
blocks are supported. Options include:
Start day: Choose the day on which the schedule window starts.
Start time: Choose the time of day when the schedule window begins. For
example, if you select 5 AM and have a Schedule type of Update during
scheduled time, 5 AM will be the time that updates can begin to install. If
you chose a Schedule type of Update outside of a scheduled time, 5 AM will
be the start of a period of time that updates can't install.
End day: Choose the day on which the schedule window ends.
End time: Choose the time of day when the schedule window stops. For
example, if you select 1 AM and have a Schedule type of Update during
scheduled time, 1 AM will be the time when updates can no longer install.
If you chose a Schedule type of Update outside of a scheduled time, 1 AM
will be the start of a period of time that updates can install.
Tip
You can deploy a settings catalog policy to hide an update from device users
for a period of time on your supervised macOS devices. For more information,
see the following section, Delay visibility of updates.
5. After configuring Update policy settings, select Next.
The devices used by the users targeted by the policy are evaluated for update
compliance. This policy also supports userless devices.
Note
Apple MDM doesn't allow you to force a device to install updates by a certain time
or date. You can't use Intune software update policies to downgrade the OS version
on a device.
A restriction period can give you time to test an update before it’s made available to
users to install. After the restriction period ends, the update becomes visible to users,
and they can choose to install it if your update policies don’t install it first.
If you use device restrictions to hide an update, review your software update policies to
ensure they won’t schedule the installation of that update before the restriction period
ends. Software update policies will install updates per their schedule regardless of the
update being hidden or visible to the device user.
You’ll find settings that can restrict visibility of updates on macOS devices in the
Restrictions category of the settings catalog. A few examples of settings you can use to
defer an update include:
You can also find related settings under the System Updates > Software Update
category to manage how users manually interact with updates through their system UI.
However, updates from a targeted update policy will override these settings.
Edit a policy
You can edit an existing policy, including changing the restricted times:
1. Select Devices > Update policies for macOS. Select the policy you want to edit.
2. While viewing the policy's Properties, select Edit for the policy page you want to
modify.
Note
If the Start time and End time are both set to 12 AM, Intune does not check for
restrictions on when to install updates. This means that any configurations you
have for Select times to prevent update installations are ignored, and updates can
install at any time.
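The schedule-type and time-window rules described for both the iOS/iPadOS and the macOS update policies, including overnight blocks and the 12 AM start/end case from the note above, as an added Python model. This is example code, not Intune's own logic: the 8-hour check-in cadence is the default the macOS section states, and the day names, dates and windows below are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta
from enum import Enum

# Weekday names indexed the same way as datetime.weekday() (Monday == 0).
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
MINUTES_PER_DAY = 24 * 60
MINUTES_PER_WEEK = 7 * MINUTES_PER_DAY
CHECK_IN_INTERVAL = timedelta(hours=8)  # page: devices check in about every 8 hours


class ScheduleType(Enum):
    NEXT_CHECK_IN = "Update at next check-in"
    DURING = "Update during scheduled time"
    OUTSIDE = "Update outside of scheduled time"


@dataclass(frozen=True)
class TimeWindow:
    """One 'Time window' block: start day/time and end day/time."""
    start_day: str
    start_time: time
    end_day: str
    end_time: time

    def is_ignored(self) -> bool:
        # Page note: with Start time and End time both set to 12 AM, Intune does not
        # check for restrictions, so the block restricts nothing.
        return self.start_time == time(0, 0) and self.end_time == time(0, 0)

    @staticmethod
    def _minute_of_week(day: str, t: time) -> int:
        return DAYS.index(day) * MINUTES_PER_DAY + t.hour * 60 + t.minute

    def contains(self, moment: datetime) -> bool:
        """True when `moment` lies inside the block. The week is treated as circular,
        so an overnight block (Monday 5 AM to Tuesday 1 AM) and a weekend block
        (Friday 10 PM to Monday 5 AM) both work."""
        start = self._minute_of_week(self.start_day, self.start_time)
        end = self._minute_of_week(self.end_day, self.end_time)
        now = moment.weekday() * MINUTES_PER_DAY + moment.hour * 60 + moment.minute
        if end <= start:  # block wraps past the end of the week
            end += MINUTES_PER_WEEK
            if now < start:
                now += MINUTES_PER_WEEK
        return start <= now < end


def update_may_install(schedule: ScheduleType, windows: list[TimeWindow],
                       check_in: datetime) -> bool:
    """Decide whether an update may install at a check-in happening at `check_in`."""
    if schedule is ScheduleType.NEXT_CHECK_IN:
        return True
    active = [w for w in windows if not w.is_ignored()]
    if not active:
        return True  # every block is ignored: updates can install at any time
    inside = any(w.contains(check_in) for w in active)
    return inside if schedule is ScheduleType.DURING else not inside


def next_install_opportunity(schedule: ScheduleType, windows: list[TimeWindow],
                             first_check_in: datetime,
                             interval: timedelta = CHECK_IN_INTERVAL,
                             horizon: timedelta = timedelta(days=7)) -> datetime | None:
    """Walk the device's check-ins from `first_check_in` and return the first one at
    which the update may install, or None when no check-in inside `horizon` qualifies."""
    moment = first_check_in
    while moment <= first_check_in + horizon:
        if update_may_install(schedule, windows, moment):
            return moment
        moment += interval
    return None


if __name__ == "__main__":
    # Constructed sample: the page's 5 AM start / 1 AM end as an overnight block.
    overnight = TimeWindow("Monday", time(5, 0), "Tuesday", time(1, 0))
    monday_2am = datetime(2023, 6, 5, 2, 0)  # 2023-06-05 is a Monday
    print(next_install_opportunity(ScheduleType.DURING, [overnight], monday_2am))
    print(next_install_opportunity(ScheduleType.OUTSIDE, [overnight],
                                   datetime(2023, 6, 5, 10, 0)))
```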
Enforced Software Update Delay: Sets how many days to delay a software update
on the device. With this restriction in place, the user doesn’t see a software update
until the specified number of days after the software update release date. This
value is used by Force Delayed App Software Updates and Force Delayed Software
Updates.
Force Delayed App Software Updates: If true, delays user visibility of non-OS
Software Updates for built-in software like Safari, XProtect, and Gatekeeper.
Requires a supervised device. The delay is 30 days unless Enforced Software Update
Delay is set to another value.
Enforced Software Update Non OS Deferred Install Delay: This restriction allows the
admin to set how many days to delay an app software update on the device. When
this restriction is in place, the user sees a non-OS software update only after the
specified delay after the release of the software. This value controls the delay for
Force Delayed App Software Updates.
Force Delayed Major Software Updates: If set to true, delays user visibility of major
upgrades to OS Software.
Force Delayed Software Updates: If true, delays user visibility of software updates. In
macOS, seed build updates are allowed, without delay. The delay is 30 days
unless Enforced Software Update Delay is set to another value.
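How the restriction settings listed above combine into a date on which the user first sees an update, together with the check the earlier note asks for (that an update policy does not install an update before its restriction period ends), as an added Python example. This is not Intune or Apple code: the fallback from Enforced Software Update Non OS Deferred Install Delay to Enforced Software Update Delay, the delay length applied to delayed major upgrades, and the dates are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

DEFAULT_DELAY_DAYS = 30  # page: 30 days unless Enforced Software Update Delay is set


class UpdateKind(Enum):
    MINOR_OS = "minor OS update"
    MAJOR_OS = "major OS upgrade"
    NON_OS = "non-OS update (Safari, XProtect, Gatekeeper)"
    SEED = "seed build"


@dataclass(frozen=True)
class RestrictionSettings:
    """Settings catalog > Restrictions entries named on the page. None means 'not set'."""
    force_delayed_software_updates: bool = False
    force_delayed_major_software_updates: bool = False
    force_delayed_app_software_updates: bool = False
    enforced_software_update_delay: int | None = None
    enforced_software_update_non_os_deferred_install_delay: int | None = None


def delay_days(settings: RestrictionSettings, kind: UpdateKind) -> int:
    """Days an update of this kind stays hidden from the user."""
    if kind is UpdateKind.SEED:
        return 0  # page: seed build updates are allowed without delay
    base = settings.enforced_software_update_delay
    if base is None:
        base = DEFAULT_DELAY_DAYS
    if kind is UpdateKind.NON_OS:
        if not settings.force_delayed_app_software_updates:
            return 0
        non_os = settings.enforced_software_update_non_os_deferred_install_delay
        # The Non OS delay controls app updates; falling back to the general delay
        # when it is unset is an assumption for this example.
        return non_os if non_os is not None else base
    if kind is UpdateKind.MAJOR_OS:
        # Assumption: a delayed major upgrade is hidden for the general enforced delay.
        return base if settings.force_delayed_major_software_updates else 0
    return base if settings.force_delayed_software_updates else 0


def visible_on(settings: RestrictionSettings, kind: UpdateKind, released: date) -> date:
    """First day the user can see the update in the system UI."""
    return released + timedelta(days=delay_days(settings, kind))


def schedule_conflicts(settings: RestrictionSettings, kind: UpdateKind,
                       released: date, planned_install: date) -> list[str]:
    """Warn when an update policy would install the update before the restriction
    period ends (page: update policies install on schedule whether or not the update
    is hidden from the user)."""
    hidden_until = visible_on(settings, kind, released)
    warnings: list[str] = []
    if planned_install < hidden_until:
        warnings.append(
            f"{kind.value} released {released} is hidden until {hidden_until}, "
            f"but the update policy installs it on {planned_install}"
        )
    return warnings
```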
The Software Update category contains the following settings that can be used to
configure the user experience for macOS software update options on devices (Devices >
macOS > Device configuration > Settings catalog > System Updates > Software
Update):
Allow Pre Release Installation: If true, prerelease software can be installed on this
computer.
Automatic Check Enabled: If false, deselects the "Check for updates" option and
prevents the user from changing the option.
Automatic Download: If false, deselects the "Download new updates when available
from the App Store" option and prevents the user from changing the option.
Automatically Install App Updates: If false, deselects the "Install app updates from
the App Store" option and prevents the user from changing the option.
Automatically Install macOS Updates: If false, restricts the "Install macOS Updates"
option and prevents the user from changing the option.
Critical Update Install: If false, disables the automatic installation of critical updates
and prevents the user from changing the "Install system data files and security
updates" option.
Restrict Software Update Require Admin To Install: If true, restrict app installations
to admin users. This key has the same function as the Restrict Store Require Admin
To Install setting in the App Store category.
Intune displays a list of supervised macOS devices that are targeted by an update policy.
The list doesn't include devices that are up-to-date and healthy because macOS devices
only return information about installation failures.
For each device on the list, the Installation Status displays the error that was returned by
the device. To view the list of potential installation status values, on the Installation status
for macOS devices page, select Filters and then expand the drop-down list for Installation
Status.
Next steps
Monitor device profiles
Android FOTA Updates
Article • 05/23/2023
You can use Microsoft Intune to manage software updates on the following Android
Enterprise devices:
Fully Managed
Dedicated
Corporate-Owned Work Profile devices
If FOTA isn't available, you can use Device restrictions profiles, which work for all
OEMs.
Note
Firmware Over-the-Air (FOTA) updates allow remotely updating the firmware of devices
using a wireless connection, rather than requiring the devices to be physically connected
to a computer or network.
A FOTA update can include software and security patches, feature updates, and other
changes to the device's firmware. This method is more efficient, convenient, and more
secure than manual updates and can be performed on a scheduled or on-demand basis.
Important
This feature is in public preview. For more information, see Public preview in
Microsoft Intune.
Microsoft Intune allows you to manage firmware updates for supported Zebra devices
directly through the Intune admin center.
Supported Devices
LG OTA is supported on the following devices:
Prerequisites
Set up Managed Google Play for your tenant
Administrators must have all the required RBAC (role-based access control)
permissions:
Mobile Apps (to create and deploy app configuration profiles)
Android FOTA (to manage firmware OTA updates)
Access to all appropriate Zebra licenses, and entitlements to use the LG OTA
service. For more information, contact Zebra support or see Zebra's TechDocs.
For information about services ports and endpoints used by Zebra OTA updates,
refer to Zebra Lifeguard Over the Air FOTA Updates Ports.
For more information about which Zebra devices work with the service based on
the platform, see Zebra's TechDocs.
Process overview
The process for using LG OTA via Intune is as follows:
Important
Remember the email address of the Zebra account you use to authorize Intune.
You'll need this if you contact Zebra for support. Intune doesn't store this
information.
Note
Next, assign Zebra Enrollment Manager and Zebra Common Transport Layer as
Required apps for all the Zebra devices you want to update and use with LG OTA. The
apps are deployed automatically to those devices.
For more information, see Add app configuration policies for managed Android
Enterprise devices
3. In the Settings tab, under the Permissions section, select Add to add the following
permission override:
a. Permission: Phone state (read)
b. Permission state: set to Auto grant
4. In the Settings tab, under the Configuration Settings section, select Add to add
the following two configuration settings:
a. Action: Set Configuration value to Claim Device.
b. Claim Device Token: Paste the enrollment token that you copied in the earlier
step into the Configuration value field.
5. Assign this configuration policy to all the same devices that you assigned the app
earlier.
3. In the Settings tab, under the Permissions section, select Add to add the following
permission override:
a. Permission: Phone state (read)
b. Permission state: set to Auto grant
4. Assign this configuration policy to all the same devices that you assigned the app
earlier.
Wait at least 15 minutes for the required apps and app configuration policy to reach the
devices. If needed, use the Intune app on the device to force a sync by navigating to the
Intune app > select the More menu (...), and select Sync.
After synchronization is complete, the devices that support LG OTA contact the Zebra LG
OTA service to be enrolled in it and associated with the Microsoft Intune/Zebra
accounts. You can then deploy firmware updates to these LG OTA enrolled devices.
Note
LG OTA deployments are fire-and-forget actions, not persistent policies that
enforce compliance. Therefore, Microsoft refers to them as deployments rather
than policies. For example, if an upgrade fails initially, LG OTA won't retry the
update on that device even after the issue is later remediated.
2. Select Devices > Android > Android FOTA deployments to create and manage
FOTA deployments.
4. On the Basics tab, specify a name for this policy, specify a description (optional),
and then select Next.
5. On the Settings tab, configure the deployment settings you'd like to use.
7. On the Assignments tab, choose + Select groups to include and then assign your
deployments to one or more groups. Review these important guidelines for
assignment. When ready, select Next to continue.
9. When ready, select Create to create the deployment. The deployment is created
with Zebra for the list of assigned devices.
When you assign a deployment to a group, only eligible Zebra devices, at the time the
deployment was created, are included in the deployment request that Intune sends to
Zebra for processing by the Zebra LG OTA service. So, dynamic group membership
updates may not be reflected in LG OTA deployments.
If devices are added to an assigned group after the deployment is created, those devices
won't be part of the deployment in the LG OTA service. To update devices that are
added to a group after the deployment is created, you can create a new deployment
with the same settings, and assign it to the same group. Devices in the group that have
already been updated by the first deployment won't be updated again.
If devices are later removed from an assigned group after the deployment is created,
those devices may still be updated if they were already part of this deployment request
sent to the LG OTA service. You should assume that all eligible Zebra devices that were
ever added to the assigned groups are updated, even if they're removed from the group
afterwards.
Example
You have a dynamic group G that contains three TC57 devices A, B, and C. Every
time a new TC57 device is enrolled in your tenant, it's automatically added to the
dynamic group. A, B, and C devices start off running firmware version v1.
On January 1, you use Intune and LG OTA to create a deployment that runs as soon
as possible, to update devices in G from v1 to v2. All three devices are now on v2.
On February 1, a new TC57 device, D, running firmware version v1, is enrolled in
the tenant. D is automatically added to the group, and now there are four devices
in group G. D isn't part of the January 1 deployment, so if you want to update D to
v2, you need to create a new deployment assigned to either D or G.
On February 15, you create a deployment that runs as soon as possible, to update
devices in G to v3. Now, devices A, B, C, and D are all on v3.
On March 1, you use Intune and LG OTA to create a deployment that starts on April
1 and will update devices in G to v4. Intune sends this deployment to the Zebra
service on March 1 after you select Create.
On March 15, you remove devices A and B from group G.
On April 1, the deployment starts running as scheduled. Now, devices A, B, C, D are
updated from v3 to v4.
Note
A device can only be part of one deployment at a time. Deployments are only
supported for devices, not users. For example, if you assign a deployment to a
group containing a device A and a user B who is associated with device B, only
device A will receive the deployment.
Assignment filters are not currently supported. Deployments that are assigned to
empty groups, or to groups containing no eligible devices, will fail.
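The deployment semantics from the example and note above (eligible devices captured when the deployment is created, users and non-enrolled devices skipped, empty groups failing, already-updated devices left alone, one deployment per device at a time), replayed as an added Python model. This is not Intune's or Zebra's code: the year in the dates is assumed, and treating a second concurrent deployment for the same device as an error is an assumption about how that constraint is enforced.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    name: str
    model: str
    version: str
    lg_ota_enrolled: bool = True  # enrolled with the Zebra LG OTA service


@dataclass
class Deployment:
    created: date
    start: date
    target_version: str
    devices: tuple[str, ...]  # snapshot of eligible devices taken at creation time
    completed: bool = False


class FotaTenant:
    """Toy model of the Android FOTA deployment behaviour the page describes."""

    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
        self.groups: dict[str, set[str]] = {}  # group -> member names (devices or users)
        self.deployments: list[Deployment] = []

    def add_member(self, group: str, member: str) -> None:
        self.groups.setdefault(group, set()).add(member)

    def remove_member(self, group: str, member: str) -> None:
        self.groups[group].discard(member)

    def enroll(self, device: Device, *groups: str) -> None:
        self.devices[device.name] = device
        for g in groups:
            self.add_member(g, device.name)

    def create_deployment(self, today: date, start: date, target_version: str,
                          group: str) -> Deployment:
        # Only eligible Zebra devices in the group *now* go into the request sent to
        # Zebra; users and non-enrolled devices are skipped and later membership
        # changes are not reflected.
        eligible = tuple(sorted(m for m in self.groups.get(group, set())
                                if m in self.devices and self.devices[m].lg_ota_enrolled))
        if not eligible:
            raise ValueError(f"deployment to group {group!r} fails: no eligible devices")
        busy = {d for dep in self.deployments if not dep.completed for d in dep.devices}
        clash = busy.intersection(eligible)
        if clash:
            # Page: a device can only be part of one deployment at a time (modelled as an error).
            raise ValueError(f"devices already in an active deployment: {sorted(clash)}")
        dep = Deployment(today, start, target_version, eligible)
        self.deployments.append(dep)
        self.advance_to(today)
        return dep

    def advance_to(self, today: date) -> None:
        """Run each deployment whose start date has been reached (fire and forget: one attempt)."""
        for dep in self.deployments:
            if dep.completed or dep.start > today:
                continue
            for name in dep.devices:  # the snapshot, not the current group membership
                dev = self.devices[name]
                if dev.version != dep.target_version:  # already-updated devices are left alone
                    dev.version = dep.target_version
            dep.completed = True

    def versions(self) -> dict[str, str]:
        return {n: d.version for n, d in sorted(self.devices.items())}


def run_page_timeline() -> dict[str, str]:
    """Replay the page's walkthrough (constructed dates) and return the final versions."""
    t = FotaTenant()
    for n in "ABC":
        t.enroll(Device(n, "TC57", "v1"), "G")
    t.create_deployment(date(2023, 1, 1), date(2023, 1, 1), "v2", "G")    # Jan 1: all on v2
    t.enroll(Device("D", "TC57", "v1"), "G")                               # Feb 1: D joins G on v1
    t.create_deployment(date(2023, 2, 15), date(2023, 2, 15), "v3", "G")  # Feb 15: all on v3
    t.create_deployment(date(2023, 3, 1), date(2023, 4, 1), "v4", "G")    # Mar 1: scheduled for Apr 1
    t.remove_member("G", "A")                                              # Mar 15
    t.remove_member("G", "B")
    t.advance_to(date(2023, 4, 1))                                         # snapshot still has A and B
    return t.versions()
```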
Reporting displays information for eligible devices only and is currently refreshed every
hour. For example, if you assign a deployment to a group containing non-Zebra devices,
or Zebra devices that aren't enrolled with the LG OTA service, those devices aren't
included in the Android FOTA deployments reports.
Deployment status: The status of the deployment. For more information, see the
following table.
The status of a deployment is different from the status of individual devices in the
deployment. For example, if you create a deployment that targets two devices and only
one is successfully updated, the deployment is considered Completed. However, it shows
one device as failed and one as successful.
Deployment in progress: Start date has been reached, and end date hasn't passed.
Cancellation requested: Intune has sent a cancellation request to the Zebra service.
By selecting the More (…) menu next to a deployment, or by selecting the deployment
details, you can attempt to Cancel a deployment that is in progress or Delete a
completed deployment from Intune. Zebra doesn't support editing of already created
deployments.
A Zebra deployment ID. This ID can be useful when contacting Zebra support.
A Status detail, if applicable. If an error code is displayed:
Code NOTAPPLICABLE: the device isn't enrolled with the LG OTA service, or isn't
eligible for this update
Numeric error code. For example, 4009. Contact Zebra support for more details
on next steps.
Known issues
During public preview, you may need to disconnect and reconnect the Zebra connector.
The following error message appears on the Android FOTA deployments page:
"Something went wrong while communicating with Zebra. Try again later, or if this issue
persists try disconnecting and reconnecting the Zebra connector in Tenant
administration".
Use Microsoft Intune to manage the install of Windows 10/11 software updates from
Windows Update for Business.
By using Windows Update for Business, you simplify the update management
experience. You don't need to approve individual updates for groups of devices and can
manage risk in your environments by configuring an update rollout strategy. With
Intune, you can configure update settings on devices and configure deferral of update
installation. You can also prevent devices from installing features from new Windows
versions to help keep them stable, while allowing those devices to continue installing
updates for quality and security.
Intune stores only the update policy assignments, not the updates themselves. When
you save a policy, Intune passes the configuration details to Windows Update, which
then determines which updates will be offered to each device. Devices access Windows
Update directly for the updates.
Learn more about Windows feature and quality updates in the Windows documentation.
Update rings for Windows 10 and later: This policy is a collection of settings that
configures when updates get installed on devices that run Windows 10 and Windows
11. Update ring policies are supported for devices that run Windows 10
version 1607 or later, and Windows 11. For more information, see Update rings
policy.
Feature updates for Windows 10 and later: Feature updates policy updates
devices to the Windows version you specify, and then freezes the feature set
version on those devices. This version freeze remains in place until you choose to
update them to a later Windows version. While the feature version remains static,
devices can continue to install quality and security updates that are available for
their feature version.
You can also use Feature updates policy to upgrade your devices that run Windows
10 to Windows 11.
Quality updates for Windows 10 and later: With Quality updates for Windows 10
and later, you can expedite the install of the most recent Windows 10 and
Windows 11 security updates as quickly as possible on devices you manage with
Microsoft Intune. Expedited install is accomplished without the need to pause or
edit your existing monthly servicing policies. For more information, see Expedite
updates policy.
Driver updates for Windows 10 and later: With Windows Driver Update
Management in Microsoft Intune, you can review, approve for deployment and
pause deployments of driver updates for your managed Windows 10 and Windows
11 devices. Intune and the Windows Update for Business (WUfB) deployment
service (DS) take care of the heavy lifting to identify the applicable driver updates
for devices that are assigned a driver updates policy. For more information, see
Driver updates policy.
Quality updates for Windows 10 and later: Policy for Quality updates, also referred
to as Expedited updates, allows you to expedite the install of the most recent
Windows 10 and Windows 11 security updates on your managed devices.
Deployment of expedited quality updates is done without the need to pause or
edit your existing monthly servicing policies.
Driver updates for Windows 10 and later: With Driver updates you can review,
approve for deployment, and pause deployments of driver updates for your
managed Windows 10 and Windows 11 devices. Your policies can automatically
install the newest recommended driver for you, or wait for an admin to manually
approve drivers before they are installed.
If you support WPJ devices with Intune, the following table can help you
understand the differences in capabilities based on policy type, for both WPJ devices
and AADJ devices.

Capability | WUfB via Update Ring policy | WUfB-ds via Driver, Feature, and Quality update policies
Scan for Updates and Restart schedules | Yes | Use Update Ring policies to manage schedules
Quality | Pause all updates | Pause individual updates
Drivers | Block all updates | Pause individual updates
While nothing prohibits use of both policy types to control which updates can install on
a device, there's typically no advantage to doing so. When both policy types apply to a
device, the conditions of both policy types must be met (be true) on the device before
it's offered an applicable update. This scenario can lead to updates not installing as
expected due to a block by one of the policy types.
Plan to transition
Plan to manage the change from using update ring deferrals to feature updates so that
the Windows Update service can be ready to deploy the updates you expect.
When Intune policies for Windows updates are created or modified, Intune passes
the policy details to Windows Update, which then determines the updates that are
applicable for each device that's assigned one or more update policies.
Use the following process to ensure Windows Update has processed your feature
updates policy before deferrals are removed.
1. Create the feature updates policy that specifies the Windows version you want
devices to stay at, and assign it to the devices. After the saved policy is assigned
to devices, it takes a few minutes for Windows Update to process the policy.
2. View the Windows 10 feature updates (Organizational) report for the feature
update policy, and verify devices have a state of OfferReady before you proceed.
Once all devices show OfferReady, Windows Update has completed processing the
policy.
3. After devices are verified to be in the OfferReady state you can safely reconfigure
the Windows 10 and later update ring policy for that same set of devices to
change the setting Feature update deferral period (days) to a value of 0.
Reporting on updates
To learn about report options for Update rings policy and Windows feature updates
policy, see Windows update reports.
Next steps
Use Windows update rings
Use Windows feature updates
Expedite quality updates
Use Windows driver updates policy
For more information, see Manage updates using Windows Update for Business in
the Windows documentation.
Update rings for Windows 10 and later
policy in Intune
Article • 08/30/2023
Create update rings that specify how and when Windows as a Service updates your
Windows 10/11 devices with feature and quality updates. With Windows 10/11, new
feature and quality updates include the contents of all previous updates. As long as
you've installed the latest update, you know your Windows devices are up to date.
Unlike with previous versions of Windows, you now must install the entire update
instead of part of an update.
Update rings can also be used to upgrade your eligible Windows 10 devices to Windows
11. To do so, when creating a policy you use the setting named Upgrade Windows 10
devices to Latest Windows 11 release by configuring it as Yes. When you use update rings
to upgrade to Windows 11, devices install the most current version of Windows 11. If
you later set the upgrade setting back to No, devices that haven't started the upgrade
won't start while devices that are in the process of upgrading will continue to do so.
Devices that have completed the upgrade remain on Windows 11. For more
information on eligibility, see Windows 11 Specs and System Requirements.
Windows update rings support scope tags. You can use scope tags with update rings to
help you filter and manage sets of configurations that you use.
Prerequisites
The following prerequisites must be met to use Windows Update Rings for Windows
10/11 devices in Intune.
Devices must have access to endpoints. To get a detailed list of endpoints required
for the associated service listed here, see Network endpoints.
Windows Update
Note
Windows 10/11 Enterprise LTSC - LTSC is supported for Quality updates, but not
for Feature updates. As a result, the following ring controls aren't supported for
LTSC:
Pause of Feature updates
Feature Update Deferral period (days)
Set feature update uninstall period (2 - 60 days)
Enable pre-release builds, which includes the following build options:
Windows Insider – Release Preview
Beta Channel
Dev Channel
Use deadline settings for Feature updates.
1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Windows > Update rings for Windows 10 and later > Create
profile.
3. Under Basics, specify a name, a description (optional), and then select Next.
4. Under Update ring settings, configure settings for your business needs. For
information about the available settings, see Windows update settings. After
configuring Update and User experience settings, select Next.
5. Under Scope tags, select + Select scope tags to open the Select tags pane if you
want to apply them to the update ring. Choose one or more tags, and then click
Select to add them to the update ring and return to the Scope tags page.
6. Under Assignments, choose + Select groups to include and then assign the
update ring to one or more groups. Use + Select groups to exclude to fine-tune
the assignment. Select Next to continue.
While update rings can deploy to both device and user groups, consider using only
device groups when you also use feature updates.
7. Under Review + create, review the settings, and then select Create when ready to
save your Windows update ring. Your new update ring is displayed in the list of
update rings.
From this page, you can view the rings assignment status and select the following
actions from the top of the Overview pane to manage the update ring:
Delete
Pause
Resume
Extend
Uninstall
Delete
Select Delete to stop enforcing the settings of the selected Windows update ring.
Deleting a ring removes its configuration from Intune so that Intune no longer applies
and enforces those settings.
Deleting a ring from Intune doesn't modify the settings on devices that were assigned
the update ring. Instead, the device keeps its current settings. Devices don't maintain a
historical record of what settings they held previously. Devices can also receive settings
from other update rings that remain active.
To delete a ring
1. While viewing the overview page for an Update Ring, select Delete.
2. Select OK.
Pause
Select Pause to prevent assigned devices from receiving feature or quality updates for
up to 35 days from the time you pause the ring. After the maximum days have passed,
pause functionality automatically expires and the device scans Windows Updates for
applicable updates. Following this scan, you can pause the updates again. If you resume
a paused update ring, and then pause that ring again, the pause period resets to 35
days.
To pause a ring
1. While viewing the overview page for an Update Ring, select Pause.
2. Select either Feature or Quality to pause that type of update, and then select OK.
3. After pausing one update type, you can select Pause again to pause the other
update type.
When an update type is paused, the Overview pane for that ring displays how many
days remain before that update type resumes.
Important
After you issue a pause command, devices receive this command the next time they
check into the service. It's possible that before they check in, they might install a
scheduled update. Additionally, if a targeted device is turned off when you issue
the pause command, when you turn it on, it might download and install scheduled
updates before it checks in with Intune.
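The following script is an added example, not code from the Intune documentation. After you issue a Pause, it checks on a device whether the pause has actually arrived, how much of the 35-day window remains, and whether the Windows Update client installed something after the pause start date, which is the race the note above describes. It assumes (my assumptions, not the article's) that Intune-delivered Update CSP settings are mirrored under the PolicyManager registry key named in the script, using the Update CSP value names (PauseQualityUpdates, PauseQualityUpdatesStartTime, DeferQualityUpdatesPeriodInDays and the Feature equivalents), and that the start time value parses as a date. Run it in an elevated PowerShell prompt on the managed device.

```powershell
# Added example (not from the Intune documentation): verify that a ring Pause reached
# this device and whether anything installed after the pause started.
# Assumptions (mine): MDM-delivered Update CSP values are mirrored under the
# PolicyManager key below with the Update CSP value names; the start time parses as a date.

$MdmUpdateKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$MaxPauseDays = 35   # the pause window described in the article

function Get-IntunePauseState {
    param([ValidateSet('Quality', 'Feature')][string]$Category)

    $props = $null
    if (Test-Path $MdmUpdateKey) { $props = Get-ItemProperty -Path $MdmUpdateKey }

    # Dynamic property names: PauseQualityUpdates / PauseFeatureUpdates, and so on
    $pauseFlag  = $props."Pause${Category}Updates"
    $pauseStart = $props."Pause${Category}UpdatesStartTime"
    $deferDays  = $props."Defer${Category}UpdatesPeriodInDays"

    $start = $null; $remaining = $null
    if ($pauseStart) {
        try {
            $start     = ([datetime]$pauseStart).Date
            $remaining = $MaxPauseDays - ([datetime]::UtcNow.Date - $start).Days
        } catch { Write-Warning "Unparseable pause start '$pauseStart' for $Category updates" }
    }

    [pscustomobject]@{
        Category           = $Category
        PolicyPresent      = ($null -ne $props)
        Paused             = ($pauseFlag -eq 1)
        PauseStart         = $start
        PauseDaysRemaining = $remaining
        DeferralDays       = $deferDays
    }
}

function Get-LastWindowsUpdateActivity {
    # Windows Update Agent COM API: last successful scan and install on this device
    $results = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Results
    [pscustomobject]@{
        LastSearchSuccess  = $results.LastSearchSuccessDate
        LastInstallSuccess = $results.LastInstallationSuccessDate
    }
}

$pause    = @('Quality', 'Feature') | ForEach-Object { Get-IntunePauseState -Category $_ }
$activity = Get-LastWindowsUpdateActivity
$pause    | Format-Table -AutoSize
$activity | Format-List

# An install that completed after the pause start means the device acted on a
# scheduled update before it checked in and received the pause.
foreach ($p in $pause | Where-Object { $_.Paused -and $_.PauseStart }) {
    if ($activity.LastInstallSuccess -and $activity.LastInstallSuccess -gt $p.PauseStart) {
        $msg = '{0} updates: last install {1:u} is after the pause start {2:d}; check what installed before the pause arrived.' -f
               $p.Category, $activity.LastInstallSuccess, $p.PauseStart
        Write-Warning $msg
    }
}
```

If PolicyPresent is false, the device hasn't received any Update CSP policy from Intune yet, so the pause can't be in effect regardless of what the admin center shows; force a sync and re-run rather than assuming the ring applied.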
Resume
While an update ring is paused, you can select Resume to restore feature and quality
updates for that ring to active operation. After you resume an update ring, you can
pause that ring again.
To resume a ring
1. While viewing the overview page for a paused Update Ring, select Resume.
2. Select from the available options to resume either Feature or Quality updates, and
then select OK.
3. After resuming one update type, you can select Resume again to resume the other
update type.
Extend
While an update ring is paused, you can select Extend to reset the pause period for
both feature and quality updates for that update ring to 35 days.
Uninstall
An Intune administrator can use Uninstall to uninstall (roll back) the latest feature
update or the latest quality update for an active or paused update ring. After
uninstalling one type, you can then uninstall the other type. Intune doesn't support or
manage the ability of users to uninstall updates.
Important
When you use the Uninstall option, Intune passes the uninstall request to devices
immediately.
Windows devices start removal of updates as soon as they receive the change
in Intune policy. Update removal isn't limited to maintenance schedules, even
when they're configured as part of the update ring.
If the update removal requires a device restart, the device restarts without
offering device users an option to delay.
A device must have installed the latest update. Because updates are cumulative, devices
that install the latest update will have the most recent feature and quality update. An
example of when you might use this option is to roll back the last update should you
discover a breaking issue on your Windows machines.
Uninstalling a feature or quality update is only available for the servicing channel
the device is on.
Using uninstall for feature or quality updates triggers a policy to restore the
previous update on your Windows machines.
Once the feature or quality update pause elapses on an Update Ring, devices will
reinstall previously uninstalled feature or quality updates if they're still applicable.
Uninstallation will not be successful when the feature update was applied using an
Enablement Package. An Enablement Package is the most common way devices
update to Windows 10 22H2 from Windows 10 2004, 20H2, and 21H2 via Windows
Update for Business. To learn more about Enablement Packages, see KB5015684:
Featured update to Windows 10, version 22H2 by using an enablement package
(Microsoft Support). To learn more about using a script to uninstall Enablement
Packages, see Uninstalling Windows updates on managed devices using Intune.
For feature updates specifically, the time you can uninstall the update is limited
from 2-60 days. This period is configured by the update rings Update setting Set
feature update uninstall period (2 – 60 days). You can't roll back a feature update
that's been installed on a device after the update has been installed for longer than
the configured uninstall period.
For example, consider an update ring with a feature update uninstall period of 20
days. After 25 days you decide to roll back the latest feature update and use the
Uninstall option. Devices that installed the feature update over 20 days ago can't
uninstall it as they've removed the necessary bits as part of their maintenance.
However, devices that only installed the feature update up to 19 days ago can
uninstall the update if they successfully check in to receive the uninstall command
before exceeding the 20-day uninstall period.
For more information about Windows Update policies, see Update CSP in the Windows
client management documentation.
Next steps
Use Windows feature updates in Intune
Use Windows update compatibility reports
Use Windows update reports for Windows updates
Also see Windows Autopatch in the Windows deployment content for an
alternative solution
Feature updates for Windows 10 and
later policy in Intune
Article • 07/25/2023
With Feature updates for Windows 10 and later in Intune, you can select the Windows
feature update version that you want devices to remain at, like Windows 10 version
1909 or a version of Windows 11. Intune supports setting a feature level to any version
that remains in support at the time you create the policy.
You can also use feature updates policy to upgrade devices that run Windows 10 to
Windows 11.
Windows feature updates policies work with your Update rings for Windows 10 and later
policies to prevent a device from receiving a Windows feature version that's later than
the value specified in the feature updates policy.
The device updates to the version of Windows specified in the policy. A device that
already runs a later version of Windows remains at its current version. By freezing
the version, the devices feature set remains stable during the duration of the
policy.
Note
A device won't install an update when it has a safeguard hold for that
Windows version. When a device evaluates applicability of an update version,
Windows creates the temporary safeguard hold if an unresolved known issue
exists. Once the issue is resolved, the hold is removed and the device can then
update.
To learn about known issues that can result in a safeguard hold, see the
applicable Windows release information and then reference the relevant
Windows version from the table of contents for that page:
Windows 11 release information
Windows 10 release information
For example, for Windows 11 version 21H2, go to the Windows 11 release
information and then from the left-hand pane, select Version 21H2 and
then Known issues and notifications. The resultant page includes details for
known issues for that Windows version that might result in safeguard hold.
Unlike using Pause with an update ring, which expires after 35 days, the Feature
updates policy remains in effect. Devices won't install a new Windows version until
you modify or remove the Feature updates policy. If you edit the policy to specify a
newer version, devices can then install the features from that Windows version.
The ability to Uninstall the Feature update is still honored by the Update Rings.
You can configure policy to manage the schedule by which Windows Update
makes the offer available to devices. For more information, see Rollout options for
Windows Updates.
Prerequisites
Important
This feature is not supported on GCC and GCC High/DoD cloud environments.
The following are prerequisites for Intune's Feature updates for Windows 10 and later:
In addition to a license for Intune, your organization must have one of the
following subscriptions that include a license for Windows Update for Business
deployment service:
Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium
If you’re blocked when creating new policies for capabilities that require WUfB ds
and you get your licenses to use WUfB through an Enterprise Agreement (EA),
contact the source of your licenses such as your Microsoft account team or the
partner who sold you the licenses. The account team or partner can confirm that
your tenants licenses meet the WUfB ds license requirements. See Enable
subscription activation with an existing EA.
Devices must:
Have Telemetry turned on. Devices that receive a feature updates policy and that
have Telemetry set to Not configured (off) might install a later version of Windows
than defined in the feature updates policy. The prerequisite to require Telemetry is
under review as this feature moves towards general availability.
The Microsoft Account Sign-In Assistant (wlidsvc) must be able to run. If the
service is blocked or set to Disabled, it fails to receive the update. For more
information, see Feature updates aren't being offered while other updates are.
By default, the service is set to Manual (Trigger Start), which allows it to run
when needed.
Have access to endpoints. To get a detailed list of endpoints required for the
associated services listed here, see Network endpoints.
Windows Update
Windows Update for Business deployment service
Feature updates are supported for the following Windows 10/11 editions:
Pro
Enterprise
Education
Pro Education
Pro for Workstations
Note
For more information about WPJ limitations for Intune Windows Update policies, see
Policy limitations for Workplace Joined devices in Manage Windows 10 and Windows 11
software updates in Intune.
Tip
Feature updates for Windows 10 and later policies cannot be applied during the
Autopilot out of box experience (OOBE). Instead, the policies apply at the first
Windows Update scan after a device has finished provisioning, which is typically a
day.
1. Sign in to the Microsoft Intune admin center.
2. Go to Devices > Windows > Feature updates for Windows 10 and later >
Create profile.
3. For Deployment settings, enter a meaningful name and a description for the
policy. Then, specify the feature update you want devices to be running.
4. Monitor the report for the policy. To do so, go to Reports > Windows
Updates > Reports Tab > Feature Updates report. Select the policy you
created and then generate the report.
5. Devices that have a state of OfferReady or later, are enrolled for feature
updates and protected from updating to anything newer than the update you
specified in step 3. See, Use the Windows 10 feature updates (Organizational)
report.
6. With devices enrolled for updates and protected, you can safely change the
Windows Update policies workload from Configuration Manager to Intune.
See, Switch workloads to Intune in the co-management documentation.
When the device checks in to the Windows Update service, the device's group
membership is validated against the security groups assigned to the feature
updates policy settings for any feature update holds.
Managed devices that receive feature update policy are automatically enrolled with
the Windows Update for Business deployment service. The deployment service
manages the updates a device receives. The service is utilized by Microsoft Intune
and works with your Intune policies for Windows updates to deploy feature
updates to devices.
When a device is no longer assigned to any feature update policies, Intune waits
90 days to unenroll that device from feature update management and to unenroll
that device from the deployment service. This delay allows time to assign the
device to a different policy and ensure that in the meantime the device doesn’t
receive a feature update that wasn't intended.
This means that when a feature updates policy no longer applies to a device, that
device won’t be offered any feature updates until one of the following happens:
90 days elapse.
The device is assigned to a new feature update profile.
The device is unenrolled from Intune, which unenrolls the device from feature
update management by the Deployment Service.
You use the Windows Update for Business deployment service graph API to
remove the device from feature update management.
To keep a device at its current feature update version and prevent it from being
unenrolled and updated to the most recent feature update version, ensure the
device remains assigned to a feature update policy that specifies the devices
current Windows version.
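The script below is an added example, not code from the Intune documentation, showing the last option in the list above: removing a device from feature update management in the Windows Update for Business deployment service through Microsoft Graph rather than waiting 90 days. It uses the Microsoft Graph PowerShell SDK and assumes (my assumptions; check them against the current Graph beta reference) that the beta action /admin/windows/updates/updatableAssets/unenrollAssets accepts an updateCategory plus a list of azureADDevice assets, that the signed-in account holds WindowsUpdates.ReadWrite.All, and that the IDs you pass are Azure AD device object deviceId values rather than Intune device IDs. The device ID in the script is a constructed placeholder.

```powershell
# Added example (not from the Intune documentation): unenroll devices from feature
# update management in the WUfB deployment service via Microsoft Graph (beta).
# Assumptions (mine): Graph PowerShell SDK installed; WindowsUpdates.ReadWrite.All granted;
# unenrollAssets action shape as in the Graph beta reference; IDs are Azure AD deviceId values.

Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All'

$Base = 'https://graph.microsoft.com/beta/admin/windows/updates'

function Get-UpdatableAsset {
    param([string]$AzureAdDeviceId)
    try {
        Invoke-MgGraphRequest -Method GET -Uri "$Base/updatableAssets/$AzureAdDeviceId"
    } catch {
        $null   # typically 404: the device was never enrolled with the deployment service
    }
}

function Remove-FeatureUpdateEnrollment {
    param([string[]]$AzureAdDeviceIds)
    $body = @{
        updateCategory = 'feature'
        assets         = @($AzureAdDeviceIds | ForEach-Object {
            @{ '@odata.type' = '#microsoft.graph.windowsUpdates.azureADDevice'; id = $_ }
        })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Base/updatableAssets/unenrollAssets" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

# Constructed placeholder; replace with the real Azure AD deviceId values.
$DeviceIds = @('00000000-0000-0000-0000-000000000001')

$toUnenroll = foreach ($id in $DeviceIds) {
    $asset = Get-UpdatableAsset -AzureAdDeviceId $id
    if ($null -eq $asset) {
        Write-Host "$id is not enrolled with the deployment service; nothing to do"
        continue
    }
    Write-Host "$id before: $($asset | ConvertTo-Json -Depth 5 -Compress)"
    $id
}

if ($toUnenroll) {
    Remove-FeatureUpdateEnrollment -AzureAdDeviceIds @($toUnenroll)
    # Unenrollment is processed asynchronously by the service; re-read the asset to confirm.
    foreach ($id in $toUnenroll) {
        $after = Get-UpdatableAsset -AzureAdDeviceId $id
        Write-Host "$id after: $($after | ConvertTo-Json -Depth 5 -Compress)"
    }
}
```

Remove the device from every Intune feature updates policy first: as the text above says, a device that is still assigned to a policy is enrolled with the deployment service by Intune, so a Graph unenrollment alone would be undone at the next policy sync. Once unenrolled, the device is no longer held at a version by this mechanism and takes feature updates according to its update ring deferrals.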
1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Windows > Feature updates for Windows 10 and later > Create
profile.
3. Under Deployment settings, enter a name and an optional description, and then
specify the feature update you want devices to be running and, optionally, the
rollout options.
4. Under Assignments, choose + Select groups to include and then assign the
feature updates deployment to one or more device groups. Select Next to
continue.
5. Under Review + create, review the settings. When ready to save the Feature
updates policy, select Create.
When you use feature updates policy to deploy Windows 11, you can target the policy
to Windows 10 devices that meet the Windows 11 minimum requirements to upgrade
them to Windows 11. Devices that don’t meet the requirements for Windows 11 won’t
install the update and remain at their current Windows 10 version.
However, if a Windows 10 device that can’t run Windows 11 is targeted with a Windows
11 update, future Windows 10 updates will not be offered to that device automatically.
In this case, remove the not eligible device from the Windows 11 policy and assign the
device to a Windows 10 feature update policy. See Update behavior when multiple
policies target a device.
When there are multiple versions of Windows 11 available, you can choose to deploy
the latest build. When you deploy the latest build to a group of devices, those devices
that already run Windows 11 will update while devices that still run Windows 10 will
upgrade to that version of Windows 11 if they meet the upgrade requirements. In this
way, you can always upgrade supported Windows 10 devices to the latest Windows 11
version even if you choose to delay the upgrade of some devices until a future time.
You can use Endpoint analytics in Microsoft Intune to determine which of your devices
meet the hardware requirements. If some of your devices don't meet all the
requirements, you can see exactly which ones aren't met. To use Endpoint analytics, your
devices must be managed by Intune, co-managed, or have the Configuration Manager
client version 2107 or newer with tenant attach enabled.
If you’re already using Endpoint analytics, navigate to the Work from anywhere report,
and select the Windows score category in the middle to open a flyout with aggregate
Windows 11 readiness information. For more granular details, go to the Windows tab at
the top of the report. On the Windows tab, you’ll see device-by-device readiness
information.
When you configure a policy in the Microsoft Intune admin center to deploy any
Windows 11 version, the admin center displays a notice to remind you that by
submitting the policy you're accepting the Windows 11 License Agreement terms on
behalf of the devices and your device users. After you submit the feature updates
policy, end users won't see or need to accept the license agreement, making the
update process seamless.
This license reminder appears each time you select a Windows 11 build, even if all your
Windows devices already run Windows 11. The prompt is shown because Intune doesn't
track which devices will receive the policy, and it's possible that new devices that run
Windows 10 might later enroll and be targeted by the policy.
For more information including general licensing details, see the Windows 11
documentation.
Policies for Windows 11 and Windows 10 can exist side by side in Microsoft Intune.
Deploying an older Windows version to a device won’t downgrade the device.
Devices only install an update when it's newer than the devices current version.
Deploying a Windows 11 update to a Windows 10 device that supports Windows
11, upgrades that device.
Avoid deploying a Windows 11 policy to a Windows 10 device that doesn't support
Windows 11.
Update behavior when multiple policies target
a device:
Consider the following points when feature update policies target a device with more
than one update policy, or target a Windows 10 device with an update for Windows 11:
Each Windows feature update policy supports a single update. When a device is
targeted by more than one policy, it might be targeted with multiple update
versions.
The Windows Update service can only offer a device one feature update at a time,
and always offers the latest update version that targets the device.
The Windows Update for Business deployment service can’t determine that a
device can’t run Windows 11. Therefore, if a Windows 10 device that can’t run
Windows 11 is targeted with a Windows 11 update, Windows 10 updates will not
be offered automatically. In this case, remove the not eligible device from the
Windows 11 policy and assign the device to a Windows 10 feature update policy.
Support End Date – The end of support date for the feature update version.
Note
The date provided is for the Enterprise and Education editions of Windows. To find
the support dates for other editions supported by Windows Update for Business
deployment service, see the Microsoft Product Lifecycle site.
Selecting a profile from the list opens the profiles Overview pane where you can:
Select Delete to delete the policy from Intune and remove it from devices.
Select Properties to modify the deployment. On the Properties pane, select Edit to
open the Deployment settings or Assignments, where you can then modify the
deployment.
Note
The End user update status Last Scanned Time value will return 'Not scanned yet'
until an initial user logs on and Update Session Orchestrator (USO) scan is initiated.
For more information on the Unified Update Platform (UUP) architecture and
related components, see Get started with Windows Update.
Next steps
Use Windows update rings in Intune
Use Windows update compatibility reports
Use Windows update reports for Windows 10/11 updates
Also see Windows Autopatch in the Windows deployment content for an
alternative solution
Expedite Windows quality updates in
Microsoft Intune
Article • 08/30/2023
With Quality updates for Windows 10 and Later policy, you can expedite the install of the
most recent Windows 10/11 security updates as quickly as possible on devices you
manage with Microsoft Intune. Deployment of expedited updates is done without the
need to pause or edit your existing monthly servicing policies. For example, you might
expedite a specific update to mitigate a security threat when your normal update
process wouldn’t deploy the update for some time.
Not all updates can be expedited. Currently, only Windows 10/11 security updates that
can be expedited are available to deploy with Quality updates policy. To manage regular
monthly quality updates, use Update rings for Windows 10 and later policies.
To speed installation, expedite is able to check for expedited updates more frequently
than the normal Windows Update scan frequency. This process enables devices to start
the download and install of an expedited update as soon as possible, without having to
wait for the device to check in for updates.
The actual time that a device starts to update depends on the device being online, its
scan timing, whether communication channels to the device are functioning, and other
factors like cloud-processing time.
For each expedite update policy you select a single update to deploy based on its
release date. By using the release date, you don’t have to create separate policies
to deploy different instances of that update to devices that have different versions
of Windows, like Windows 10 version 1809, 1909, and so on.
Windows Update evaluates the build and architecture of each device, and then
delivers the version of the update that applies.
Only devices that need the update receive the expedited update:
Windows Update doesn’t try to expedite the update for devices that already
have a revision that’s equal to or greater than the update version.
For devices with a lower build version than the update, Windows Update
confirms that the device still requires the update before installing it.
Important
In some scenarios, Windows Update can install an update that is more recent
than the update you specify in expedite update policy. For more information
about this scenario, see About installing the latest applicable update, later in
this article.
Expedite update policies ignore and override any quality update deferral periods
for the update version you deploy. You can configure quality updates deferrals by
using Intune Windows update rings and the setting for Quality update deferral
period.
When a restart is required to complete installation of the update, the policy helps
to manage the restart. In the policy, you can configure a period that users have to
restart a device before the policy forces an automatic restart. Users can also
choose to schedule the restart or let the device try to find the best time outside of
the devices Active Hours. Before reaching the restart deadline, the device displays
notifications to alert device users about the deadline and includes options to
schedule the restart.
If a device doesn’t restart before the deadline, the restart can happen in the middle
of the working day. For more information on restart behavior, see Enforcing
compliance deadlines for updates.
Prerequisites
Important
This feature is not supported on GCC and GCC High/DoD cloud environments.
The following are requirements to qualify for installing expedited quality updates with
Intune:
Licensing:
In addition to a license for Intune, your organization must have one of the following
subscriptions that include a license for Windows Update for Business deployment
service:
Beginning in November 2022, the Windows Update for Business deployment service
(WUfB ds) license is checked and enforced.
If you’re blocked when creating new policies for capabilities that require WUfB ds and
you get your licenses to use WUfB through an Enterprise Agreement (EA), contact the
source of your licenses such as your Microsoft account team or the partner who sold
you the licenses. The account team or partner can confirm that your tenants licenses
meet the WUfB ds license requirements. See Enable subscription activation with an
existing EA.
Windows 10/11 versions that remain in support for Servicing, on x86 or x64
architecture
Only update builds that are generally available are supported. Preview builds, including
the Beta and Dev channels, are not supported with expedited updates.
Professional
Enterprise
Education
Pro Education
Pro for Workstations
Devices must:
Be Azure Active Directory (Azure AD) joined, or hybrid Azure AD joined. Workplace
Join isn't supported.
Have access to endpoints. To get a detailed list of endpoints required for the
associated services listed here, see Network endpoints.
Windows Update
Windows Update for Business deployment service
Windows Push Notification Services: (Recommended, but not required. Without
this access, devices might not expedite updates until their next daily check for
updates.)
Be configured to get Quality Updates directly from the Windows Update service.
Have the Update Health Tools installed, which are installed with KB 4023057 -
Update for Windows 10 Update Service components . To confirm the presence of
the Update Health Tools on a device:
Look for the folder C:\Program Files\Microsoft Update Health Tools or review
Add Remove Programs for Microsoft Update Health Tools.
As an Admin, run the following PowerShell script:
If the script returns a 1, the device has UHS client. If the script returns a 0, the
device doesn’t have UHS client.
Device settings:

Update ring setting | Recommended value
Enable pre-release builds | Set to Not configured. Preview builds, including the Beta and Dev channels, are not supported with expedited updates.
Change notification update level | Use any value other than Turn off all notifications, including restart warnings
For more information about these settings, see Policy CSP – Update.
Group Policy settings override mobile device management policies, and the following
list of Group Policy settings can interfere with Expedited policy. On devices where these
settings were managed by Group Policy, restore them to their device defaults (Not
configured):
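The following script is an added example and is not the script the article refers to (that script isn't reproduced on this page). It is a device-side readiness check for expedited updates covering the prerequisites above (Update Health Tools installed, quality updates sourced from Windows Update, no preview channel), the wlidsvc requirement from the Feature updates article, and Group Policy Windows Update values that would override the MDM policy. It assumes (my assumptions) that Update Health Tools registers an Uninstall entry whose DisplayName contains "Microsoft Update Health Tools", that the Group Policy value names are the standard ones under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (the article's own list of interfering settings isn't on this page, so the selection is mine), and that Insider channel enrollment is recorded under HKLM\SOFTWARE\Microsoft\WindowsSelfHost\Applicability. It prints 1 when the device is ready and 0 otherwise, the convention the article describes for its own script. Run elevated.

```powershell
# Added example (not the article's script): expedited update readiness check.
# Assumptions (mine): Update Health Tools Uninstall entry name; standard WindowsUpdate
# Group Policy value names; Insider channel recorded under WindowsSelfHost\Applicability.

$UhtFolder     = 'C:\Program Files\Microsoft Update Health Tools'
$UninstallKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
$GpoWuKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$GpoAuKey      = "$GpoWuKey\AU"
$InsiderKey    = 'HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\Applicability'

# Group Policy values that take precedence over the Intune ring/expedite policy when set.
# Selection is mine; WUServer/UseWUServer/SetPolicyDrivenUpdateSourceForQualityUpdates
# would also stop quality updates coming directly from Windows Update.
$InterferingGpoValues = @{
    $GpoWuKey = @('WUServer', 'DoNotConnectToWindowsUpdateInternetLocations',
                  'DisableWindowsUpdateAccess', 'DisableDualScan',
                  'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
                  'PauseQualityUpdatesStartTime', 'ManagePreviewBuilds',
                  'SetComplianceDeadline', 'SetPolicyDrivenUpdateSourceForQualityUpdates')
    $GpoAuKey = @('NoAutoUpdate', 'AUOptions', 'UseWUServer')
}

function Test-UpdateHealthTools {
    if (Test-Path $UhtFolder) { return $true }
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like '*Microsoft Update Health Tools*' }
    return [bool]$entries
}

function Get-InterferingGpoSettings {
    foreach ($key in $InterferingGpoValues.Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $InterferingGpoValues[$key]) {
            if ($null -ne $props.$name) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $props.$name }
            }
        }
    }
}

function Test-ExpediteReadiness {
    $problems = @()

    if (-not (Test-UpdateHealthTools)) {
        $problems += 'Update Health Tools (delivered by KB4023057) not installed'
    }

    # Feature updates article: wlidsvc must be able to run (default is Manual, Trigger Start)
    $wlid = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
    if ($null -eq $wlid -or $wlid.StartType -eq 'Disabled') {
        $problems += 'Microsoft Account Sign-in Assistant (wlidsvc) is missing or Disabled'
    }

    # Preview builds (Release Preview, Beta, Dev) aren't supported for expedited updates
    $branch = (Get-ItemProperty -Path $InsiderKey -ErrorAction SilentlyContinue).BranchName
    if ($branch) { $problems += "Device is enrolled in an Insider channel ($branch)" }

    foreach ($g in Get-InterferingGpoSettings) {
        $problems += "Group Policy value $($g.Name)=$($g.Value) is set under $($g.Key)"
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

$result = Test-ExpediteReadiness
$result.Problems | ForEach-Object { Write-Warning $_ }
if ($result.Ready) { 1 } else { 0 }
```

Any Group Policy value it reports should be restored to Not configured in the GPO that sets it (and the device refreshed with gpupdate) rather than deleted from the registry, since Group Policy writes it back at the next refresh.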
Before you can monitor results and update status for expedited updates, your Intune
tenant must enable Windows Health Monitoring. While configuring Windows Health
Monitoring, be sure to set the Scope to Windows updates.
For more information about WPJ limitations for Intune Windows Update policies, see
Policy limitations for Workplace Joined devices in Manage Windows 10 and Windows 11
software updates in Intune.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.
Tip
Updates are identified by their release date, and you can select only one
update per policy.
Updates that include the letter B in their name identify updates that released
as part of a patch Tuesday event. The letter B identifies that the update
released on the second Tuesday of the month.
Security updates for Windows 10/11 that release out of band from a patch
Tuesday can be expedited. Instead of the letter B, out-of-band patch releases
have different identifiers.
When the update deploys, Windows Update ensures that each device that
receives the policy installs a version of the update that applies to that devices
architecture and its current Windows version, like version 1809, 2004, and so
on.
Tip
For more information, see the blog Windows 10 update servicing cadence -
Microsoft Tech Community .
5. In Settings, configure Number of days to wait before forced reboot. For this
setting, select how soon after installing the update a device will automatically
restart to complete the update installation. You can select from zero to two days.
The automatic restart is canceled if a device manually restarts before the deadline.
If an update doesn’t require a restart, this setting isn’t enforced.
A setting of 0 days means that as soon as the device installs the update, the
user is notified about the restart and has limited time to save their work.
Important
This experience can impact user productivity. Consider using it for those
devices or updates that must complete and restart the device as soon as
possible.
7. In Review + create, select Create. After the policy is created, it deploys to assigned
groups.
Installing the most recent quality update reduces disruptions to the device and user
while applying the benefits of the intended update. This avoids having to install multiple
updates, which each might require separate reboots.
A more recent update is deployed when the following conditions are met:
The device isn't targeted with a deferral policy that blocks installation of a more
recent update. In this case, the most recently available update that isn't deferred is
the update that might install.
During the process to expedite an update, the device runs a new scan that detects
the newer update. This can occur due to the timing of:
When the device restarts to complete installation
When the device runs its daily scan
When a new update becomes available
While expedite update policies will override an update deferral for the update version
that’s specified in the policy, they don’t override deferrals that are in place for any other
update version.
1. Each month, Intune administrators deploy the most recent Windows 10 quality
updates on the fourth Tuesday of the month. This period gives them two weeks
after the patch Tuesday event to validate the updates in their environment before
they force installation of the update.
2. On January 19, 2021, device Test-1 and Test-2 install the latest quality update from
the patch Tuesday release on January 12. The next day, both devices are turned off
by their users who are each leaving on vacation.
3. On the February 9, the Intune admin creates policy to expedite installation of the
patch Tuesday release 02/09/2021 – 2021.02 B Security Updates for Windows 10
to help secure company devices against a critical threat that the update resolves.
The expedite policy is assigned to a group of devices that includes both Test-1 and
Test-2. All devices in that group that are active receive and install the expedited
update policy.
4. On the March 9 patch Tuesday event, a new quality update releases as 03/09/2021
– 2021.03 B Security Updates for Windows 10. There are no critical issues that
require an expedited deployment of this update, but admins do find a possible
conflict. To provide time to review the possible issue, admins use a Windows
update ring policy to create a seven-day deferral policy. All managed devices are
prevented from installing this update until March 14.
5. Now consider the following results for Test-1 and Test-2, based on when each is
turned back on:
Test-1 - On March 12, Test-1 is powered back on, connects to the network,
and receives expedited update notifications:
a. Windows Update determines that Test-1 still needs to expedite the update
installation, per policy.
b. Because the March 9 update supersedes the February update, Windows
Update could install the March 9 update.
c. There's an active deferral for the March update that won't expire until
March 14.
Result: With the deferral policy for the March update still active and blocking
installation of that update, Test-1 installs the February update as
configured in policy.
Test-2 - On March 20, Test-2 is powered back on, connects to the network,
and receives expedited update notifications:
a. Windows Update determines that Test-2 still needs to expedite the update
installation, per policy.
b. Because the March 9 update supersedes the February update, Windows
Update could install the March 9 update.
c. There's no longer an active deferral for the March update.
Result: With the deferral policy for the March update having expired, Test-2
installs the more recent March update, skipping over the February update
and installing a later update than was specified in policy.
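To make the selection rule in the Test-1 and Test-2 walk-through concrete, here is an added example (not code from the article or from Intune) that applies the rules stated above: only updates released on or after the expedited one are candidates, the expedite policy overrides a deferral for its own update version only, any newer update still under an active deferral is skipped, and the newest remaining update is the one that installs. The function name and the hashtable layout are assumptions made for this example; the update names and dates are the ones used in the walk-through.

```powershell
# Added example (not the article's code): which quality update a device installs
# under an expedite policy, following the rules described in the article.

function Get-ExpeditedInstallCandidate {
    param(
        [Parameter(Mandatory)][string]    $ExpeditedUpdate,
        [Parameter(Mandatory)][hashtable] $ReleaseDates,   # update name -> [datetime] release date
        [hashtable] $Deferrals = @{},                       # update name -> [datetime] deferral end
        [Parameter(Mandatory)][datetime]  $ScanDate         # when the device scans Windows Update
    )
    $expeditedRelease = $ReleaseDates[$ExpeditedUpdate]
    if (-not $expeditedRelease) { throw "Unknown expedited update '$ExpeditedUpdate'." }

    $candidates = foreach ($name in $ReleaseDates.Keys) {
        $release = $ReleaseDates[$name]
        if ($release -lt $expeditedRelease) { continue }   # older updates never replace the expedited one
        $deferredUntil = $Deferrals[$name]
        # Expedite overrides the deferral only for its own update version; a newer
        # update is blocked while its deferral is still active on the scan date.
        $blocked = ($name -ne $ExpeditedUpdate) -and ($null -ne $deferredUntil) -and ($ScanDate -lt $deferredUntil)
        if (-not $blocked) { [pscustomobject]@{ Name = $name; Release = $release } }
    }
    # The newest non-blocked candidate is the update Windows Update installs.
    return ($candidates | Sort-Object Release -Descending | Select-Object -First 1).Name
}

# Constructed sample mirroring the article's walk-through.
$releases = @{
    '2021.02 B Security Updates for Windows 10' = [datetime]'2021-02-09'
    '2021.03 B Security Updates for Windows 10' = [datetime]'2021-03-09'
}
# The update ring deferral for the March update expires on March 14 in the walk-through.
$deferrals = @{ '2021.03 B Security Updates for Windows 10' = [datetime]'2021-03-14' }
$expedited = '2021.02 B Security Updates for Windows 10'

# Test-1 comes back online on March 12, while the March deferral is still active.
Get-ExpeditedInstallCandidate -ExpeditedUpdate $expedited -ReleaseDates $releases -Deferrals $deferrals -ScanDate '2021-03-12'
# Test-2 comes back online on March 20, after the March deferral has expired.
Get-ExpeditedInstallCandidate -ExpeditedUpdate $expedited -ReleaseDates $releases -Deferrals $deferrals -ScanDate '2021-03-20'
```

The two calls reproduce the walk-through's results for Test-1 and Test-2. The same function answers the question for any number of superseding updates and deferrals, which is what you want when checking why a device reported a different update version than the one named in the expedite policy.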
Select Properties to modify the deployment. On the Properties pane, select Edit to
open the Settings, Scope tags, or Assignments, where you can then modify the
deployment.
Important
When you configure the Windows Health Monitoring profile, during step seven you
must set the Scope to Windows updates.
After a policy has been created you can monitor results, update status, and errors from
the following reports.
Summary report
This report shows the current state of all devices in the profile and provides an overview
of how many devices are in progress of installing an update, have completed the
installation, or have an error.
2. Select Reports > Windows updates. On the Summary tab you can view the
Windows Expedited Quality updates table.
3. To drill in for more information, select the Reports tab, and then Windows
Expedited Update Report.
5. From the list of profiles that is shown on the right side of the page, select a profile
to see results.
3. In the list of monitoring reports, scroll to the Software updates section and select
Windows Expedited update failures.
4. From the list of profiles that is shown on the right side of the page, select a profile
to see results.
Update states
Update State | Update SubState | Definition
Pending | Validating | The device has been added to the policy in the service and validation that the device can be expedited has begun.
Offering | OfferReady | The expedite instructions have been sent to the device.
Installing | OfferReceived | Device scanned against Windows Update and the update is applicable but hasn't yet begun to download.
Installing | InstallComplete | The device has completed installing the update. Unless the update has an update error, the device should move quickly to RestartRequired or UpdateInstalled.
Next steps
Configure Update rings for Windows 10 and later
Configure Feature updates for Windows 10 and later
Use Windows update compatibility reports
View Windows release information
Windows Driver update management in
Microsoft Intune
Article • 07/26/2023
With Windows Driver Update Management in Microsoft Intune, you can review, approve
for deployment and pause deployments of driver updates for your managed Windows
10 and Windows 11 devices. Intune and the Windows Update for Business (WUfB)
deployment service (DS) take care of the heavy lifting to identify the applicable driver
updates for devices that are assigned a driver updates policy. Intune and WUfB-DS sort
updates by categories that help you easily identify the recommended driver updates for
all devices, or updates that might be considered optional for more limited use.
Using Windows driver update policies, you remain in control of which driver updates can
install on your devices. You can:
Later, when a newer driver update from the OEM is released and identified as the
current recommended driver update, Intune automatically adds it to the policy and
moves the previously recommended driver to the list of other drivers.
Tip
Configure policy to require manual approval of all updates. This policy ensures
that administrators must approve a driver update before it can be deployed.
Newer versions of driver updates for devices with this policy are automatically
added to the policy but remain inactive until approved.
Later, when a newer driver update from the OEM is recommended for a device in the
policy, the policy status updates to indicate there are drivers pending your review. This
status becomes a call to action to review the policy and decide if you want to approve
deployment of the newest drivers to devices.
Manage which drivers are approved for deployment. You can edit any driver
update policy to modify which drivers are approved for deployment. You can
pause the deployment of any individual driver update to stop its deployment to
new devices, and then later reapprove the paused update to enable Windows
Update to resume installing it on applicable devices.
Regardless of the policy configuration and the drivers included, only approved drivers
can install on devices. Additionally, Windows Update only installs the latest available and
approved update when the version is more recent than the one currently installed on
the device.
Windows 10
Windows 11
Prerequisites
To use Windows Driver Update management, your organization must have the following
licenses, subscriptions, and network configurations:
Subscriptions
Intune: Your tenant requires the Microsoft Intune Plan 1 subscription.
Azure Active Directory (Azure AD): Azure AD Free (or greater) subscription.
Your organization must have one of the following subscriptions that include a license for
Windows Update for Business deployment service:
If you’re blocked when creating new policies for capabilities that require WUfB-DS and
you get your licenses to use WUfB through an Enterprise Agreement (EA), contact the
source of your licenses such as your Microsoft account team or the partner who sold
you the licenses. The account team or partner can confirm that your tenants’ licenses
meet the WUfB-DS license requirements. See Enable subscription activation with an
existing EA.
Windows editions:
Driver updates are supported for the following Windows 10/11 editions:
Pro
Enterprise
Education
Pro for Workstations
Note
Devices must:
Have Telemetry turned on and configured to report a minimum data level of Basic
as defined in Changes to Windows diagnostic data collection in the Windows
documentation.
You can use one of the following Intune device configuration profile paths to
configure Telemetry for Windows 10 or Windows 11 devices:
Device restriction template: With this profile, set Share usage data to Required.
Optional is also supported.
Settings catalog: From the Settings catalog, add Allow Telemetry from the
System category, and set it to Basic. Full is also supported.
For more information about Windows Telemetry settings, including both current
and past setting options from Windows, see Changes to Windows diagnostic data
collection in the Windows documentation.
The Microsoft Account Sign-In Assistant (wlidsvc) must be able to run. If the service
is blocked or set to Disabled, it fails to receive the update. For more information,
see Feature updates aren't being offered while other updates are. By default, the
service is set to Manual (Trigger Start), which allows it to run when needed.
Have access to the network endpoints required by Intune managed devices. See
Network endpoints.
1. Sign in to the Microsoft Intune admin center and go to Tenant administration >
Connectors and tokens > Windows data.
2. Expand Windows data and ensure the setting Enable features that require
Windows diagnostic data in processor configuration is toggled to On.
For more information, see Enable use of Windows diagnostic data by Intune.
RBAC requirements
To manage Windows Driver updates, your account must be assigned an Intune role-
based access control (RBAC) role that includes the following permissions:
Device configurations:
Assign
Create
Delete
View Reports
Update
Read
You can add the Device configurations permission with one or more rights to your own
custom RBAC roles, or use the built-in Policy and Profile manager role, which
includes these rights.
For more information, see Role-based access control for Microsoft Intune.
Architecture
1. Microsoft Intune provides the Azure Active Directory IDs and Intune policy settings
for devices to WUfB-DS. Intune also provides the list of driver approvals and pause
commands to WUfB-DS.
2. WUfB-DS configures Windows Updates based on the information provided by
Intune. Windows Updates provides the applicable driver update inventory per
device ID.
3. Devices send data to Microsoft so that Windows Update can identify the
applicable driver updates for a device during its regular Windows Update scans for
updates. Any approved updates install on the device.
4. WUfB-DS reports Windows diagnostic data back to Intune for reports.
Use of deployment rings for driver update policies to limit installation of new
driver updates to test groups of devices before broadly installing those updates on
all devices. With this approach, your team can identify potential issues in an early
ring before deploying updates broadly. Use of rings can provide you with time to
pause a troublesome update in subsequent rings to delay or prevent its
deployment. Examples of organizational approaches for rings include:
Structuring driver update policies for different device and hardware models,
aligned with your organizational units, or a combination of both.
Using policy deferral periods for automatic updates and the make available date
for manually approved updates, to align to your update rings for quality and
feature updates schedules.
You might also set the update availability for manually approved updates to match
common update cycles like Microsoft’s Patch Tuesday release. Alignment of
schedules can help reduce extra system restarts that some driver updates require.
Assign devices to only one driver update policy to help prevent a device from
having its drivers managed through more than one policy. This can help avoid
having a driver installed by one policy when you previously declined or paused
that same update in a separate policy. For more information about planning
deployments, see Create a deployment plan in the Windows deployment
documentation.
To help avoid issues that require rolling back a driver from large numbers of devices, use
deployment rings to limit driver installation to small initial groups of devices. This
approach allows time to evaluate the success or compatibility of a driver before broadly
deploying it across your organization.
For policies with manual approvals, you must review and manually approve each
driver before it can deploy to devices. While more work than policies with
automatic approvals, manual approval can help avoid issues with automatically
approved drivers.
If you use policies with automatic approval, plan to monitor the policy for early
signs of problems. If a driver update problem is identified in an early deployment
ring, you can then pause that same update in your other policies.
Consider a device that receives driver updates from two policies. In one policy, a
specific update is approved and in the other policy, that update is paused. Because
the status of approved always wins, the driver installs on the device despite any
other status for that update that is set in any other policy.
To help mitigate this type of recurring challenge, we're evaluating changes that can
mitigate the need to manually coordinate driver updates with Patch Tuesday
updates.
Installing drivers with older versions than those already present on a device isn't
possible through driver update management.
Note
You can move Feature update management to the cloud in Intune by using
other similar policies. If using Update Ring policies in Intune, such as for
Quality Updates, you also need to enable co-management and assign the
Windows Updates workload to Intune, or a pilot collection.
Next steps
Create a Windows driver update policy
Use Windows driver update reports
Manage policy for Windows Driver
updates with Microsoft Intune
Article • 06/26/2023
This article can help you use Microsoft Intune to create and manage Windows Driver
updates policies for your Windows 10 and Windows 11 devices. These policies allow you
to view the list of available driver updates that are applicable to the devices targeted by
the policy, approve updates for deployment, or pause the deployment of individual
updates. When driver updates are approved, Intune sends the assignments to Windows
Update, which manages the update installation on devices based on the policy
configuration.
Before you create and deploy driver update policies, take time to plan how you might
deploy and manage Windows driver updates in your organization. Also review the
prerequisites for using Windows driver updates to ensure your tenant is configured to
support them.
After you create driver update policies, plan to review them regularly for newly added
driver updates. Recommended driver updates that are added to policies that support
automatic approvals start to deploy without any intervention. However, any other new
updates added to your policies won't install until an admin manually approves them.
Applies to:
Windows 10
Windows 11
Important
Policies for Windows update rings, and policies that use the settings catalog, can
include configurations that can block the installation of Windows driver updates. To
ensure driver updates are not blocked, review your policies for the following
configurations:
Windows update ring policy: Ensure the Windows driver setting is set to Allow.
Settings catalog policy: In the Windows Update for Business category, ensure
that Exclude WU Drivers in Quality Update is set to Allow Windows Update
drivers.
By default, both settings use a configuration that will allow Windows driver
updates.
1. Sign in to the Microsoft Intune admin center and go to Devices > Windows >
Driver updates for Windows 10 and later (preview), and select Create profile.
Name: Enter a descriptive name for the profile. Name profiles so you can
easily identify them later.
Description: Enter a description for the profile. This setting is optional but
recommended.
3. On Settings, configure the approval method for device updates in this policy.
Select one of the following options for Approval method:
Manually approve and deploy driver updates - With this option, each new
driver update that is added to the policy has its status set to Needs review. An
admin must edit the policy to change the status of each individual update to
Approved before that update can deploy to applicable devices.
When you manually approve an update, you can specify a date on which it
becomes available for Windows Update to install on applicable devices. This
date is distinct from the deferral period that is required for automatically
approved updates in policies that use automatic approvals.
Automatically approve all recommended driver updates – With this option,
all new recommended driver updates that are added to the policy are added
with a status of Approved and begin to install on applicable devices without
having to be reviewed or approved by an admin.
Use an automatic approval policy when you want to ensure the drivers on
your devices remain current with an OEM's latest recommended update.
All other updates that aren’t a recommended driver update are added to the
policy's other driver list with a status of Needs review. Like updates added to a
policy that use manual approval, before Windows Update can install them, an
admin must explicitly assign these updates a status of Approved and can set a
start date.
When you set a policy for automatic approvals, you must configure the
following setting that creates a deferral period for the automatically
approved updates:
Make updates available after (days) – This setting is a deferral period that
delays when Windows Update begins to deploy and install the new
recommended update that was automatically added to the policy with a
status of Approved. The delay supports from zero to 30 days and starts
from the day the update is added to the policy, not from the date the
update was made available or published by the OEM. The deferral is
intended to provide you with time to identify and if necessary, pause
deployment of the new recommended update.
For example, consider a driver update policy that uses automatic approvals and
has a deferral of three days. On June 1, WUfB-DS identifies a new recommended
driver update that applies to devices with this policy and adds the update to the
policy as approved. Due to the deferral period of three days, Windows Update
waits to offer this update to any device until June 4, three days after it was added
to the policy. If the deferral was set to zero days, Windows Update would begin
installing the update on devices immediately.
Tip
After a policy is created, you won’t be able to edit the policy to change the
approval type. If the approval type is automatic, you can edit the value for
Make updates available after (days).
Tip
6. For Review + create, review the policy configuration, and then select Create. When
you select Create, your changes are saved, and the profile is assigned. The profile is
also shown in the policy list.
Device assignments: If the device assignment for a policy changes, the driver
updates that are available through the policy can change to reflect the devices
now assigned to the policy. Changing device assignments can add driver updates
or new versions of updates to the policy and remove updates from the policy when
they no longer apply to any device assigned to that policy.
Driver updates age out: Once all applicable devices have installed a driver update
version, that version is no longer applicable to install on a device with that policy,
and the update is removed from the policy's driver lists.
New driver update versions are available: When an OEM releases a driver update
version that supersedes a driver update found in a policy, the new update is added
to that policy.
For policies with manual approvals, all new driver updates are added to the
policy with a status of Needs review. This status applies to updates added to
both the recommended drivers and other drivers lists. An admin must approve all
updates in a manual approval policy before they can deploy to devices.
When you're viewing the list of Windows driver update policies, any policies that
have new driver updates that require manual approval display a yellow warning
icon and a count of driver updates ‘to review’. This warning appears in the Drivers
to review column of the policy list. To learn more about managing driver updates,
see Identify policies with newly added driver updates in this article.
Plan to periodically review your device driver update policies to identify policies that
have had new drivers added.
For more information on manually approving updates, see Manage the status of driver
updates later in this article.
Note
An exception to this is new recommended driver updates that are added to a policy
set for automatic approval. Recommended driver updates that are the newest or
latest recommended driver update are added to the policy and approved
automatically, and never have their status set to Needs review.
To look for policies that have new driver updates pending a review, in the admin center
go to Devices > Windows 10 and later updates > Driver Updates tab.
In the list of Windows driver update policies, review the Drivers to review column for
entries that indicate there are new updates that have been added to the policy that you
might want to review and approve for deployment. In the following screen capture of
the Driver updates page, two policies have new driver updates. One displays 1 to review
while another displays that it has 3 to review:
The two policies that have new driver updates won't deploy those new updates until an
admin explicitly approves them. You can also review the other policies that haven’t
received new updates should you seek to modify the approved updates for those
policies.
Policies continue to display a count of new updates until each update has been
approved or declined. After all the current updates are managed, the count drops to zero
(0) until new updates are identified and added to the policy.
The first tab displays the policy's Properties, where you can review and edit the
policy configuration.
The other two tabs comprise the policy's driver list.
You can use the driver list to review the driver updates that WUfB-DS identifies as
applicable for one or more devices that receive that policy. From the list, you can view
and manage the approval status of each update.
Tip
The driver list is not a record of the driver versions currently installed on devices
assigned to the policy. Instead, it is a list of driver updates identified by and
collected by WUfB-DS, which can be installed on devices to upgrade their existing
drivers to a newer version. Intune does not collect an inventory of installed drivers.
Recommended drivers – Recommended drivers are the best match for the
'required' driver updates that Windows Update can identify for a device. To be a
recommended update, the OEM or driver publisher must mark the update as
required and the update must be the most recent update version marked as
required. These updates are the same ones available through Windows Update
and are almost always the most current update version for a driver.
When an OEM releases a newer update version that qualifies to be the new
recommended driver, it replaces the previous update as the recommended driver
update. If the older update version is still applicable to a device in the policy, it's
moved to the Other drivers tab. If the older version was previously approved, it
remains approved.
Other drivers – Other driver updates are updates that are available from the
original equipment manufacturer (OEM) aside from the current recommended
driver update. These updates remain in a policy as long as they're newer than the
driver version that's installed on at least one device with the policy.
These updates can be managed and deployed through policies for Windows driver
updates, but not through classic client Windows Update for Business (WUfB)
policies.
Tip
When a driver update is no longer needed by any device in the policy, that update
version is removed from the driver list, and the policy. Policies retain only the driver
update versions that can be used to update a driver on a device with that policy.
In the following screen capture, we've opened the policy named Test Manual and
selected the Recommended drivers tab:
This policy requires manual approval, and currently has three driver updates that are
pending review.
For comparison, the following screen capture shows the contents of the Other drivers
tab for this same policy.
Each driver list displays the following details for updates in the policy. Most of the
following details are based on information obtained from the driver update from the
OEM or driver manufacturer:
Driver name – The driver update name. It's not uncommon for subsequent
versions of an update from an OEM or manufacturer to have identical names. Use
the update Version and Release date to differentiate between update instances.
Driver class - The driver class is determined from the details authored by the driver
publisher, and usually represents the driver's hardware class. This information isn't
always easily determined or consistent across updates from different OEM sources
or manufacturers. When a driver's class can't be identified, it's assigned to the
Other hardware class.
Release date – The date the OEM made this driver update available.
Status – The current status of the driver update in this policy. You can modify the
status for individual updates by selecting the name of the driver update from the
list. There are four status options available for updates:
Needs review
Approved
Declined
Paused
For more information about these four status types and how to manage them in a
policy, see Manage the status of updates in this article.
Applicable devices – This number indicates how many devices can install a certain
version of an update. The same device can be reported for multiple versions of a
driver update from both the Recommended drivers and Other drivers tabs. Devices
report multiple times when there's more than one newer version available for a
driver that is still being used by the device.
Select the update from the driver list to open its Manage driver pane. In the following
screen capture, we’ve selected the first driver update. That driver’s Manage driver pane is
open on the right side.
The following are rules for managing the status of a driver update:
Only new driver updates can be assigned the status Needs review. However, a new
recommended update that is added to a policy set for Automatic approval is added
as Approved.
A driver update that Needs review can be Approved or Declined.
An Approved update can be Paused.
A Paused update can be Approved.
After an update is Approved, it can never be Declined, but you can Pause it
indefinitely.
Needs review – This status is used to identify new drivers that have been added to
a policy.
For policies that use manual approval, Needs review applies to both new
recommended drivers and new other drivers. Unless an admin explicitly approves
the new updates, they won't deploy to devices.
Tip
Windows Update will only install a driver update on a device if the update's
version is newer than the version of the driver that's currently on the device.
Consequently, there is no risk of a policy installing an older version of a driver
and downgrading a device’s driver version.
Policies with automatic approval: All new Recommended driver updates are
automatically configured as Approved and replace any existing Recommended
driver updates for the same driver. After being automatically approved, the
update is subject to the deferral period of the policy before it can be installed
on a device.
Policies with manual approval: For policies that require manual approval, you
must edit the policy and manage new updates to configure them as Approved.
Once set to Approved, you can configure a setting called Make available in
Windows Update. Here, you must specify a date that indicates when the update
is available for installation on applicable devices. If you leave this field blank, the
update is approved for installation on devices immediately.
Important
Any time a driver update’s status is manually changed to Approved, the
availability of that update (which is when Windows Update will begin to
deploy it to devices) is defined by the date you assign for Make available in
Windows Update.
Paused – When an update is set to Paused, it's put on hold and isn't deployed to
any more devices through this policy until its status is manually changed back to
Approved. Pausing an update doesn't roll back a completed installation of the
update but can stop an active install of an update that is currently underway.
When you pause the most recent version of an approved update, Windows Update
no longer makes that update available to devices the next time they scan for
updates. However, if the policy has an earlier update version for the same driver
that remains approved, Windows Update begins to install that older version on
applicable devices.
Consider the following scenario: You have a policy with automatic approvals, for
which the recommended update for the device’s printer is version 3. This driver
update is successful on all devices where it has been installed and has been
available for longer than the policy's new driver deferral period.
Before all devices install the version 3 update, a newer version of the update is
released, which is version 4. The new driver update version 4 is a recommended
driver, which is automatically approved in the policy.
When version 4 becomes the new recommended driver, the version 3 update is
moved to the other drivers list but remains approved. Because version 4 is the
newest version, this policy will deploy version 4 to devices, and begins to do so
when the policy's deferral period for new drivers ends. Until that deferral period
is reached to allow deployment of version 4, the previous update version that
remains approved continues to deploy to devices.
Later, you choose to pause the version 4 update. Windows Update stops
deploying version 4 immediately and starts to deploy version 3 to devices that
don't yet have driver update version 3 or a later version. This deployment
happens because version 3 remains approved and is now the latest approved
version of the print driver in the policy. Deployment of version 3 doesn't need
to wait for a deferral period to end, because it was previously approved for longer
than the policy's current deferral configuration.
Setting an update to declined doesn’t remove it from the policy, and you can
change it back to Approved if you would like the update to deploy to applicable
devices.
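The version-selection rule in the scenario above, as an added worked model (constructed here, not Intune's own code or data): the newest Approved version of a driver deploys once it has cleared the policy's deferral period, an older still-Approved version keeps deploying until then, Paused or Declined versions never deploy, and pausing never rolls a device back. The versions, dates and the seven-day deferral are assumed sample values.

```python
"""Constructed model, not Intune code, of which Approved version of a single
driver a Windows driver update policy deploys, following the scenario above."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DriverUpdate:
    version: int        # higher number is newer
    status: str         # "Approved", "Paused" or "Declined"
    approved_on: str    # ISO date on which the update became Approved


def deployable_version(updates, deferral_days, today):
    """Return the version Windows Update deploys on `today` (ISO date), or None.

    Only Approved updates count, and only those whose approval is at least
    `deferral_days` old; among those the highest version wins. A version that
    was approved before the current deferral window therefore never waits.
    """
    now = date.fromisoformat(today)
    eligible = [
        u for u in updates
        if u.status == "Approved"
        and now >= date.fromisoformat(u.approved_on) + timedelta(days=deferral_days)
    ]
    return max((u.version for u in eligible), default=None)


def offer_for_device(updates, deferral_days, today, installed_version):
    """Per-device view: pausing never rolls back a completed installation, so a
    device already at or above the deployable version receives no offer."""
    target = deployable_version(updates, deferral_days, today)
    if target is None or installed_version >= target:
        return None
    return target


def set_status(updates, version, status):
    """Change one version's status (Approved, Paused or Declined) in place."""
    for u in updates:
        if u.version == version:
            u.status = status


def make_scenario():
    """Version 3 was approved well before version 4 (constructed dates)."""
    return [
        DriverUpdate(version=3, status="Approved", approved_on="2023-03-01"),
        DriverUpdate(version=4, status="Approved", approved_on="2023-03-20"),
    ]


def run_scenario(deferral_days=7):
    """Walk the scenario from the text and return the observed offers."""
    updates = make_scenario()
    timeline = []
    # v4 is newest but still inside its deferral window, so v3 keeps deploying
    timeline.append(("2023-03-22 before deferral",
                     deployable_version(updates, deferral_days, "2023-03-22")))
    # deferral elapsed: v4 takes over
    timeline.append(("2023-03-27 after deferral",
                     deployable_version(updates, deferral_days, "2023-03-27")))
    # admin pauses v4: v3 is again the latest approved version, with no new wait
    set_status(updates, 4, "Paused")
    timeline.append(("2023-03-28 v4 paused",
                     deployable_version(updates, deferral_days, "2023-03-28")))
    # a device that already installed v4 is not rolled back; one on v2 gets v3
    timeline.append(("device on v4",
                     offer_for_device(updates, deferral_days, "2023-03-28", 4)))
    timeline.append(("device on v2",
                     offer_for_device(updates, deferral_days, "2023-03-28", 2)))
    return timeline


if __name__ == "__main__":
    for label, offer in run_scenario():
        print(f"{label}: offer {offer}")
```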
Next steps
Use Windows driver update overview
Use Windows driver update reports
Rollout options for Windows Updates in Microsoft Intune
Article • 02/22/2023
Use rollout options in Microsoft Intune policies for Feature updates for Windows 10 and
later. With rollout options, you configure schedule options for Windows Update that
result in the gradual rollout of updates to devices that receive your policies.
You configure rollout options when creating Feature Updates policy by selecting one of
the following options:
Make update available as soon as possible - With this option, there's no delay in
making the update available to devices. This selection is the default behavior for
Windows Update.
Make update available on a specific date - With this option you can select a day
on which the update in the policy will become available to install. Windows Update
won’t make the update available to devices with this configuration until that day is
reached.
Make update available gradually - This process helps distribute the availability of
the update across a range of time that you configure, with Windows Update
making an update available to different subsets of the devices targeted by the
policy, at different times. This option can reduce the effect to your network when
compared to offering the update to all devices at the same time. The following
section explains how to use this option in more detail.
To configure this option, you set the following values. Windows Update uses these
values to determine how many offer groups to use based on the number of devices that
are targeted by the policy, when to offer the update to the first group, and how long to
wait until the update is made available to the next offer group:
First group availability – Configure the first day that Windows Update will offer the
update to devices that receive this policy.
This date must be at least two days in the future from when you configure this
policy. The delay enables Windows Update time to identify the devices that are
targeted by the policy, how many offer groups to use, and to assign devices to
those offer groups. If you select a date that isn’t at least two days in the future,
Intune prompts you to reenter the date and displays the first valid date you can
use.
Final group availability – Configure the last day that Windows Update makes the
update available to what will be the final offer group. The last offer group includes
all remaining devices that haven’t already received the offer. Depending on the
number of days between groups, the last offer might not occur on the last day of
the schedule. Devices that are assigned this policy after the final group availability
date will receive the offer immediately.
Days between groups – Windows Update uses this value to determine how many
offer groups to use when making the update available to devices.
For example, you set the first group availability to be January 1, and the final group
availability to be January 10. Then you set three days between groups. The
results are that Windows Update creates four groups to use for making the update
available. Windows Update then makes the update available to devices in the first
group on January 1, available to devices in the next group on January 4, and so on.
The update is offered to devices in the last group on the 10th. In this example, a
quarter of the devices that receive the policy are assigned to each group, and
devices can only receive the update offer after the group they're assigned to
becomes eligible.
If you edit a policy to change the date for the first or final group availability, or
change the number of days between groups for the policy:
Windows Update recalculates the number of groups to use, if necessary.
For devices that haven't been offered the update, Windows Update adjusts
group membership. This adjustment can change when a device is offered the
update.
If the date of the final group availability is changed to be in the past, all
remaining devices are offered the update as soon as possible.
If the date of the first group availability is changed to the future, devices that
were already offered the update retain that offer, and new devices won’t receive
an offer until that new start date.
If the policy assignment changes to add or remove devices from receiving the
policy:
New devices are distributed to the remaining offer groups.
For devices that are no longer targeted by the policy but were offered the
update, Windows Update will attempt to retract the offer. However, the offer
can’t be retracted if the device has started processing that offer.
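The offer-group arithmetic described above, as an added model that is not Intune or Windows Update code: groups start on the first-group date and recur every "days between groups" up to the final-group date, a first-group date less than two days out is rejected, and a final date that has already passed collapses everything into an immediate offer. The even split of devices across groups and the device names are assumptions for the example; the January 1 to January 10 schedule is the one from the text.

```python
"""Constructed model, not Intune code, of gradual rollout offer groups."""
from datetime import date, timedelta


def offer_dates(first, final, days_between):
    """Return the ISO dates on which each offer group becomes eligible.

    When the interval does not divide the range evenly, the last offer lands
    before `final`, as the text notes.
    """
    start, end = date.fromisoformat(first), date.fromisoformat(final)
    if days_between < 1:
        raise ValueError("days between groups must be at least 1")
    if end < start:
        raise ValueError("final group availability precedes first group availability")
    dates = []
    current = start
    while current <= end:
        dates.append(current.isoformat())
        current += timedelta(days=days_between)
    return dates


def earliest_first_group(today):
    """Intune rejects a first-group date less than two days in the future and
    shows the earliest valid date instead; this returns that date."""
    return (date.fromisoformat(today) + timedelta(days=2)).isoformat()


def assign_groups(devices, group_dates):
    """Divide devices across groups in order; the final group takes the
    remainder (an even split is an assumption of this example)."""
    n = len(group_dates)
    per_group = len(devices) // n
    groups = []
    for i, when in enumerate(group_dates):
        if i == n - 1:
            members = devices[i * per_group:]
        else:
            members = devices[i * per_group:(i + 1) * per_group]
        groups.append({"offer_date": when, "devices": list(members)})
    return groups


def plan_rollout(first, final, days_between, devices, today):
    """Build the schedule as of `today` (all dates ISO strings).

    A final date already in the past (e.g. after editing the policy) means
    every remaining device is offered the update as soon as possible.
    """
    if final < today:
        return [{"offer_date": today, "devices": list(devices)}]
    earliest = earliest_first_group(today)
    if first < earliest:
        raise ValueError(f"first group availability must be on or after {earliest}")
    return assign_groups(devices, offer_dates(first, final, days_between))


if __name__ == "__main__":
    # constructed device names; dates are the example from the text
    pcs = [f"pc{i:02d}" for i in range(8)]
    for group in plan_rollout("2023-01-01", "2023-01-10", 3, pcs, "2022-12-30"):
        print(group["offer_date"], group["devices"])
```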
Intelligent rollouts
To enhance your use of gradual rollouts, you can configure Intelligent rollouts.
With intelligent rollouts, the Windows Update for Business Deployment Service uses
data that it collects from devices to optimize the device members in the offer groups of
your gradual rollout deployments. The first offer group will include the fewest number
of devices that have the largest pool of variations in your environment. You can think of
this as a pilot ring for the deployment.
To enable intelligent rollout, you deploy a settings catalog profile for device
configuration to Allow WUfB Cloud Processing. Then, you assign the profile to the same
groups that you use with your Feature update profiles. You only need to deploy this
profile to a device a single time. The change then applies to all future deployments for
that device.
As your rollout progresses, the deployment service monitors for unexpected issues. The
service leverages insights from the Windows ecosystem and will create likely issue
safeguard holds and proactively pause deployments to devices that are likely to
encounter an issue. By applying safeguard holds to devices that are likely to have issues
with the update, devices and end users are protected from potential productivity
affecting issues.
To learn more, see Manage safeguards using the Windows Update for Business
deployment service in the Graph API documentation for device updates.
3. For Platform, select Windows 10 and later and then for Profile type, select Settings
catalog.
4. On the Configuration settings page, select Add settings, and then on the Settings
picker page, search for Allow WUfB Cloud Processing. You’ll find this setting in the
System category. Select the checkbox for this setting and then close the Settings
picker window.
6. On the Assignments page, assign the profile to the same groups you use for your
Feature update profiles, and then complete and Create this settings catalog profile,
to deploy it.
After the profile deploys, devices that use gradual rollouts for Feature update profiles
will also have intelligent optimization applied.
Next steps
Configure Feature Updates policy
App and driver compatibility reports for Windows updates
Article • 02/22/2023
With Intune, you can deploy updates to Windows 10/11 devices by using policies for
Update rings for Windows 10 and later and Feature updates for Windows 10 and later.
To help prepare for update deployments, Intune offers integrated reports to help you
understand compatibility risks that might impact your devices during or after an update:
Windows feature update device readiness report - This report provides per-
device information about compatibility risks that are associated with an upgrade or
update to a chosen version of Windows.
To use these reports, you must first ensure that prerequisites are met and that devices
are properly configured for data collection.
Prerequisites
Licensing
The Windows feature update device readiness and Windows feature update
compatibility risks reports require users of enrolled devices to have one of the following
licenses:
Before using these reports, you must attest to having the required licenses on the
Windows data page of the Intune admin center.
Devices
To be eligible for the Windows feature update device readiness and Windows feature
update compatibility risks reports, devices must:
Run a supported version of Windows 10 or later with the latest cumulative update
Be Azure AD joined or hybrid Azure AD joined
Be managed by Intune (including co-managed devices) or a supported version of
the Configuration Manager client with tenant attach enabled
Have Windows diagnostic data enabled at the Required level or higher
Additionally, you must set the Enable features that require Windows diagnostic data in
processor configuration setting in Tenant administration > Connectors and tokens >
Windows data to On.
Users
To view these reports, users must be assigned an Intune role with the Managed devices
> View reports permission. This permission is included in the following built-in roles:
In addition, to use the Windows feature update device readiness report, users must
also have the Roles > Read permission. This permission is included in the following
built-in roles:
Important
The insights in this report are specific to the target version of Windows you select
when generating the report. To ensure accuracy of insights, confirm that your
selected OS version matches the version of Windows you intend to deploy.
To use this report:
Click on Select Target OS and choose the version of Windows you plan to
deploy.
Click on Select Scope (Tags) and choose which devices should be in scope for
this report.
Optionally select Ownership and Readiness status to refine the report.
Click Generate report. This process can take several minutes. You'll be
notified when report generation is complete.
Important
The data in this report is made available on-demand only. You must configure the
Target OS and Scope (Tags) settings, and then click Generate report for data to
appear in the report.
Note
When you generate a report, the data in the report is cached on a per-user basis.
Other Intune users in your organization will not be able to see the report you have
generated. If you'd like to regenerate the report with different settings or to pull
the latest data, follow the steps above and click Generate again.
Low risk - There are no known compatibility risks associated with the device.
Medium risk - There are only minor, or non-blocking, compatibility risks
associated with this device, such as applications that will be automatically removed
during upgrade.
High risk - There are multiple or blocking compatibility risks associated with this
device, such as applications that will block an upgrade.
Replace device - The device isn't capable of upgrading to the target OS version.
Upgraded - The device is already running a version of Windows equal to or greater
than the target OS version.
Unknown - A readiness status couldn't be determined. Ensure that the device is
properly configured to send Windows diagnostic data.
For more information about the compatibility risks that impact a specific device, select
the device name to open the details flyout. The tabs on the details flyout include:
Overview - A summary of device properties that can be used to identify the device,
and an overview of the compatibility risks impacting the device.
Applications - A table of applications with compatibility risks that are installed on
the device.
Drivers - A table of drivers with compatibility risks that are installed on the device.
Other - A table of compatibility risks that might impact this device, but aren't
associated with applications or drivers. Compatibility risks associated with device
configurations and settings, such as some Safeguard holds, fall into this category.
Important
The insights in this report are specific to the target version of Windows you select
when generating the report. To ensure accuracy of insights, confirm that your
selected OS version matches the version of Windows you intend to deploy.
2. In the admin center, go to Reports > Windows updates > select the Reports tab >
select Windows Feature Update Compatibility Risks Report.
3. Configure settings:
Click on Select Target OS and choose the version of Windows you plan to
deploy.
Optionally select Asset type and Risk status to refine the report.
Click Generate report. This process can take several minutes. You'll be
notified when report generation is complete.
Note
When you generate a report, the data in the report is cached on a per-user basis.
Other Intune users in your organization will not be able to see the report you have
generated. If you'd like to regenerate the report with different settings or to pull
the latest data, follow the steps above and click Generate again.
Asset type - The type of asset that has a compatibility risk. Options include
Application, Driver, and Other.
Asset name - The name of the asset with a compatibility risk, such as the
application name.
Asset vendor - The name of the vendor who publishes the asset with a
compatibility risk.
Asset version - The version of the asset with a compatibility risk.
Affected devices - The number of enrolled devices that might be impacted by this
compatibility risk.
Risk status - A summary of the severity of the compatibility risk. Most
compatibility risks are either Medium risk (they don't block the upgrade) or High
risk (they might block the upgrade).
Issue - A description of the compatibility risk that has been identified.
For more information about a specific compatibility risk, including which devices are
potentially impacted, select the number in the Affected devices column to open the
details flyout. The tabs on the details flyout include:
Overview - A summary of the compatibility risk, including asset details and the
compatibility assessment. When available, the Guidance section provides
recommended actions to mitigate the compatibility risk.
Affected devices - A table of the devices that may be impacted by this
compatibility risk.
Issue descriptions
We use information from the Microsoft app compatibility database to describe any
existing compatibility issues for publicly available applications from Microsoft or other
publishers:
Full removal: Windows setup completely removes the app from the device during
upgrade.
Partial removal: Windows setup partially removes the app from the device. You
need to manually uninstall it after you upgrade Windows.
In both cases, after you upgrade Windows, you can't use the app.
Blocking upgrade
Windows detected blocking issues, and can't remove the application during upgrade. It
may not work on the new OS version. Before you upgrade, remove the application,
reinstall and test it on the new OS version.
The application isn't compatible with the new OS version, but won't block the upgrade.
No action is required for the upgrade to continue. Install a compatible version of the
application on the new OS version.
Windows detected issues that may interfere with the upgrade, but needs further
investigation. Test the application's behavior during upgrade. If it blocks the upgrade,
remove it before upgrading. Then reinstall and test it on the new OS version.
Multiple
The driver won't migrate to the new OS version and Windows doesn't have a
compatible version. In this case, we recommend checking with the independent
hardware vendor (IHV) who manufactures the driver, or the original equipment
manufacturer (OEM) who provided the device.
A new driver will be installed during upgrade, and a newer version may be
available from Windows Update. If the computer automatically receives updates
from Windows Update, no action is required. Otherwise, import a new driver from
Windows Update after you upgrade Windows.
Safeguards
When an issue may cause a Windows client feature update to fail or roll back, we may
apply safeguard holds that prevent affected devices from installing the update, in
order to protect them from these experiences. We remove these holds once a fix is
found and verified. For more information about safeguard holds in place, see the
Windows release health page under Known issues for the relevant release.
Note
The safeguard entries aren't real assets installed on your devices. They're
placeholders that help you identify apps or drivers in your environment that carry
the safeguard compatibility tag.
Known issues
Exported csv files display numerical values
When report data is exported to a .csv file, the exported data doesn't use the friendly
names you're used to seeing in the online reports. Use the information below to map
the data in the exported file into the meaning of the value:
Ownership:
0 Unknown
1 Corporate
2 Personal
Readiness status:
0 Low risk
1 Medium risk
2 High risk
3 Replace device
4 Upgraded
5 Unknown
Sys req issues (Some report values map to multiple .csv values):
1, 8, 10 Processor family
2 RAM
3 BIOS
5 TPM
7 Secure boot
9 Network
14 S mode
15 Storage
Asset type:
0 Device
1 Application
2 Driver
3 Other
Risk status (This column is called Readiness status in the .csv export):
0 Low risk
1 Medium risk
2 High risk
Issue type (the Value column is the number in the .csv export):
Asset type | Value | Issue | Guidance
Application, Other | 4 | Disk encryption blocking upgrade. | Disable disk encryption before upgrading. You can re-enable it after.
Application, Other | 9 | Evaluation may be required on new OS. | Windows may upgrade, but applications or drivers can have issues.
Driver | 2 | Driver won't migrate to new OS. | Driver is replaced with a new version (either inbox or via Windows Update). No action is required for upgrade to proceed.
Note
Guidance information is not included in the .csv export file. The mapping table
above includes Guidance data for each Issue type.
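A decoder for the exported .csv values listed above, as an added example that is not Intune code: it maps each numeric cell back to the friendly name from the tables, folds the several Sys req issue values that share one report value, keeps blanks blank, flags codes outside the tables instead of dropping them, and renames the compatibility-risk export's Readiness status column to Risk status. The column names and the sample rows are constructed assumptions; the value-to-name mappings are the ones on the page.

```python
"""Constructed example, not Intune code: decode the numeric values in the
readiness and compatibility-risk report .csv exports into friendly names."""
import csv
import io

OWNERSHIP = {0: "Unknown", 1: "Corporate", 2: "Personal"}
READINESS_STATUS = {0: "Low risk", 1: "Medium risk", 2: "High risk",
                    3: "Replace device", 4: "Upgraded", 5: "Unknown"}
# several .csv values fold into one report value (1, 8 and 10 are all Processor family)
SYS_REQ_ISSUES = {1: "Processor family", 8: "Processor family", 10: "Processor family",
                  2: "RAM", 3: "BIOS", 5: "TPM", 7: "Secure boot", 9: "Network",
                  14: "S mode", 15: "Storage"}
ASSET_TYPE = {0: "Device", 1: "Application", 2: "Driver", 3: "Other"}
# in the compatibility-risk export this column is labelled "Readiness status"
RISK_STATUS = {0: "Low risk", 1: "Medium risk", 2: "High risk"}

# assumed column names for each export (the page does not give them)
READINESS_COLUMNS = {"Ownership": OWNERSHIP,
                     "ReadinessStatus": READINESS_STATUS,
                     "SysReqIssue": SYS_REQ_ISSUES}
RISK_COLUMNS = {"AssetType": ASSET_TYPE, "ReadinessStatus": RISK_STATUS}

# constructed sample exports
READINESS_SAMPLE = """DeviceName,Ownership,ReadinessStatus,SysReqIssue
PC-01,1,2,8
PC-02,2,0,
PC-03,0,3,14
"""
RISK_SAMPLE = """AssetType,AssetName,ReadinessStatus,AffectedDevices
1,ContosoApp,2,12
2,WidgetDriver,1,3
"""


def decode(mapping, raw):
    """Map one exported cell to its friendly name. Blank cells stay blank and
    codes outside the table are flagged rather than silently discarded."""
    if raw is None or raw.strip() == "":
        return ""
    try:
        code = int(raw)
    except ValueError:
        return f"Unmapped({raw!r})"
    return mapping.get(code, f"Unmapped({code})")


def decode_export(csv_text, columns, rename=None):
    """Decode every coded column of an export; `rename` fixes misleading
    column names (the risk export's Readiness status is really Risk status)."""
    rename = rename or {}
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        decoded = {}
        for col, value in row.items():
            if col in columns:
                value = decode(columns[col], value)
            decoded[rename.get(col, col)] = value
        rows.append(decoded)
    return rows


if __name__ == "__main__":
    for r in decode_export(READINESS_SAMPLE, READINESS_COLUMNS):
        print(r)
    for r in decode_export(RISK_SAMPLE, RISK_COLUMNS, rename={"ReadinessStatus": "RiskStatus"}):
        print(r)
```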
See also
The FastTrack Center Benefit for Windows provides access to Desktop App Assure. This
benefit is a service designed to address issues with Windows 10/11 and Microsoft 365
Apps for enterprise compatibility. For more information, see Desktop App Assure.
Next step
Configure Update rings for Windows 10 and later
Configure Feature updates for Windows 10 and later
Windows Update reports for Microsoft Intune
Article • 06/26/2023
With Intune, you can deploy updates to Windows 10/11 devices by using policies for:
Reports for these policy types are available to help you monitor and troubleshoot
update deployments. Intune supports the following report options:
Reports in Intune:
Windows 10 update rings – Use a built-in report that's ready by default when
you deploy update rings to your devices.
Windows 10 feature updates – Use two built-in reports that work together to
gain a deep picture of update status and issues. These reports require you to
configure data collection from devices before the reports can display data about
feature updates.
Windows Driver updates – Use the built-in reports to understand which driver
updates are applicable to your devices and which of those updates have been
approved, installed, or paused.
Use Windows Update for Business reports with Intune to monitor Windows update
rollouts. Windows Update for Business reports is a free service built on Azure
Monitor and Log Analytics.
For more information, see Monitor Windows Updates with Windows Update for
Business reports in the Windows documentation.
The data in the Intune reports for Feature updates for Windows 10 and later policy is
used only for these reports and doesn't surface in other Intune reports.
Before you can use the feature updates policy reports, you must configure prerequisites
for the report.
Prerequisites
Data collection:
Before a device can send the reporting data that's used in the Windows 10 feature
updates report for Intune, you must Configure data collection:
Service-based data is collected for all feature update versions and doesn't
require you to configure data collection.
Client-based data is collected from devices only after data collection is
configured.
Service and client-based data is described in Use the Windows 10 feature updates
(Organizational) report later in this article.
Devices:
Devices must:
Meet the prerequisites for Windows 10 and later feature updates policy as
documented in Feature updates for Windows 10 and later policy in Intune.
Be Azure Active Directory joined, or hybrid Azure Active Directory joined, to
support submitting data for reporting.
Run Windows 10 1903 or later, or Windows 11. Although Windows 10 and later
feature updates policy supports earlier versions of Windows, earlier versions
don't support reporting of the data that Intune uses for the feature updates
reports.
Name: Enter a descriptive name for the profile, like Intune data collection policy.
Description: Enter a description for the profile. This setting is optional, but
recommended.
In Configuration Settings:
Health Monitoring: Select Enable to collect event information from supported
Windows 10/11 devices.
Scope: Select Windows Updates.
Use the Scope tags and Applicability rules to filter the profile to specific IT groups
or to devices in a group that meet specific criteria. Only Windows 10 version 1903
and later and Windows 11 are supported for these reports.
When you complete the creation of the Windows health monitoring profile, the profile
deploys to the assigned groups, and configuration of data collection is complete.
It can take up to 24 hours after setting up Windows health monitoring with Windows
updates before the policy is applied.
Tip
If you use Endpoint Analytics, you can modify the existing configuration profile.
The same policy is used to collect data for Endpoint Analytics.
Service-based data from Windows Update – This data typically arrives in less than
an hour after an event happens in the service. Events include Alerts for a device
that can't register with Windows Update (which is viewable in the Feature update
failures report), to status updates about when Windows Update began offering an
update to clients. This data is available without configuring data collection.
Client-based data from Intune devices that are configured to send data to Intune
– This data is processed in batches and refreshes every eight hours, but is only
available after you configure data collection. The data contains information like
when a client doesn't have enough disk space to install an update. This data is also
used in the Windows 10 feature updates organizational report to show the various
installation steps a device moves through when installing feature updates.
Use the Windows 10 feature updates (Organizational)
report
The Windows 10 feature updates report provides an overview of compliance for devices
you target with a Windows feature updates policy.
Important
Before this report can show data, you must configure data collection for the
Windows feature updates reports.
This report provides update installation status based on the update state reported
by each device, together with device-specific update details. The data in this report is
timely and calls out the device name and state and other update-related details. This
report also supports filtering, searching, paging, and sorting.
2. To view a summary report across all Windows 10 and later feature updates policies:
In the admin center, go to Reports > Windows updates. The default view
displays the Summary tab:
3. To open the Windows 10 feature updates report and view device details for a
specific feature updates profile:
In the admin center, go to Reports > Windows updates > select the Reports
tab > select Windows Feature Update Report.
Select Select a feature update profile, choose a profile, and then select Generate
report.
Select Update status and Ownership to refine the report.
The following list identifies the columns that are available in the view:
Service-side data:
Pending:
Validation – The update can't be offered to the device because of a
validation issue with the device and Windows Update.
Scheduled – The update is scheduled for the device but isn't yet being
offered to it.
On hold:
Admin paused – The update is on hold because the deployment was
paused by an explicit administrator action.
ServicePaused – The update is on hold because of an automatic action
by Windows Update.
Canceled:
Admin Cancelled – The update offer was canceled by explicit
Administrator action.
Service Cancelled – The update was canceled by Windows Update for
one of the following reasons:
The end of service for the selected content was reached and it’s no
longer offered by Windows Update. For example, the device might
have been added to a deployment after the content’s availability
expired, or the content reached its end of service date before it could
install on the device.
The deployment content has been superseded for the device. This
can happen when the device is targeted by another deployment that
deploys newer content. For example, one deployment targets the
Windows 10 device to install version 2004 and a second deployment
targets that same device with version 21H1. In this event, 2004 is
superseded by the 21H1 deployment and Windows Update cancels
the 2004 deployment to the device.
Removed from Deployment – The update offer was canceled because
it was removed from the Deployment by explicit Administrator action.
Offering:
OfferReady – The update is currently being offered to the device by
Windows Update.
Client-side data:
On Hold:
Deferred – Windows Update for Business (WUfB) policies are causing
the device to defer the update being offered.
Offering:
Offer Received – The device scanned against Windows Update (WU)
and identifies that the update is applicable but hasn't begun to
download it.
Installing:
Download Start – The download process has begun.
Download Complete – The download process has completed.
Install Start – The pre-restart install process has started.
Install Complete – The pre-restart install process has finished. If the
update doesn't require a restart, the update process ends here.
Restart Required – A restart is required to finish update.
Restart Initiated – The device has gone into restart.
Restart Complete – The device has come back from restart.
Installed:
Update Installed – The update successfully installed.
Uninstalling:
Uninstall – The device is actively uninstalling the update.
Rollback – A rollback has been initiated to a previous update because
of a serious issue during installation.
Update Uninstalled – The update successfully uninstalled.
Rollback complete – A rollback has completed.
Cancelled:
User Cancelled – A user canceled the update.
Device Cancelled – The device canceled the update for a user. This
action is usually because the update no longer applies.
Other:
Needs attention – The device has an issue that needs attention.
Important
Before this report can show data, you must configure data collection for the
Windows feature updates reports.
This report provides insights to update installation status, including the number of
devices with errors. It also supports drilling in for more details to help you troubleshoot
issues with the installation. This report supports filtering, searching, paging, and sorting.
2. Select Devices > Monitor, and then below Software updates select Feature update
failures.
The initial view displays a per-profile summary of how many devices have
alerts for each of your profiles with the version of Windows that the profile
targets:
Selecting a profile opens a dedicated view that contains all active Alerts for
that profile.
Select an Alert Message to open a pane that displays more details for that
alert:
The following list identifies Alert Messages, and suggested remediation actions:
Alert Message Description Recommendation
The data in the Intune reports for Windows Driver update policies is used only for these
reports and doesn't appear in other Intune reports. The following reports are available:
Windows Driver updates summary
Windows Driver updates report
Windows Driver update failures
The following screen capture displays a summary of four policies, each assigned to a
single device.
This report allows you to view the status of driver updates for each policy (Profile
column). It displays the number of devices that are up-to-date (Success), failed (Error),
paused (Paused), etc. for the driver updates in that policy. However, each device is only
represented once in a single status column, based on the worst status across all of the
updates that apply to that device.
Intune ranks the following statuses in order of priority, from best (Success) to worst
(NeedsReview):
For example: A policy might have three applicable driver updates for an assigned device.
If one of the three fails to install on that device while the other two updates install
successfully, the device is identified by adding one to the Error column. Once all three
updates install successfully, the device is represented by adding one to the Success
column and reducing the count of the Error column by one.
This report doesn’t support drilling in for more details about devices, driver updates, or
policy details.
To find this report, in the admin center go to Reports > Windows updates > Reports
tab, and then select the Windows Driver Update Report tile.
In the following screen capture, the report shows details for the driver update Microsoft
– APPLIANCES – 1.0.0.1.
1. On the Windows 10 and later Driver updates view, select Select a driver update to
open the Driver updates pane on the right.
2. The Driver updates pane displays a list of updates that are approved and applicable
for at least one device from across all your driver update policies.
3. On the Driver updates pane, select a driver, and then OK to return to the Windows
10 and later Driver updates report view that now shows information for the driver
you selected, and select Generate again to update the report.
In the following screen capture, only four drivers remain applicable to devices with
driver updates policy, and those four updates are different versions of the same driver
update.
Column details:
While most of the column details should be clear, the following warrant some
explanation:
Update State – This column presents the most recent status of the selected driver
update, as reported by each device to which it applies. Further details can be found
in the Update Substate column.
Cancelled – The update was paused in the policy that applies to this device.
Offering – The update is approved, but the device hasn't yet installed it.
Installed – The update installed successfully.
Needs attention – There's an installation issue for the update on this device.
Policy – This column identifies the name of the policy in which the update was
approved.
Last Scan Time – This column provides insight into when a device last checked for
updates. This can help explain why approved updates haven't installed. For
instance, if the last scan time is several weeks old, it may indicate that the device is
either offline or unable to connect to scan for updates.
Data retention:
As devices across all your update policies install the latest versions of a driver update,
older driver update versions that are no longer needed by any device drop off the
driver updates list. However, this isn't necessarily an immediate event. Reporting data for
driver updates remains available until the end of a data retention period is reached. This
period is six months from the last time an event for the update is received.
If the update is approved and all applicable devices have installed the update, then
six months after the last device updates is status, the update is removed from
reporting details.
Similarly, if an update is paused and shows no activity for the retention period, that
update is also dropped from reporting details after six months. After an updates
data ages out, if a paused update that remains applicable to a device is
reapproved, subsequent status for that update begins to appear in reports.
Previous data that aged out of reports won’t be restored or available.
When you select the report, you can view a list of your update policies and see a count
of devices in each policy that have at least one driver update error. In the previous
screen capture, only one driver has such an error.
By selecting that policy and entry, you can then view more information about the error,
including:
Device Name
Driver Name
Driver Class
Alert Message
Deployment Error Code
UPN
Intune Device ID
This view is a useful place to identify and start investigating driver update installation
failures.
Use an Intune device configuration profile to deploy the settings to your Windows
10/11 devices.
For guidance on this solution, see Configuring Microsoft Intune devices for Windows
Update For Business reports in the Windows Update For Business reports
documentation.
Next steps
Manage software updates in Intune
Troubleshooting policies and profiles in Microsoft Intune
Article • 05/27/2023
This article provides troubleshooting guidance for common issues related to policies
and configuration profiles in Microsoft Intune, including instructions on how to use the
built-in Intune troubleshooting feature.
Helpful links:
4. Under Devices, find the device having an issue. Review the different columns:
If Managed isn't set to MDM or EAS/MDM, then the device isn't enrolled.
It doesn't receive compliance or configuration policies until it's enrolled.
For more information, see get started with device compliance policies.
Last check in: Should be a recent time and date. By default, Intune devices
check in every 8 hours.
If Last check in is more than 24 hours ago, there may be an issue with the
device. A device that can't check in can't receive your policies from Intune.
To force check-in:
On the Android device, open the Company Portal app > Devices >
Choose the device from list > Check Device Settings.
On the iOS/iPadOS device, open the Company portal app > Devices >
Choose the device from list > Check Settings.
On a Windows device, open Settings > Accounts > Access Work or
School > Select the account or MDM enrollment > Info > Sync.
Policy states:
Not Applicable: This policy isn't supported on this platform. For example,
iOS/iPadOS policies don't work on Android. Samsung KNOX policies don't
work on Windows devices.
Conflict: There's an existing setting on the device that Intune can't
override. Or, you deployed two policies with the same setting using
different values.
Pending: The device hasn't checked into Intune to get the policy. Or, the
device received the policy but hasn't reported the status to Intune.
Errors: Look up errors and possible resolutions at Troubleshoot company
resource access problems.
Check tenant status
Check the Tenant Status and confirm the subscription is Active. You can also view details
for active incidents and advisories that may impact your policy or profile deployment.
2. Select Devices > All devices > select the device > Device configuration.
Every device lists its profiles. Each profile has a Status. The status applies when all
of the assigned profiles, including hardware and OS restrictions and requirements,
are considered together. Possible statuses include:
Conforms: The device received the profile and reports to Intune that it
conforms to the setting.
Not applicable: The profile setting isn't applicable. For example, email
settings for iOS/iPadOS devices don't apply to an Android device.
Pending: The profile is sent to the device, but hasn't reported the status to
Intune. For example, encryption on Android requires the user to enable
encryption, and might show as pending.
If you create policies in the Exchange On-Premises Policy workspace (Admin console),
but are using Microsoft 365, then the configured policy settings aren't enforced by
Intune. In the alert, note the policy source. Under the Exchange On-premises Policy
workspace, delete the legacy rules. The legacy rules are Global Exchange rules within
Intune for on-premises Exchange, and aren't relevant to Microsoft 365. Then, create new
policy for Microsoft 365.
Depending on the device platform, if you want to change the policy to a less secure
value, you may need to reset the security policies.
For example, in Windows 8.1, on the desktop, swipe in from right to open the Charms
bar. Choose Settings > Control Panel > User Accounts. On the left, select Reset
Security Policies link, and choose Reset Policies.
Other platforms, such as Android, and iOS/iPadOS may need to be retired and re-
enrolled to apply a less restrictive policy.
This article describes what to do when your users fail to get access to resources
protected with Conditional Access, or when users can access protected resources but
should be blocked.
With Intune and Conditional Access, you can protect access to Microsoft 365 services
like Exchange Online and SharePoint Online, and various other services. This capability
allows you to make sure that only devices that are enrolled with Intune and compliant
with the Conditional Access rules that you set in Intune or Azure Active Directory have
access to your company resources.
The device must be enrolled in mobile device management (MDM) and managed
by Intune.
Both the user and the device must be compliant with the assigned Intune
compliance policies.
By default, the user must be assigned a device compliance policy. This can depend
on the configuration of the setting Mark devices with no compliance policy
assigned as, which is under Device Compliance > Compliance Policy Settings in
the Intune admin portal.
Exchange ActiveSync must be activated on the device if the user is using the
device's native mail client rather than Outlook. This happens automatically for
iOS/iPadOS and Android Knox devices.
For on-premises Skype, you must configure Hybrid Modern Authentication. See
Hybrid Modern Auth Overview.
You can view these conditions for each device in the Azure portal and in the device
inventory report.
Devices appear compliant but users are still blocked
Ensure that the user has an Intune license assigned for proper compliance
evaluation.
Non-Knox Android devices won't be granted access until the user clicks the Get
Started Now link in the quarantine email they receive. This applies even if the user
is already enrolled in Intune. If the user doesn't get the email with the link on their
phone, they can use a PC to access their email and forward it to an email account
on their device.
When a device is first enrolled, it might take some time for compliance information
to be registered for a device. Wait a few minutes and try again.
For iOS/iPadOS devices, an existing email profile might block the deployment of an
Intune admin-created email profile assigned to that user, making the device
noncompliant. In this scenario, the Company Portal app will notify the user that
they aren't compliant because of their manually configured email profile, and it
prompts the user to remove that profile. Once the user removes the existing email
profile, the Intune email profile can successfully deploy. To prevent this problem,
instruct your users to remove any existing email profiles on their device before
enrolling.
A device might get stuck in a checking-compliance state, preventing the user from
starting another check-in. If you have a device in this state:
Make sure the device is using the latest version of the Company Portal app.
Restart the device.
See if the problem persists on different networks (for example, cellular, Wi-Fi,
etc.).
An Android device that's enrolled and compliant might still be blocked and receive
a quarantine notice when first trying to access corporate resources. If this occurs,
make sure the Company Portal app isn't running, then select the Get Started Now
link in the quarantine email to trigger evaluation. This should only need to be done
when Conditional Access is first enabled.
An Android device that is enrolled might prompt the user with "No certificates
found" and not be granted access to Microsoft 365 resources. The user must
enable the Enable Browser Access option on the enrolled device as follows:
Check if the email client on the device is configured to retrieve email using Push
instead of Poll. If so, this could cause the user to miss the email. Switch to Poll and
see if the device receives the email.
If the device is selectively wiped or retired from Intune, it might continue to have
access for several hours after retirement. This is because Exchange caches access
rights for six hours. Consider other means of protecting data on retired devices in
this scenario.
Surface Hub, Bulk-Enrolled, and DEM enrolled Windows devices can support
Conditional Access when a user who is assigned a license for Intune is signed in.
However, you must deploy the compliance policy to device groups (not user
groups) for correct evaluation.
Check the assignments for your compliance policies and your Conditional Access
policies. If a user isn't in the group that's assigned the policies, or is in a group
that's excluded, the user isn't blocked. Only devices for users in an assigned group
are checked for compliance.
Review your Target and Exclusion groups. If a user isn't in the right target group or
is in the exclusion group, they won't be blocked. Only devices of users in a Target
group are checked for compliance.
If the device is listed, use the Get-CASMailbox -Identity '<upn>' | fl cmdlet (replace
<upn> with the user's UPN) to get detailed information about its access state, and provide
that information to Microsoft Support. For more info, see the Exchange PowerShell docs.
Starting with version 6.1806.x.x, the Intune Connector Service logs events in the Event
Viewer (Applications and Services Logs > Microsoft Intune Connector). Use these
events to help troubleshoot potential issues in the configuration of the Intune Certificate
Connector. These events log successes and failures of an operation, and also contain
diagnostic codes with messages to help the IT admin troubleshoot.
Tip
To troubleshoot issues and verify Intune Certificate Connector setup, see Certificate
Authority script samples .
Diagnostic codes
Diagnostic Code    Diagnostic Name    Diagnostic Message
Next steps
For further assistance, see Troubleshooting SCEP certificate profiles with Microsoft
Intune.
This article gives guidance to help you troubleshoot and resolve issues with Simple
Certificate Enrollment Protocol (SCEP) certificate profiles in Microsoft Intune. The
following sections cover these concepts:
The information in this article and related SCEP certificate troubleshooting articles
applies to using SCEP certificate profiles with Android, iOS/iPad, and Windows devices.
Similar information for macOS isn't available at this time. To troubleshoot Network
Device Enrollment Service (NDES), see the following articles:
Before proceeding, ensure you've met the prerequisites for using SCEP certificate
profiles, including the deployment of a root certificate through a trusted certificate
profile.
2. Device to NDES server communication. The device uses the URI for NDES from the
profile to contact the NDES server so it can present a challenge.
3. NDES to policy module communication. NDES forwards the challenge to the Intune
Certificate Connector policy module on the server, which validates the request.
Log files
To identify problems for the communication and certificate provisioning workflow,
review log files from both the Server infrastructure, and from devices. Later sections for
troubleshooting SCEP certificate profiles refer to log files referenced in this section.
Log files for these roles include Windows Event Viewer, Certificate consoles, and various
log files specific to the Intune Certificate Connector, NDES, or other role and operations
that are part of the on-premises infrastructure.
The following list includes logs or consoles that are referenced in the subsequent SCEP
troubleshooting articles.
NDESConnector_date_time.svclog:
This log shows communication from the Microsoft Intune Certificate Connector to
the Intune cloud service. You can use the Service Trace Viewer Tool to view this log
file.
CertificateRegistrationPoint_date_time.svclog:
This log shows the NDES policy module receiving and verifying certificate requests.
You can use the Service Trace Viewer Tool to view this log file.
NDESPlugin.log:
This log shows the passing of certificate requests to the Certificate Registration
Point, and the resulting verification of those requests.
IIS logs:
IIS logs show the certificate requests from mobile devices entering NDES.
This log is useful when investigating IIS issues, like the SCEP application pool.
Location: On the server that hosts NDES: Run eventvwr.msc to open Windows
Event Viewer
To collect the OMADM.logs from a device, see Upload and email logs using a USB cable.
1. Connect the iOS/iPadOS device to Mac, and then go to Applications > Utilities to
open the Console app.
2. Under Action, select Include Info Messages and Include Debug Messages.
3. Reproduce the problem, and then save the logs to a text file:
a. Select Edit > Select All to select all the messages on the current screen, and
then select Edit > Copy to copy the messages to the clipboard.
b. Open the TextEdit application, paste the copied logs into a new text file, and
then save the file.
The Company Portal log for iOS and iPadOS devices doesn't contain information about
SCEP certificate profiles.
On the device, open Event Viewer > Applications and Services Logs > Microsoft >
Windows > DeviceManagement-Enterprise-Diagnostics-Provider.
Next steps
Troubleshoot deployment of a SCEP certificate profile to devices in Microsoft Intune
This article gives troubleshooting guidance for issues with deploying Simple Certificate
Enrollment Protocol (SCEP) certificate profiles with Microsoft Intune. Certificate
deployment is Step 1 of the SCEP communication flow overview.
The SCEP certificate profile, and the trusted certificate profile specified in the SCEP
profile, must both be assigned to the same user, or the same device. The following table
shows the expected result of mixed assignments:
Android
SCEP certificate profiles for Android come down to the device as a SyncML and are
logged in the OMADM log.
1. Specify the user who should receive the SCEP certificate profile.
2. Review the user's group membership to ensure they are in the security group you
used with the SCEP certificate profile.
ModelName=AC_51bad41f-3854-4eb5-a2f2-0f7a94034ee8%2FLogicalName_39907e78_e61b_4730_b9fa_d44a53e4111c%3BHash=-1518303401
<NDESUrls><NDESUrl>https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll</NDESUrl></NDESUrls>
iOS/iPadOS
1. Specify the user who should receive the SCEP certificate profile.
2. Review the user's group Membership to ensure they are in the security group you
used with the SCEP certificate profile.
ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295
PayloadDependencyDomainCertificate
Windows
1. Specify the user who should receive the SCEP certificate profile.
2. Review the user's group membership to ensure they are in the security group you
used with the SCEP certificate profile.
2. Expand Applications and Services Logs > Microsoft > Windows >
DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
Level: Information
User: SYSTEM
Description:
Next steps
If the profile reaches the device, the next step is to review the device to NDES server
communication.
Use the following information to determine if a device that received and processed an
Intune Simple Certificate Enrollment Protocol (SCEP) certificate profile can successfully
contact Network Device Enrollment Service (NDES) to present a challenge. On the
device, a private key is generated and the certificate signing request (CSR) and challenge
are passed from the device to the NDES server. To contact the NDES server, the device
uses the URI from the SCEP certificate profile.
1. On the NDES server, open the most recent IIS log file found in the following folder:
%SystemDrive%\inetpub\logs\logfiles\w3svc1
2. Search the log for entries similar to the following examples. Both examples contain
a status 200, which appears near the end:
And
operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0
3. When the device contacts IIS, an HTTP GET request for mscep.dll is logged.
Status code of 500: The IIS_IUSRS group might lack correct permissions. See
Troubleshoot status code 500, later in this article.
See Test and troubleshoot the SCEP server URL later in this article to help
validate the configuration.
See The HTTP status code in IIS 7 and later versions for information
about less common error codes.
If the connection request isn't logged at all, the contact from the device might be
blocked on the network between the device and the NDES server.
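The IIS log review above is easy to automate. The following PowerShell function is an added example, not code from the Intune documentation: it reads an IIS W3C log, uses the log's own #Fields header to map columns (so it doesn't depend on a fixed field order), keeps only requests to mscep.dll, and annotates each status code with the cause this article associates with it (500 for missing IIS_IUSRS rights, 503 for a stopped SCEP application pool). The embedded log lines are constructed for illustration; on a real NDES server, pass the lines from the newest file under %SystemDrive%\inetpub\logs\logfiles\w3svc1 instead.

```powershell
# Added example (not from the Intune docs): summarize NDES/SCEP requests in an IIS W3C log.
# The sample below is constructed; its field layout follows the IIS W3C extended format.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-27 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-27 10:00:01 10.0.0.5 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=default 443 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567
2023-05-27 10:00:02 10.0.0.5 GET /certsrv/mscep/mscep.dll operation=PKIOperation&message=MIIE 443 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 421
2023-05-27 10:05:10 10.0.0.5 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=default 443 - fe80::1234:5678:9abc:def0%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 500 0 0 12
2023-05-27 10:06:00 10.0.0.5 POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 - fe80::f53d:89b8:c3e8:5fec%13 - - 200 0 0 80
'@

function Get-NdesRequestSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    $results = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column order comes from the log itself; IIS writes this header in every log file.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Only the SCEP endpoint is of interest here; the policy module POSTs are a later step.
        if ($row['cs-uri-stem'] -notmatch 'mscep\.dll$') { continue }

        $operation = if ($row['cs-uri-query'] -match 'operation=([^&]+)') { $Matches[1] } else { '(none)' }
        $status = [int]$row['sc-status']
        # Hints follow the causes given in this article for each status code.
        $hint = switch ($status) {
            200     { 'OK' }
            403     { 'Expected only when browsing the URL without a SCEP query' }
            500     { 'Check IIS_IUSRS rights (Impersonate a client after authentication)' }
            503     { 'SCEP application pool is probably stopped' }
            default { 'See the IIS status code reference' }
        }
        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            Client    = $row['c-ip']
            Operation = $operation
            Status    = $status
            Hint      = $hint
        }
    }
    return $results
}

$summary = Get-NdesRequestSummary -Lines ($sampleLog -split "`r?`n")
$summary | Format-Table -AutoSize
if (-not $summary) {
    Write-Warning 'No mscep.dll requests logged: the device may be blocked on the network before it reaches NDES.'
}
```

A device that completes GetCACert and PKIOperation with status 200 has passed this step; a client that appears only with GetCACert, or not at all, points back to the profile deployment or network path rather than to the policy module.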
Android devices
Review the device's OMADM log. Look for entries that resemble the following examples,
which are logged when the device connects to NDES:
Output
fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 3909 0
fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 421
iOS/iPadOS devices
Review the device's debug log. Look for entries that resemble the following examples,
which are logged when the device connects to NDES:
Output
operation=GetCACert
Attempting to retrieve issued certificate
Sending CSR via GET
operation=PKIOperation
Windows devices
On a Windows device that is making a connection to NDES, you can view the device's
Windows Event Viewer and look for indications of a successful connection. Connections
are logged as event ID 36 in the device's DeviceManagement-Enterprise-Diagnostics-Provider > Admin log.
2. Expand Applications and Services Logs > Microsoft > Windows >
DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
3. Look for Event 36, which resembles the following example, with the key line of
SCEP: Certificate request generated successfully:
Output
Event ID: 36
Level: Information
Keywords:
User: <UserSid>
Description:
1. On the NDES server, run secpol.msc to open the Local Security Policy.
2. Expand Local Policies, and then select User Rights Assignment.
3. Double-click Impersonate a client after authentication in the right pane.
4. Select Add User or Group…, enter IIS_IUSRS in the Enter the object names to
select box, and then select OK.
5. Select OK.
6. Restart the computer, and then try the connection from the device again.
1. In Intune, edit your SCEP certificate profile and copy the Server URL. The URL
should resemble https://contoso.com/certsrv/mscep/mscep.dll .
2. Open a web browser, and then browse to that SCEP server URL. The result should
be: HTTP Error 403.0 – Forbidden. This result indicates the URL is functioning
correctly.
If you don't receive that error, select the link that resembles the error you see to
view issue-specific guidance:
I receive a general Network Device Enrollment Service message
I receive "HTTP Error 503. The service is unavailable"
I receive the "GatewayTimeout" error
I receive "HTTP 414 Request-URI Too Long"
I receive "This page can't be displayed"
I receive "500 - Internal server error"
Cause: This problem is usually an issue with the Microsoft Intune Connector
installation.
Mscep.dll is an ISAPI extension that intercepts incoming requests and displays the
HTTP 403 error if it's installed correctly.
If the installation fails, remove the Microsoft Intune Connector and then reinstall it.
If the installation was successful and you continue to receive the General NDES
message, run the iisreset command to restart IIS.
HTTP Error 503
When you browse to the SCEP server URL, you receive the following error:
This issue is usually because the SCEP application pool in IIS isn't started. On the NDES
server, open IIS Manager and go to Application Pools. Locate the SCEP application pool
and confirm it's started.
If the SCEP application pool isn't started, check the application event log on the server:
1. On the device, run eventvwr.msc to open Event Viewer and go to Windows Logs
> Application.
2. Look for an event that is similar to the following example, which means that the
application pool crashes when a request is received:
Output
Level: Error
Keywords: Classic
A certificate that has the same Issued to and Issued by values, is a root certificate.
Otherwise, it's an intermediate certificate.
After removing certificates and restarting the server, run the PowerShell cmdlet
again to confirm there are no intermediate certificates. If there are, check whether
a Group Policy pushes the intermediate certificates to the NDES server. If so,
exclude the NDES server from the Group Policy and remove the intermediate
certificates again.
Cause 2: The URLs in the Certificate Revocation List (CRL) are blocked or
unreachable for the certificates that are used by the Intune Certificate Connector.
1. Open Event Viewer, select View, make sure that Show Analytic and Debug
Logs option is checked.
2. Go to Applications and Services Logs > Microsoft > Windows > CAPI2 >
Operational, right-click Operational, then select Enable Log.
3. After CAPI2 logging is enabled, reproduce the problem, and examine the
event log to troubleshoot the issue.
2. In the list of certificates, find an expired certificate that satisfies the following
conditions:
The value of Intended Purposes is Client Authentication.
The value of Issued To or Common Name matches the NDES server name.
3. Double-click the certificate. In the Certificate dialog box, select the Details
tab, locate the Thumbprint field, and then verify the value matches the value
of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint registry subkey.
5. Right-click the certificate, select All Tasks, then select Request Certificate
with New Key or Renew Certificate with New Key.
6. In the Certificate Enrollment page, select Next, select the correct SSL
template, and then select More information is required to enroll for this
certificate. Click here to configure settings.
7. In the Certificate Properties dialog box, select the Subject tab, and then
perform the following steps:
a. Under Subject name, in the Type drop-down box, select Common Name.
In the Value box, enter the fully qualified domain name (FQDN) of the
NDES server. Then select Add.
b. Under Alternative name, in the Type drop-down box, select DNS. In the
Value box, enter the FQDN of the NDES server. Then select Add.
c. Select OK to close the Certificate Properties dialog box.
8. Select Enroll, wait until the enrollment finishes successfully, and then select
Finish.
10. After you close the Certificate Connector UI, restart the Intune Connector
Service and the World Wide Web Publishing Service.
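Two of the checks in this "500 - Internal server error" section can be scripted rather than clicked through: finding intermediate CA certificates that have ended up in the Trusted Root store (Cause 1 above, where a certificate whose Issued to and Issued by differ is not a root), and confirming that the NDESCertThumbprint registry value really points at a valid Client Authentication certificate in the machine's Personal store (step 3 above). The following PowerShell is an added example, not code from the Intune documentation; it assumes it runs in an elevated session on the NDES server and uses only the registry path and value name quoted in this article.

```powershell
# Added example (not from the Intune docs): NDES server certificate checks from the
# "500 - Internal server error" guidance. Run in an elevated PowerShell session on the NDES server.
$NdesPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'   # path from the article

function Get-IntermediateCertsInRootStore {
    # A root certificate is issued to itself; anything else in the Root store is an
    # intermediate that belongs in Intermediate Certification Authorities instead.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Test-NdesCertThumbprint {
    $configured = (Get-ItemProperty -Path $NdesPolicyKey -ErrorAction Stop).NDESCertThumbprint
    if (-not $configured) { throw "NDESCertThumbprint is not set under $NdesPolicyKey" }
    # Thumbprints pasted into the registry sometimes carry spaces; -eq is case-insensitive.
    $configured = $configured -replace '\s', ''

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $configured } |
        Select-Object -First 1

    $subject = $null
    $expired = $null
    $hasClientAuth = $false
    if ($cert) {
        $subject = $cert.Subject
        $expired = $cert.NotAfter -lt (Get-Date)
        # The article expects Intended Purposes to include Client Authentication.
        $hasClientAuth = [bool]($cert.EnhancedKeyUsageList |
            Where-Object { $_.FriendlyName -eq 'Client Authentication' })
    }

    [pscustomobject]@{
        ConfiguredThumbprint = $configured
        FoundInPersonalStore = [bool]$cert
        Subject              = $subject
        Expired              = $expired
        HasClientAuthEku     = $hasClientAuth
    }
}

$misplaced = Get-IntermediateCertsInRootStore
if ($misplaced) {
    Write-Warning 'Intermediate CA certificates are present in Trusted Root. Remove them, and exclude this server from any Group Policy that delivers them:'
    $misplaced | Format-Table -AutoSize
} else {
    Write-Output 'Trusted Root store contains only root certificates.'
}

# FoundInPersonalStore = False or Expired = True means the certificate must be renewed or
# re-requested with a new key and the connector re-bound to it, as described in the steps above.
Test-NdesCertThumbprint | Format-List
```

Run the checks again after removing certificates and restarting the server; if the intermediates reappear, a Group Policy is re-delivering them, which is the case the article tells you to exclude the NDES server from.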
GatewayTimeout
When you browse to the SCEP server URL, you receive the following error:
Cause: The Microsoft Azure AD Application Proxy Connector service isn't started.
Solution: Run services.msc, and then make sure that the Microsoft Azure AD
Application Proxy Connector service is running and Startup Type is set to
Automatic.
Cause: IIS request filtering isn't configured to support the long URLs (queries) that
the NDES service receives. This support is configured when you configure the
NDES service for use with your infrastructure for SCEP.
1. On the NDES server, open IIS manager, select Default Web Site > Request
Filtering > Edit Feature Setting to open the Edit Request Filtering Settings
page.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Cause: This issue occurs when the SCEP external URL is incorrect in the Application
Proxy configuration. An example of this URL is
https://contoso.com/certsrv/mscep/mscep.dll .
2. Check the expired certificates on the NDES server, copy the Subject
information from the certificate.
4. Expand Personal, right-click Certificates, then select All Tasks > Request New
Certificate.
5. On the Request Certificate page, select CEP Encryption, then select More
information is required to enroll for this certificate. Click here to configure
settings.
6. In Certificate Properties, select the Subject tab, fill the Subject name with the
information that you collected during step 2, select Add, then select OK.
When you enroll for the Exchange Enrollment Agent (Offline request)
certificate, it must be done in the user context, because the Subject Type of
this certificate template is set to User.
9. Expand Personal, right-click Certificates, then select All Tasks > Request New
Certificate.
10. On the Request Certificate page, select Exchange Enrollment Agent (Offline
request), then select More information is required to enroll for this
certificate. Click here to configure settings.
11. In Certificate Properties, select the Subject tab, fill the Subject name with the
information that you collected during step 2, select Add.
Select the Private Key tab, select Make private key exportable, then select
OK.
13. Export the Exchange Enrollment Agent (Offline request) certificate from the
current user certificate store. In the Certificate Export Wizard, select Yes,
export the private key.
14. Import the certificate to the local machine certificate store.
15. In the Certificates MMC, do the following action for each of the new
certificates:
Right-click the certificate, select All Tasks > Manage Private Keys, add Read
permission to the NDES service account.
Next steps
If the device successfully reaches the NDES server to present the certificate request, the
next step is to review the Intune Certificate Connector's policy module.
This article gives guidance to help you validate and troubleshoot operation of the
Network Device Enrollment Service (NDES) policy module that installs with the Microsoft
Intune Certificate Connector. When NDES receives a request for a certificate, it forwards
the request to the policy module, which validates the request as valid for the device.
After the validation, NDES contacts the certificate authority (CA) to request the
certificate on behalf of the device.
This article applies to both Step 3 and Step 4 of SCEP communication workflow.
To confirm the validation request is submitted to the module, look for an entry that
resembles the following examples in logs on the NDES server:
IIS logs:
Output
fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 -
NDESPlugin log:
CertificateRegistrationPoint.svclog:
If you don't find these entries, start by reviewing the troubleshooting guidance for
device to NDES server communication.
If the information in that article doesn't help you resolve the issue, the following are
additional entries that can indicate problems.
Output
WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
Modern browsers and browsers on mobile devices ignore the Common Name on an SSL
certificate if there are Subject Alternative Names present.
Solution: Issue the web server SSL certificate with the following attributes for Common
Name and Subject Alternative Name, and then bind it to port 443 in IIS:
Subject name
NDESPlugin.log:
IIS log:
This issue occurs if there are intermediate CA certificates in the NDES server's Trusted
Root Certification Authorities certificate store.
If a certificate has the same Issued to and Issued by values, it's a root certificate.
Otherwise, it's an intermediate certificate.
Solution: To fix the issue, identify and remove the intermediate CA certificates from the
Trusted Root Certification Authorities certificate store.
Solution: On the server where the connector is installed, open the Registry Editor, locate
the HKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector registry key, and then
check whether the SigningCertificate value exists.
If this value doesn't exist, restart the Intune Connector Service in services.msc, and then
check whether the value appears in the registry. If the value is still missing, it's often because
of network connectivity issues between the server that hosts NDES and the Intune service.
NDESPlugin log:
IIS logs:
Output
fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 2713 1296
CertificateRegistrationPoint.svclog:
VerifyRequest Started.
VerifyRequest Finished with status False
2. Open the Certification Authority MMC on the CA, and select Failed Requests to
look for errors that help identify a problem. The following image is an example:
3. Review the application event log on the CA for errors. Usually you can see errors
that match what you see in the Failed Requests from the previous step. The
following image is an example:
Next steps
If the NDES policy module validates the request and the request is forwarded to the
certificate authority, the next step is to review the certificate delivery to the device.
This article applies to step 5 of the SCEP communication workflow: delivery of the
certificate to the device that submitted the certificate request.
Android
For device administrator enrolled devices, you'll see a notification similar to the
following image, which prompts you to install the certificate:
For Android Enterprise or Samsung Knox, the certificate installation is automatic, and
silent.
To view an installed certificate on Android, use a third party certificate viewing app.
You can also review the device's OMADM log. Look for entries that resemble the
following examples, which are logged when certificates install:
Root certificate:
iOS/iPadOS
On the iOS/iPadOS device, you can view the certificate under the Device
Management Profile. Drill down to see details for installed certificates.
You can also find entries that resemble the following in the iOS debug log:
Windows
On a Windows device, verify the certificate was delivered:
Run eventvwr.msc to open Event Viewer. Go to Applications and Services Logs >
Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider >
Admin and look for Event 39. This Event should have a general description of:
SCEP: Certificate installed successfully.
To view the certificate on the device, run certmgr.msc to open the Certificates MMC and
verify that the root and SCEP certificates are installed correctly on the device in the
personal store:
Troubleshoot failures
Android
To troubleshoot certificate delivery, review errors that are logged in the OMA DM log.
iOS/iPadOS
To troubleshoot certificate delivery, review errors that are logged in the device's debug
log.
Windows
To troubleshoot issues with the certificate not being installed on the device, look in the
Windows Event log for errors that suggest problems:
Errors with delivery and installation of the certificate to the device are typically related to
Windows operations, and not to Intune.
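On a Windows device, the two milestone events these articles reference (Event 36, "SCEP: Certificate request generated successfully", from the device-to-NDES step, and Event 39, "SCEP: Certificate installed successfully", from this delivery step) live in the same Admin channel, so one query tells you which phase of the flow to look at. The following PowerShell is an added example, not code from the Intune documentation; it assumes it runs on the enrolled device and that the provider name given in these articles maps to the channel Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin. The look-back window is an arbitrary default.

```powershell
# Added example (not from the Intune docs): run on the Windows device that received the SCEP profile.
# Reports the SCEP milestone events (36 = request generated, 39 = certificate installed) and any
# error-level events from the same channel, then maps the result back to the SCEP flow steps.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-ScepDeviceStatus {
    param([int]$Hours = 24)   # look-back window (assumed default; adjust as needed)
    $since = (Get-Date).AddHours(-$Hours)

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "none found".
    $milestones = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 36, 39; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } })

    # Level 2 = Error. Delivery/installation failures on Windows surface here rather than in Intune.
    $errors = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message)

    $requestGenerated = [bool]($milestones | Where-Object Id -eq 36)
    $installed        = [bool]($milestones | Where-Object Id -eq 39)

    # Point at the next article in the flow based on what the device has logged.
    if ($installed) {
        $nextStep = 'Certificate installed (step 5 complete). If Intune still shows no success, check NDES reporting to Intune.'
    } elseif ($requestGenerated) {
        $nextStep = 'Request generated but no install event. Review NDES, the policy module and CA delivery, then the device errors below.'
    } else {
        $nextStep = 'No SCEP request event. Confirm the profile reached the device (step 1) and that the device has checked in.'
    }

    [pscustomobject]@{
        RequestGenerated     = $requestGenerated
        CertificateInstalled = $installed
        NextStep             = $nextStep
        Milestones           = $milestones
        Errors               = $errors
    }
}

$status = Get-ScepDeviceStatus -Hours 48
$status | Select-Object RequestGenerated, CertificateInstalled, NextStep | Format-List
$status.Milestones | Format-Table -AutoSize
$status.Errors | Format-Table -AutoSize -Wrap
```

Pair the result with certmgr.msc as described above: Event 39 without a matching certificate in the Personal store, or errors from this provider after Event 36, are Windows-side installation problems rather than Intune reporting issues.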
Next steps
If the certificate successfully deploys to the device, but Intune doesn't report success,
see NDES reporting to Intune to troubleshoot reporting.
When using SCEP certificate profiles to provision certificates to Windows devices, the
last phase is that the Intune Certificate Connector reports the deployment to Intune.
This article explains how to confirm that NDES and the Intune Certificate Connector are
successfully reporting on certificate delivery to devices.
Important
The details in this article apply only to the PFX Certificate Connector for Microsoft
Intune and Microsoft Intune Connector. Support for both connectors ends in July
2021, when they are both replaced by the Certificate Connector for Microsoft
Intune.
If you use the new connector, see Certificate Connector for Microsoft Intune for
more information about capabilities, connector status, and log details including a
list of Log Event IDs for the newer connector.
IIS log:
fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/Notify - 443 -
NDESPlugin.log:
CertificateRegistrationPoint.svclog:
NDESConnector.svclog:
CertificateRequestStatus:
If the certificate request is successfully processed, you'll see new files in the
Succeed folder. You can use Notepad.exe to open the files and view the data that's
uploaded to the Intune service by the Intune Certificate Connector. The uploaded data
includes details like CertificateSerialNumber, UserID, DeviceID, and Thumbprint.
Verify that the Intune Connector Service is started on the NDES server, and that there
are no errors in NDESConnector.svclog.
This article gives troubleshooting guidance for several common issues when deploying
Public Key Cryptography Standards (PKCS) certificates in Microsoft Intune. Before
troubleshooting, ensure you've completed the following tasks, as explained in Configure
and use PKCS certificates with Intune:
The most common source of problems for PKCS certificate profiles has been the
configuration of the PKCS certificate profile itself. Review the profile's configuration and
look for typos in server names or fully qualified domain names (FQDNs), and confirm the
Certification Authority and Certification Authority Name are correct.
You can use the certutil command-line program on the CA to confirm the correct values
for the Certification Authority and Certification Authority Name.
Log files
To identify problems for the communication and certificate provisioning workflow,
review log files from both the Server infrastructure, and from devices. Later sections for
troubleshooting PKCS certificate profiles refer to log files referenced in this section.
Log files for these roles include Windows Event Viewer, Certificate consoles, and various
log files specific to the Intune Certificate Connector, or other role and operations that
are part of the on-premises infrastructure.
NDESConnector_date_time.svclog:
This log shows communication from the Microsoft Intune Certificate Connector to
the Intune cloud service. You can use the Service Trace Viewer Tool to view this log
file.
Location: On the server that hosts the Intune Certificate Connector: Run
eventvwr.msc to open Windows Event Viewer
To collect the OMADM.logs from a device, see Upload and email logs using a USB cable.
2. Under Action, select Include Info Messages and Include Debug Messages.
3. Reproduce the problem, and then save the logs to a text file:
a. Select Edit > Select All to select all the messages on the current screen, and
then select Edit > Copy to copy the messages to the clipboard.
b. Open the TextEdit application, paste the copied logs into a new text file, and
then save the file.
The Company Portal log for iOS and iPadOS devices doesn't contain information about
PKCS certificate profiles.
On the device, open Event Viewer > Applications and Services Logs > Microsoft >
Windows > DeviceManagement-Enterprise-Diagnostics-Provider
Antivirus exclusions
Consider adding Antivirus exclusions on servers that host the Intune Certificate
Connector when:
Certificate requests reach the server or the Intune Certificate Connector, but are
not successfully processed
Certificates are issued slowly
%program_files%\Microsoft Intune\PfxRequest
%program_files%\Microsoft Intune\CertificateRequestStatus
%program_files%\Microsoft Intune\CertificateRevocationStatus
Common errors
The following common errors are each addressed in a following section:
Certification authority
Certification authority name
Solution:
The Certification authority property displays the internal FQDN of your CA server.
The Certification authority name property displays the name of your CA.
If the CA FQDN and name are correct in the PKCS certificate profile, review the Windows
Application log that's on the certificate authority server. Look for an Event ID 128 that
resembles the following example:
Source: Microsoft-Windows-CertificationAuthority
Level: Warning
Details:
When the CA certificate renews, it must sign the Online Certificate Status Protocol
(OCSP) Response Signing certificate. Signing enables the OCSP Response Signing
certificate to validate other certificates by checking on their revocation status. This
signing isn't enabled by default.
Solution:
1. On the CA server, open an elevated Command Prompt and run the following
command: certutil -setreg ca\UseDefinedCACertInRequest 1
2. Restart the Certificate Services service.
After the Certificate Services service restarts, devices can receive certificates.
This issue occurs if the computer that hosts the Intune Certificate Connector can't locate
a certificate enrollment policy server.
Solution:
Manually configure the name of the certificate enrollment policy server on the computer
that hosts the Intune Certificate Connector. To configure the name, use the
Add-CertificateEnrollmentPolicyServer PowerShell cmdlet.
In addition, on the certificate authority server, you can see the PFX request in the
Pending Requests folder:
Solution:
Edit the Policy Module properties to set: Follow the settings in the certificate template,
if applicable. Otherwise, automatically issue the certificate.
Solution:
Verify the following configurations for the PKCS profile, and then wait for the policy to
refresh on the device:
For more information, see Configure and use PKCS certificates with Intune.
at Microsoft.Management.Services.NdesConnector.MicrosoftCA.GetCertificate(PfxRequestDataStorage pfxRequestData, String containerName, String& certificate, String& password)
This issue occurs when the Computer Account of the server that hosts the Intune
Certificate Connector doesn't have permissions to the certificate template.
Solution:
Review the request files for errors that indicate why they failed to be processed.
1. On the server that hosts the Intune Certificate Connector, use File Explorer to
navigate to %programfiles%\Microsoft Intune\PfxRequest.
2. Review files in the Failed and Processing folders, using your favorite text editor.
3. In these files, look for entries that indicate errors or suggest problems. Using a
web-based search, look up the error messages for clues as to why the request
failed to process, and for solutions to those issues.
Solution:
1. Review your trusted certificate profile to ensure you've deployed the root
certificate from your Enterprise CA to devices.
2. Review your PKCS certificate profile to ensure it references the correct CA,
certificate type, and the trusted certificate profile that deploys the root certificate
to devices.
For more information, see Use certificates for authentication in Microsoft Intune.
Error -2146875374
CERTSRV_E_SUBJECT_EMAIL_REQUIRED
PKCS certificates fail to deploy, and the certificate console on the issuing CA displays a
message with the string -2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED, as seen
in the following example:
This article gives troubleshooting guidance to help resolve common problems with the
on-premises Intune Exchange Connector. To troubleshoot specific error messages, see
Resolve common errors for the Intune Exchange Connector.
Important
As of July 2020, support for the Exchange Connector is deprecated, and replaced
with Exchange hybrid modern authentication (HMA).
Existing customers with an active connector will be able to continue with the
current functionality at this time. New customers and existing customers that do
not have an active connector will no longer be able to create new connectors or
manage Exchange ActiveSync (EAS) devices from Intune. For those tenants,
Microsoft recommends the use of Exchange HMA to protect access to Exchange
on-premises.
Verify that your process meets the installation requirements. See Set up the on-premises
Intune Exchange Connector.
Verify that your account has both Exchange and Intune administrator permissions.
Note the complete and exact error message text, details, and where the message is
displayed.
Determine when the problem started:
Are you setting up the connector for the first time?
Did the connector work correctly and then fail?
If it was working, what changes occurred in the Intune environment, Exchange
environment, or on the computer that runs the connector software?
What is the MDM authority?
What version of Exchange do you use?
Use PowerShell to get more data on Exchange Connector issues
To get a list of all mobile devices for a mailbox, use Get-MobileDeviceStatistics -mailbox mbx
To get a list of SMTP addresses for a mailbox, use Get-Mailbox -Identity user | select emailaddresses | fl
To get detailed information about a device's access state, use Get-CASMailbox <upn> | fl
The computer that hosts the Intune Exchange Connector and the Exchange Client
Access Server (CAS) should be domain-joined and on the same LAN. Make sure that
the required permissions are added for the account that's used by the Intune
Exchange connector.
The Intune Exchange Connector sends a request to the EWS URL by using the
notification account credentials to send notification email messages together with
the Get Started link (to enroll in Intune). Use of the Get Started link to enroll is a
requirement for Android non-Knox devices. Otherwise, these devices will be
blocked by Conditional Access.
Make sure users have an Intune license. If not, the Exchange connector won't
discover their devices.
If the user's primary SMTP address is different from the user principal name (UPN)
in Azure Active Directory (Azure AD), the Exchange connector won't discover any
devices for that user. Fix the primary SMTP address to resolve the issue.
If you have both Exchange 2010 and Exchange 2013 mailbox servers in your
environment, we recommend pointing the Exchange connector to an Exchange
2013 Client Access server (CAS). If the Exchange connector is set up to
communicate with an Exchange 2010 CAS, the Exchange connector won't discover
any user devices on Exchange 2013.
For Exchange Online Dedicated environments, you must point the Exchange
connector to an Exchange 2013 CAS (not an Exchange 2010 CAS) in the dedicated
environment during the initial setup. The connector will communicate only with an
Exchange 2013 CAS when it executes PowerShell cmdlets.
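As an added example (not from the Intune documentation), the following script ties the cmdlets above to the discovery requirements in this list for a single user: it flags a primary SMTP address that differs from the UPN, lists the mailbox's EAS devices, and shows the mailbox's ActiveSync state. It assumes the on-premises UPN is the one synchronized to Azure AD; the $Upn value is a placeholder.

```powershell
# Added example (not from the Intune docs): per-user checks for Exchange Connector
# device discovery. Run in the Exchange Management Shell (or a remote Exchange
# PowerShell session) with Exchange administrator permissions.
param(
    [string]$Upn = 'user@contoso.com'   # placeholder: the user being investigated
)

$mailbox = Get-Mailbox -Identity $Upn -ErrorAction Stop

# 1. The primary SMTP address must match the UPN, or the connector won't discover
#    any devices for the user (assumes the on-premises UPN is synchronized to Azure AD).
$primarySmtp = $mailbox.PrimarySmtpAddress.ToString()
if ($primarySmtp -ne $mailbox.UserPrincipalName) {
    Write-Warning ("Primary SMTP address ({0}) differs from UPN ({1}); " +
        "the Exchange connector will not discover this user's devices.") -f
        $primarySmtp, $mailbox.UserPrincipalName
} else {
    Write-Output "Primary SMTP address matches the UPN: $primarySmtp"
}

# 2. Every EAS device for the mailbox, with the identifiers and access state the
#    connector works with (DeviceId is what Conditional Access evaluates).
Get-MobileDeviceStatistics -Mailbox $Upn |
    Select-Object DeviceType, DeviceModel, DeviceId, DeviceAccessState,
                  DeviceAccessStateReason, LastSuccessSync |
    Format-Table -AutoSize

# 3. Mailbox-level ActiveSync state: is EAS enabled, and are any device IDs
#    explicitly allowed or blocked outside of Intune?
Get-CASMailbox -Identity $Upn |
    Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs,
                  ActiveSyncBlockedDeviceIDs, ActiveSyncMailboxPolicy |
    Format-List
```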
Users don't receive the notification email message
To support Conditional Access for on-premises mailboxes on devices that don't run
Android Knox, make sure Intune enrollment starts from the "Get Started Now" email
message that the Intune Exchange connector sends. Starting enrollment from the
message ensures that the device receives a unique ActiveSyncID across all platforms
(Exchange, Azure AD, Intune).
The Exchange Web Services (EWS) request to send the email message failed.
The account has an active mailbox that's hosted by your Exchange on-premises server.
Check Autodiscover
If Autodiscover fails, try the following steps:
2. Hard-code the EWS URL in the Intune Exchange connector configuration file:
a. Determine the EWS URL. The default EWS URL for Exchange is
https://<mailServerFQDN>/ews/exchange.asmx , but your URL might differ.
Contact the Exchange administrator to verify the correct URL for your
environment.
geWebServiceURL>
3. Save the file, and then restart the computer or restart the Microsoft Intune
Exchange connector service.
Note
In this configuration, the Intune Exchange connector stops using Autodiscover and
instead connects directly to the EWS URL.
This article can help Intune administrators resolve specific errors and messages about
the operation of the Intune Exchange Connector.
When you try to configure the Microsoft Intune Exchange Connector, you receive the
following error message:
Verify that the FQDN of the exchange server address and credentials that
you entered is correct and the server is running. The Microsoft Intune
Exchange Connector does not support Exchange server arrays.
This problem can occur if the Internet proxy settings are misconfigured.
Solution:
1. Contact the local network administrator to make sure that the proxy settings are
configured correctly.
2. Use the Netsh winhttp command to configure the proxy server and add the
required exclusion list. For example:
When you try to configure the Microsoft Intune Exchange Connector, you receive the
following error message:
This problem can occur if the account that you used to sign in to Intune isn't an Intune
Global Administrator account.
Solution:
Sign in to Intune with an account that is a Global Administrator, or add your account to
the Global Admin group. For more information, see Role-based administration control
(RBAC) with Microsoft Intune.
When you try to configure the Microsoft Intune Exchange Connector, you receive the
following error message:
Verify that you are connected to the Internet, check the Microsoft Intune
Service Status, and try to connect again.
This error can occur if a proxy server is used to connect to the Internet and is blocking
traffic to the Intune Service. To determine whether a proxy is in use, go to Control Panel
> Internet Options, select the Connection tab, and then click LAN Settings.
Solution:
Option 1 - Remove the proxy settings to allow the computer to connect to the
Internet without going through the proxy.
An iOS device fails to enroll in Intune and generates one of the following error
messages:
Date: <time>
Level: Error
Keywords: Classic
User: N/A
Computer: <computer>
Description:
Date: <time>
Level: Error
Keywords: Classic
User: N/A
Computer: <computer>
Description:
The WIEC service was unable to log on as .\WIEC_USER with the currently
configured password because of the following error:
Logon failure: the user has not been granted the requested logon type at
this computer.
Service: WIEC
This service account does not have the required user right "Log on as a
service."
This problem can occur if the WIEC_User account doesn't have the Log on as a service
user right in the local policy.
Solution:
On the computer that runs the Intune Exchange Connector, assign the Log on as a
service user right to the WIEC_User service account. If the computer is a node in a
cluster, make sure to assign the Log on as a service user right to the cluster service
account on all nodes in the cluster.
To assign the Log on as a service user right to the WIEC_User service account on the
computer, follow these steps:
If the Log on as a service user right was assigned to WIEC_User but was later removed,
contact the domain administrator to determine whether a Group Policy setting is
overwriting it.
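The following is an added example (not from the Intune documentation) that checks whether the WIEC service account currently holds the Log on as a service right (SeServiceLogonRight) by exporting the effective local user-rights assignments with secedit, and then shows which Group Policy objects apply to the computer so you can see what might be overwriting it. The account name WIEC_User comes from the event text above; the service name WIEC is taken from the same event and is otherwise an assumption.

```powershell
# Added example (not from the Intune docs): verify the "Log on as a service" right for the
# Exchange Connector service account. Run in an elevated PowerShell session on the
# computer that runs the Intune Exchange Connector.
$AccountName = 'WIEC_User'   # from the event text on this page
$ServiceName = 'WIEC'        # from the event text on this page (assumption otherwise)

# Resolve the local account to its SID; secedit may list holders either as names or as *SIDs.
$sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy to an .inf file.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entry = (Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
          Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue

# The entry looks like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20,WIEC_User
$holders = @()
if ($entry) {
    $holders = ($entry -split '=', 2)[1].Trim() -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
$granted = ($holders -contains $sid) -or ($holders -contains $AccountName) -or
           ($holders -contains "$env:COMPUTERNAME\$AccountName")

if ($granted) {
    Write-Output "$AccountName ($sid) holds SeServiceLogonRight."
} else {
    Write-Warning "$AccountName ($sid) lacks SeServiceLogonRight; the $ServiceName service cannot log on."
}

# Current state of the connector service and the account it is configured to run as.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ("Service {0}: state={1}, start account={2}" -f $svc.Name, $svc.State, $svc.StartName)
}

# If the right keeps disappearing, a domain GPO is usually re-applying user-rights
# assignments; list the GPOs applied to this computer for the domain administrator.
gpresult /scope computer /r 2>$null |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
```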
This article provides guidance on how to troubleshoot BitLocker encryption on the client side.
While the Microsoft Intune encryption report can help you identify and troubleshoot common
encryption issues, some status data from the BitLocker configuration service provider (CSP)
might not be reported. In these scenarios, you will need to access the device to investigate
further.
1. An administrator configures a BitLocker policy in Intune with the desired settings, and
targets a user group or device group.
2. The policy is saved to a tenant in the Intune service.
3. A Windows 10 Mobile Device Management (MDM) client syncs with the Intune service and
processes the BitLocker policy settings.
4. The BitLocker MDM policy Refresh scheduled task runs on the device and replicates the
BitLocker policy settings to the full volume encryption (FVE) registry key.
5. BitLocker encryption is initiated on the drives.
The encryption report will show encryption status details for each targeted device in Intune. For
detailed guidance on how to use this information for troubleshooting, see Troubleshooting
BitLocker with the Intune encryption report.
Once you have access to the device, the first step is to initiate a sync with the Intune service
manually before collecting the data. On your Windows device, select Settings > Accounts >
Access work or school > <Select your work or school account> > Info. Then under Device sync
status, select Sync.
Location: Right-click on Start Menu > Event Viewer > Applications and Service Logs >
Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
To filter this log, right-click the event log and select Filter Current Log > Critical/Error/Warning.
Then search through the filtered logs for BitLocker (press F3 and enter the text).
Errors in BitLocker settings will follow the format of the BitLocker CSP, so you will see entries like
this:
./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
or
./Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation
Note
You can also enable debug logging for this event log using the Event Viewer for
troubleshooting.
Usually, errors are logged here if there are hardware or software prerequisites missing that the
policy requires such as Trusted Platform Module (TPM) or Windows Recovery Environment
(WinRE).
As shown in the following example, conflicting policy settings that cannot be implemented
during silent encryption and manifest as group policy conflicts are also logged:
Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group
Policy settings. When write access to drives not protected by BitLocker is denied, the use of
a USB startup key cannot be required. Please have your system administrator resolve these
policy conflicts before attempting to enable BitLocker.
Solution: Configure the compatible TPM startup PIN to Blocked. This resolves the conflicting
Group Policy settings when using silent encryption.
You must set the PIN and TPM startup key to Blocked if silent encryption is required.
Configuring the TPM startup PIN and startup key to Allowed, and the other startup key and
PIN settings to Blocked, for user interaction results in a conflicting Group Policy error in the
BitLocker-API event log. Also, if you configure the TPM startup PIN or startup key to require
user interaction, silent encryption fails.
Configuring any of the compatible TPM settings to Required will cause silent encryption to fail.
Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this
computer.
Solution: Ensure there is a TPM available on the device and if it is present, check the status via
TPM.msc or the PowerShell cmdlet get-tpm.
If the BitLocker-API log displays the following status, it means that Windows has detected an
attached Direct memory access (DMA)-capable device that might expose a DMA threat.
Solution: To remediate this issue, first verify that the device has no external DMA ports with the
original equipment manufacturer (OEM). Then follow these steps to add the device to the
allowed list. Note: Only add a DMA device to the allowed list if it is an internal DMA
interface/bus.
Location: Right-click on Start Menu > Event Viewer > Windows Logs > System
File system location: C:\Windows\System32\winevt\Logs\System.evtx
Filter on these event sources to help identify any hardware-related issues that the device may be
experiencing with the TPM, and check with the OEM whether any firmware updates are
available.
Location: Event Viewer > Applications and Service Logs > Microsoft > Windows >
TaskScheduler
File system location: C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
Important
You must manually enable this event log before logging any data because the log will
identify any problems running the BitLocker MDM policy Refresh scheduled task.
1. To enable this log, right-click on Start Menu > Event Viewer > Applications and Services
> Microsoft > Windows > TaskScheduler > Operational.
2. Then enter task scheduler in the Windows search box, and select Task Scheduler >
Microsoft > Windows > BitLocker. Right-click on BitLocker MDM policy Refresh and
choose Run.
3. When the run is complete, inspect the Last Run Result column for any error codes and
examine the task schedule event log for errors.
In the example above, 0x0 means the task ran successfully. The error 0x41303 means the task
has never run.
Note
For more information about Task Scheduler error messages, see Task Scheduler Error and
Success Constants.
For a tutorial of this process, see the YouTube video How to create an Intune MDM diagnostic
report on Windows devices.
You can also use the MDM Diagnostic Report to identify whether a policy has been successfully
sent to the device with the settings the administrator configured. By using the BitLocker CSP as a
reference, you can decipher which settings have been picked up when syncing with the Intune
service. You can use the report to determine if the policy is targeting the device and use the
BitLocker CSP documentation to identify what settings have been configured.
MSINFO32
MSINFO32 is an information tool that contains device data you can use to determine if a device
satisfies BitLocker prerequisites. The required prerequisites will depend on BitLocker policy
settings and the required outcome. For example, silent encryption for TPM 2.0 requires a TPM
and Unified Extensible Firmware Interface (UEFI).
Location: In the Search box, enter msinfo32, right-click System Information in the search
results, and select Run as administrator.
File system location: C:\Windows\System32\Msinfo32.exe.
However, if this item doesn't meet the prerequisites, it doesn't necessarily mean that you can't
encrypt the device using an Intune policy.
If you have configured the BitLocker policy to encrypt silently and the device is using TPM
2.0, it is important to verify that BIOS mode is UEFI. If the TPM is 1.2, then having the BIOS
mode in UEFI is not a requirement.
Secure boot, DMA protection, and PCR7 configuration are not required for silent
encryption but might be highlighted in Device Encryption Support. This is to ensure
support for automatic encryption.
BitLocker policies that are configured to not require a TPM and have user interaction rather
than encrypt silently will also not have prerequisites to check in MSINFO32.
TPM.MSC file
TPM.msc is a Microsoft Management Console (MMC) snap-in file. You can use TPM.msc to
determine whether your device has a TPM, to identify the version, and to check whether it is
ready for use.
Location: In the Search box, enter tpm.msc, and then right-click and select Run as
administrator.
File system location: MMC Snap-in C:\Windows\System32\mmc.exe.
TPM is not a prerequisite for BitLocker but is highly recommended due to the increased security
it provides. However, TPM is required for silent and automatic encryption. If you're trying to
encrypt silently with Intune and there are TPM errors in the BitLocker-API and system event logs,
TPM.msc will help you understand the problem.
The following example shows a healthy TPM 2.0 status. Note the specification version 2.0 in the
bottom right and that the status is ready for use.
This example shows an unhealthy status when the TPM is disabled in the BIOS:
Configuring a policy to require a TPM and expecting BitLocker to encrypt when the TPM is
missing or unhealthy is one of the most common issues.
Get-Tpm cmdlet
A cmdlet is a lightweight command in the Windows PowerShell environment. In addition to
running TPM.msc, you can verify the TPM using the Get-Tpm cmdlet. You will need to run this
cmdlet with administrator rights.
Location: In the Search box enter cmd, and then right-click and select Run as
administrator > PowerShell > get-tpm.
In the example above, you can see that the TPM is present and active in the PowerShell window.
The values equal True. If the values were set to False, it would indicate a problem with the TPM.
BitLocker will not be able to use the TPM until it is present, ready, enabled, activated, and
owned.
Location: In the Search box, enter cmd, right-click and select Run as administrator, and
then enter manage-bde -status.
File system location: C:\Windows\System32\manage-bde.exe.
You can use manage-bde to discover the following information about a device:
Is it encrypted? If reporting in the Microsoft Intune admin center indicates a device is not
encrypted, this command-line tool can identify the encryption status.
Which encryption method has been used? You can compare information from the tool to
the encryption method in the policy to make sure they match. For example, if the Intune
policy is configured to XTS-AES 256-bit and the device is encrypted using XTS-AES 128-bit,
this will result in errors in Microsoft Intune admin center policy reporting.
What specific protectors are being used? There are several combinations of protectors.
Knowing which protector is used on a device will help you understand if the policy has
been applied correctly.
Location: Right-click on Start > Run and then enter regedit to open the Registry Editor.
Default file system location:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker
The MDM agent registry key will help you identify the Globally Unique Identifier (GUID) in the
PolicyManager that contains the actual BitLocker policy settings.
The GUID is highlighted in the above example. You can include the GUID (it will be different for
each tenant) in the following registry subkey to troubleshoot BitLocker policy settings:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\<GUID>\default\Device\BitLocker
This report shows the BitLocker policy settings that have been picked up by the MDM agent
(OMADM client). These are the same settings that you will see in the MDM Diagnostic report, so
this is an alternative way of identifying settings that the client has picked up.
Example of SystemDrivesRecoveryOptions:
Use the BitLocker CSP documentation to decode all of the setting names in the registry.
Location: Right-click on Start > Run, enter cmd. Then right-click cmd and select Run as
administrator > reagentc /info.
File system location: C:\Windows\System32\ReAgentC.exe.
Tip
If you see error messages in the BitLocker-API log about WinRE not being enabled, run the
reagentc /info command on the device to determine the WinRE status.
If the WinRE status is disabled, run the reagentc /enable command as an administrator to
enable it manually:
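The checks described in this article (Get-Tpm, firmware mode, reagentc, manage-bde -status, the PolicyManager registry keys, the BitLocker MDM policy Refresh task and the event logs) can be collected in one pass. The following is an added example, not from the Intune documentation, that does so; it uses Get-BitLockerVolume in place of manage-bde -status, and the $ExpectedMethod value is an assumption to set to whatever the Intune policy requires.

```powershell
# Added example (not from the Intune docs): one-pass BitLocker prerequisite and policy
# diagnostics. Run in an elevated PowerShell session on the Windows 10/11 device.
$ExpectedMethod = 'XtsAes256'   # placeholder; other values: XtsAes128, Aes128, Aes256

function Get-BitLockerDiagnostics {
    $r = [ordered]@{}

    # 1. TPM: BitLocker can use it only when present, ready, enabled, activated and owned.
    $tpm = Get-Tpm
    $r.TpmOk = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmEnabled -and
                      $tpm.TpmActivated -and $tpm.TpmOwned)
    $spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
                 -ErrorAction SilentlyContinue).SpecVersion
    $r.TpmSpecVersion = $spec

    # 2. Firmware mode: silent encryption with TPM 2.0 requires UEFI (not needed for TPM 1.2).
    $r.FirmwareType = $env:firmware_type
    $r.UefiRequirementMet = -not ($spec -like '2.0*' -and $env:firmware_type -ne 'UEFI')

    # 3. WinRE status, parsed from the "Windows RE status: Enabled" line of reagentc /info.
    $reLine = (reagentc /info | Select-String -Pattern 'Windows RE status').Line
    $r.WinREEnabled = [bool]($reLine -match 'Enabled')

    # 4. Volume state, encryption method versus policy, and the protectors in use.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.VolumeStatus = $vol.VolumeStatus
    $r.EncryptionMethod = $vol.EncryptionMethod
    $r.MethodMatchesPolicy = ("$($vol.EncryptionMethod)" -eq $ExpectedMethod)
    $r.KeyProtectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    # 5. BitLocker settings the MDM (OMA-DM) client received, from the PolicyManager keys.
    $cur = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker' `
               -ErrorAction SilentlyContinue
    $r.CurrentPolicy = $cur | Select-Object -Property * -ExcludeProperty PS*
    $r.ProviderPolicies = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers' `
            -ErrorAction SilentlyContinue | ForEach-Object {
        $path = Join-Path $_.PSPath 'default\Device\BitLocker'
        if (Test-Path $path) {
            [PSCustomObject]@{
                ProviderGuid = $_.PSChildName
                Settings     = Get-ItemProperty $path | Select-Object -Property * -ExcludeProperty PS*
            }
        }
    }

    # 6. Last result of the BitLocker MDM policy Refresh task (0x0 = success, 0x41303 = never run).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\BitLocker\' `
                -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        $r.RefreshTaskLastRun = $info.LastRunTime
        $r.RefreshTaskLastResult = ('0x{0:X}' -f $info.LastTaskResult)
    }

    # 7. Recent errors/warnings mentioning BitLocker in the MDM diagnostics and BitLocker-API logs.
    $logs = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
            'Microsoft-Windows-BitLocker/BitLocker Management'
    $r.RecentErrors = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } -MaxEvents 50 `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'BitLocker' } |
            Select-Object TimeCreated, LogName, Id,
                @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }

    [PSCustomObject]$r
}

$diag = Get-BitLockerDiagnostics
$diag | Select-Object -Property * -ExcludeProperty CurrentPolicy, ProviderPolicies, RecentErrors |
    Format-List
$diag.CurrentPolicy     | Format-List
$diag.ProviderPolicies  | Format-List
$diag.RecentErrors      | Format-Table -AutoSize -Wrap
```

Decode the setting names in CurrentPolicy and ProviderPolicies with the BitLocker CSP documentation, as the article describes for the registry view.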
Summary
When BitLocker fails to enable on a Windows 10 device using an Intune policy, in most cases,
the hardware or software prerequisites are not in place. Examining the BitLocker-API log will
help you identify which prerequisite is not satisfied. The most common issues are:
Policy misconfiguration can also cause encryption failures. Not all Windows devices can encrypt
silently so think about the users and devices that you're targeting.
Configuring a startup key or PIN for a policy intended for silent encryption will not work because
of the user interaction required when enabling BitLocker. Keep this in mind when configuring
the BitLocker policy in Intune.
Verify whether the policy settings have been picked up by the device to determine whether the
targeting has been successful.
It is possible to identify the policy settings using MDM diagnostics, registry keys, and the device
management enterprise event log to verify if settings were successfully applied. The BitLocker
CSP documentation can help you decipher these settings to understand whether they match
what has been configured in the policy.
This article helps Intune administrators understand and troubleshoot problems with
integration of Jamf Pro for macOS with Microsoft Intune. Each of the following sections
describes a common issue, and offers a potential cause and troubleshooting steps for a
resolution.
Important
Starting from September 1, 2024, the platform that Jamf Pro's Conditional Access
feature is built on will no longer be supported.
If you use Jamf Pro's Conditional Access integration for macOS devices, follow
Jamf's documented guidelines to migrate your devices from macOS Conditional
Access to macOS Device Compliance.
If you have questions or need help, contact Jamf Customer Success. For more
information, see Transitioning Jamf macOS devices from Conditional Access to
Device Compliance.
Prerequisites
Before you start troubleshooting, collect some basic information to clarify the problem
and reduce the time to find a resolution. For example, when you encounter a Jamf-
Intune integration-related issue, always verify that prerequisites have been met.
Consider the following before you start troubleshooting:
Review the prerequisites from the following articles, depending on how you
configure Jamf Pro integration with Intune:
Use the Jamf Cloud Connector to integrate Jamf Pro with Intune
Integrate Jamf Pro with Intune
All users must have Microsoft Intune and Microsoft Azure Active Directory (Azure
AD) Premium P1 licenses
You must have a user account that has Microsoft Intune Integration permissions in
the Jamf Pro console.
You must have a user account that has Global Admin permissions in Azure.
Collect the following information when investigating Jamf Pro integration with Intune:
Solution
After a device is marked as Unresponsive by Jamf Pro, the enrolled user of the device
must sign in to correct the non-responsive state. It must be the user who has workplace-
joined the account as they have the identity from Intune in their keychain.
Microsoft Teams wants to sign using key "Microsoft Workplace Join Key" in your
keychain.
To allow this, enter the "login" keychain password
Cause: These prompts are generated by Jamf Pro for each applicable app that requires
Azure AD registration.
Solution
At the prompt, the user must provide their device password to sign in to Azure AD.
Options include:
Selecting Always Allow for one app only approves that app for future sign-in. Additional
apps prompt for authentication until they also are set as Always Allow. Cached
credentials for one app can't be used by another app.
Solution
Review and if necessary correct the permissions for the Jamf app. If you use the Jamf Pro
Cloud Connector, this app was created for you. If you manually configured the
integration, you created the app in Azure AD. For the app permissions, see Create an
application (for Jamf) in Azure AD.
Cause 2 - Wrong tenant or account
The Jamf Native macOS Connector app wasn't created in your Azure AD tenant or
consent for the connector was signed by an account that doesn't have global admin
rights.
Solution
See the Configuring macOS Intune Integration section in Integrating with Microsoft
Intune on docs.jamf.com.
Solution
Jamf license: Contact Jamf for assistance to obtain a new license for Jamf.
Intune license: Assign the user a valid license or contact Microsoft or your Partner
for information about how to obtain a current license.
To determine which service the device used to enroll and register, look in the Company
Portal app on the device. When registered through Jamf, you should receive a
notification to open the Self-Service app to make changes.
In the Company Portal app, the user might see Not registered, and an entry similar to
the following example might appear in the Company Portal logs:
Solution
To change the registration source from Intune to Jamf:
1. Remove the macOS device from Intune. To avoid further complications for devices
that aren't fully removed from Intune, see Cause 6 below.
2. On the device, use Jamf Self Service to open the Company Portal app, and then
register the device with Azure AD. This task requires you to have already
completed the following tasks:
3. When the portal opens, the first screen you see prompts you to sign in. Use your work or school account.
4. The Company Portal confirms your account information and shows your Device
Enrollment and Device Compliance statuses. Yellow triangles highlight the actions
you need to take to secure your macOS device for school or work. Click Begin to
start enrollment.
It might take a few minutes to register your device. You'll receive a message after the
registration is completed to let you know you're done.
Invalid command line input Registration-only command line flag (-r) can only be
used when partner management is enabled in Intune. Please contact your IT admin.
The Jamf Pro server sends a pulse to the Intune servers when integration is turned off
that tells Intune that integration is disabled.
Solution
Re-enable Intune integration within Jamf Pro. See the following depending on how you
configure integration:
Use the Jamf Cloud Connector to integrate Jamf Pro with Intune
Manually configure Microsoft Intune Integration in Jamf Pro.
Cause 6 - The device was previously enrolled in Intune
If a device is unenrolled from Jamf but not correctly removed from Intune (if it had been
enrolled previously), or if the user has made several registration attempts, you might see
multiple instances of the same device in the portal. This causes Jamf enrollment to fail.
Solution
/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info
/Library/Application Support/com.microsoft.CompanyPortal
/Library/Application Support/com.jamfsoftware.selfservice.mac
/Library/Saved Application State/com.jamfsoftware.selfservice.mac.savedState
/Library/Saved Application State/com.microsoft.CompanyPortal.savedState
/Library/Preferences/com.microsoft.CompanyPortal.plist
/Library/Preferences/com.jamfsoftware.selfservice.mac.plist
/Library/Preferences/com.jamfsoftware.management.jamfAAD.plist
/Users/<username>/Library/Cookies/com.microsoft.CompanyPortal.binarycookies
/Users/<username>/Library/Cookies/com.jamf.management.jamfAAD.binarycookies
com.microsoft.CompanyPortal
com.microsoft.CompanyPortal.HockeySDK
enterpriseregistration.windows.net
https://device.login.microsoftonline.com
https://device.login.microsoftonline.com/
7. Remove anything from the keychain on the device that references Microsoft,
Intune, or Company Portal, including DeviceLogin.microsoft.com certificates.
Remove JAMF references except for JAMF public and private key.
Important
Removing the public and private key will break device enrollment.
11. Go to portal.manage.microsoft.com and delete all instances of the Mac device. Wait at least 30 minutes before you go to the next step.
JamfAAD wants to access key "Microsoft Workplace Join Key" in your keychain. To
allow this, enter the "login" keychain password
Solution
To successfully register the device with Azure AD, Jamf requires the user to provide their
account password, and select Allow.
This request is similar to the keychain sign-in prompt that Mac devices show when you open an app.
Mac device shows compliant in Intune but noncompliant in Azure
Cause: The following conditions can cause a device to show as compliant in Intune but
not as compliant in Azure:
Solution
To resolve this issue, follow the steps in Cause 6.
When a device is removed from Intune and Jamf Pro integration, some data can be left
behind which can cause successive registrations to create duplicate entries.
Solution
To resolve this issue, follow the steps in Cause 6.
Solution
Modify compliance policy for macOS devices to be assigned to user groups.
Could not retrieve the access token for Microsoft Graph API. Check the
Cause 1
There's a permission issue with the Jamf Pro application in Azure. While registering the
Jamf Pro app in Azure, one of the following conditions occurred:
Solution
See the resolution for Cause 1 for Devices fail to register, earlier in this article.
Cause 2
A license required for Jamf-Intune integration has expired.
Solution
See the resolution for Cause 3 for Devices fail to register.
Cause 3
The required ports aren't open on your network.
Solution
Review the information for network ports in Prerequisites for integrating Jamf Pro with Intune.
In Microsoft Intune, you can add third-party certificate authorities (CAs) and have these CAs issue and validate certificates using the Simple Certificate Enrollment Protocol (SCEP). Add third-party certification authority provides an overview of this feature and describes the administrator tasks in Intune.
There are also some developer tasks that use an open-source library that Microsoft
published in GitHub.com. The library includes an API that:
Using this API, your third-party SCEP server integrates with the Intune SCEP
management solution for MDM devices. The library abstracts aspects such as
authentication, service location, and the ODATA Intune Service API from its users.
Devices that check in with Intune are assigned the SCEP profile and are configured with these parameters. Intune creates a dynamically generated SCEP challenge password and assigns it to the device.
Intune encrypts this information, signs the encrypted blob, and then packages these
details into the SCEP challenge password.
Devices contacting the SCEP server to request a certificate then present this SCEP challenge password. The SCEP server sends the CSR and the encrypted SCEP challenge password to Intune for validation. Both the challenge password and the CSR must pass validation before the SCEP server issues a certificate to the device. When a SCEP challenge is validated, the following checks happen:
The SCEP management solution also includes reporting. An administrator can get
information on the deployment status of the SCEP profile, and about the certificates
issued to the devices.
Integrating the library into your products includes the following steps. These steps
require knowledge on working with GitHub repositories, and creating solutions and
projects in Visual Studio.
5. Include the library in the project that builds your SCEP server
7. Complete integration testing (in this article), and address any issues
How the SCEP Server needs to be onboarded in the Microsoft Intune admin
center
How to get the Azure Application Identifier and Azure Application Key
needed to configure the library
For guidance on registering an application, and getting the IDs and keys, see Use portal
to create an AAD application and service principal to access resources.
IntuneScepServiceClient class
The IntuneScepServiceClient class includes the methods used by the SCEP service to
validate SCEP passwords, to notify Intune about certificates that are created, and to list
any errors.
IntuneScepServiceClient constructor
Signature:
Java
IntuneScepServiceClient(
Properties configProperties)
Description:
Parameters:
Throws:
Important
It's best to instantiate an instance of this class, and use it to process multiple SCEP
requests. Doing so reduces overhead, as it caches authentication tokens and service
location information.
Security notes
The SCEP server implementer must protect the data entered in the configuration
properties persisted to storage against tampering and disclosure. It's recommended to
use proper ACLs and encryption to secure the information.
ValidateRequest method
Signature:
Java
void ValidateRequest(
String transactionId,
String certificateRequest)
Description:
Parameters:
Throws:
Important
Exceptions thrown by this method should be logged by the server. Note that the IntuneScepServiceException properties have detailed information on why the certificate request validation failed.
Security notes:
If this method throws an exception, the SCEP server must not issue a certificate to
the client.
SCEP certificate request validation failures may indicate a problem in the Intune
infrastructure. Or, they could indicate that an attacker is trying to get a certificate.
SendSuccessNotification method
Signature:
Java
void SendSuccessNotification(
String transactionId,
String certificateRequest,
String certThumbprint,
String certSerialNumber,
String certExpirationDate,
String certIssuingAuthority)
Description:
Parameters:
Throws:
Important
Exceptions thrown by this method should be logged by the server. Note that the IntuneScepServiceException properties have detailed information on why the certificate request validation failed.
Security notes:
If this method throws an exception, the SCEP server must not issue a certificate to
the client.
SCEP certificate request validation failures may indicate a problem in the Intune
infrastructure. Or, they could indicate that an attacker is trying to get a certificate.
SendFailureNotification method
Signature:
Java
void SendFailureNotification(
String transactionId,
String certificateRequest,
long hResult,
String errorDescription)
Description:
Notifies Intune that an error occurred while processing a SCEP request. This method
shouldn't be invoked for exceptions thrown by the methods of this class.
Parameters:
Throws:
Important
Exceptions thrown by this method should be logged by the server. Note that the
IntuneScepServiceException properties have detailed information on why the
certificate request validation failed.
Security notes:
If this method throws an exception, the SCEP server must not issue a certificate to
the client.
SCEP certificate request validation failures may indicate a problem in the Intune
infrastructure. Or, they could indicate that an attacker is trying to get a certificate.
SetSslSocketFactory method
Signature:
Java
void SetSslSocketFactory(
SSLSocketFactory factory)
Description:
Use this method to inform the client that it must use the specified SSL socket factory
(instead of the default) when communicating with Intune.
Parameters:
factory - The SSL socket factory that the client should use for HTTPS requests
Throws:
Note
If an SSL socket factory is required, it must be set before any of the other methods of this class are called.
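The following shows how the library methods described above fit together in a SCEP server's request path: one long-lived client, ValidateRequest before anything is signed, SendFailureNotification only for CA-side errors, and SendSuccessNotification after issuance. This is an added example, not code from the Intune documentation or from the GitHub library; the package name com.microsoft.intune.scepvalidation, the configuration property names (which this page does not list), the hResult value, and the CertificateAuthority/IssuedCert types are assumptions or placeholders for this illustration.

```java
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;

// Assumed package of the open-source library; confirm against the repository's README.
import com.microsoft.intune.scepvalidation.IntuneScepServiceClient;
import com.microsoft.intune.scepvalidation.IntuneScepServiceException;

/** Hypothetical CA facade: whatever your SCEP server uses to sign a PKCS#10 request. */
interface CertificateAuthority {
    IssuedCert issue(String csrBase64) throws Exception;
}

/** Hypothetical record of an issued certificate, in the string forms the notification takes. */
final class IssuedCert {
    final String thumbprintHex, serialNumberHex, expirationDate, issuerName;
    IssuedCert(String thumbprintHex, String serialNumberHex, String expirationDate, String issuerName) {
        this.thumbprintHex = thumbprintHex;
        this.serialNumberHex = serialNumberHex;
        this.expirationDate = expirationDate;
        this.issuerName = issuerName;
    }
}

public final class IntuneScepGate {
    private static final Logger LOG = Logger.getLogger(IntuneScepGate.class.getName());

    // One client for the lifetime of the server: it caches AAD tokens and
    // service-location lookups, so re-creating it per request only adds overhead.
    private final IntuneScepServiceClient intune;
    private final CertificateAuthority ca;

    public IntuneScepGate(Properties config, CertificateAuthority ca) throws Exception {
        // `config` carries the Azure application ID, key and tenant under the property
        // names defined by the library (not shown on this page). Load it from storage
        // that is ACL-restricted and encrypted, as the security notes require.
        this.intune = new IntuneScepServiceClient(config);
        this.ca = ca;
    }

    /** Returns the certificate to hand to the client, or null when the request must be denied. */
    public IssuedCert handle(String transactionId, String csrBase64) {
        // 1. Challenge-password validation. Any exception means: log it, issue nothing.
        try {
            intune.ValidateRequest(transactionId, csrBase64);
        } catch (Exception e) {
            if (e instanceof IntuneScepServiceException) {
                // The exception's properties say why validation failed. This may be an
                // Intune-side problem or a request that did not come from an enrolled device.
                LOG.log(Level.WARNING, "Intune rejected SCEP transaction " + transactionId, e);
            } else {
                LOG.log(Level.SEVERE, "Intune unreachable for transaction " + transactionId, e);
            }
            return null; // fail closed: the server must not issue a certificate
        }

        // 2. Issue from the CA. A CA-side error is what SendFailureNotification is for;
        //    it is not used for exceptions thrown by the library's own methods.
        IssuedCert cert;
        try {
            cert = ca.issue(csrBase64);
        } catch (Exception caError) {
            LOG.log(Level.SEVERE, "CA failed for transaction " + transactionId, caError);
            try {
                intune.SendFailureNotification(transactionId, csrBase64,
                        0x80004005L, // E_FAIL as a placeholder; map your CA's own error codes here
                        String.valueOf(caError.getMessage()));
            } catch (Exception notifyError) {
                LOG.log(Level.WARNING, "Failure notification not delivered", notifyError);
            }
            return null;
        }

        // 3. Report the issued certificate so Intune's SCEP profile reporting stays accurate.
        try {
            intune.SendSuccessNotification(transactionId, csrBase64,
                    cert.thumbprintHex, cert.serialNumberHex,
                    cert.expirationDate, cert.issuerName);
        } catch (Exception e) {
            // Per the security note above, the server must not hand the certificate to the
            // client if this call fails. The CA has already signed it, so log the serial for cleanup.
            LOG.log(Level.SEVERE, "Success notification failed for " + transactionId
                    + "; withholding serial " + cert.serialNumberHex, e);
            return null;
        }
        return cert;
    }
}
```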
Integration testing
Validating and testing that your solution is properly integrated with Intune is a must.
The following lists an overview of the steps:
See also
Add 3rd party CA overview
Setup Intune
Device enrollment
Configure SCEP certificate profiles (the Microsoft NDES Server\Connector setup
isn't used for this scenario)
Device Compliance settings for Android device administrator in Intune
Article • 02/21/2023
This article lists the compliance settings you can configure on Android device
administrator devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to mark rooted devices as not compliant, set an allowed
threat level, enable Google Play Protect, and more.
Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High
Device Health
Devices managed with device administrator
Rooted devices
Prevent rooted devices from having corporate access. (This compliance check is
supported for Android 4.0 and above.)
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Block - Mark rooted devices as not compliant.
Use this setting to take the risk assessment from a connected Mobile Threat
Defense service as a condition for compliance.
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Secured - This option is the most secure, as the device can't have any threats. If
the device is detected with any level of threats, it's evaluated as noncompliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a noncompliant status.
Medium - The device is evaluated as compliant if existing threats on the device
are low or medium level. If the device is detected to have high-level threats, it's
determined to be noncompliant.
High - This option is the least secure, and allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.
Important
Google Play services allows security updates, and is a base-level dependency for
many security features on certified-Google devices.
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Require that the Google Play services app is installed and enabled.
Up-to-date security provider
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Require that an up-to-date security provider can protect a device
from known vulnerabilities.
Note
To configure Google Play Protect settings using app protection policies, see Intune
app protection policy settings on Android.
Device Properties
When a device doesn't meet the minimum OS version requirement, it's reported as
noncompliant. A link with information about how to upgrade is shown. The end
user can choose to upgrade their device, and then get access to company
resources.
When a device is using an OS version later than the version specified in the rule,
access to company resources is blocked. The user is asked to contact their IT
admin. Until a rule is changed to allow the OS version, this device can't access
company resources.
System Security
Encryption
Encryption of data storage on a device
Device Security
Block apps from unknown sources
Supported on Android 4.0 to Android 7.x. Not supported by Android 8.0 and later
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Block - Block devices that have Security > Unknown Sources enabled (supported on Android 4.0 through Android 7.x; not supported on Android 8.0 and later).
Important
Side-loading applications require that the Block apps from unknown sources setting is enabled. Enforce this compliance policy only if you're not side-loading Android apps on devices.
Require - Choose Require to confirm the Company Portal app meets all the
following requirements:
Has the default runtime environment installed
Is properly signed
Isn't in debug-mode
Select the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD
format.
Restricted apps
Enter the App name and App bundle ID for apps that should be restricted, and
then select Add. A device with at least one restricted app installed is marked as
non-compliant.
Password
The available settings for passwords vary by the version of Android on the device.
This setting specifies the length of time without user input after which the mobile
device screen is locked. Options range from 1 Minute to 8 Hours. The
recommended value is 15 Minutes.
Not configured (default)
Android 10 and later
The following settings are supported on Android 10 or later, but not on Knox.
Password complexity
The following settings are supported on Android 9.0 and earlier, and any version of
Samsung Knox.
This setting specifies whether to require users to enter a password before access is
granted to information on their mobile devices. Recommended value: Require
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Users must enter a password before they can access their device.
Based on the configuration of this setting, one or more of the following options
are available:
Enter the minimum number of digits or characters that the user's password
must have.
Enter the idle time before the user must reenter their password. When you
choose Not configured (default), this setting isn't evaluated for compliance or
non-compliance.
Select the number of days before the password expires and the user must
create a new password.
Enter the number of recent passwords that can't be reused. Use this setting to
restrict the user from creating previously used passwords.
Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Android Enterprise devices.
Device compliance settings for Android (AOSP) in Intune
Article • 02/22/2023
This article lists the compliance settings you can configure for Android (AOSP) devices in
Intune. Use these settings as part of your mobile device management (MDM) solution to
define your organization's standards for:
Device health
Device properties
System security
Devices are also governed by tenant-wide compliance policy settings. To manage the
tenant-wide compliance policy settings in your tenant, sign in to Microsoft Intune admin
center and go to Endpoint security > Device compliance > Compliance policy settings.
To learn more about compliance policies, and what they do, see get started with device
compliance.
Android (AOSP)
Device health
Rooted devices
Device properties
Minimum OS version
When a device doesn't meet the minimum OS version requirement, it's reported as
noncompliant. A link with information about how to upgrade is shown. The end
user can choose to upgrade their device, and then get access to company
resources.
Maximum OS version
When a device is using an OS version later than the version specified in the rule,
access to company resources is blocked. The user is asked to contact their IT
admin. Until a rule is changed to allow the OS version, this device can't access
company resources.
Enter the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD
format.
System security
If you don't configure password requirements, the use of a device password is optional
and left up to the users to configure.
Note
There is a known issue that prevents Password required, no restriction
from working on Android (AOSP) devices.
The following password types are listed as options but are not supported
for Android (AOSP) devices: alphabetic, alphanumeric, and alphanumeric
with symbols.
Enter the maximum idle time allowed, from 1 minute to 8 hours, before the user
must re-enter their password to get back into their device. When you choose Not
configured (default), this setting isn't evaluated for compliance or non-compliance.
Encryption
Encryption of data storage on a device
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Encrypt data storage on your devices. Devices are encrypted when
you choose the Require a password to unlock mobile devices setting.
Next steps
Add actions for noncompliant devices.
Set device restrictions for AOSP devices.
Device compliance settings for Android Enterprise in Intune
Article • 02/21/2023
This article lists and describes the different compliance settings you can configure on
Android Enterprise devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to mark rooted devices as not compliant, set an allowed
threat level, enable Google Play Protect, and more.
Android Enterprise
Important
On Android Enterprise dedicated devices that are enrolled without Azure AD shared
device mode, users of the device will be unable to sign into resources protected by
Conditional Access policies, even if the device is compliant in Intune. To learn more
about shared device mode, see Overview of shared device mode in the Azure AD
documentation.
The security configuration framework is organized into distinct configuration levels that
provide guidance for personally owned and supervised devices, with each level building
off the previous level. The available levels and settings in each level vary by enrollment
mode:
When ready to proceed, create a compliance policy. For Platform, select Android
Enterprise.
Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High
Note
Microsoft Defender for Endpoint may not be supported on all Android Enterprise
enrollment types. Learn more about what scenarios are supported.
Device Health
Require the device to be at or under the Device Threat Level
Select the maximum allowed device threat level evaluated by your mobile threat
defense service. Devices that exceed this threat level are marked noncompliant. To
use this setting, choose the allowed threat level:
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Secured - This option is the most secure, and means that the device can't have
any threats. If the device is detected with any level of threats, it's evaluated as
noncompliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a noncompliant status.
Medium - The device is evaluated as compliant if the threats that are present on
the device are low or medium level. If the device is detected to have high-level
threats, it's determined to be noncompliant.
High - This option is the least secure, as it allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.
Note
All the Mobile Threat Defense (MTD) providers are supported on Android
Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile
deployments using app configuration. Check with your MTD provider for the exact
configuration needed to support Android Enterprise Fully Managed, Dedicated, and
Corporate-Owned Work Profile platforms on Intune.
Important
Devices operating in regions or countries where Google Mobile Services are not available will fail Google Play Protect compliance policy setting evaluations. For more information, see Managing Android devices where Google Mobile Services are not available.
Device Properties
When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The end user
can upgrade their device, and then access organization resources.
Maximum OS version
When a device is using an OS version later than the version in the rule, access to
organization resources is blocked. The user is asked to contact their IT
administrator. Until a rule is changed to allow the OS version, this device can't
access organization resources.
Select the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD format.
System Security
Require a password to unlock mobile devices
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - Users must enter a password before they can access their device.
Depending on the password type you select, the following settings are available:
Enter the minimum length the password must have, between 4 and 16
characters.
Enter the number of characters the password must have, between 0 and 16
characters.
Enter the number of uppercase characters the password must have, between 0
and 16 characters.
Enter the number of non-letters (anything other than letters in the alphabet) the
password must have, between 0 and 16 characters.
Enter the number of numeric characters (1, 2, 3, and so on) the password must have, between 0 and 16 characters.
Enter the number of symbol characters (&, #, %, and so on) the password must have, between 0 and 16 characters.
Enter the idle time before the user must reenter their password. Options include
the default of Not configured, and from 1 Minute to 8 hours.
Enter the number of days, between 1-365, until the device password must be changed. For example, to change the password after 60 days, enter 60. When the password expires, users are prompted to create a new password.
Enter the number of recent passwords that can't be reused, between 1-24. Use
this setting to restrict the user from creating previously used passwords.
Encryption
You don't have to configure this setting because Android Enterprise devices
enforce encryption.
Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High
Select the maximum allowed device threat level evaluated by your mobile threat
defense service. Devices that exceed this threat level are marked noncompliant. To
use this setting, choose the allowed threat level:
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Secured - This option is the most secure, and means that the device can't have
any threats. If the device is detected with any level of threats, it's evaluated as
noncompliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a noncompliant status.
Medium - The device is evaluated as compliant if the threats that are present on
the device are low or medium level. If the device is detected to have high-level
threats, it's determined to be noncompliant.
High - This option is the least secure, as it allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.
This setting is only available when SafetyNet device attestation is set to either Check
basic integrity or Check basic integrity & certified devices.
Select the evaluation type you want to use to compute the SafetyNet device
attestation response.
Not configured (defaults to basic evaluation) – (default)
Hardware-backed key – Require that hardware-backed key attestation is used
for SafetyNet evaluation. Devices that don’t support hardware-backed key
attestation are marked as not compliant.
For more information about SafetyNet and which devices support hardware-backed key attestation, see Evaluation types in the SafetyNet documentation for Android.
Note
Minimum OS version
When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The end user
can upgrade their device, and then access organization resources.
Maximum OS version
When a device is using an OS version later than the version in the rule, access to
organization resources is blocked. The user is asked to contact their IT
administrator. Until a rule is changed to allow the OS version, this device can't
access organization resources.
You don't have to configure this setting because Android Enterprise devices
enforce encryption.
Important
Side-loading applications require that the Block apps from unknown sources setting is enabled. Enforce this compliance policy only if you're not side-loading Android apps on devices.
You don't have to configure this setting as Android Enterprise devices always
restrict installation from unknown sources.
You don't have to configure this setting because USB debugging is already
disabled on Android Enterprise devices.
Select the oldest security patch level a device can have. Devices that aren't at least
at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD format.
This setting applies at the device level. If you only need to require a password at
the Personally-Owned Work Profile level, then use a configuration policy. See
Android Enterprise device configuration settings.
Enter the number of days, between 1-365, until the device password must be changed. For example, to change the password after 60 days, enter 60. When the password expires, users are prompted to create a new password.
Enter the number of recent passwords that can't be reused. Use this setting to
restrict the user from creating previously used passwords.
Enter the idle time before the user must reenter their password. Options include
the default of Not configured, and from 1 Minute to 8 hours.
Password complexity
Use this setting to set the password complexity requirements. Your options:
None - This setting isn't evaluated for compliance or non-compliance.
Low - A pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468)
sequences are allowed.
Medium - PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
are blocked. The length, alphabetic length, or alphanumeric length must be at
least 4 characters.
High - PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences are
blocked. The length must be at least 8 characters. The alphabetic or
alphanumeric length must be at least 6 characters.
On personally owned devices with a work profile, there are two passwords affected
by this Password complexity setting:
The device password that unlocks the device
The work profile password that allows users to access the work profile
If the device password complexity is too low, then the device password is
automatically changed to require a High complexity. The end users must update
the device password to meet the complexity requirements. Then, they sign into the
work profile and are prompted to update the work profile complexity configured in
the Password complexity setting in your policy.
Important
If the Required password type setting is changed from the Device default
value in a policy, then:
If the Required password type setting isn't changed from the Device
default value in a policy, then no password policy is automatically applied
to newly enrolled Android Enterprise 12+ devices.
Important
Depending on the Required password type you select, the following setting is available:
Enter the minimum length the password must have, between 4 and 16 characters.
Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Android devices.
Device Compliance settings for iOS/iPadOS in Intune
Article • 03/02/2023
This article lists and describes the different compliance settings you can configure on
iOS/iPadOS devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to require an email, mark rooted (jailbroken) devices as not
compliant, set an allowed threat level, set passwords to expire, and more.
iOS
iPadOS
The security configuration framework is organized into distinct configuration levels that
provide guidance for personally owned and supervised devices, with each level building
off the previous level.
For personally owned and for supervised devices, see iOS/iPadOS device
compliance security configurations
Email
Unable to set up email on the device
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - A managed email account is required. If the user already has an email
account on the device, the email account must be removed so Intune can set
one up correctly. If no email account exists on the device, the user should
contact the IT administrator to configure a managed email account.
For details about email profiles, see configure access to organization email using email
profiles with Intune.
Device Health
Jailbroken devices
Use this setting to take the risk assessment as a condition for compliance. Choose
the allowed threat level:
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Secured - This option is the most secure, and means that the device can't have
any threats. If the device is detected with any level of threats, it's evaluated as
non-compliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a non-compliant status.
Medium - The device is evaluated as compliant if the threats that are present on
the device are low or medium level. If the device is detected to have high-level
threats, it's determined to be non-compliant.
High - This option is the least secure, as it allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.
Device Properties
When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The end user
can choose to upgrade their device. After that, they can access organization
resources.
Maximum OS version
When a device uses an OS version later than the version in the rule, access to
organization resources is blocked. The end user is asked to contact their IT
administrator. The device can't access organization resources until a rule changes
to allow the OS version.
When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to specify a minimum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 20E772520a.
When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to enter a maximum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 20E772520a.
Select the maximum allowed machine risk score for devices evaluated by Microsoft
Defender for Endpoint. Devices that exceed this score get marked as
noncompliant.
Not configured (default)
Clear
Low
Medium
High
System Security
Password
Simple passwords
Enter the minimum number of digits or characters that the password must have.
Enter the minimum number of special characters, such as &, #, %, !, and so on,
that must be in the password.
Setting a higher number requires the user to create a password that is more
complex.
Specify how soon after the screen is locked before a user must enter a password to
access the device. Options include the default of Not configured, Immediately, and
from 1 Minute to 4 hours.
Enter the idle time before the device locks its screen. Options include the default of
Not configured, Immediately, and from 1 Minute to 15 Minutes.
Select the number of days before the password expires, and they must create a
new one.
Device Security
Restricted apps
You can restrict apps by adding their bundle IDs to the policy. If a device has the
app installed, the device is marked as non-compliant.
App name - Enter a user-friendly name to help you identify the bundle ID.
App Bundle ID - Enter the unique bundle identifier assigned by the app
provider. To find the bundle ID, see Bundle IDs for native iOS and iPadOS
apps at Support.apple.com, or contact the software vendor of the app.
This article lists and describes the different compliance settings you can configure for
Linux devices in Intune.
For Linux, compliance settings are available from the settings catalog instead of from a
pre-determined template as seen for other platforms. Therefore, when configuring a
compliance policy for Linux you choose the settings you want to include in your policy
by browsing the catalog and selecting them.
To learn more about compliance policies, and what they do, see get started with device
compliance.
Linux
Allowed Distros
Add entries that define a maximum and minimum OS version for a Linux distribution
type.
Users of devices that fail to meet the defined criteria need to install a different version or
distribution of Linux to bring the device into compliance.
Custom Compliance
Add the settings in this category when you use custom compliance settings for Linux.
For information about the available settings for custom compliance and how to use
them, see Use custom compliance policies and settings for Linux and Windows devices
with Microsoft Intune.
Device Encryption
Add settings to manage disk encryption.
Users of devices that aren’t encrypted receive a message that they must encrypt
the drives to bring the device into compliance.
There are several options for disk and partition encryption on Linux operating
systems. At this time, Intune recognizes any encryption system that uses the
underlying dm-crypt subsystem that has been standard on Linux systems for
some time.
The preferred method of setting up dm-crypt is to use the LUKS format with the
cryptsetup tool.
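As an added example (not Intune's own agent logic), the check can be approximated from the device tree that lsblk -J reports: the root filesystem counts as encrypted when its device, or any ancestor in the block stack, is a dm-crypt ("crypt") mapping, which covers a LUKS container mounted directly or carrying LVM. The lsblk output below is constructed sample data.

```python
"""Check whether a mounted filesystem sits on a dm-crypt device, from lsblk -J output.

Added example, not Intune's agent code. The two lsblk trees at the bottom are
constructed samples; live_status() queries a real Linux system instead.
"""
import json
import subprocess
from typing import Optional


def _mountpoints(node: dict) -> list:
    """lsblk emits 'mountpoint' (older util-linux) or 'mountpoints' (newer)."""
    if node.get("mountpoints"):
        return [m for m in node["mountpoints"] if m]
    return [node["mountpoint"]] if node.get("mountpoint") else []


def _walk(node: dict, chain: list, under_crypt: bool, target: str) -> Optional[dict]:
    """Depth-first walk; under_crypt stays True once a 'crypt' node is an ancestor."""
    chain = chain + [f"{node.get('name')}({node.get('type')})"]
    under_crypt = under_crypt or node.get("type") == "crypt"
    if target in _mountpoints(node):
        return {"chain": chain, "encrypted": under_crypt}
    for child in node.get("children", []):
        found = _walk(child, chain, under_crypt, target)
        if found:
            return found
    return None


def mount_encryption_status(lsblk_tree: dict, mountpoint: str = "/") -> Optional[dict]:
    """Return {'chain': [...], 'encrypted': bool} for the device holding mountpoint.

    'encrypted' is True when the filesystem's device or any ancestor in the
    stack (for example an LVM volume inside a LUKS container) has lsblk type
    'crypt', i.e. is a dm-crypt mapping. Returns None if nothing is mounted there.
    """
    for disk in lsblk_tree.get("blockdevices", []):
        found = _walk(disk, [], False, mountpoint)
        if found:
            return found
    return None


def live_status(mountpoint: str = "/") -> Optional[dict]:
    """Query the running system (Linux only; needs util-linux's lsblk)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return mount_encryption_status(json.loads(out), mountpoint)


# Constructed sample: LUKS container on sda2 with an LVM root volume inside it.
ENCRYPTED_SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-root", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
""")

# Constructed sample: plain root partition, no dm-crypt layer anywhere.
PLAIN_SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoints": [null], "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoints": ["/boot/efi"]},
    {"name": "nvme0n1p2", "type": "part", "mountpoints": ["/"]}
  ]}
]}
""")

if __name__ == "__main__":
    for label, tree in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, mount_encryption_status(tree))
```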
Password Policy
Enforce common password requirements for Linux devices:
Users that fail to meet password complexity requirements can receive a message that
they must use a strong password to bring the device into compliance.
If the Microsoft Intune app is still running, on the app's device details page or the
compliance issues page, select the Refresh link. The device starts a new check-in.
If the Microsoft Intune app isn't running, start the app and sign in. Signing in starts
a new check-in.
By default, the Microsoft Intune app periodically uses a background task to check
in while the computer is on and logged in.
Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
Device Compliance settings for macOS
settings in Intune
Article • 05/08/2023
This article lists and describes the different compliance settings you can configure on
macOS devices in Intune. As part of your mobile device management (MDM) solution,
use these settings to set a minimum or maximum OS version, set passwords to expire,
and more.
macOS
Device Health
Require a system integrity protection
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require macOS devices to have System Integrity Protection (opens
Apple's web site) enabled.
Device Properties
Minimum OS required
When a device doesn't meet the minimum OS version requirement, it's reported as
non-compliant. A link with information on how to upgrade is shown. The device
user can choose to upgrade their device. After that, they can access organization
resources.
When a device uses an OS version later than the version in the rule, access to
organization resources is blocked. The device user is asked to contact their IT
administrator. The device can't access organization resources until a rule changes
to allow the OS version.
When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to enter a minimum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 22E772610a.
When Apple publishes security updates, the build number is typically updated, not
the OS version. Use this feature to enter a maximum allowed build number on the
device. For Apple Rapid Security Response updates, enter the supplemental build
version, such as 22E772610a.
Password
Require a password to unlock mobile devices
Not configured (default)
Require - Users must enter a password before they can access their device.
Simple passwords
Not configured (default) - Users can create simple passwords, such as 1234 or 1111.
Block - Users can't create simple passwords, such as 1234 or 1111.
Enter the minimum number of digits or characters that the password must have.
Password type
Enter the minimum number of special characters, such as &, #, %, !, and so on,
that must be in the password.
Setting a higher number requires the user to create a password that is more
complex.
Enter the idle time before the user must reenter their password.
Select the number of days before the password expires, and they must create a
new one.
Encryption
Encryption of data storage on a device
Not configured (default)
Require - Use Require to encrypt data storage on your devices.
Device Security
Firewall protects devices from unauthorized network access. You can use Firewall to
control connections on a per-application basis.
Firewall
Not configured (default) - This setting leaves the firewall turned off, and
network traffic is allowed (not blocked).
Enable - Use Enable to help protect devices from unauthorized access. Enabling
this feature allows you to handle incoming internet connections, and use stealth
mode.
Incoming connections
Not configured (default) - Allows incoming connections and sharing services.
Block - Block all incoming network connections except the connections required
for basic internet services, such as DHCP, Bonjour, and IPSec. This setting also
blocks all sharing services, including screen sharing, remote access, iTunes
music sharing, and more.
Stealth Mode
Not configured (default) - This setting leaves stealth mode turned off.
Enable - Turn on stealth mode to prevent devices from responding to probing
requests, which can be made by malicious users. When enabled, the device
continues to answer incoming requests for authorized apps.
Gatekeeper
For more information, see Gatekeeper on macOS (opens Apple's web site).
Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for iOS devices.
Device Compliance settings for
Windows 10/11 in Intune
Article • 02/21/2023
This article lists and describes the different compliance settings you can configure on
Windows devices in Intune. As part of your mobile device management (MDM) solution,
use these settings to require BitLocker, set a minimum and maximum operating system,
set a risk level using Microsoft Defender for Endpoint, and more.
Windows 10/11
Windows Holographic for Business
Surface Hub
Device Health
Windows BitLocker Drive Encryption encrypts all data stored on the Windows
operating system volume. BitLocker uses the Trusted Platform Module (TPM) to
help protect the Windows operating system and user data. It also helps confirm
that a computer isn't tampered with, even if it's left unattended, lost, or stolen. If
the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock
the encryption keys that protect the data. As a result, the keys can't be accessed
until the TPM verifies the state of the computer.
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - The device can protect data that's stored on the drive from
unauthorized access when the system is off, or hibernates.
Device HealthAttestation CSP - BitLockerStatus
Note
If using a device compliance policy in Intune, be aware that the state of this
setting is only measured at boot time. Therefore, even though BitLocker
encryption may have completed, a reboot is required before the device detects
this and becomes compliant. For more information, see the following Microsoft
support blog on Device Health Attestation.
Code integrity is a feature that validates the integrity of a driver or system file each
time it's loaded into memory.
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Require code integrity, which detects if an unsigned driver or system
file is being loaded into the kernel. It also detects if a system file is changed by
malicious software or run by a user account with administrator privileges.
More resources:
For details about how the Health Attestation service works, see Health Attestation
CSP.
Support Tip: Using Device Health Attestation Settings as Part of Your Intune
Compliance Policy.
Device Properties
Minimum OS version:
When a device has an earlier version than the OS version you enter, it's reported as
noncompliant. A link with information on how to upgrade is shown. The end user
can choose to upgrade their device. After they upgrade, they can access company
resources.
Maximum OS version:
When a device is using an OS version later than the version entered, access to
organization resources is blocked. The end user is asked to contact their IT
administrator. The device can't access organization resources until the rule is
changed to allow the OS version.
When a device has an earlier version than the OS version you enter, it's reported as
noncompliant. A link with information on how to upgrade is shown. The end user
can choose to upgrade their device. After they upgrade, they can access company
resources.
Specify a list of minimum and maximum operating system builds. Valid operating
system builds provide additional flexibility when compared against minimum and
maximum OS versions. Consider a scenario where minimum OS version is set to
10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to
10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10
1903 device that doesn't have recent cumulative updates installed to be identified
as compliant. Minimum and maximum OS versions might be suitable if you have
standardized on a single Windows 10 release, but might not address your
requirements if you need to use multiple builds, each with specific patch levels. In
such a case, consider leveraging valid operating system builds instead, which
allows multiple builds to be specified as per the following example.
Example:
The following table is an example of a range for the acceptable operating systems
versions for different Windows 10 releases. In this example, three different Feature
Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions
of Windows that have applied cumulative updates from June to September
2020 are considered compliant. This is sample data only. The table
includes a first column that includes any text you want to describe the entry,
followed by the minimum and maximum OS version for that entry. The second and
third columns must adhere to valid OS build versions in the
major.minor.build.revision number format. After you define one or more entries,
you can Export the list as a comma-separated values (CSV) file.
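The difference between the two rules, as an added example that is not Intune's own evaluation code: a single minimum/maximum OS version range admits any revision between its endpoints, whereas a valid-builds list admits a version only if some row's minimum and maximum enclose it, so a feature update that lacks its cumulative updates falls between rows and is rejected. The three ranges below are constructed sample data in the page's major.minor.build.revision format, not the actual revision numbers of any June to September 2020 update.

```python
"""Windows OS version rules: one min/max range versus a valid-operating-system-builds list.

Added example, not Intune's own code. BuildRange values are constructed sample
data; substitute the cumulative-update revisions you actually want to allow.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

Version = tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.build.revision' into a tuple that compares field by field.

    A real numeric revision is required; a placeholder such as '10.0.18362.xxx',
    as written in the docs, is rejected rather than silently treated as 0.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.revision, got {text!r}")
    major, minor, build, revision = (int(p) for p in parts)
    return (major, minor, build, revision)


@dataclass(frozen=True)
class BuildRange:
    """One row of the valid builds list: free-text description, minimum, maximum."""
    description: str
    minimum: Version
    maximum: Version

    def contains(self, version: Version) -> bool:
        return self.minimum <= version <= self.maximum


def compliant_by_min_max(version: Version, minimum: Version, maximum: Version) -> bool:
    """The plain 'Minimum OS version' / 'Maximum OS version' rule: one range."""
    return minimum <= version <= maximum


def match_valid_build(version: Version, ranges: list[BuildRange]) -> Optional[str]:
    """Return the description of the first row that admits the version, else None.

    Under the valid-builds rule a device is compliant only if some row admits it,
    so revisions that fall between rows are non-compliant.
    """
    for entry in ranges:
        if entry.contains(version):
            return entry.description
    return None


def export_csv(ranges: list[BuildRange]) -> str:
    """Emit the list in the three-column CSV layout described in the text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Description", "Minimum OS version", "Maximum OS version"])
    for entry in ranges:
        writer.writerow([entry.description,
                         ".".join(map(str, entry.minimum)),
                         ".".join(map(str, entry.maximum))])
    return buf.getvalue()


# Constructed sample rows: three feature updates (1809, 1909, 2004), each pinned
# to a window of cumulative-update revisions. Illustrative numbers only.
VALID_BUILDS = [
    BuildRange("Windows 10 1809", parse_version("10.0.17763.1282"), parse_version("10.0.17763.1457")),
    BuildRange("Windows 10 1909", parse_version("10.0.18363.900"), parse_version("10.0.18363.1082")),
    BuildRange("Windows 10 2004", parse_version("10.0.19041.329"), parse_version("10.0.19041.508")),
]

# The scenario from the text: minimum 10.0.18362.x (1903), maximum 10.0.18363.x (1909).
MIN_OS = parse_version("10.0.18362.0")
MAX_OS = parse_version("10.0.18363.9999")


if __name__ == "__main__":
    stale_1903 = parse_version("10.0.18362.30")    # 1903 without recent cumulative updates
    patched_2004 = parse_version("10.0.19041.508")
    print("stale 1903 under min/max:", compliant_by_min_max(stale_1903, MIN_OS, MAX_OS))
    print("stale 1903 under builds :", match_valid_build(stale_1903, VALID_BUILDS))
    print("2004 under min/max      :", compliant_by_min_max(patched_2004, MIN_OS, MAX_OS))
    print("2004 under builds       :", match_valid_build(patched_2004, VALID_BUILDS))
    print(export_csv(VALID_BUILDS))
```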
System Security
Password
Require a password to unlock mobile devices:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.
Simple passwords:
Not configured (default) - Users can create simple passwords, such as 1234 or
1111.
Block - Users can't create simple passwords, such as 1234 or 1111.
Password type:
Password complexity:
Your options:
Require digits and lowercase letters (default)
Require digits, lowercase letters, and uppercase letters
Require digits, lowercase letters, uppercase letters, and special characters
Enter the minimum number of digits or characters that the password must have.
Enter the idle time before the user must reenter their password.
Enter the number of days before the password expires, and they must create a new
one, from 1-730.
Require password when device returns from idle state (Mobile and Holographic):
Not configured (default)
Require - Require device users to enter the password every time the device
returns from an idle state.
Encryption
Encryption of data storage on a device:
Note
The Encryption of data storage on a device setting generically checks for the
presence of encryption on the device, more specifically at the OS drive level.
Currently, Intune supports only the encryption check with BitLocker. For a
more robust encryption setting, consider using Require BitLocker, which
leverages Windows Device Health Attestation to validate BitLocker status at
the TPM level. However, when leveraging this setting, be aware that a reboot
may be required before the device will reflect as compliant.
Device Security
Firewall:
Not configured (default) - Intune doesn't control the Microsoft Defender
Firewall, nor change existing settings.
Require - Turn on the Microsoft Defender Firewall, and prevent users from
turning it off.
Firewall CSP
Antispyware:
Not configured (default) - Intune doesn't check for any antispyware solutions
installed on the device.
Require - Check compliance using antispyware solutions that are registered
with Windows Security Center, such as Symantec and Microsoft Defender.
Defender
The following compliance settings are supported with Windows 10/11 Desktop.
Controls the Windows Security virus and threat protection updates on the devices.
Not configured (default) - Intune doesn't enforce any requirements.
Require - Force the Microsoft Defender security intelligence to be up to date.
For more information, see Security intelligence updates for Microsoft Defender
Antivirus and other Microsoft antimalware.
Real-time protection:
Not configured (default) - Intune doesn't control this feature, nor change
existing settings.
Require - Turn on real-time protection, which scans for malware, spyware, and
other unwanted software.
Use this setting to take the risk assessment from your defense threat services as a
condition for compliance. Choose the maximum allowed threat level:
Not configured (default)
Clear - This option is the most secure, as the device can't have any threats. If the
device is detected as having any level of threats, it's evaluated as non-
compliant.
Low - The device is evaluated as compliant if only low-level threats are present.
Anything higher puts the device in a non-compliant status.
Medium - The device is evaluated as compliant if existing threats on the device
are low or medium level. If the device is detected to have high-level threats, it's
determined to be non-compliant.
High - This option is the least secure, and allows all threat levels. It may be
useful if you're using this solution only for reporting purposes.
To set up Microsoft Defender for Endpoint as your defense threat service, see
Enable Microsoft Defender for Endpoint with Conditional Access.
To verify device encryption on the Microsoft HoloLens, see Verify device encryption.
Surface Hub
Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for
both compliance and Conditional Access. To enable these features on Surface Hubs, we
recommend you enable Windows automatic enrollment in Intune (requires Azure Active
Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface
Hubs are required to be Azure AD joined for compliance and Conditional Access to
work.
Special consideration for Surface Hubs running Windows 10/11 Team OS:
Surface Hubs that run Windows 10/11 Team OS do not support the Microsoft Defender
for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs
that run Windows 10/11 Team OS set the following two settings to their default of Not
configured:
In the category Password, set Require a password to unlock mobile devices to the
default of Not configured.
In the category Microsoft Defender for Endpoint, set Require the device to be at
or under the machine risk score to the default of Not configured.
Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Windows 8.1 devices.
Device Compliance settings for
Windows 8.1 in Intune
Article • 02/21/2023
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
This article lists and describes the different compliance settings you can configure on
Windows 8.1 devices in Intune. As part of your mobile device management (MDM)
solution, use these settings to block simple passwords, set a minimum and maximum OS
version, and more.
Device Properties
Minimum OS version:
Enter the minimum allowed version. When a device doesn't meet the minimum OS
version requirement, it's reported as non-compliant. A link with information on
how to upgrade is shown. The device user can choose to upgrade their device, and
then get access to company resources.
Maximum OS version:
Enter the maximum allowed version. When a device is using an OS version later
than the version entered in the rule, access to organization resources is blocked.
The device user is asked to contact their IT administrator. The device can't access
organizational resources until a rule changes to allow the OS version.
Windows 8.1 PCs return a version of 3. If the OS version rule is set to Windows 8.1 for
Windows, then the device is reported as non-compliant even if the device has Windows
8.1.
System Security
Password
Require a password to unlock mobile devices:
Not configured (default) - This setting isn't evaluated for compliance or non-
compliance.
Require - Users must enter a password before they can access their device.
Simple passwords:
Not configured (default) - Users can create simple passwords like 1234 or 1111.
Block - Users can't create simple passwords, such as 1234 or 1111.
Enter the minimum number of digits or characters that the password must have.
For devices that run Windows and are accessed with a Microsoft account, the
compliance policy fails to evaluate correctly if either of the following conditions is
met:
Minimum password length is greater than eight characters
Minimum number of character sets is more than two
Password type:
When the password type is set to Alphanumeric, specify the minimum number
of character sets that the password must contain. Options include 0 to 4 sets,
with a default of 1.
Setting a higher number requires the user to create a password that is more
complex. For devices that are accessed with a Microsoft account, the
compliance policy fails to evaluate correctly if either of the following conditions
is met:
Minimum password length is greater than eight characters
Minimum number of character sets is more than two
Enter the idle time before the user must reenter their password.
Select the number of days before the password expires, and users must create a
new one.
Encryption
Encryption of data storage on device:
Not configured (default)
Require - Use Require to encrypt data storage on your devices.
Next steps
Add actions for noncompliant devices and use scope tags to filter policies.
Monitor your compliance policies.
See the compliance policy settings for Windows 10/11 devices.
Settings for Microsoft Defender for
Endpoint for Mac in Microsoft Intune
Article • 02/21/2023
View the Antivirus profile settings you can configure for Microsoft Defender for
Endpoint for Mac in Microsoft Intune. For more information about these settings, see
Microsoft Defender for Endpoint for Mac in the Windows documentation.
Cloud-delivered protection
Sends sample files to Microsoft to help protect device users and your organization
from potential threats.
Not configured (default) - The setting is restored to the system default.
Enabled - Cloud-delivered protection is turned on. Device users can't change
this setting.
Disabled - The setting is disabled. Device users can't change this setting.
Diagnostic data collection
Select Add and then specify file extensions to ignore during a scan.
View details about the endpoint security antivirus policy settings you can configure for
the Microsoft Defender Antivirus profile for Windows 10 and later in Microsoft Intune.
Note
This article details the settings you can find in Microsoft Defender Antivirus and
Microsoft Defender Antivirus Exclusions profiles created before April 5, 2022, for
the Windows 10 and later platform for endpoint security Antivirus policy. On April 5,
2022, the Windows 10 and later platform was replaced by the Windows 10,
Windows 11, and Windows Server platform. Profiles created after that date use a
new settings format as found in the Settings Catalog. With this change you can no
longer create new versions of the old profile and they are no longer being
developed. Although you can no longer create new instances of the older profile,
you can continue to edit and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.
The following settings details for Windows profiles apply to those deprecated
profiles.
Cloud protection
Turn on cloud-delivered protection
CSP: AllowCloudProtection
CSP: CloudBlockLevel
CSP: CloudExtendedTimeout
CSP: Configuration/DisableLocalAdminMerge
This setting controls if exclusion list settings that are configured by a local
administrator merge with managed settings from Intune policy. This setting applies
to lists such as threats and exclusions.
Not configured (default) - Unique items defined in preference settings that are
configured by a local administrator merge into the resulting effective policy. If
there are conflicts, management settings from Intune policy override local
preference settings.
No - Behavior is the same as Not configured.
Yes - Only items defined by management are used in the resulting effective
policy. Managed settings override preference settings that are configured by
the local administrator.
For each setting in this group, you can expand the setting, select Add, and then specify
a value for the exclusion.
CSP: ExcludedProcesses
Specify a list of files opened by processes to ignore during a scan. The process
itself isn't excluded from the scan.
CSP: ExcludedExtensions
CSP: ExcludedPaths
Real-time protection
These settings are available in the following profiles:
Settings:
CSP: AllowRealtimeMonitoring
CSP: AllowOnAccessProtection
CSP: Defender/RealTimeScanDirection
Configure this setting to determine which NTFS file and program activity is
monitored.
Monitor all files (default)
Only monitor incoming files
Only monitor outgoing files
CSP: AllowBehaviorMonitoring
CSP: EnableNetworkProtection
Protect device users using any app from accessing phishing scams, exploit-hosting
sites, and malicious content on the Internet. Protection includes preventing third-
party browsers from connecting to dangerous sites.
Not configured (default) - The setting is restored to the system default.
No - The setting is disabled. Device users can't change this setting.
Yes - Network protection is turned on. Device users can't change this setting.
CSP: AllowIOAVProtection
CSP: AllowScriptScanning
CSP: AllowScanningNetworkFiles
Scan emails
CSP: AllowEmailScanning
Remediation
These settings are available in the following profiles:
Settings:
CSP: DaysToRetainCleanedMalware
Specify the number of days from zero to 90 that the system stores quarantined
items before they're automatically removed. A value of zero keeps items in
quarantine and doesn't automatically remove them.
CSP: PUAProtection
CSP: ThreatSeverityDefaultAction
Specify the action that Defender takes for detected malware based on the
malware's threat level.
Defender classifies malware that it detects as one of the following severity levels:
Low severity
Moderate severity
High severity
Severe severity
For each level, specify the action to take. The default for each severity level is Not
configured.
Not configured
Clean - The service tries to recover files and disinfect them.
Quarantine - Moves files to quarantine.
Remove - Removes files from the device.
Allow - Allows the file and doesn't take other actions.
User defined - The device user makes the decision on which action to take.
Block - Blocks file execution.
Scan
These settings are available in the following profiles:
Settings:
CSP: AllowArchiveScanning
CSP: EnableLowCPUPriority
CSP: DisableCatchupFullScan
Configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is
run because a regularly scheduled scan was missed. Usually these scheduled scans
are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to client default, which is to
disable catch-up scans for full scans.
No - The setting is disabled. Device users can't change this setting.
Yes - Catch-up scans for scheduled full scans are enforced and the user can't
disable them. If a computer is offline for two consecutive scheduled scans, a
catch-up scan is started the next time someone signs in to the computer. If
there's no scheduled scan configured, there will be no catch-up scan run. Device
users can't change this setting.
CSP: DisableCatchupQuickScan
Configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that
is run because a regularly scheduled scan was missed. Usually these scheduled
scans are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to client default, which is to
disable catch-up scans for full scans.
No - The setting is disabled. Device users can't change this setting.
Yes - Catch-up scans for scheduled quick scans are enforced and the user can't
disable them. If a computer is offline for two consecutive scheduled scans, a
catch-up scan is started the next time someone signs in to the computer. If
there's no scheduled scan configured, there will be no catch-up scan run. Device
users can't change this setting.
CSP: AvgCPULoadFactor
Specify as a percent from zero to 100, the average CPU load factor for the
Defender scan.
CSP: AllowFullScanOnMappedNetworkDrives
CSP: ScheduleQuickScanTime
Select the time of day that Defender quick scans run. This setting applies only
when a device runs a quick scan and doesn't interact with the following three
settings:
Scan type
Day of week to run a scheduled scan
Time of day to run a scheduled scan
Scan type
CSP: ScanParameter
Select the type of scan that Defender runs. This setting interacts with the settings
Day of week to run a scheduled scan and Time of day to run a scheduled scan.
Not Configured (default)
Quick scan
Full scan
Updates
These settings are available in the following profiles:
Settings:
Enter how often (0-24 hours) to check for security intelligence updates
CSP: SignatureUpdateInterval
Specify the interval from zero to 24 (in hours) that is used to check for signatures.
A value of zero results in no check for new signatures. A value of 2 will check every
two hours, and so on.
CSP: SignatureUpdateFallbackOrder
Manage locations, like a UNC file share, as a download source location to get
definition updates. After definition updates successfully download from a specified
source, the remaining sources in the list won't be contacted.
You can Add individual locations, or Import a list of locations as a .csv file.
CSP: SignatureUpdateFileSharesSources
Specify in which order to contact source locations you've specified, to get
definition updates. After definition updates have successfully downloaded from
one specified source, the remaining sources in the list won't be contacted.
User experience
These settings are available in the following profiles:
Settings:
CSP: AllowUserUIAccess
Not Configured (default) - The setting returns to client default in which UI and
notifications are allowed.
No - The Defender User Interface (UI) is inaccessible and notifications are
suppressed.
Yes
Settings for Microsoft Defender
Antivirus policy for tenant attached
devices in Microsoft Intune
Article • 02/21/2023
View the Microsoft Defender Antivirus settings you can manage with the Microsoft
Defender Antivirus Policy (ConfigMgr) profile from Intune. The profile is available when
you configure Intune Endpoint security Antivirus policy, and the policy deploys to
devices you manage with Configuration Manager when you've configured the tenant
attach scenario.
Cloud protection
Turn on cloud-delivered protection
CSP: AllowCloudProtection
CSP: CloudBlockLevel
CSP: CloudExtendedTimeout
Defender Antivirus automatically blocks suspicious files for 10 seconds so it can
scan the files in the cloud to make sure they're safe. With this setting, you can add
up to 50 more seconds to this timeout.
CSP: ExcludedProcesses
Specify a list of files opened by processes to ignore during a scan. The process
itself isn't excluded from the scan.
CSP: ExcludedExtensions
CSP: ExcludedPaths
Real-time protection
Turn on real-time protection
CSP: AllowRealtimeMonitoring
CSP: AllowOnAccessProtection
CSP: Defender/RealTimeScanDirection
Configure this setting to determine which NTFS file and program activity is
monitored.
Monitor all files (bi-directional) (default)
Monitor incoming files
Monitor outgoing files
CSP: AllowBehaviorMonitoring
CSP: EnableNetworkProtection
CSP: AllowScriptScanning
CSP: AllowScanningNetworkFiles
Configure Defender to scan network files.
Not configured (default) - The setting is restored to the system default.
Not allowed - Turns off scanning of network files.
Allowed - Scans network files.
Scan emails
CSP: AllowEmailScanning
Remediation
Number of days (0-90) to keep quarantined malware
CSP: DaysToRetainCleanedMalware
Specify a number of days from zero to 90 that the system stores quarantined items
before they're automatically removed. A value of zero keeps items in quarantine
and does not automatically remove them.
CSP: PUAProtection
CSP: ThreatSeverityDefaultAction
Specify the action that Defender takes for detected malware based on the
malware's threat level.
Defender classifies malware that it detects as one of the following severity levels:
Low threat
Moderate threat
High threat
Severe threat
For each level, specify the action to take. The default for each severity level is Not
configured.
Not configured (default)
Clean - The service tries to recover the files and disinfect them.
Quarantine - Moves files to quarantine.
Remove - Removes files from the device.
Allow - Allows the file and doesn't take other actions.
User defined - The device user makes the decision on which action to take.
Block - Blocks file execution.
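The severity-to-action table above is delivered to the device as a single string. The following is an added example, not Microsoft's code, that builds and parses that string and flags the mappings a defender would question. The numeric codes it uses (severity IDs 1=Low, 2=Moderate, 4=High, 5=Severe; action IDs 1=Clean, 2=Quarantine, 3=Remove, 6=Allow, 8=User defined, 10=Block) and the "severity:action;severity:action" layout come from the Defender CSP documentation, not from this page, and are stated here as an assumption.

```python
"""Encode, decode and audit the Defender ThreatSeverityDefaultAction value.

Added example, not Microsoft's code. Severity and action codes below are an
assumption taken from the Defender CSP documentation; the wire format is
"<severity>:<action>;<severity>:<action>;...". Levels left out of the policy
stay "Not configured" on the device, so they are simply omitted.
"""
from __future__ import annotations

SEVERITY_IDS = {"Low": 1, "Moderate": 2, "High": 4, "Severe": 5}
ACTION_IDS = {"Clean": 1, "Quarantine": 2, "Remove": 3,
              "Allow": 6, "User defined": 8, "Block": 10}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_IDS.items()}
ACTION_NAMES = {v: k for k, v in ACTION_IDS.items()}
LEVELS = ("Low", "Moderate", "High", "Severe")   # stable output order


def encode_threat_actions(policy: dict[str, str]) -> str:
    """Turn {"Severe": "Remove", ...} into the CSP string."""
    parts = []
    for level in LEVELS:
        if level not in policy:
            continue  # Not configured: leave the device default in place
        action = policy[level]
        if action not in ACTION_IDS:
            raise ValueError(f"unknown action {action!r} for severity {level}")
        parts.append(f"{SEVERITY_IDS[level]}:{ACTION_IDS[action]}")
    return ";".join(parts)


def decode_threat_actions(value: str) -> dict[str, str]:
    """Parse a CSP string back into {severity name: action name}.
    An empty string means nothing is configured."""
    result: dict[str, str] = {}
    if not value:
        return result
    for pair in value.split(";"):
        sev, act = pair.split(":")
        sev_id, act_id = int(sev), int(act)
        if sev_id not in SEVERITY_NAMES or act_id not in ACTION_NAMES:
            raise ValueError(f"unrecognised severity:action pair {pair!r}")
        result[SEVERITY_NAMES[sev_id]] = ACTION_NAMES[act_id]
    return result


def audit_threat_actions(value: str) -> list[str]:
    """Flag the mappings worth a second look: Allow or User defined on a
    High or Severe detection leaves a known-bad file on the device, and an
    unconfigured level silently falls back to whatever the client default is."""
    findings = []
    mapping = decode_threat_actions(value)
    for level in ("High", "Severe"):
        action = mapping.get(level)
        if action is None:
            findings.append(f"{level}: not configured, device default applies")
        elif action in ("Allow", "User defined"):
            findings.append(f"{level}: action '{action}' leaves the threat on the device")
    return findings


if __name__ == "__main__":
    encoded = encode_threat_actions({"Low": "Clean", "Moderate": "Quarantine",
                                     "High": "Remove", "Severe": "Remove"})
    print(encoded)                               # 1:1;2:2;4:3;5:3
    print(audit_threat_actions("1:1;2:2;4:6"))   # High allowed, Severe missing
```

The audit only looks at High and Severe because those are the levels where a permissive action is most consequential; extend the tuple if your baseline also pins Low and Moderate.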
Scan
Scan archive files
CSP: AllowArchiveScanning
CSP: EnableLowCPUPriority
CSP: DisableCatchupFullScan
Configure catch-up scans for scheduled full scans. A catch-up scan is a scan that
starts because a regularly scheduled scan was missed. Usually these scheduled
scans are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to the client default, which is to
enable catch-up scans for full scans; however, the user can turn them off.
Disabled
Enabled
CSP: DisableCatchupQuickScan
Configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that
starts because a regularly scheduled scan was missed. Usually these scheduled
scans are missed because the computer was turned off at the scheduled time.
Not configured (default) - The setting is returned to the client default, which is to
enable catch-up quick scans; however, the user can turn them off.
Disabled
Enabled
CSP: AvgCPULoadFactor
Specify, as a percentage from zero to 100, the average CPU load factor for
Defender scans.
CSP: AllowFullScanOnMappedNetworkDrives
CSP: ScheduleQuickScanTime
Scan type
CSP: ScanParameter
Updates
Enter how often (0-24 hours) to check for security intelligence updates
CSP: SignatureUpdateInterval
Specify the interval from zero to 24 (in hours) that is used to check for signatures.
A value of zero results in no check for new signatures. A value of 2 will check every
two hours, and so on.
Signature Update Fallback Order (Device)
User experience
Block user access to Microsoft Defender app
Not Configured (default)
Not allowed - Prevents users from accessing the UI.
Allowed - Lets users access the UI.
Show notifications messages on the client computer when the user needs to run
a full scan, update security intelligence, or run Windows Defender Offline
Not Configured (default)
Yes
No
Note
View the Windows Security experience settings you can manage with the Windows
Security experience (preview) profile from Intune.
The profile is available when you configure Intune Endpoint security Antivirus policy.
This profile supports devices you manage with Configuration Manager after configuring
the tenant attach scenario for Intune.
Windows Security
Enable tamper protection to prevent Microsoft Defender being disabled
CSP: DisableAccountProtectionUI
Not configured (default)
(Disable) The users can see the display of the Account protection area in
Windows Defender Security Center.
(Enable) The users cannot see the display of the Account protection area in
Windows Defender Security Center.
Hide the App and browser control area in the Windows Security app
CSP: DisableAppBrowserUI
Not configured (default)
(Disable) The users can see the display of the app and browser protection area
in Windows Defender Security Center.
(Enable) The users cannot see the display of the app and browser protection
area in Windows Defender Security Center.
CSP: DisableClearTpmButton
Not configured (default)
(Disable) The security processor troubleshooting page shows a button that
initiates the process to clear the security processor (TPM).
(Enable) The security processor troubleshooting page will not show a button
that initiates the process to clear the security processor (TPM).
CSP: DisableFamilyUI
Not configured (default)
(Disable) The users can see the display of the family options area in Windows
Defender Security Center.
(Enable) The users cannot see the display of the family options area in Windows
Defender Security Center.
CSP: DisableDeviceSecurityUI
Not configured (default)
(Disable) The users can see the display of the Device security area in Windows
Defender Security Center.
(Enable) The users cannot see the display of the Device security area in
Windows Defender Security Center.
Hide the Device performance and health area in the Windows Security app
CSP: DisableHealthUI
Not configured (default)
(Disable) The users can see the display of the device performance and health
area in Windows Defender Security Center.
(Enable) The users cannot see the display of the device performance and health
area in Windows Defender Security Center.
Hide the Firewall and network protection area in the Windows Security app
CSP: DisableNetworkUI
Not configured (default)
(Disable) The users can see the display of the firewall and network protection
area in Windows Defender Security Center.
(Enable) The users cannot see the display of the firewall and network protection
area in Windows Defender Security Center.
CSP: HideWindowsSecurityNotificationAreaControl
Not configured (default)
Enabled
Hide the Ransomware data recovery option in the Windows Security app
CSP: HideRansomwareDataRecovery
Not configured (default)
(Disable) The Ransomware data recovery area will be visible.
(Enable) The Ransomware data recovery area is hidden.
Hide the Virus and threat protection area in the Windows Security app
CSP: DisableVirusUI
Not configured (default)
(Disable) The users can see the display of the virus and threat protection area in
Windows Defender Security Center.
(Enable) The users cannot see the display of the virus and threat protection area
in Windows Defender Security Center.
CSP: DisableTpmFirmwareUpdateWarning
Not configured (default)
(Disabled or Not configured) A warning will be displayed if the firmware of the
security processor (TPM) should be updated for TPMs that have a vulnerability.
(Enabled) No warning will be displayed if the firmware of the security processor
(TPM) should be updated.
CSP: EnableCustomizedToasts
Disable Notifications
CSP: DisableNotifications
Not configured (default)
(Disable) The users can see the display of Windows Defender Security Center
notifications.
(Enable) The users cannot see the display of Windows Defender Security Center
notifications.
Disable Enhanced Notifications
CSP: DisableEnhancedNotifications
Not configured (default)
(Disable) Windows Defender Security Center will display critical and non-critical
notifications to users.
(Enable) Windows Defender Security Center only displays notifications that are
considered critical on clients.
Settings for the Windows Security experience profile in Microsoft Intune
Article • 02/21/2023
Note
This article details the settings in the Windows Security experience profile for the
Windows 10 and later platform for endpoint security Antivirus policy. Beginning on
April, 5 2022, the Windows 10 and later platform was replaced by the Windows 10,
Windows 11, and Windows Server platform. Although you can no longer create new
instances of the original profile, you can continue to edit and use your existing
profiles.
View details about the endpoint security antivirus policy settings you can configure for
the Windows Security Experience profile for Windows 10 and later in Microsoft Intune.
Windows Security
Hide the Virus and threat protection area in the Windows Security app
CSP: DisableVirusUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The virus and threat protection area in the Windows Security app is hidden
from end-users. Virus and threat protection-related notifications are
suppressed.
No - Behavior is the same as Not configured.
CSP: HideRansomwareDataRecovery
This setting is only available when Hide the Virus and threat protection area in
the Windows Security app is set to No or Not configured.
Not configured (default) - The setting returns to the client default, which is
to allow user access and notifications.
Yes - The ransomware data recovery area in the Windows Security app is
hidden from end-users. Ransomware related notifications are suppressed.
No - Behavior is the same as Not configured.
CSP: DisableAccountProtectionUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The account protection area in the Windows Security app is hidden from
end-users. Account protection-related notifications are suppressed.
No - Behavior is the same as Not configured.
Hide the Firewall and network protection area in the Windows Security app
CSP: DisableNetworkUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The firewall and network protection area in the Windows Security app is
hidden from end-users. Firewall and network protection-related notifications are
suppressed.
No - Behavior is the same as Not configured.
Hide the App and browser control area in the Windows Security app
CSP: DisableAppBrowserUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The app and browser control area in the Windows Security app is hidden from
end-users. App and browser control-related notifications are suppressed.
No - Behavior is the same as Not configured.
CSP: DisableDeviceSecurityUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The hardware protection area in the Windows Security app is hidden from
end-users. Hardware protection-related notifications will be suppressed.
No - Behavior is the same as Not configured.
Hide the Device performance and health area in the Windows Security app
CSP: DisableHealthUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The device performance and health area in the Windows Security app is
hidden from end-users. Device performance and health-related notifications
are suppressed.
No - Behavior is the same as Not configured.
CSP: DisableFamilyUI
Not configured (default) - The setting returns to the client default, which is to
allow user access and notifications.
Yes - The family options area in the Windows Security app is hidden from
end-users. Also, notifications related to family options are suppressed.
No - Behavior is the same as Not configured.
CSP: DisableNotifications
Use this setting to block Windows Security notifications to your users for all of the
preceding feature settings. Alternatively, you can manage the Windows Security
app notifications per feature by using the preceding settings.
Not configured (default) - This setting doesn't enforce a block of any settings
and all Windows Security app notifications that are not controlled by another
setting are allowed.
Block non-critical notification - Notifications such as scan completions are
blocked.
Block all notifications - Critical and non-critical notifications are blocked for all
Windows Security features.
CSP: HideWindowsSecurityNotificationAreaControl
For this setting to take effect, the user needs to either sign out and back in, or
reboot the computer.
Not configured (default) - The setting returns the client to the default, which is
to show the icon.
Yes - Hide the Windows Security icon from the notification area.
No - Behavior is the same as Not configured.
Disable the Clear TPM option in the Windows Security app
CSP: DisableClearTpmButton
Not configured (default) - The setting returns to the client default, which allows
access to the button.
Yes - Disable access to the clear TPM button in the Windows Security app.
No - Behavior is the same as Not configured.
CSP: DisableTpmFirmwareUpdateWarning
Not configured (default) - The setting returns to the client default, which is to
not prompt users.
Yes - Allow Windows to prompt end-users when a potential vulnerability is
found in their TPM firmware. Users are then encouraged to run firmware
updates to resolve the vulnerability.
No - Behavior is the same as Not configured.
CSP: EnableCustomizedToasts
Declare where you would like your IT organization information displayed in the
Windows Security app and notifications.
Not configured (default)
Display in app and in notifications
Display only in app
Display only in notifications
Disk encryption policy settings for endpoint security in Intune
Article • 07/31/2023
View the settings you can configure in profiles for Disk Encryption policy in the Endpoint
security node of Intune as part of an Endpoint security policy.
Applies to:
macOS
Windows 10/11
macOS:
Profile: FileVault
Windows 10 and later:
Profile: BitLocker
FileVault
Encryption
Enable FileVault
Yes - Enable Full Disk Encryption using XTS-AES 128 with FileVault on devices that
run macOS 10.13 and later. FileVault is enabled when the user signs out of the
device.
When set to Yes, you can configure additional settings for FileVault.
Recovery key type - Personal key. Recovery keys are created for devices. Configure
the following settings for the personal key:
Personal recovery key rotation
Specify how frequently the personal recovery key for a device will rotate. You
can select the default of Not configured, or a value of 1 to 12 months.
Escrow location description of personal recovery key
Specify a short message to the user that explains how they can retrieve their
personal recovery key. The user sees this message on their sign-in screen
when prompted to enter their personal recovery key if a password is
forgotten.
BitLocker
Note
This article details the settings you can find in BitLocker profiles created before
June 19, 2023, for the Windows 10 and later platform for endpoint security Disk
encryption policy. On June 19, 2023, the Windows 10 and later profile was updated
to use a new settings format as found in the Settings Catalog. With this change you
can no longer create new versions of the old profile and they are no longer being
developed. Although you can no longer create new instances of the older profile,
you can continue to edit and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.
The following settings details for Windows profiles apply to those deprecated
profiles.
If the drive was encrypted before this policy applied, no extra action is taken. If the
encryption method and options match those of this policy, configuration should
return success. If an in-place BitLocker configuration option doesn't match this
policy, configuration will likely return an error.
To apply this policy to a disk that is already encrypted, decrypt the drive and reapply
the MDM policy. The Windows default is to not require BitLocker drive encryption.
However, on Azure AD join and Microsoft Account (MSA) registration/login,
automatic encryption can apply, enabling BitLocker with XTS-AES 128-bit encryption.
Not configured (default) - No BitLocker enforcement takes place.
Yes - Enforce use of BitLocker.
This setting only applies to Windows Mobile and Mobile Enterprise SKU devices.
Not configured (default) - The setting returns to the OS default, which is to not
require storage card encryption.
Yes - Encryption on storage cards is required for mobile devices.
Note
Support for Windows 10 Mobile and Windows Phone 8.1 ended in
August of 2020.
By default, the BitLocker setup wizard prompts users to confirm that no third-party
encryption is in place.
Not configured (default) – The BitLocker setup wizard displays a warning and
prompts users to confirm no third-party encryption is present.
Yes - Hide the BitLocker setup wizard's prompt from users.
If BitLocker silent enable features are required, the third-party encryption warning
must be hidden, as any required prompt breaks silent enablement workflows.
When set to Yes, you can then configure the following setting:
For non-silent enablement and Autopilot scenarios, the user must be a local
admin to complete the BitLocker setup wizard.
Add Work Account (AWA, formerly Workplace Joined) devices aren't supported for
key rotation.
Not configured (default) – The client won’t rotate BitLocker recovery keys.
Disabled
Azure AD-joined devices
Azure AD and Hybrid-joined devices
Configure the encryption method and cipher strength for fixed data drives.
XTS-AES 128-bit is the Windows default encryption method and the
recommended value.
Not configured (default)
AES 128bit CBC
AES 256bit CBC
AES 128bit XTS
AES 256bit XTS
It's recommended to require a TPM for BitLocker. This setting only applies
when first enabling BitLocker and has no effect if BitLocker is already
enabled.
Blocked (default) - BitLocker doesn’t use the TPM.
Required - BitLocker enables only if a TPM is present and usable.
Allowed - BitLocker uses the TPM if it's present.
For silent enable scenarios, you must set this to Blocked. Silent enable
scenarios (including Autopilot) won't be successful when user interaction is
required.
For silent enable scenarios, you must set this to Blocked. Silent enable
scenarios (including Autopilot) won't be successful when user interaction is
required.
Compatible TPM startup key and PIN
CSP: BitLocker - SystemDrivesRequireStartupAuthentication
Blocked (default) - Block the use of a startup key and PIN combination.
Required - Require BitLocker have a startup key and PIN present to
become enabled.
Allowed - BitLocker uses the TPM if it's present and allows a startup key
and PIN combination.
For silent enable scenarios, you must set this to Blocked. Silent enable
scenarios (including Autopilot) won't be successful when user interaction is
required.
This setting only applies when first enabling BitLocker and has no effect if
BitLocker is already enabled.
Not configured (default)
Yes - Block BitLocker from being configured without a compatible TPM
chip.
Specify the minimum startup PIN length when TPM + PIN is required during
BitLocker enablement. The PIN length must be between 4 and 20 digits.
If you don't configure this setting, users can configure a startup PIN of any
length (between 4 and 20 digits)
This setting only applies when first enabling BitLocker and has no effect if
BitLocker is already enabled.
Configure the encryption method and cipher strength for OS drives. XTS-AES
128-bit is the Windows default encryption method and the recommended value.
Not configured (default)
AES 128bit CBC
AES 256bit CBC
AES 128bit XTS
AES 256bit XTS
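The BitLocker settings above interact: silent enablement fails on any setting that prompts the user, the startup PIN length has a fixed range, and a drive that was encrypted before the policy arrived is not re-encrypted but reports an error if its method differs. The following pre-flight check is an added example, not Intune's code; it models a profile of the deprecated format with this example's own field names (not CSP names), and the `volume` dict is a constructed stand-in for what a device reports about its OS drive. Treating the TPM startup PIN, startup key and key-plus-PIN options as the ones that prompt the user is this example's reading of the settings text.

```python
"""Pre-flight checks for a BitLocker profile of the deprecated settings format.

Added example, not Intune's own code. Field names are this example's own and
the `volume` dict is constructed for the example; both are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

STARTUP_CHOICES = {"Blocked", "Required", "Allowed"}
METHODS = {"AES 128bit CBC", "AES 256bit CBC", "AES 128bit XTS", "AES 256bit XTS"}
# Startup options that need the user at the keyboard or a USB key present;
# each must be Blocked for silent enablement (including Autopilot) to succeed.
PROMPTING_OPTIONS = ("tpm_startup_pin", "tpm_startup_key", "tpm_startup_key_and_pin")


@dataclass
class BitLockerPolicy:
    require_encryption: bool = True           # "Yes - Enforce use of BitLocker"
    hide_third_party_warning: bool = False    # "Yes - Hide the BitLocker setup wizard's prompt"
    tpm_startup: str = "Blocked"              # Compatible TPM startup
    tpm_startup_pin: str = "Blocked"          # Compatible TPM startup PIN
    tpm_startup_key: str = "Blocked"          # Compatible TPM startup key
    tpm_startup_key_and_pin: str = "Blocked"  # Compatible TPM startup key and PIN
    min_pin_length: int | None = None         # 4-20 digits when TPM + PIN is required
    os_drive_method: str | None = None        # OS drive encryption method
    fixed_drive_method: str | None = None     # fixed data drive encryption method


def preflight(policy: BitLockerPolicy, silent: bool,
              volume: dict | None = None) -> list[str]:
    """Return the problems the policy would run into, in a fixed order.
    An empty list means no finding."""
    findings: list[str] = []
    for name in ("tpm_startup",) + PROMPTING_OPTIONS:
        value = getattr(policy, name)
        if value not in STARTUP_CHOICES:
            findings.append(f"{name}: invalid value {value!r}")
    if policy.min_pin_length is not None and not 4 <= policy.min_pin_length <= 20:
        findings.append("min_pin_length must be between 4 and 20 digits")
    for label, method in (("os_drive_method", policy.os_drive_method),
                          ("fixed_drive_method", policy.fixed_drive_method)):
        if method is not None and method not in METHODS:
            findings.append(f"{label}: unknown method {method!r}")
    if silent:
        if not policy.hide_third_party_warning:
            findings.append("silent enablement: third-party encryption warning must be hidden")
        for name in PROMPTING_OPTIONS:
            if getattr(policy, name) != "Blocked":
                findings.append(f"silent enablement: {name} must be Blocked (it prompts the user)")
    # A drive encrypted before the policy applied is left alone: a matching
    # method reports success, a different one reports an error.
    if volume and volume.get("encrypted") and policy.os_drive_method:
        current = volume.get("method")
        if current != policy.os_drive_method:
            findings.append(
                f"OS drive already encrypted with {current} but policy asks for "
                f"{policy.os_drive_method}: expect an error; decrypt and reapply the policy")
    return findings


if __name__ == "__main__":
    draft = BitLockerPolicy(tpm_startup="Required", tpm_startup_pin="Required")
    for line in preflight(draft, silent=True):
        print(line)
```

Run the check against a draft profile before assigning it; a non-empty result for `silent=True` means the Autopilot or silent-enable rollout will stall on a prompt rather than encrypt.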
Next steps
Endpoint security policy for disk encryption
Firewall policy settings for endpoint security in Intune
Article • 02/22/2023
View the settings you can configure in profiles for Firewall policy in the endpoint
security node of Intune as part of an Endpoint security policy.
Applies to:
macOS
Windows 10
Windows 11
Note
Beginning on April 5, 2022, the Firewall profiles for the Windows 10 and later
platform were replaced by the Windows 10, Windows 11, and Windows Server
platform and new instances of those same profiles. Profiles created after that date
use a new settings format as found in the Settings Catalog. With this change you
can no longer create new versions of the old profile and they are no longer being
developed. Although you can no longer create new instances of the older profile,
you can continue to edit and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the settings authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
settings information text, you can use its Learn more link to open that content.
The settings details for Windows profiles in this article apply to those deprecated
profiles.
macOS:
Profile: macOS firewall
Firewall
The following settings are configured as Endpoint Security policy for macOS Firewalls
Enable Firewall
Not configured (default)
Yes - Enable the firewall.
Firewall apps
Expand the dropdown, select Add, and then specify apps and rules for incoming
connections for each app.
CSP: MdmStore/Global/DisableStatefulFtp
Not configured (default)
Allow - The firewall performs stateful File Transfer Protocol (FTP) filtering to
allow secondary connections.
Disabled - Stateful FTP is disabled.
CSP: MdmStore/Global/SaIdleTime
Specify a time in seconds between 300 and 3600, for how long the security
associations are kept after network traffic isn't seen.
If you don't specify any value, the system deletes a security association after it's
been idle for 300 seconds.
CSP: MdmStore/Global/PresharedKeyEncoding
If you don't require UTF-8, preshared keys are initially encoded using UTF-8. After
that, device users can choose another encoding method.
Not configured (default)
None
UTF8
Not configured (default) - When not configured, you have access to the
following IPsec exemption settings, which you can configure individually.
Yes - Turn off all Firewall IPsec exemptions. The following settings aren't
available to configure.
CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IPsec exemptions allow neighbor discovery.
CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IPsec exemptions allow ICMP.
CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IPsec exemptions allow router discovery.
Firewall IP sec exemptions allow DHCP
CSP: MdmStore/Global/IPsecExempt
Not configured (default)
Yes - Firewall IP sec exemptions allow DHCP
CSP: MdmStore/Global/CRLcheck
Require keying modules to only ignore the authentication suites they don’t
support
CSP: MdmStore/Global/OpportunisticallyMatchAuthSetPerKM
Not configured (default)
Disabled
Enabled - Keying modules ignore unsupported authentication suites.
Packet queuing
CSP: MdmStore/Global/EnablePacketQueue
Specify how to enable scaling for the software on the receive side for the
encrypted receive and clear text forward for the IPsec tunnel gateway scenario.
This ensures the packet order is preserved.
Not configured (default) - Packet queuing is returned to the client default,
which is disabled.
Disabled
Queue Inbound
Queue Outbound
Queue Both
CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
Yes - The Microsoft Defender Firewall for the network type of domain is turned
on and enforced. You also gain access to additional settings for this network.
No - Disable the firewall.
Additional settings for this network, when set to Yes:
CSP: DisableStealthMode
CSP: Shielded
Not configured (default) - Use the client default, which is to disable shielded
mode.
Yes - The machine is put into shielded mode, which isolates it from the
network. All traffic is blocked.
No
CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default) - The setting returns to the client default, which is
to allow unicast responses.
Yes - Unicast responses to multicast broadcasts are blocked.
No - Enforce the client default, which is to allow unicast responses.
CSP: DisableInboundNotifications
Not configured (default) - The setting returns to the client default, which is
to allow the user notification.
Yes - User notification is suppressed when an application is blocked by an
inbound rule.
No - User notifications are allowed.
CSP: DefaultInboundAction
CSP: AuthAppsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Authorized application firewall rules in the local store are ignored.
No - Authorized application firewall rules are honored.
CSP: GlobalPortsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Global port firewall rules in the local store are ignored.
No - The global port firewall rules are honored.
CSP: IPsecExempt
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - All firewall rules in the local store are ignored.
No - The firewall rules in the local store are honored.
CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
Yes - The Microsoft Defender Firewall for the network type of private is turned
on and enforced. You also gain access to additional settings for this network.
No - Disable the firewall.
CSP: DisableStealthMode
CSP: Shielded
Not configured (default) - Use the client default, which is to disable shielded
mode.
Yes - The machine is put into shielded mode, which isolates it from the
network. All traffic is blocked.
No
CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default) - The setting returns to the client default, which is
to allow unicast responses.
Yes - Unicast responses to multicast broadcasts are blocked.
No - Enforce the client default, which is to allow unicast responses.
CSP: DisableInboundNotifications
Not configured (default) - The setting returns to the client default, which is
to allow the user notification.
Yes - User notification is suppressed when an application is blocked by an
inbound rule.
No - User notifications are allowed.
CSP: DefaultInboundAction
CSP: AuthAppsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Authorized application firewall rules in the local store are ignored.
No - Authorized application firewall rules are honored.
CSP: GlobalPortsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Global port firewall rules in the local store are ignored.
No - The global port firewall rules are honored.
CSP: IPsecExempt
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - All firewall rules in the local store are ignored.
No - The firewall rules in the local store are honored.
CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
Yes - The Microsoft Defender Firewall for the network type of public is turned
on and enforced. You also gain access to additional settings for this network.
No - Disable the firewall.
CSP: DisableStealthMode
CSP: Shielded
Not configured (default) - Use the client default, which is to disable shielded
mode.
Yes - The machine is put into shielded mode, which isolates it from the
network. All traffic is blocked.
No
CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default) - The setting returns to the client default, which is
to allow unicast responses.
Yes - Unicast responses to multicast broadcasts are blocked.
No - Enforce the client default, which is to allow unicast responses.
CSP: DisableInboundNotifications
Not configured (default) - The setting returns to the client default, which is
to allow the user notification.
Yes - User notification is suppressed when an application is blocked by an
inbound rule.
No - User notifications are allowed.
CSP: DefaultInboundAction
CSP: AuthAppsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Authorized application firewall rules in the local store are ignored.
No - Authorized application firewall rules are honored.
CSP: GlobalPortsAllowUserPrefMerge
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - Global port firewall rules in the local store are ignored.
No - The global port firewall rules are honored.
CSP: IPsecExempt
Not configured (default) - The setting returns to the client default, which is
to honor the local rules.
Yes - All firewall rules in the local store are ignored.
No - The firewall rules in the local store are honored.
The following settings are configured as Endpoint Security policy for Windows Firewalls.
Name
Specify a friendly name for your rule. This name will appear in the list of rules to
help you identify it.
Description
Direction
Not configured (default) - This rule defaults to outbound traffic.
Out - This rule applies to outbound traffic.
In - This rule applies to inbound traffic.
Action
Not configured (default) - The rule defaults to allow traffic.
Blocked - Traffic is blocked in the Direction you've configured.
Allowed - Traffic is allowed in the Direction you've configured.
Network type
Specify the network type to which the rule belongs. You can choose one or more
of the following. If you don't select an option, the rule applies to all network types.
Domain
Private
Public
Not configured
Application settings
Applications targeted with this rule:
Get-AppxPackage
File path
CSP: FirewallRules/FirewallRuleName/App/FilePath
To specify the file path of an app, enter the app's location on the client device. For
example: C:\Windows\System\Notepad.exe
Service name
FirewallRules/FirewallRuleName/App/ServiceName
Use a Windows service short name when a service, not an application, is sending or
receiving traffic. Service short names are retrieved by running the Get-Service
command from PowerShell.
Protocol
CSP: FirewallRules/FirewallRuleName/Protocol
Interface types
Specify the interface types to which the rule belongs. You can choose one or more
of the following. If you don't select an option, the rule applies to all interface types:
Remote access
Wireless
Local area network
Not configured
Authorized users
FirewallRules/FirewallRuleName/LocalUserAuthorizationList
Specify a list of authorized local users for this rule. A list of authorized users can't
be specified if Service name in this policy is set as a Windows service. If no
authorized user is specified, the default is all users.
IP address settings
Specifies the local and remote addresses to which this rule applies:
Not configured (default) - Use the following setting, Local address ranges, to
configure a range of addresses to support.
Yes - Support any local address and don't configure an address range.
CSP: FirewallRules/FirewallRuleName/LocalAddressRanges
Not configured (default) - Use the following setting, Remote address ranges* to
configure a range of addresses to support.
Yes - Support any remote address and don't configure an address range.
CSP: FirewallRules/FirewallRuleName/RemoteAddressRanges
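A helper that assembles one firewall rule from the inputs described above, as an added example rather than code from the Intune documentation: it resolves the service short name with Get-Service and the package family name with Get-AppxPackage, validates address ranges, and enforces the stated constraint that authorized users can't be combined with a service name. The Direction, Action, Profiles and App/PackageFamilyName keys, and the use of the page's option labels as values, are my assumptions; the rule name and sample values are constructed.

```powershell
function Test-AddressRange {
    # Accepts one IPv4/IPv6 address, CIDR notation, or a "start-end" range.
    param([Parameter(Mandatory)][string]$Range)
    $ip = $null
    switch -Regex ($Range) {
        '^([^/]+)/(\d{1,3})$' {
            # Prefix length is only sanity-checked, not validated per address family.
            return ([System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -and [int]$Matches[2] -le 128)
        }
        '^([^-]+)-([^-]+)$' {
            return ([System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -and
                    [System.Net.IPAddress]::TryParse($Matches[2], [ref]$ip))
        }
        default { return [System.Net.IPAddress]::TryParse($Range, [ref]$ip) }
    }
}

function New-FirewallRuleCspMap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [ValidateSet('In', 'Out')][string]$Direction = 'Out',
        [ValidateSet('Allowed', 'Blocked')][string]$Action = 'Allowed',
        [ValidateSet('Domain', 'Private', 'Public')][string[]]$NetworkType = @(),
        [ValidateRange(0, 255)][int]$Protocol = -1,   # IP protocol number; -1 = not set
        [string]$FilePath,
        [string]$ServiceDisplayName,
        [string]$AppxPackageName,
        [string[]]$AuthorizedUser = @(),
        [string[]]$LocalAddressRange = @(),
        [string[]]$RemoteAddressRange = @()
    )

    # Constraint stated in the documentation: no authorized-user list for a service rule.
    if ($ServiceDisplayName -and $AuthorizedUser.Count -gt 0) {
        throw 'Authorized users cannot be specified when the rule targets a Windows service.'
    }

    $prefix = "FirewallRules/$RuleName"
    $map = [ordered]@{
        "$prefix/Direction" = $Direction   # assumed key; value is the page's option label
        "$prefix/Action"    = $Action      # assumed key; value is the page's option label
    }
    # No network type selected means the rule applies to all network types.
    $map["$prefix/Profiles"] = if ($NetworkType.Count) { $NetworkType -join ',' } else { 'All' }
    if ($Protocol -ge 0) { $map["$prefix/Protocol"] = $Protocol }

    if ($FilePath) {
        # The path refers to the client device; it need not exist on the admin workstation.
        $map["$prefix/App/FilePath"] = $FilePath
    }
    if ($ServiceDisplayName) {
        # The CSP takes the service short name, which Get-Service exposes as Name.
        $svc = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop)[0]
        $map["$prefix/App/ServiceName"] = $svc.Name
    }
    if ($AppxPackageName) {
        $pkg = @(Get-AppxPackage -Name $AppxPackageName)[0]
        if (-not $pkg) { throw "Appx package '$AppxPackageName' not found." }
        $map["$prefix/App/PackageFamilyName"] = $pkg.PackageFamilyName   # assumed key
    }
    if ($AuthorizedUser.Count) {
        $map["$prefix/LocalUserAuthorizationList"] = $AuthorizedUser -join ','
    }

    $addressNodes = @{ LocalAddressRanges = $LocalAddressRange; RemoteAddressRanges = $RemoteAddressRange }
    foreach ($node in $addressNodes.Keys) {
        $ranges = @($addressNodes[$node])
        if ($ranges.Count -eq 0) { continue }
        $bad = @($ranges | Where-Object { -not (Test-AddressRange $_) })
        if ($bad.Count) { throw "Invalid $node entries: $($bad -join ', ')" }
        $map["$prefix/$node"] = $ranges -join ','
    }
    return $map
}

# Constructed sample: outbound allow for the Windows Time service, domain network only.
New-FirewallRuleCspMap -RuleName 'Allow-W32Time-Out' -Direction Out -Action Allowed `
    -NetworkType Domain -Protocol 17 -ServiceDisplayName 'Windows Time' `
    -RemoteAddressRange '10.0.0.0/8', '192.168.1.10-192.168.1.20'
```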
Next steps
Endpoint security policy for firewalls
Firewall policy settings for tenant attached devices in Microsoft Intune
Article • 02/21/2023
View the Microsoft Windows Defender Firewall settings you can manage with the
Microsoft Defender Firewall (ConfigMgr) (preview) profile from Intune. The profile is
available when you configure Intune Firewall policy, and the policy deploys to devices
you manage with Configuration Manager when you've configured the tenant attach
scenario.
CSP: MdmStore/Global/CRLcheck
CSP: MdmStore/Global/DisableStatefulFtp
Not configured (default)
True - Stateful FTP is disabled
False - The firewall performs stateful File Transfer Protocol (FTP) filtering to
allow secondary connections.
CSP: MdmStore/Global/EnablePacketQueue
Select from the following options to configure scaling for the software on the
receive side for the encrypted receive and clear text forward for the IPsec tunnel
gateway scenario. This ensures the packet order is preserved. By default, no
options are selected.
Disabled
Queue Inbound
Queue Outbound
IPsec Exceptions (Device)
CSP: MdmStore/Global/IPsecExempt
CSP: OpportunisticallyMatchAuthSetPerKM
Not configured (default)
True
False
CSP: MdmStore/Global/PresharedKeyEncoding
Not configured (default)
None
UTF8
CSP: MdmStore/Global/SaIdleTime
Specify a time in seconds between 300 and 3600, for how long the security
associations are kept after network traffic isn't seen.
If you don't specify any value, the system deletes a security association after it's been idle for 300 seconds.
Domain Profile
Enable Domain Network Firewall (Device)
CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
True - The Microsoft Defender Firewall for the network type of domain is turned
on and enforced.
False - Disable the firewall.
When set to True, you can then configure the following settings for this firewall
profile type:
CSP: AllowLocalIpsecPolicyMerge
Not configured (default)
True
False - Connection security rules from the local store are ignored and not
enforced.
CSP: AllowLocalPolicyMerge
Not configured (default)
True
False - Firewall rules from the local store are ignored and not enforced.
CSP: AuthAppsAllowUserPrefMerge
Not configured (default)
True
False
CSP: DefaultInboundAction
Not configured (default)
Allow
Block
CSP: DefaultOutboundAction
Allow
Block
CSP: DisableInboundNotifications
Not configured (default)
True - The firewall won't display a notification to the user when an
application is blocked from listening on a port.
False - The firewall might display a notification to the user when an
application is blocked from listening on a port.
CSP: DisableStealthMode
Not configured (default)
True
False - The server operates in stealth mode. The firewall rules used to enforce
stealth mode are implementation-specific.
Disable Unicast Responses To Multicast Broadcast (Device)
CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default)
True - Unicast response to multicast broadcast traffic is blocked.
False
CSP: GlobalPortsAllowUserPrefMerge
Not configured (default)
True
False - Global port firewall rules in the local store are ignored and not
enforced.
Shielded (Device)
CSP: Shielded
Not configured (default)
True - The server blocks all incoming traffic regardless of other policy
settings.
False
Private Profile
Enable Private Network Firewall (Device)
CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
True - The Microsoft Defender Firewall for the network type of private is turned
on and enforced.
False - Disable the firewall.
When set to True, you can then configure the following settings for this firewall
profile type:
CSP: AllowLocalIpsecPolicyMerge
Not configured (default)
True
False - Connection security rules from the local store are ignored and not
enforced.
CSP: AllowLocalPolicyMerge
Not configured (default)
True
False - Firewall rules from the local store are ignored and not enforced.
CSP: AuthAppsAllowUserPrefMerge
Not configured (default)
True
False
CSP: DefaultInboundAction
Not configured (default)
Allow
Block
CSP: DefaultOutboundAction
Allow
Block
CSP: DisableInboundNotifications
Not configured (default)
True - The firewall won't display a notification to the user when an
application is blocked from listening on a port.
False - The firewall might display a notification to the user when an
application is blocked from listening on a port.
CSP: DisableStealthMode
Not configured (default)
True
False - The server operates in stealth mode. The firewall rules used to enforce
stealth mode are implementation-specific.
CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default)
True - Unicast response to multicast broadcast traffic is blocked.
False
Global Ports Allow User Pref Merge (Device)
CSP: GlobalPortsAllowUserPrefMerge
Not configured (default)
True
False - Global port firewall rules in the local store are ignored and not
enforced.
Shielded (Device)
CSP: Shielded
Not configured (default)
True - The server blocks all incoming traffic regardless of other policy
settings.
False
Public Profile
Enable Public Network Firewall (Device)
CSP: EnableFirewall
Not configured (default) - The client returns to its default, which is to enable the
firewall.
True - The Microsoft Defender Firewall for the network type of public is turned
on and enforced.
False - Disable the firewall.
When set to True, you can then configure the following settings for this firewall
profile type:
CSP: AllowLocalIpsecPolicyMerge
Not configured (default)
True
False - Connection security rules from the local store are ignored and not
enforced.
CSP: AllowLocalPolicyMerge
Not configured (default)
True
False - Firewall rules from the local store are ignored and not enforced.
CSP: AuthAppsAllowUserPrefMerge
Not configured (default)
True
False
CSP: DefaultInboundAction
Not configured (default)
Allow
Block
CSP: DefaultOutboundAction
Allow
Block
CSP: DisableInboundNotifications
Not configured (default)
True - The firewall won't display a notification to the user when an
application is blocked from listening on a port.
False - The firewall might display a notification to the user when an
application is blocked from listening on a port.
CSP: DisableStealthMode
Not configured (default)
True
False - The server operates in stealth mode. The firewall rules used to enforce
stealth mode are implementation-specific.
CSP: DisableUnicastResponsesToMulticastBroadcast
Not configured (default)
True - Unicast response to multicast broadcast traffic is blocked.
False
CSP: GlobalPortsAllowUserPrefMerge
Not configured (default)
True
False - Global port firewall rules in the local store are ignored and not
enforced.
Shielded (Device)
CSP: Shielded
Not configured (default)
True - The server blocks all incoming traffic regardless of other policy
settings.
False
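An added verification script (not from the Intune documentation) that reads each profile with Get-NetFirewallProfile and compares it with the values a policy built from the CSP settings listed above is expected to enforce. The CSP-to-property mapping and the desired values are my own assumptions; Shielded and DisableStealthMode have no direct Get-NetFirewallProfile property and are left out.

```powershell
# Map the CSP names used in this section to Get-NetFirewallProfile properties.
# Invert = $true marks CSPs phrased as "Disable..." whose property is phrased positively.
$CspToProperty = @{
    EnableFirewall                              = @{ Property = 'Enabled';                         Invert = $false }
    DefaultInboundAction                        = @{ Property = 'DefaultInboundAction';            Invert = $false }
    DefaultOutboundAction                       = @{ Property = 'DefaultOutboundAction';           Invert = $false }
    AllowLocalPolicyMerge                       = @{ Property = 'AllowLocalFirewallRules';         Invert = $false }
    AllowLocalIpsecPolicyMerge                  = @{ Property = 'AllowLocalIPsecRules';            Invert = $false }
    AuthAppsAllowUserPrefMerge                  = @{ Property = 'AllowUserApps';                   Invert = $false }
    GlobalPortsAllowUserPrefMerge               = @{ Property = 'AllowUserPorts';                  Invert = $false }
    DisableInboundNotifications                 = @{ Property = 'NotifyOnListen';                  Invert = $true }
    DisableUnicastResponsesToMulticastBroadcast = @{ Property = 'AllowUnicastResponseToMulticast'; Invert = $true }
}

# Constructed sample policy: firewall on, inbound blocked by default, local merges off.
$Desired = @{
    EnableFirewall                              = 'True'
    DefaultInboundAction                        = 'Block'
    DefaultOutboundAction                       = 'Allow'
    AllowLocalPolicyMerge                       = 'False'
    AllowLocalIpsecPolicyMerge                  = 'False'
    AuthAppsAllowUserPrefMerge                  = 'False'
    GlobalPortsAllowUserPrefMerge               = 'False'
    DisableInboundNotifications                 = 'True'
    DisableUnicastResponsesToMulticastBroadcast = 'True'
}

function Test-FirewallProfilePolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Desired,
        [string[]]$ProfileName = @('Domain', 'Private', 'Public')
    )
    foreach ($name in $ProfileName) {
        $actual = Get-NetFirewallProfile -Name $name
        foreach ($csp in $Desired.Keys) {
            $m = $CspToProperty[$csp]
            if (-not $m) { Write-Warning "No property mapping for CSP '$csp'"; continue }
            $want = $Desired[$csp]
            if ($m.Invert) { $want = if ($want -eq 'True') { 'False' } else { 'True' } }
            # Enum values (True/False/NotConfigured, Allow/Block) compare cleanly as strings.
            $got = "$($actual.($m.Property))"
            [pscustomobject]@{
                Profile   = $name
                Csp       = $csp
                Property  = $m.Property
                Expected  = $want
                Actual    = $got
                Compliant = ($got -eq $want)
            }
        }
    }
}

# Show only the settings that drifted from the policy.
Test-FirewallProfilePolicy -Desired $Desired | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

An empty table means every mapped setting matches on all three profiles; a NotConfigured value in the Actual column usually means the policy has not reached the device yet.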
Next steps
Endpoint security policy for firewalls
Endpoint detection and response policy settings for endpoint security in Intune
Article • 02/21/2023
Note
This article details the settings in the Endpoint detection and response profile for
the Windows 10 and later platform for endpoint security Endpoint detection and
response policy. Beginning on April 5, 2022, the Windows 10 and later platform was
replaced by the Windows 10, Windows 11, and Windows Server platform. Although
you can no longer create new instances of the original profile, you can continue to
edit and use your existing profiles. The settings details in this article apply to those
deprecated profiles.
View the settings you can configure in profiles for Endpoint detection and response
policy in the endpoint security node of Intune.
Applies to:
Windows 10
Windows 11
Windows 10 and later: Use this platform for policy you deploy to Windows 10 and
Windows 11 devices managed with Intune.
Profile: Endpoint detection and response (MDM)
Windows 10, Windows 11, and Windows Server (ConfigMgr): Use this platform for
policy you deploy to devices managed by Configuration Manager.
Profile: Endpoint detection and response (ConfigMgr)
Upload a signed configuration package that will be used to onboard the Microsoft
Defender for Endpoint client.
Not configured (default)
Onboarding blob
Offboarding blob
When set to Onboarding blob, you can configure the following settings:
Defender for Endpoint onboarding blob
Click Select onboarding file to open the Select onboarding File pane, where you
specify a .onboarding file.
When set to Offboarding blob, you can configure the following settings:
Defender for Endpoint offboarding blob
Click Select offboarding file to open the Select offboarding File pane, where you
specify a .offboarding file.
Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration
parameter. Sample Sharing sends a file to Microsoft for deep analysis.
Organizations can disable sample sharing on specific devices that are considered
too sensitive.
Not configured (default)
Yes
Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration
parameter.
Not configured (default)
Yes
View the settings you can configure in profiles for Attack surface reduction policy in the
endpoint security node of Intune as part of an Endpoint security policy.
Applies to:
Windows 11
Windows 10
Windows 10 and later - Use this platform for policy you deploy to devices
managed with Intune.
Profile: App and browser isolation
Profile: Application control
Profile: Attack surface reduction rules
Profile: Device control
Profile: Exploit protection
Profile: Web protection (Microsoft Edge Legacy)
Windows 10 and later (ConfigMgr): Use this platform for policy you deploy to
devices managed by Configuration Manager.
Profile: Exploit Protection(ConfigMgr)(preview)
Profile: Web Protection (ConfigMgr)(preview)
Windows 10, Windows 11, and Windows Server: Use this platform for policy you
deploy to devices managed through Security Management for Microsoft Defender
for Endpoint.
Profile: Attack Surface Reduction Rules
Note
This section details the settings in App and browser isolation profiles created
before April 18, 2023. Profiles created after that date use a new settings format as
found in the Settings Catalog. With this change you can no longer create new
versions of the old profile and they are no longer being developed. Although you
can no longer create new instances of the older profile, you can continue to edit
and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the setting's authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
setting's information text, you can use its Learn more link to open that content.
CSP: AllowWindowsDefenderApplicationGuard
Not configured (default) - Microsoft Defender Application Guard isn't
configured for Microsoft Edge or isolated Windows environments.
Enabled for Edge - Application Guard opens unapproved sites in a Hyper-V
virtualized browsing container.
Enabled for isolated Windows environments - Application Guard is turned on
for any applications enabled for App Guard within Windows.
Enabled for Edge AND isolated Windows environments - Application Guard is
configured for both scenarios.
Note
If you are deploying Application Guard for Microsoft Edge via Intune,
Windows network isolation policy must be configured as a prerequisite.
Network isolation may be configured via various profiles, including App and
browser isolation under the Windows network isolation setting.
When set to Enabled for Edge or Enabled for Edge AND isolated Windows
environments, the following settings are available, which apply to Edge:
Clipboard behavior
CSP: ClipboardSettings
Choose what copy and paste actions are allowed from the local PC and an
Application Guard virtual browser.
Not configured (default)
Block copy and paste between PC and browser
Allow copy and paste from browser to PC only
Allow copy and paste from PC to browser only
Allow copy and paste between PC and browser
CSP: BlockNonEnterpriseContent
Not configured (default)
Yes - Block content from unapproved websites from loading.
Collect logs for events that occur within an Application Guard browsing
session
CSP: AuditApplicationGuard
Not configured (default)
Yes - Collect logs for events that occur within an Application Guard virtual
browsing session.
CSP: AllowPersistence
Not configured (default)
Yes - Allow user data that is created during an Application Guard virtual
browsing session to be saved. Examples of user data include passwords,
favorites, and cookies.
CSP: AllowVirtualGPU
Not configured (default)
Yes - Within the Application Guard virtual browsing session, use a virtual
graphics processing unit to load graphics-intensive websites faster.
CSP: SaveFilesToHost
Not configured (default)
Yes - Allow users to download files from the virtualized browser onto the
host operating system.
CSP: AllowCameraMicrophoneRedirection
Not configured (default) - Applications inside Microsoft Defender
Application Guard can't access the camera and microphone on the user’s
device.
Yes - Applications inside Microsoft Defender Application Guard can access
the camera and microphone on the user’s device.
No - Applications inside Microsoft Defender Application Guard can't access
the camera and microphone on the user’s device. This is the same behavior
as Not configured.
Application Guard allow use of Root Certificate Authorities from the user's
device
CSP: CertificateThumbprints
To add thumbprints one at a time, select Add. You can use Import to specify a .CSV
file that contains multiple thumbprint entries that are all added to the profile at the
same time. When you use a .CSV file, each thumbprint must be separated by a
comma. For example:
b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
All entries that are listed in the profile are active. You don't need to select a
checkbox for a thumbprint entry to make it active. Instead, use the checkboxes to
help you manage the entries that have been added to the profile. For example, you
can select the checkbox of one or more certificate thumbprint entries and then
Delete those entries from the profile with a single action.
IP ranges
Expand the dropdown, select Add, and then specify a lower address and then an
upper address.
Cloud resources
Expand the dropdown, select Add, and then specify an IP address or FQDN and
a Proxy.
Network domains
Expand the dropdown, select Add, and then specify Network domains.
Proxy servers
Expand the dropdown, select Add, and then specify Proxy servers.
Expand the dropdown, select Add, and then specify Internal proxy servers.
Neutral resources
Expand the dropdown, select Add, and then specify Neutral resources.
Note
After the profile is created, any devices to which the policy should apply will have
Microsoft Defender Application Guard enabled. Users might have to restart their
devices in order for protection to be in place.
CSP: AppLocker
Not configured (default)
Enforce Components and Store Apps
Audit Components and Store Apps
Enforce Components, Store Apps, and Smartlocker
Audit Components, Store Apps, and Smartlocker
CSP: SmartScreen/PreventOverrideForFilesInShell
Not configured (default) - Users can ignore SmartScreen warnings for files and
malicious apps.
Yes - SmartScreen is enabled and users can't bypass warnings for files or
malicious apps.
CSP: SmartScreen/EnableSmartScreenInShell
Not configured (default) - Return the setting to Windows default, which is to
enable SmartScreen, however users may change this setting. To disable
SmartScreen, use a custom URI.
Yes - Enforce the use of SmartScreen for all users.
Note
This section details the settings in Attack Surface Reduction Rules profiles created
before April 5, 2022. Profiles created after that date use a new settings format as
found in the Settings Catalog. With this change you can no longer create new
versions of the old profile and they are no longer being developed. Although you
can no longer create new instances of the older profile, you can continue to edit
and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the setting's authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
setting's information text, you can use its Learn more link to open that content.
Block persistence through WMI event subscription
This attack surface reduction (ASR) rule is controlled via the following GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file
system, and to gain periodic execution control. Some threats can abuse the WMI
repository and event model to stay hidden.
Not configured (default) - The setting returns to the Windows default, which is
off and persistence isn't blocked.
Block - Persistence through WMI is blocked.
Audit - Evaluate how this rule affects your organization if it's enabled (set to
Block).
Disable - Turn this rule off. Persistence is not blocked.
To learn more about this setting, see Block persistence through WMI event
subscription.
Block credential stealing from the Windows local security authority subsystem
(lsass.exe)
This attack surface reduction (ASR) rule is controlled via the following GUID:
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Not configured (default) - The setting returns to the Windows default, which is
off.
User defined
Enable - Attempts to steal credentials via lsass.exe are blocked.
Audit mode - Users aren't blocked from dangerous domains and Windows
events are raised instead.
Warn - For Windows 10 version 1809 or later and Windows 11, the device user
receives a message that they can bypass Block of the setting. On devices that
run earlier versions of Windows 10, the rule enforces the Enable behavior.
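To confirm how an ASR rule is actually enforced on a device, here is an added example (not part of the Intune documentation): it reads the parallel rule-GUID and action arrays from Get-MpPreference and counts the Defender operational-log events (1121 blocked, 1122 audited) that mention the rule. The GUID passed in is the one listed above for the lsass rule; the action-code table follows Defender's AttackSurfaceReductionRules_Actions values.

```powershell
# Numeric actions stored in AttackSurfaceReductionRules_Actions.
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param(
        [Parameter(Mandatory)][guid]$RuleId,
        [int]$Days = 7   # how far back to look for ASR events
    )
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays; find the index of our rule (string -eq is case-insensitive).
    $action = $null
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq "$RuleId") { $action = [int]$actions[$i]; break }
    }
    $actionName = if ($null -eq $action) { 'Not configured' }
                  elseif ($AsrActionName.ContainsKey($action)) { $AsrActionName[$action] }
                  else { "Unknown ($action)" }

    # ASR events: 1121 = rule blocked an action, 1122 = rule would have blocked (audit).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match "$RuleId" }

    [pscustomobject]@{
        RuleId           = $RuleId
        ConfiguredAction = $actionName
        BlockedEvents    = @($events | Where-Object Id -eq 1121).Count
        AuditedEvents    = @($events | Where-Object Id -eq 1122).Count
        Since            = (Get-Date).AddDays(-$Days)
    }
}

# GUID as listed above for "Block credential stealing from lsass.exe".
Get-AsrRuleState -RuleId '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
```

A rule that reports Audit with a growing AuditedEvents count is the signal to review the affected processes before switching the profile option to Enable.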
Block executable files from running unless they meet a prevalence, age, or
trusted list criteria
CSP: EnableControlledFolderAccess
Not configured (default) - This setting returns to its default, which is that no reads or
writes are blocked.
Enable - For untrusted apps, Defender blocks attempts to modify or delete files
in protected folders, or write to disk sectors. Defender automatically determines
which applications can be trusted. Alternatively, you can define your own list of
trusted applications.
Audit mode - Windows events are raised when untrusted applications access
controlled folders, but no blocks are enforced.
Block disk modification - Only attempts to write to disk sectors are blocked.
Audit disk modification - Windows events are raised instead of blocking
attempts to write to disk sectors.
CSP: ControlledFolderAccessProtectedFolders
Define a list of disk locations that will be protected from untrusted applications.
CSP: ControlledFolderAccessAllowedApplications
CSP: AttackSurfaceReductionOnlyExclusions
Expand the dropdown and then select Add to define a Path to a file or folder to
exclude from your attack surface reduction rules.
Device Control
Note
This section details the settings found in Device control profiles created before May
23, 2022. Profiles created after that date use a new settings format as found in the
Settings Catalog. Although you can no longer create new instances of the original
profile, you can continue to edit and use your existing profiles.
For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the setting's authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
setting's information text, you can use its Learn more link to open that content.
CSP: AllowInstallationOfMatchingDeviceIDs
Not configured (default)
Yes - Specify a list of Plug and Play hardware IDs and compatible IDs for devices
that Windows is prevented from installing. This policy takes precedence over
any other policy setting that allows Windows to install a device. If you enable
this policy setting on a remote desktop server, the policy setting affects
redirection of the specified devices from a remote desktop client to the remote
desktop server.
No
Block list - Use Add, Import, and Export to manage a list of device identifiers.
CSP: AllowInstallationOfMatchingDeviceSetupClasses
Not configured (default)
Yes - Specify a list of device setup class globally unique identifiers (GUIDs) for
device drivers that Windows is prevented from installing. This policy setting
takes precedence over any other policy setting that allows Windows to install a
device. If you enable this policy setting on a remote desktop server, the policy
setting affects redirection of the specified devices from a remote desktop client
to the remote desktop server.
No
Block list - Use Add, Import, and Export to manage a list of device identifiers.
If you enable this policy setting on a remote desktop server, the policy setting
affects redirection of the specified devices from a remote desktop client to the
remote desktop server.
Not configured (default)
Yes - Specify a list of Plug and Play hardware IDs and compatible IDs for devices
that Windows is prevented from installing. This policy takes precedence over
any other policy setting that allows Windows to install a device. If you enable
this policy setting on a remote desktop server, the policy setting affects
redirection of the specified devices from a remote desktop client to the remote
desktop server.
No
Block list - Use Add, Import, and Export to manage a list of device identifiers.
CSP: RemovableDiskDenyWriteAccess
Not configured (default)
Yes - Write access is denied to removable storage.
No - Write access is allowed.
CSP: Defender/AllowFullScanRemovableDriveScanning
Not configured (default) - The setting returns to client default, which scans
removable drives, however the user can disable this scan.
Yes - During a full scan, removable drives (like USB flash drives) are scanned.
CSP: DataProtection/AllowDirectMemoryAccess
This policy setting is only enforced when BitLocker or device encryption is enabled.
Not configured (default)
Yes - Block direct memory access (DMA) for all hot pluggable PCI downstream
ports until a user logs into Windows. After a user logs in, Windows enumerates
the PCI devices connected to the hot plug PCI ports. Every time the user locks
the machine, DMA is blocked on hot plug PCI ports with no children devices
until the user logs in again. Devices that were already enumerated when the
machine was unlocked will continue to function until unplugged.
Enumeration of external devices incompatible with Kernel DMA Protection
CSP: DmaGuard/DeviceEnumerationPolicy
This policy can provide additional security against external DMA capable devices. It
allows for more control over the enumeration of external DMA capable devices
incompatible with DMA Remapping/device memory isolation and sandboxing.
This policy only takes effect when Kernel DMA Protection is supported and
enabled by the system firmware. Kernel DMA Protection is a platform feature that
must be supported by the system at the time of manufacturing. To check if the
system supports Kernel DMA Protection, check the Kernel DMA Protection field in
the Summary page of MSINFO32.exe.
Not configured (default)
Block all
Allow all
CSP: Bluetooth/AllowDiscoverableMode
Not configured (default)
Yes - Block Bluetooth connections to and from the device.
CSP: Bluetooth/AllowDiscoverableMode
Not configured (default)
Yes - Prevents the device from being discoverable by other Bluetooth-enabled
devices.
CSP: Bluetooth/AllowPrepairing
Not configured (default)
Yes - Prevents specific Bluetooth devices from automatically pairing with the
host device.
CSP: Bluetooth/AllowAdvertising
Not configured (default)
Yes - Prevents the device from sending out Bluetooth advertisements.
CSP: Bluetooth/AllowPromptedProximalConnections
Block users from using Swift Pair and other proximity-based scenarios
Not configured (default)
Yes - Prevents a device user from using Swift Pair and other proximity-based
scenarios.
Bluetooth/AllowPromptedProximalConnections CSP
CSP: Bluetooth/ServicesAllowedList.
For more information on the service list, see ServicesAllowedList usage guide
Add - Specify allowed Bluetooth services and profiles as hex strings, such as
{782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
Import - Import a .csv file that contains a list of Bluetooth services and profiles,
as hex strings, such as {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
Removable storage
CSP: Storage/RemovableDiskDenyWriteAccess
Block (default) - Prevent users from using external storage devices, like SD cards
with the device.
Not configured
CSP: Connectivity/AllowUSBConnection
Block - Prevent use of a USB connection between the device and a computer to
sync files, or to use developer tools to deploy or debug applications. USB
charging isn't affected.
Not configured (default)
Exploit protection
Note
This section details the settings you can find in Exploit protection profiles created
before April 5, 2022. Profiles created after that date use a new settings format as
found in the Settings Catalog. With this change you can no longer create new
versions of the old profile and they are no longer being developed. Although you
can no longer create new instances of the older profile, you can continue to edit
and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of
each setting by name. Instead, the name of each setting, its configuration options,
and its explanatory text you see in the Microsoft Intune admin center are taken
directly from the setting's authoritative content. That content can provide more
information about the use of the setting in its proper context. When viewing a
setting's information text, you can use its Learn more link to open that content.
Upload XML
CSP: ExploitProtectionSettings
Enables the IT admin to push out a configuration representing the desired system
and application mitigation options to all the devices in the organization. The
configuration is represented by an XML file. Exploit protection can help protect
devices from malware that use exploits to spread and infect. You use the Windows
Security app or PowerShell to create a set of mitigations (known as a
configuration). You can then export this configuration as an XML file and share it
with multiple machines on your network so they all have the same set of mitigation
settings. You can also convert and import an existing EMET configuration XML file
into an exploit protection configuration XML.
Choose Select XML File, specify the XML file to upload, and then click Select.
Not configured (default)
Yes
CSP: DisallowExploitProtectionOverride
Not configured (default) - Local users can make changes in the exploit
protection settings area.
Yes - Prevent users from making changes to the exploit protection settings area
in the Microsoft Defender Security Center.
CSP: EnableNetworkProtection
Not configured (default) - The setting returns to the Windows default, which is
disabled.
User defined
Enable - Network protection is enabled for all users on the system.
Audit mode - Users aren't blocked from dangerous domains and Windows
events are raised instead.
Require SmartScreen for Microsoft Edge
CSP: Browser/AllowSmartScreen
Yes - Use SmartScreen to protect users from potential phishing scams and
malicious software.
Not configured (default)
CSP: Browser/PreventSmartScreenPromptOverride
Yes - Block users from ignoring the Microsoft Defender SmartScreen Filter
warnings and block them from going to the site.
Not configured (default)
CSP: Browser/PreventSmartScreenPromptOverrideForFiles
Yes - Block users from ignoring the Microsoft Defender SmartScreen Filter
warnings and block them from downloading unverified files.
Not configured (default)
Exploit Protection
Upload XML
CSP: ExploitProtectionSettings
Enables the IT admin to push out a configuration representing the desired system
and application mitigation options to all the devices in the organization. The
configuration is represented by an XML file. Exploit protection can help protect
devices from malware that use exploits to spread and infect. You use the Windows
Security app or PowerShell to create a set of mitigations (known as a
configuration). You can then export this configuration as an XML file and share it
with multiple machines on your network so they all have the same set of mitigation
settings. You can also convert and import an existing EMET configuration XML file
into an exploit protection configuration XML.
Choose Select XML File, specify the XML file to upload, and then click Select.
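The create-and-export step of the procedure described above (both Upload XML settings take the same file), with the ProcessMitigations cmdlets, as an added example rather than code from the documentation: it sets mitigations for one app, exports the configuration to the XML that Upload XML accepts, and summarises the file before it is attached to a profile. It assumes an elevated PowerShell session; the executable, mitigation set and output path are constructed sample values.

```powershell
$OutFile = Join-Path $env:TEMP 'ExploitProtection-Export.xml'

# 1. Define per-app mitigations (constructed sample: Notepad with DEP, SEHOP and ASLR options).
Set-ProcessMitigation -Name 'notepad.exe' -Enable DEP, SEHOP, BottomUp, HighEntropy

# 2. Export the full configuration (system defaults plus per-app entries) to XML.
#    To start from an EMET policy instead, convert it first:
#    ConvertTo-ProcessMitigationPolicy -EMETFilePath .\emet.xml -OutputFilePath $OutFile
Get-ProcessMitigation -RegistryConfigFilePath $OutFile

# 3. Parse the export and list which mitigations each AppConfig entry enables,
#    so the reviewer can sanity-check the file before uploading it to the profile.
function Get-MitigationSummary {
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    # <MitigationPolicy><AppConfig Executable="..."><DEP Enable="true" .../>...</AppConfig>
    $apps = @($xml.MitigationPolicy.AppConfig) | Where-Object { $_ }
    foreach ($app in $apps) {
        $enabled = foreach ($node in $app.ChildNodes) {
            foreach ($attr in $node.Attributes) {
                if ($attr.Value -eq 'true') { "$($node.Name).$($attr.Name)" }
            }
        }
        [pscustomobject]@{
            Executable = $app.Executable
            Enabled    = (@($enabled) -join ', ')
        }
    }
}

Get-MitigationSummary -Path $OutFile | Format-Table -AutoSize
Write-Host "Upload $OutFile via the profile's 'Upload XML' setting."
```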
CSP: DisallowExploitProtectionOverride
Not configured (default)
(Disable) Local users are allowed to make changes in the exploit protection
settings area.
(Enable) Local users cannot make changes to the exploit protection settings
area.
Web Protection
Enable Network Protection (Device)
CSP: EnableNetworkProtection
Not configured (default)
Disabled
Enabled (block mode)
Enabled (audit mode)
CSP: Browser/AllowSmartScreen
Not configured (default)
Block
Allow
CSP: Browser/PreventSmartScreenPromptOverride
Not configured (default)
Disabled
Enabled
CSP: Browser/PreventSmartScreenPromptOverrideForFiles
Not configured (default)
Disabled
Enabled
Next steps
Endpoint security policy for ASR
Account protection policy settings for endpoint security in Intune
Article • 02/23/2023
View the settings you can configure in profiles for Account protection policy in the
endpoint security node of Intune as part of an Endpoint security policy.
Windows 10
Windows 11
Account protection
Block Windows Hello for Business
Windows Hello for Business is an alternative method for signing into Windows by
replacing passwords, Smart Cards, and Virtual Smart Cards.
Not configured (default) - Devices provision Windows Hello for Business.
Disabled - Devices provision Windows Hello for Business.
Enabled - Devices don't provision Windows Hello for Business for any user
Important
Due to how Intune determines the scope and applicability of Windows Hello for
Business policy, the device may log Event ID 454 as a result of applying policy. This
can be safely ignored when policy is being successfully applied (and enforced).
Enable Windows Hello security key as a sign-in credential for all PCs in the tenant.
Not configured (default)
Yes
Turn on credential guard
CSP: DeviceGuard
Next steps
Endpoint security policy for Account protection
List of the settings in the Windows 10/11 MDM security baseline in Intune
Article • 02/23/2023
This article is a reference for the settings that are available in the different versions of
the Windows 10/11 MDM security baseline that you can deploy with Microsoft Intune.
You can use the tabs below to select and view the settings in the current baseline
version and a few older versions that might still be in use.
For each setting you'll find the baseline's default configuration, which is also the
recommended configuration for that setting provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types, like the MDM security and the Defender for Endpoint
baselines, could also set different defaults.
When the Intune UI includes a Learn more link for a setting, you'll find that here as well.
Use that link to view the setting's policy configuration service provider (CSP) or relevant
content that explains the setting's operation.
When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you've created prior to the availability of a new version:
Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:
Change the baseline version for a profile to update a profile to use the latest
version of that baseline.
Above Lock
Voice activate apps from locked screen:
Block display of toast notifications:
App Runtime
Microsoft accounts optional for Microsoft store apps:
Application Management
Block app installations with elevated privileges:
Audit
Audit settings configure the events that are generated for the conditions of the setting.
Auto Play
Auto play default auto run behavior:
BitLocker
BitLocker removable drive policy:
Block write access to removable data-drives not protected by BitLocker:
Browser
Block Password Manager:
Require SmartScreen for Microsoft Edge Legacy:
Connectivity
Configure secure access to UNC paths:
Baseline default: Configure Windows to only allow access to the specified UNC paths
after fulfilling additional security requirements
Hardened UNC path list:
Baseline default: Not configured by default. Manually add one or more hardened
UNC paths.
Block Internet download for web publishing and online ordering wizards:
Credentials Delegation
Remote host delegation of non-exportable credentials:
Credentials UI
Enumerate administrators:
Data Protection
Block direct memory access:
Device Guard
Virtualization based security:
Device Installation
Block hardware device installation by setup classes:
Block list:
Baseline default: Not configured by default. Manually add one or more Identifiers.
Device Lock
Require password:
Required password:
Baseline default: 60
Baseline default: 3
Baseline default: 24
Baseline default: 8
Baseline default: 10
Baseline default: 1
DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection:
Experience
Block Windows Spotlight:
File Explorer
Block data execution prevention:
Firewall
For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols
documentation.
Firewall enabled:
Firewall enabled:
Firewall enabled:
Internet Explorer
Internet Explorer encryption support:
Internet Explorer restricted zone script Active X controls marked safe for scripting:
Internet Explorer internet zone copy and paste via script:
Internet Explorer internet zone drag and drop or copy and paste files:
Internet Explorer internet zone allow only approved domains to use ActiveX controls:
Internet Explorer internet zone allow only approved domains to use tdc ActiveX controls:
Internet Explorer internet zone do not run antimalware against ActiveX controls:
Internet Explorer internet zone drag content from different domains across windows:
Internet Explorer internet zone drag content from different domains within windows:
Internet Explorer internet zone include local path when uploading files to server:
Internet Explorer internet zone initialize and script Active X controls not marked as safe:
Internet Explorer internet zone navigate windows and frames across different domains:
Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode:
Internet Explorer internet zone security warning for potentially unsafe files:
Internet Explorer intranet zone do not run antimalware against Active X controls:
Internet Explorer intranet zone initialize and script Active X controls not marked as safe:
Internet Explorer local machine zone do not run antimalware against Active X controls:
Internet Explorer remove run this time button for outdated Active X controls:
Internet Explorer restricted zone drag and drop or copy and paste files:
Baseline default: Disable
Internet Explorer restricted zone allow only approved domains to use Active X controls:
Internet Explorer restricted zone allow only approved domains to use tdc Active X controls:
Internet Explorer restricted zone drag content from different domains across windows:
Internet Explorer restricted zone drag content from different domains within windows:
Internet Explorer restricted zone include local path when uploading files to server:
Internet Explorer restricted zone initialize and script Active X controls not marked as safe:
Internet Explorer restricted zone navigate windows and frames across different domains:
Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode:
Internet Explorer restricted zone security warning for potentially unsafe files:
Internet Explorer trusted zone do not run antimalware against Active X controls:
Internet Explorer trusted zone initialize and script Active X controls not marked as safe:
Minutes of lock screen inactivity until screen saver activates:
Baseline default: 15
Prevent clients from sending unencrypted passwords to third party SMB servers:
Authentication level:
Minimum session security for NTLM SSP based clients:
Microsoft Defender
Block Adobe Reader from creating child processes:
Enter how often (0-24 hours) to check for security intelligence updates
Baseline default: 4
Scan type
Scan incoming mail messages:
Block credential stealing from the Windows local security authority subsystem (lsass.exe):
Baseline default: Enable
Block untrusted and unsigned processes that run from USB:
MS Security Guide
SMB v1 client driver start configuration:
SMB v1 server:
Digest authentication:
MSS Legacy
Network IPv6 source routing protection level:
Network ignore NetBIOS name release requests except from WINS servers:
Power
Require password on wake while on battery:
Remote Assistance
Remote Assistance solicited:
Remote Management
Block client digest authentication:
Basic authentication:
Unencrypted traffic:
Search
Disable indexing encrypted items:
Smart Screen
Turn on Windows SmartScreen
System
System boot start driver initialization:
Wi-Fi
Block Automatically connecting to Wi-Fi hotspots:
Windows Ink Workspace
Ink Workspace:
Windows PowerShell
PowerShell script block logging:
Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
List of the settings in the Microsoft
Defender for Endpoint security baseline
in Intune
Article • 02/23/2023
This article is a reference for the settings that are available in the different versions of
the Microsoft Defender for Endpoint security baseline that you can deploy with
Microsoft Intune. You can use the tabs below to select and view the settings in the
current baseline version and a few older versions that might still be in use.
For each setting you'll find the baseline's default configuration, which is also the
recommended configuration for that setting provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types, like the MDM security and the Defender for Endpoint
baselines, could also set different defaults.
When the Intune UI includes a Learn more link for a setting, you'll find that here as well.
Use that link to view the setting's policy configuration service provider (CSP) or relevant
content that explains the setting's operation.
When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you've created prior to the availability of a new version:
Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:
Change the baseline version for a profile to update a profile to use the latest
version of that baseline.
The Microsoft Defender for Endpoint baseline is available when your environment meets
the prerequisites for using Microsoft Defender for Endpoint.
This baseline is optimized for physical devices and isn't recommended for use on virtual
machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive
sessions on virtualized environments. For more information, see Increase compliance to
the Microsoft Defender for Endpoint security baseline in the Windows documentation.
Attack surface reduction rules from the following profiles are evaluated for each
device the rules apply to:
Devices > Configuration policy > Endpoint protection profile > Microsoft
Defender Exploit Guard > Attack Surface Reduction
Endpoint security > Attack surface reduction policy > Attack surface reduction
rules
Endpoint security > Security baselines > Microsoft Defender for Endpoint
Baseline > Attack Surface Reduction Rules.
Settings that don't have conflicts are added to a superset of policy for the device.
When two or more policies have conflicting settings, the conflicting settings aren't
added to the combined policy, while settings that don’t conflict are added to the
superset policy that applies to a device.
Only the configurations for conflicting settings are held back.
To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint
documentation.
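To make the merge behaviour above concrete, here is an added model of the superset-with-hold-back rule the article describes; it is illustration code, not Intune's implementation, and the profile names and rule modes it uses are constructed sample data (the rule names are taken from the settings listed on this page).

```python
"""Model of how Intune combines attack surface reduction (ASR) rule settings
from several profiles into one superset policy per device, as described above:
settings that agree are merged, settings that conflict are held back entirely.

Added illustration, not Intune's code. The profile names and modes below are
constructed sample data; only the merge behaviour follows the article's text.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# ASR rule modes as Intune exposes them in the UI (not the CSP's numeric encoding).
MODES = ("Not configured", "Disabled", "Block", "Audit", "Warn")

# Rule names taken from the settings listed on this page.
LSASS = ("Block credential stealing from the Windows local security authority "
         "subsystem (lsass.exe)")
USB = "Block untrusted and unsigned processes that run from USB"
ADOBE = "Block Adobe Reader from creating child processes"


@dataclass
class MergeResult:
    # rule -> mode written to the device's combined policy
    effective: dict[str, str] = field(default_factory=dict)
    # rule -> {profile: mode} for rules held back because the sources disagree
    conflicts: dict[str, dict[str, str]] = field(default_factory=dict)


def merge_asr_profiles(profiles: dict[str, dict[str, str]]) -> MergeResult:
    """Build the superset policy from {profile_name: {rule: mode}}.

    A rule left "Not configured" in a profile takes no part in the merge:
    it can neither set the rule nor create a conflict. Any other mode is a
    configured value, and two configured values that differ are a conflict.
    """
    result = MergeResult()
    by_rule: dict[str, dict[str, str]] = {}
    for profile, rules in profiles.items():
        for rule, mode in rules.items():
            if mode not in MODES:
                raise ValueError(f"{profile}: unknown mode {mode!r} for {rule}")
            if mode == "Not configured":
                continue
            by_rule.setdefault(rule, {})[profile] = mode

    for rule, sources in by_rule.items():
        distinct = set(sources.values())
        if len(distinct) == 1:
            result.effective[rule] = distinct.pop()
        else:
            # Only the conflicting setting is withheld; every other rule from
            # the same profiles still lands in the superset above.
            result.conflicts[rule] = sources
    return result


def describe(result: MergeResult) -> list[str]:
    """Render the merge outcome as report lines, the view an admin wants when
    a device shows a Conflict status for its ASR policy."""
    lines = [f"APPLIED  {rule}: {mode}"
             for rule, mode in sorted(result.effective.items())]
    for rule, sources in sorted(result.conflicts.items()):
        detail = "; ".join(f"{p} -> {m}" for p, m in sorted(sources.items()))
        lines.append(f"HELD BACK  {rule}: {detail}")
    return lines


# Constructed sample: the three profile sources the article names, with the
# Adobe Reader rule deliberately set to different modes in two of them.
SAMPLE_PROFILES = {
    "Endpoint protection profile > Exploit Guard > Attack Surface Reduction": {
        LSASS: "Block", USB: "Block", ADOBE: "Audit",
    },
    "Attack surface reduction policy > Attack surface reduction rules": {
        LSASS: "Block", ADOBE: "Block",
    },
    "Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules": {
        LSASS: "Block", USB: "Not configured",
    },
}


if __name__ == "__main__":
    for line in describe(merge_asr_profiles(SAMPLE_PROFILES)):
        print(line)
```

Running the sample applies the LSASS and USB rules in Block mode and holds back only the Adobe Reader rule, whose Audit and Block values conflict.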
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
BitLocker
BitLocker system drive policy
Startup authentication required
This setting is available when BitLocker fixed drive policy is set to Configure.
BitLocker removable drive policy
Device Guard
Turn on credential guard
Device Installation
Block hardware device installation by setup classes:
Block list
Baseline default: Not configured by default. Manually add one or more setup class
globally unique identifiers.
DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection
Firewall
Stateful File Transfer Protocol (FTP)
Packet queuing
Firewall enabled
Authorized application rules from group policy not merged
Firewall enabled
Firewall enabled
Policy rules from group policy not merged
Microsoft Defender
Turn on real-time protection
Baseline default: 0
Scan type
Turn on cloud-delivered protection
Smart Screen
Block users from ignoring SmartScreen warnings
Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
Microsoft 365 Apps for Enterprise
security baseline settings reference for
Microsoft Intune
Article • 05/24/2023
This article is a reference for the settings that are available in the Microsoft 365 Apps for
Enterprise security baseline for Microsoft Intune and applies to versions of that baseline
that released in May 2023 or later.
The details displayed in this article are based on the baseline version that is selected
at the top of the article. For each selection, this article displays:
When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you’ve created prior to the availability of a new version:
Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.
For more information about the following settings that are included in this baseline,
download the Microsoft Security Compliance Toolkit 1.0 from the Microsoft Download
Center, and review the Microsoft 365 Apps for Enterprise-2206-FINAL.zip file.
Block macros from running in Office files from the Internet (User)
Disable Trust Bar Notification for unsigned application add-ins and block them
(User)
Application Settings > Security > Trust Center > Trusted Locations
Do not show data extraction options when opening corrupt workbooks (User)
Block macros from running in Office files from the Internet (User)
Excel Options > Security > Trust Center > External Content
Always prevent untrusted Microsoft Query files from opening (User)
Don’t allow Dynamic Data Exchange (DDE) server launch in Excel (User)
Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel (User)
Excel Options > Security > Trust Center > File Block Settings
Excel Options > Security > Trust Center > Protected View
Do not open files from the Internet zone in Protected View (User)
Turn off Protected View for attachments opened from Outlook (User)
Excel Options > Security > Trust Center > Trusted Locations
Security Settings
Baseline default: 6
Allow VBA to load typelib references by path from untrusted intranet locations
(User)
Baseline default: ;
Behavior: (User)
Disable additional security checks on VBA library references that may refer to
unsafe locations on the local machine (User)
Encryption type for password protected Office Open XML files (User)
Baseline default: 1
Protect document metadata for rights managed Office Open XML Files (User)
Server Settings
Disable the Office client from polling the SharePoint Server for published links
(User)
Add-on Management
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Information Bar
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Navigate URL
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mspub.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, winproj.exe, winword.exe
Baseline default: True
Processes (Device): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, winproj.exe, winword.exe
Baseline default: True
Baseline default: ;
Do not allow Outlook object model scripts to run for public folders (User)
Use Unicode format when dragging e-mail message to file system (User)
Baseline default: ;
Do not allow Outlook object model scripts to run for shared folders (User)
Block macros from running in Office files from the Internet (User)
PowerPoint Options > Security > Trust Center > File Block Settings
PowerPoint Options > Security > Trust Center > Protected View
Do not open files from the Internet zone in Protected View (User)
Turn off Protected View for attachments opened from Outlook (User)
PowerPoint Options > Security > Trust Center > Trusted Locations
Block macros from running in Office files from the Internet (User)
Visio Options > Security > Trust Center > File Block Settings
Block macros from running in Office files from the Internet (User)
Word Options > Security > Trust Center > File Block Settings
Word Options > Security > Trust Center > Protected View
Do not open files from the Internet zone in Protected View (User)
Turn off Protected View for attachments opened from Outlook (User)
Word Options > Security > Trust Center > Trusted Locations
Administrative Templates
MS Security Guide
Outlook: (Device)
Excel: (Device)
PowerPoint: (Device)
OneNote: (Device)
Publisher: (Device)
Access: (Device)
Visio: (Device)
Project: (Device)
Word: (Device)
This article is a reference for the settings that are available in the Microsoft Edge security
baseline for Microsoft Intune and applies to versions of that baseline that released in
May 2023 or later.
If you use a security baseline for Edge version 85 or earlier, see List of the settings in the
Microsoft Edge security baseline in Intune.
Note
Beginning in May 2023, all new security baseline versions use a new settings format
that replaces previous versions. While the last version instance for a baseline that
uses the older setting format remains available to use, the older format will no
longer receive updates for new settings, or updated default configurations.
The details displayed in this article are based on the baseline version that is selected
at the top of the article. For each selection, this article displays:
When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you’ve created prior to the availability of a new version:
Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Tip
Because the new baseline versions introduced in May 2023 or later exist side-by-side
with the last baseline version from the older format, baselines for the last available
version of that older format remain accessible to use and to edit.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.
Microsoft Edge
Microsoft Edge baseline for May 2023 (Edge version 112)
For more information about the following settings that are included in this baseline,
download the Microsoft Security Compliance Toolkit 1.0 from the Microsoft Download
Center, and review the Microsoft Edge v112 Security Baseline.zip file.
Extensions:
Baseline default: *
HTTP authentication:
Native Messaging:
Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
List of the settings in the Microsoft Edge
security baseline in Intune
Article • 02/23/2023
This article is a reference for the settings that are available in the different versions of
the Microsoft Edge security baseline that you can deploy with Microsoft Intune. You can
use the tabs below to select and view the settings in the current baseline version and a
few older versions that might still be in use.
For each setting you'll find the baseline's default configuration, which is also the
recommended configuration for that setting provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types could also set different defaults.
Although the settings in the Intune UI for this baseline omit Learn more links, this article
includes links to relevant content.
When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you've created prior to the availability of a new version:
Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:
Change the baseline version for a profile to update a profile to use the latest
version of that baseline.
Microsoft Edge
Supported authentication schemes
Baseline default: Enabled
Supported authentication schemes
Baseline defaults: Two items: NTLM and Negotiate
Default Adobe Flash setting
Default Adobe Flash setting
Baseline default: Not configured by default. Manually add one or more Extension
IDs
Microsoft Edge also supports the IsolateOrigins policy, which can isolate additional,
finer-grained origins. Intune doesn't support configuring the IsolateOrigins policy.
This policy is available only on Windows instances that are joined to a Microsoft
Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are
enrolled for device management.
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
This policy is available only on Windows instances that are joined to a Microsoft
Active Directory domain, or on Windows 10/11 Pro or Enterprise instances that are
enrolled for device management.
Allow certificates signed using SHA-1 when issued by local trust anchors
(deprecated)
Next steps
Learn about security baselines
Avoid conflicts
Troubleshoot policies and profiles in Intune
List of the settings in the Windows 365
Cloud PC security baseline in Intune
Article • 02/23/2023
This article is a reference for the settings that are available in the Windows 365 Cloud PC
security baseline that you can deploy with Microsoft Intune.
For each setting you'll find the baseline's default configuration, which is also the
recommended configuration for that setting provided by the relevant security team.
Because products and the security landscape evolve, the recommended defaults in one
baseline version might not match the defaults you find in later versions of the same
baseline. Different baseline types, like the MDM security and the Defender for Endpoint
baselines, could also set different defaults.
When the Intune UI includes a Learn more link for a setting, you'll find that here as well.
Use that link to view the setting's policy configuration service provider (CSP) or relevant
content that explains the setting's operation.
When a new version of a baseline becomes available, it replaces the previous version.
Profile instances that you've created prior to the availability of a new version:
Become read-only. You can continue to use those profiles but can't edit them to
change their configuration.
Can be updated to the latest version. After you update a profile to the current
baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see Use security baselines. In that article
you'll also find information about how to:
Change the baseline version for a profile to update a profile to use the latest
version of that baseline.
Above Lock
Voice activate apps from locked screen:
Block display of toast notifications:
App Runtime
Microsoft accounts optional for Microsoft store apps:
Application management
Block app installations with elevated privileges:
Block credential stealing from the Windows local security authority subsystem (lsass.exe):
Baseline default: Enable
Audit
Audit settings configure the events that are generated for the conditions of the setting.
Auto Play
Auto play default auto run behavior:
Browser
Block Password Manager:
Connectivity
Configure secure access to UNC paths:
Baseline default: Configure Windows to only allow access to the specified UNC paths
after fulfilling additional security requirements
Hardened UNC path list:
Not configured by default. Manually add one or more hardened UNC paths.
Block Internet download for web publishing and online ordering wizards:
Credentials Delegation
Remote host delegation of non-exportable credentials:
Credentials UI
Enumerate administrators:
Device Guard
Virtualization based security:
Device Installation
Block hardware device installation by setup classes
Block list
DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection
System log maximum file size in KB
Experience
Block Windows Spotlight
File Explorer
Block data execution prevention
Firewall
For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols
documentation.
Inbound notifications blocked:
Firewall enabled:
Firewall enabled:
Firewall enabled:
Internet Explorer
View the full list of Internet Explorer CSPs.
Internet Explorer restricted zone script Active X controls marked safe for scripting
Internet Explorer Active X controls in protected mode
Internet Explorer internet zone drag and drop or copy and paste files
Internet Explorer internet zone .NET Framework reliant components
Internet Explorer internet zone allows only approved domains to use ActiveX controls
Internet Explorer internet zone allows only approved domains to use tdc ActiveX controls
Internet Explorer internet zone do not run antimalware against ActiveX controls
Internet Explorer internet zone drag content from different domains across windows
Internet Explorer internet zone drag content from different domains within windows
Internet Explorer internet zone include local path when uploading files to server
Internet Explorer internet zone initialize and script Active X controls not marked as safe
Internet Explorer internet zone logon options
Internet Explorer internet zone navigate windows and frames across different domains
Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode
Internet Explorer internet zone security warning for potentially unsafe files
Internet Explorer intranet zone do not run antimalware against Active X controls
Internet Explorer intranet zone initialize and script Active X controls not marked as safe
Internet Explorer local machine zone do not run antimalware against Active X controls
Internet Explorer locked down internet zone smart screen
Internet Explorer remove run this time button for outdated Active X controls
Internet Explorer restricted zone drag and drop or copy and paste files
Internet Explorer restricted zone .NET Framework reliant components
Learn more
Internet Explorer restricted zone allows only approved domains to use Active X
controls
Learn more
Internet Explorer restricted zone allows only approved domains to use tdc Active
X controls
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Internet Explorer restricted zone drag content from different domains across
windows
Learn more
Internet Explorer restricted zone drag content from different domains within
windows
Learn more
Internet Explorer restricted zone include local path when uploading files to
server
Learn more
Internet Explorer restricted zone initialize and script Active X controls not
marked as safe
Learn more
Learn more
Learn more
Internet Explorer restricted zone logon options
Learn more
Internet Explorer restricted zone navigate windows and frames across different
domains
Learn more
Learn more
Internet Explorer restricted zone run .NET Framework reliant components signed
with Authenticode
Learn more
Learn more
Internet Explorer restricted zone security warning for potentially unsafe files
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Learn more
Internet Explorer trusted zone do not run antimalware against Active X controls
Learn more
Internet Explorer trusted zone initialize and script Active X controls not marked
as safe
Learn more
Learn more
Learn more
Learn more
Baseline default: 15
Prevent clients from sending unencrypted passwords to third party SMB servers
Require server digitally signing communications always
Authentication level
Microsoft Defender
Turn on real-time protection
Baseline default: 50
Scan type
Baseline default: Not configured by default. Manually add one or more entries.
Baseline default: Not configured by default. Manually add one or more entries.
Baseline default: Not configured by default. Manually add one or more entries.
Microsoft Edge
Control which extensions cannot be installed
Baseline default: Not configured by default. Manually add one or more IDs.
MS Security Guide
SMB v1 client driver start configuration
Apply UAC restrictions to local accounts on network logon
SMB v1 server
Digest authentication
MSS Legacy
Network IPv6 source routing protection level
Network ignore NetBIOS name release requests except from WINS servers
Remote Assistance
Remote Assistance solicited
Baseline default: Disable Remote Assistance
Remote Management
Block client digest authentication
Basic authentication
Unencrypted traffic
Remote Procedure Call
RPC unauthenticated client options
Search
Disable indexing encrypted items
Smart Screen
Turn on Windows SmartScreen
System
System boot start driver initialization
Windows PowerShell
PowerShell script block logging
Windows Security
Enable tamper protection to prevent Microsoft Defender being disabled
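The list above is what the baseline pushes; the check a practitioner wants next is whether each setting actually landed on a device. The following PowerShell is an added example, not code from the Intune documentation, that reads back the local state behind many of the settings in this section: the hardened UNC paths under Connectivity, the firewall profiles, the SMB signing and plaintext-password options, the MS Security Guide and MSS Legacy items, Remote Assistance, WinRM (Remote Management), SmartScreen, boot-start driver initialization, PowerShell script block logging, and Defender real-time and tamper protection. The registry paths, WSMan paths and expected values are my mapping of each setting to its local policy location, not values taken from this page, so verify them against your own baseline before treating a MISMATCH as a finding.

```powershell
# Added example (not from the Intune documentation): read back the local state
# behind several baseline settings so you can confirm the baseline applied.
# The paths and expected values below are the author's assumed mapping of each
# setting to its local policy location. Run from an elevated PowerShell prompt.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (setting not applied).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Each check: a label, how to read the current value, and the value the baseline expects.
$checks = @(
    @{ Label = 'Apply UAC restrictions to local accounts on network logon'
       Read  = { Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy' }
       Expect = 0 }      # 0 = remote logons by local admin accounts get a filtered token
    @{ Label = 'SMB v1 client driver start configuration'
       Read  = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' 'Start' }
       Expect = 4 }      # 4 = driver disabled
    @{ Label = 'SMB v1 server'
       Read  = { (Get-SmbServerConfiguration).EnableSMB1Protocol }
       Expect = $false }
    @{ Label = 'Digest (WDigest) authentication'
       Read  = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' }
       Expect = 0 }      # 0 = plaintext credentials are not kept in LSASS
    @{ Label = 'Prevent clients from sending unencrypted passwords to third party SMB servers'
       Read  = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'EnablePlainTextPassword' }
       Expect = 0 }
    @{ Label = 'Require server digitally signing communications always'
       Read  = { (Get-SmbServerConfiguration).RequireSecuritySignature }
       Expect = $true }
    @{ Label = 'Network IPv6 source routing protection level'
       Read  = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisableIpSourceRouting' }
       Expect = 2 }      # 2 = highest protection, source-routed packets are dropped
    @{ Label = 'Ignore NetBIOS name release requests except from WINS servers'
       Read  = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters' 'NoNameReleaseOnDemand' }
       Expect = 1 }
    @{ Label = 'Remote Assistance solicited'
       Read  = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp' }
       Expect = 0 }
    @{ Label = 'WinRM client digest authentication'
       Read  = { (Get-Item 'WSMan:\localhost\Client\Auth\Digest').Value }
       Expect = 'false' }
    @{ Label = 'WinRM service basic authentication'
       Read  = { (Get-Item 'WSMan:\localhost\Service\Auth\Basic').Value }
       Expect = 'false' }
    @{ Label = 'WinRM service unencrypted traffic'
       Read  = { (Get-Item 'WSMan:\localhost\Service\AllowUnencrypted').Value }
       Expect = 'false' }
    @{ Label = 'Turn on Windows SmartScreen'
       Read  = { Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen' }
       Expect = 1 }
    @{ Label = 'System boot start driver initialization'
       Read  = { Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 'DriverLoadPolicy' }
       Expect = 3 }      # 3 = Good, unknown and bad but critical
    @{ Label = 'PowerShell script block logging'
       Read  = { Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging' }
       Expect = 1 }
    @{ Label = 'Defender real-time protection'
       Read  = { -not (Get-MpPreference).DisableRealtimeMonitoring }
       Expect = $true }
    @{ Label = 'Defender tamper protection'
       Read  = { (Get-MpComputerStatus).IsTamperProtected }
       Expect = $true }
)

foreach ($c in $checks) {
    $actual = try { & $c.Read } catch { "error: $($_.Exception.Message)" }
    $state  = if ($null -eq $actual) { 'NOT SET' }
              elseif ("$actual" -eq "$($c.Expect)") { 'OK' }
              else { 'MISMATCH' }
    [pscustomobject]@{ State = $state; Setting = $c.Label; Actual = $actual; Expected = $c.Expect }
}

# Hardened UNC paths are a list, not a single value: print whatever is configured.
$hardened = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
if (Test-Path $hardened) {
    $key = Get-Item $hardened
    $key.GetValueNames() | ForEach-Object {
        [pscustomobject]@{ Path = $_; Requirements = $key.GetValue($_) }
    }
} else { 'Hardened UNC path list: NOT SET' }

# Firewall profiles: enabled state, default inbound action and notification state, one row per profile type.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, NotifyOnListen
```

A NOT SET result usually means the policy never reached the device (check the device's policy report in the admin center) rather than a drift, while a MISMATCH on a setting you did not change in the baseline is worth treating as tampering or a conflicting policy.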
Reference for Microsoft Tunnel Gateway
Article • 02/21/2023
The information in this reference for Microsoft Tunnel Gateway is provided to support
installation and maintenance of the tunnel installation in your environment.
Command-line interface (mst-cli):
Commands:
  agent - Operate on the agent component.
    Commands:
      logs - Show the agent logs (-h for more information).
        --tail uint - Output the specified number of LINES at the end of the logs. Defaults to zero (0), which prints all lines.
        -t, --timestamps - Output the timestamps in the log.
      status - Show the agent status.
        mst-cli agent status - The following returns are examples of results you might see:
          State: running
          Health: healthy
      stop - Stops the agent. The agent must be started manually after it is stopped (mst-cli agent stop).
  server - Operate on the server component.
    Commands:
      logs - Show the server logs. Use -h for more information.
        Flags:
        -f, --follow - Follow log output. The default is false.
        --since string - Show logs since TIMESTAMP.
        --tail uint - Output the specified number of LINES at the end of the logs. Defaults to zero (0), which prints all lines.
        -t, --timestamps - Output the timestamps in the log.
      status - Show the server status.
        mst-cli server status - The following returns are examples of results you might see:
          State: running
          Health: healthy
      show ip ban points - Prints all the known IP addresses that have ban points.
      show iroutes - Prints the routes provided by users of the server.
Environment variables
Following are environment variables you might want to configure when you install the
Microsoft Tunnel Gateway software on the Linux server. These variables are found in the
environment file /etc/mstunnel/env.sh:
Data Paths
Path/File | Description | Permissions
/…/mstunnel/admin-settings.json | Contains the settings for the server install. This file is managed by Intune and shouldn't be edited manually. |
/…/mstunnel/certs | The directory where the TLS certificate is stored. | Owner root, Group mstunnel
/…/mstunnel/private | The directory where the Intune Agent certificate and the TLS private key are stored. | Owner root, Group mstunnel
admin-settings.json: Contains the serialized server configuration from Intune. Created after the server has enrolled.
agent-info.json: Created when the enrollment is complete. Contains AgentId, IntuneTenantId, AADTenantId, and the agent certificate RenewalDate. Updated on agent certificate renewal.
private/agent.p12: PFX certificate used for agent authentication to Intune. Automatically renewed.
version-info.json: Contains version information for the various components: ConfigVersion, DockerVersion, AgentImageHash, AgentCreateDate, ServerImageHash, ServerCreateDate.
ocserv.conf: Server configuration.
Images_configured: agentImageDigest, serverImageDigest.
Example of admin-settings.json
JSON
{
  "Network": "169.100.0.0/16",
  "DNSServers": ["168.63.129.16"],
  "DefaultDomainSuffix": "nmqjwlanybmubp4imht0k2b4qd.xx.internal.cloudapp.net",
  "RoutesInclude": ["default"],
  "RoutesExclude": [],
  "ListenPort": 443
}
Setting | Description
PolicyName | The name of the settings policy. You can choose the name.
DisplayName | The short display name. You can choose the name.
Description | The description of the policy. You can choose the description.
Network | The network with mask that will be used to assign clients virtual addresses. This doesn't need to change unless you have a conflict. This setting will support 64,000 clients.
DNSServers | The list of DNS servers that the client should use. These servers can resolve the addresses of internal resources.
DefaultDomainSuffix | The domain suffix that a client appends to the host name when trying to resolve resources.
RoutesInclude | The list of routes that will be routed via the VPN. The default is all routes.
ListenPort | The port that the VPN server will receive traffic on.
Docker commands
The following are common commands for Docker that can be of use if you must investigate problems on a tunnel server.
Note
Most Linux distributions use Docker. However, some, like Red Hat Enterprise Linux (RHEL) 8.4, do not support Docker. Instead, these distributions use Podman. See Linux servers in the prerequisites for more details about supported distributions and the Docker or Podman requirements of each.
The references and command lines that are written for Docker can be used with Podman by replacing docker with podman.
Command-line interface:
To restart Docker:
systemctl restart docker
Podman commands
The following are commands for Podman that can be of use if you must investigate
problems on a tunnel server. For additional commands you can use with Podman, see
Docker commands.
sudo podman stats - Display container CPU utilization, MEM usage, Network and
Block IO.
sudo podman port mstunnel-server - List the port mappings from tunnel-server to
the local Linux host.
Linux commands
The following are common Linux commands you might use with a tunnel server.
sudo su - Makes you root on the box. Use this command before running commands that require root.
cd /etc/test/stuff - Changes directory, in this example from the root directory to the etc subfolder, then to the test subfolder, and then to the stuff folder.
cp <source> <destination> - Useful for copying the certs to the right location.
Create a config file that loads ip_tables into the kernel when the server boots (requires root):
echo ip_tables > /etc/modules-load.d/mstunnel_iptables.conf
When you use Intune policies for Update rings, you're configuring the Windows settings
that manage how and when devices will install Windows updates. If a Windows update
setting has a Windows 10 or Windows 11 version dependency, the version dependency
is noted in the settings details.
Following are the Windows Update settings for Windows 10 and Windows 11 Updates
that you can manage with update rings with Microsoft Intune.
Update settings
Update settings control what bits a device will download, and when. For more
information about the behavior of each setting, see the Windows reference
documentation.
Windows drivers
Default: Allow
Windows Update CSP: Update/ExcludeWUDriversInQualityUpdate
Allow - Select Allow to include Windows Update drivers during updates (CSP value 0).
Block - Select Block to prevent scanning for drivers (CSP value 1).
Specify the number of days from 0 to 30 for which Quality Updates are deferred.
This period is in addition to any deferral period that is part of the service channel
you select. The deferral period begins when Microsoft releases the update.
Quality Updates are typically fixes and improvements to existing Windows
functionality.
Specify the number of days for which Feature Updates are deferred. This period is
in addition to any deferral period that is part of the service channel you select. The
deferral period begins when Microsoft releases the update.
When set to Yes, eligible Windows 10 devices will upgrade to the most current Windows 11 release. For more information on eligibility, see Windows 11 Specs and System Requirements.
After this period expires, the previous update bits are removed from the device,
and it can no longer uninstall to a previous update version.
For example, consider an update ring with a feature update uninstall period of 20
days. After 25 days, you decide to roll back the latest feature update and use the
Uninstall option. Devices that installed the feature update over 20 days ago can't
uninstall it as they've removed the necessary bits as part of their maintenance.
However, devices that only installed the feature update up to 19 days ago can
uninstall the update if they successfully check in to receive the uninstall command
before exceeding the 20-day uninstall period.
When configuring Update ring settings, you can choose to enable pre-release builds (the Enable pre-release builds setting). Devices that receive this setting as Enabled will move to the pre-release build you specify, and will also reboot. When enabled, specify one of the following pre-release builds:
Windows Insider - Release Preview (default)
Beta Channel
Dev Channel
Choose how automatic updates are installed and, if necessary, when to restart the
device.
Supported options:
Notify download - Notify the user before downloading the update. Users
choose to download and install updates.
Important
If the user takes no action, the update will not install until the deadline you
have configured is reached.
This option can restart a device automatically after the update installs. Use the
Active hours settings to define a period during which the automatic restarts are
blocked:
Active hours start - Specify a start time for suppressing restarts due to
update installations.
Default: 8 AM
Windows Update CSP: Update/ActiveHoursStart
Active hours end - Specify an end time for suppressing reboots due to
update installations.
Default: 5 PM
Windows Update CSP: Update/ActiveHoursEnd
This option can restart a device automatically after the update installs. The Active hours settings aren't described in the Windows Update settings, but Intune uses them to define a period during which the automatic restarts are blocked:
Active hours start - Specify a start time for suppressing restarts due to
update installations.
Default: 8 AM
Windows Update CSP: Update/ActiveHoursStart
Active hours end - Specify an end time for suppressing reboots due to
update installations.
Default: 5 PM
Windows Update CSP: Update/ActiveHoursEnd
Auto install and restart at scheduled time - Specify an installation day and
time. If unspecified, installation runs at 3 AM daily, followed by a 15-minute
countdown to a restart. Logged on users can delay countdown and restart.
Windows Update CSP: Update/AllowAutoUpdate
When set to Auto install and restart at scheduled time, you can configure the
following settings:
Scheduled install day - Specify on which day of the week you want updates
to install.
Default: Any Day
Scheduled install time - Specify the time of day when you want updates to
install.
Default: 3 AM
Important
The device might not complete the installation at the specified time
because of power policies, user absence, and so on. In this case, it will
not attempt installation until the specified time occurs again or until a
deadline you have specified is reached.
Reset to default - Restore the original auto update settings on machines that
run the Windows 10 October 2018 Update or later, and that run Windows 11.
When you reset to default, Windows will automatically determine active hours
for the device. Using the active hours, Windows then schedules the best time to
install updates and restart the system after updates install.
Restart checks
Default: Allow
Windows Update CSP: Update/SetEDURestart
Allow - Perform restart checks: Battery level = 40%, User presence, Display
Needed, Presentation mode, Full screen mode, phone call state, game mode
etc.
Skip - Will restrict updates to download and install outside of Active Hours.
Updates will be allowed to start even if there is a signed-in user or the device is
on battery power, providing there is more than 70% battery capacity. Windows
will schedule the device to wake from sleep 1 hour after the Active Hours End
time with a 60-minute random delay. Devices will reboot immediately after the
updates are installed. If there are still pending updates, the device will continue
to retry every hour for 4 hours.
This option is designed for education devices that remain in carts overnight that
are left in sleep mode. It is not designed for 1:1 devices.
Option to pause Windows updates
Default: Enable
Windows Update CSP: Update/SetDisablePauseUXAccess
Enable - Allow device users to pause the installation of an update for a certain
number of days.
Disable - Prevent device users from pausing the installation of an update.
Specify what level of Windows Update notifications users see. This setting doesn't
control how and when updates are downloaded and installed.
Supported options:
Not configured
Use the default Windows Update notifications
Turn off all notifications, excluding restart warnings
Turn off all notifications, including restart warnings
When set to Allow, you can configure the following settings for deadlines:
Deadline for feature updates - Specifies the number of days a user has before feature updates are installed on their devices automatically (2-30).
Deadline for quality updates - Specifies the number of days a user has before quality updates are installed on their devices automatically (2-30).
Grace period
Default: Not configured
Windows Update CSP: Update/ConfigureDeadlineGracePeriod
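The settings above are delivered as Update CSP nodes that the ring writes to the device. As an added example, not code from the Intune documentation, the following PowerShell reads those nodes back from a managed Windows 10/11 device and decodes them into the option names used above, including whether the current time falls inside the active-hours window (which can wrap past midnight, for example 22:00 to 06:00). The registry location (the MDM policy store under PolicyManager) and the numeric mappings are my assumptions; verify them against the Update CSP reference for your build before relying on the output.

```powershell
# Added example (not from the Intune documentation): decode the Update CSP values
# an update ring has written to a managed device, and work out whether an
# automatic restart would be suppressed right now. The registry path and the
# code-to-option mappings below are the author's assumptions.

$updatePolicy = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-UpdatePolicyValue {
    param([string]$Name)
    # Returns $null when the ring has not set this node.
    try { (Get-ItemProperty -Path $updatePolicy -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Update/AllowAutoUpdate values as documented in the Update CSP (assumed mapping).
$autoUpdateModes = @{
    0 = 'Notify download'
    1 = 'Auto install at maintenance time'
    2 = 'Auto install and restart at maintenance time'
    3 = 'Auto install and restart at scheduled time'
    4 = 'Auto install and restart without end-user control'
    5 = 'Turn off automatic updates'
}

function Test-InActiveHours {
    # Active hours are whole hours (0-23) and may wrap past midnight, e.g. 22 to 6.
    # Restarts are suppressed while the current hour is inside [Start, End).
    param([int]$Start, [int]$End, [int]$Hour = (Get-Date).Hour)
    if ($Start -eq $End) { return $false }               # zero-length window
    if ($Start -lt $End) { return ($Hour -ge $Start -and $Hour -lt $End) }
    return ($Hour -ge $Start -or $Hour -lt $End)          # window wraps midnight
}

function Get-UpdateRingSummary {
    $mode  = Get-UpdatePolicyValue 'AllowAutoUpdate'
    $start = Get-UpdatePolicyValue 'ActiveHoursStart'
    $end   = Get-UpdatePolicyValue 'ActiveHoursEnd'
    if ($null -eq $start) { $start = 8 }    # Intune defaults shown above: 8 AM to 5 PM
    if ($null -eq $end)   { $end   = 17 }

    [pscustomobject]@{
        AutomaticUpdateBehavior   = if ($null -ne $mode) { $autoUpdateModes[[int]$mode] } else { 'Not configured' }
        ActiveHours               = '{0:00}:00-{1:00}:00' -f $start, $end
        RestartSuppressedNow      = Test-InActiveHours -Start $start -End $end
        QualityDeferralDays       = Get-UpdatePolicyValue 'DeferQualityUpdatesPeriodInDays'
        FeatureDeferralDays       = Get-UpdatePolicyValue 'DeferFeatureUpdatesPeriodInDays'
        DriversExcluded           = (Get-UpdatePolicyValue 'ExcludeWUDriversInQualityUpdate') -eq 1
        RestartChecksSkipped      = (Get-UpdatePolicyValue 'SetEDURestart') -eq 1
        UserPauseBlocked          = (Get-UpdatePolicyValue 'SetDisablePauseUXAccess') -eq 1
        FeatureUpdateDeadlineDays = Get-UpdatePolicyValue 'ConfigureDeadlineForFeatureUpdates'
        QualityUpdateDeadlineDays = Get-UpdatePolicyValue 'ConfigureDeadlineForQualityUpdates'
        DeadlineGraceDays         = Get-UpdatePolicyValue 'ConfigureDeadlineGracePeriod'
    }
}

Get-UpdateRingSummary | Format-List
```

Test-InActiveHours is split out so the wrap-around case can be checked in isolation (for example Test-InActiveHours -Start 22 -End 6 -Hour 2 is true, -Hour 12 is false); a ring whose active hours span midnight is the case most often mis-read when someone eyeballs the raw registry values.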
The following table lists the Intune Update Agent error codes. If you can't find a specific error code in this table, see the Windows Update error code list.
Error code | Symbolic name | More information
0x80cf0008 | OM_E_ITEMNOTFOUND | The key for the queried item could not be found.
0x80cf0036 | OM_E_INVALID_OPERATION | The object's current state did not allow the operation.
0x80cf0439 | OM_E_PT_INVALID_FORMAT | The data received does not meet the data contract expectations.
0x80cf4015 | OM_E_PT_REFRESH_CACHE_REQUIRED | The reply from the server indicates that the server was changed or the cookie was invalid. Refresh the internal cache and retry.
Important
Beginning on July 29, 2021, the Certificate Connector for Microsoft Intune replaces the use of PFX Certificate Connector for Microsoft Intune and Microsoft Intune Connector. The new connector includes the functionality of both previous connectors. Support for the previous connectors that are described in this article ended on 9/22/2021 with the release of version 6.2109.51.0 of the Certificate Connector for Microsoft Intune.
If you need to install a new certificate connector, or reinstall a connector, install the newer Certificate Connector for Microsoft Intune. For more information, see Certificate Connector for Microsoft Intune.
To support the use of certificates for authentication and the signing and encryption of
email using S/MIME, Intune requires the use of a certificate connector. A certificate
connector is software you install on an on-premises server. The connector enables
cloud-managed devices to provision certificates from on-premises infrastructure, like an
issuing Certificate Authority.
Available connectors
There are two certificate connectors for Intune. Each has its own uses and requirements.
Tip
Prior to the August update for this connector (version 6.2008.60.607), PKCS #12 certificate requests were handled by the Intune Certificate Connector. With the August update, the functionality for all PKCS certificate requests was consolidated in the PFX Certificate Connector, which supports auto-update of the connector to new versions, and requires use of .NET Framework version 4.7.2.
This connector also supports the following three platforms, which aren't supported through the Microsoft Intune Connector:
Android Enterprise – Fully Managed
Android Enterprise – Dedicated
Android Enterprise – Corporate-Owned Work Profile
The functionality of the Microsoft Intune Connector isn't deprecated and you can continue to use it with PKCS certificate profiles for some platforms. However, if you do not use SCEP or otherwise require use of NDES, you can switch to the PFX Certificate Connector and remove NDES from your servers.
Supports multiple instances of this connector for each Intune tenant. Each instance
of the connector must install on a Windows Server and have access to the private
key used to encrypt the passwords of the uploaded PFX files.
Note
All connectors need to have the same permissions and be able to connect
with all the certification authorities defined later in the PKCS profiles.
Any instance of this connector can retrieve pending PKCS requests from the
Intune Service queue, as such it's not possible to define which connector
handles each request.
Can install on the same server that hosts an instance of the Microsoft Intune
Connector.
Supports up to 100 instances of this connector per tenant, with each instance on a
separate Windows server. When you use multiple connectors:
All instances of the PFX Certificate Connector in your environment should be at
the same version.
Your infrastructure supports redundancy and load balancing, as any available
connector instance can process your certificate requests.
Supports automatic updates to new versions. To automatically install new versions,
the computer that hosts the connector must contact autoupdate.msappproxy.net
on port 443. If the connector fails to automatically update, you can manually
update the connector.
For more information, see Network endpoints for Microsoft Intune, and Intune
network configuration requirements and bandwidth.
For installation guidance for this connector, see Download, install, and configure the PFX Certificate Connector.
When you use SCEP with a Microsoft CA, you must also configure the Network Device
Enrollment Service (NDES). For that reason, this connector is often referred to as the
NDES Certificate Connector.
If you use a third-party Certification Authority, you don’t need to use this connector and
NDES isn’t required.
Can be used to issue PKCS certificates to most device platforms, but not all. This
connector doesn't support issuing of PKCS certificates to:
Android Enterprise – Fully Managed
Android Enterprise – Dedicated
Android Enterprise – Corporate-Owned Work Profile
To support those platforms, use the PFX Certificate Connector, which supports
issuing PKCS certificates to all device platforms. If you don’t use SCEP, you can
then uninstall this connector, and use only the PFX Certificate Connector.
Note
With PKCS, all connectors need to have the same permissions and be able to
connect with all the certification authorities defined later in the PKCS profiles.
Any instance of this connector can retrieve pending PKCS requests from the
Intune Service queue, as such it's not possible to define which connector
handles each request.
Installs on a Windows server, which can also host an instance of the PFX Certificate
Connector.
Supports up to 100 instances of this connector per tenant, with each instance on a
separate Windows server. When you use multiple connectors:
All instances of the Microsoft Intune Connector in your environment should be at
the same version.
Your infrastructure supports redundancy and load balancing, as any available
connector instance can process your certificate requests.
Requires a manual update to install the new version of the connector. Manual
update requires you to uninstall the current connector, and then install the new
version of the connector. Additional actions shouldn't be required.
Supports Federal Information Processing Standard (FIPS) mode. FIPS isn't required.
When FIPS is enabled, you can issue and revoke certificates.
For more information, see Network endpoints for Microsoft Intune, and Intune
network configuration requirements and bandwidth.
For more information about NDES, see Network Device Enrollment Service
Guidance.
Connector Lifecycle
Important
Beginning on July 29, 2021, the Certificate Connector for Microsoft Intune
replaces the use of PFX Certificate Connector for Microsoft Intune and Microsoft
Intune Connector. The new connector includes the functionality of both previous
connectors.
When a new version releases, support for the previous version is deprecated with a
limited grace period for its continued use. After the grace period expires, support for
that deprecated version ends, and it can stop functioning at any time. The grace period
is six months.
Plan to update a connector to the latest version at the first opportunity. Each connector
has a different update path:
PFX Certificate Connector for Microsoft Intune - Supports automatic updates.
Microsoft Intune Connector - Requires manual update.
Automatic update
When supported by the connector type and your environment, Intune can automatically
update the connector to the latest version shortly after that connector version is
released.
To update automatically, the server that hosts the connector must access the Azure
update service:
Port: 443
Endpoint: autoupdate.msappproxy.net
Manual update
The process to manually update a certificate connector is the same for reinstalling a
connector.
You can manually update a certificate connector even when it supports automatic
updates. For example, you can manually update the connector when your network
configuration blocks an automatic update.
1. Uninstall the current version of the connector.
2. To install the new version, use the procedure to install a new version of the connector. Be sure to check for any new or updated prerequisites when installing a newer version of a connector.
Connector status
In the Microsoft Intune admin center, you can select a certificate connector to view
information about its status:
Deprecated connectors will show with a Warning. After the six-month grace
period, the warning changes to an Error.
Connectors that are beyond the grace period show an Error. These connectors are
no longer supported and can stop working at any time.
Logging
The following logging details are available beginning with connector version 6.2101.13.0.
Logs for the PFX Certificate Connector are available as Event logs on the server where the connector is installed:
Event Viewer > Application and Service Logs > Microsoft > Intune > Certificate Connectors
The following logs are available and default to 50 MB, with automatic archiving enabled:
Admin Log - This log contains one log event per request to the connector. Events include either a success with information about the request, or an error with information about the request and the error.
Operational Log - This log contains more information than is found in the Admin log, and can be of use in debugging issues. It records the ongoing operations of the PFX Certificate Connector rather than a single event per request.
Event IDs
All events have one of the following IDs:
PKCS
Admin
PkcsRequestSuccess - Successfully fulfilled and uploaded a PKCS Request to
Intune.
PkcsRequestFailure - Failed to fulfill or upload a PKCS Request to Intune.
Operational
PkcsDownloadSuccess - Successfully downloaded PKCS requests from Intune
PkcsDownloadFailure - A failure occurred when downloading PKCS requests
from Intune
PkcsDownloadedRequest - Details of a single downloaded request from Intune
PkcsIssuedSuccess - Issued a certificate for a request
PkcsIssuedFailedAttempt - A failure occurred while issuing a certificate for a
request
PkcsIssuedFailure - Failed to issue a certificate for a Request
PkcsUploadSuccess - Details of successful request that was uploaded to Intune
PkcsUploadFailure - A failure occurred when uploading requests to Intune
PkcsUploadedRequest - Details of an uploaded request to Intune
PKCS Import
Admin
PkcsImportRequestSuccess - Successfully downloaded PKCS Import requests
from Intune
PkcsImportRequestFailure - A failure occurred when downloading PKCS Import
requests from Intune
Operational
PkcsImportDownloadSuccess - Successfully downloaded PKCS Import requests
from Intune
PkcsImportDownloadFailure - A failure occurred when downloading PKCS
Import requests from Intune
PkcsImportDownloadedRequest - Details of a single downloaded request from
Intune
PkcsImportReencryptSuccess - Re-encrypted an imported certificate
PkcsImportReencryptFailedAttempt - A failure occurred while re-encrypting an
imported certificate
PkcsImportReencryptFailure - Failed to re-encrypt an imported certificate
PkcsImportUploadFailure - A failure occurred when uploading requests to Intune
PkcsImportUploadedRequest - Details of an uploaded request to Intune
Revocation
Admin
RevokeRequestSuccess - Successfully downloaded Revocation requests from
Intune
RevokeRequestFailure - A failure occurred when downloading Revocation
requests from Intune
Operational
RevokeDownloadSuccess - Successfully downloaded Revocation requests from
Intune
RevokeDownloadFailure - A failure occurred when downloading Revocation
requests from Intune
RevokeDownloadedRequest - Details of a single downloaded request from Intune
RevokeSuccess - Successfully revoked certificate
RevokeFailure - A failure occurred while revoking a certificate
RevokeFailedAttempt - Failed to revoke a certificate
RevokeUploadSuccess - Details of successful request that was uploaded to
Intune
RevokeUploadFailure - A failure occurred when uploading requests to Intune
RevokeUploadedRequest - Details of an uploaded request to Intune
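The event names above are what you grep for when certificates stop arriving on devices. The following PowerShell is an added example, not code from the Intune documentation, that pulls the Admin and Operational channels described in the Logging section and summarizes failures from the last 24 hours, so a connector that is silently failing PKCS, import or revocation work shows up in one table. The channel names are my assumption derived from the Event Viewer path given above, and the filter on the event names assumes they appear in the event message; the level filter catches errors even if that assumption is wrong. Run on the server that hosts the connector, from an elevated prompt.

```powershell
# Added example (not from the Intune documentation): summarize Certificate
# Connector failures from the event logs described above. The channel names are
# assumed from the Event Viewer path; the failure keywords are the event names
# listed in this section.

$channels = @(
    'Microsoft-Intune-CertificateConnectors/Admin',
    'Microsoft-Intune-CertificateConnectors/Operational'
)
$since = (Get-Date).AddHours(-24)

# Terminal failure events from this section. *FailedAttempt events are transient
# (the connector retries) and are deliberately left out of the count.
$failurePattern = 'Pkcs(Import)?(Request|Download|Issued|Upload|Reencrypt)Failure|Revoke(Request|Download|Upload)?Failure'

function Get-ConnectorFailures {
    param([datetime]$StartTime = $since)
    foreach ($channel in $channels) {
        $events = try {
            Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $StartTime } -ErrorAction Stop
        } catch { @() }   # channel absent (connector older than 6.2101.13.0) or no events in range
        $events |
            Where-Object { $_.LevelDisplayName -eq 'Error' -or $_.Message -match $failurePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Channel = $channel.Split('/')[-1]
                    EventId = $_.Id
                    Task    = $_.TaskDisplayName
                    Summary = ($_.Message -split "`r?`n")[0]   # first line of the message only
                }
            }
    }
}

$failures = @(Get-ConnectorFailures)
if ($failures.Count -eq 0) {
    'No connector failures in the last 24 hours.'
} else {
    # One row per failure type, then the most recent occurrences for triage.
    $failures | Group-Object Channel, Task | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    $failures | Sort-Object Time -Descending | Select-Object -First 10 | Format-List
}
```

Because any connector instance can pick up any pending request, a failure pattern that appears on only one of several servers usually points at that server (CA permissions, the PFX encryption key, or outbound connectivity) rather than at the profile; run the script on every instance before changing the PKCS profile.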
Important
Starting April 2022, certificate connectors earlier than version 6.2101.13.0 will be deprecated and will show a status of Error. This status does not affect functionality. Starting June 2022, such connectors will not be able to issue certificates. See the note at the start of this article for details on moving to the new Certificate Connector for Microsoft Intune.
Version 6.2101.13.0 - This connector version adds improvements for logging to the PFX Connector:
New location for Event Logs, with logs broken down into Admin, Operational and Debug.
Admin and Operational logs default to 50 MB, with auto archiving enabled.
Event IDs for PKCS Import, PKCS Create and Revocation.
October 2, 2020
Fixed an issue with PKCS certificate delivery to Android Enterprise Fully Managed
devices. The issue required the cryptography Key Storage Provider (KSP) be a
legacy provider. You can now use a Cryptographic Next Generation (CNG) Key
Storage Provider as well.
Changes to CA Account tab of the PFX Certificate Connector: The Username and
password (credentials) that you specify are now used to issue certificates and to
revoke certificates. Previously these credentials were used only for certificate
revocation.
Microsoft Intune Connector release history
April 2, 2019
Version 6.1904.1.0 - Changes in this release:
Fixed an issue where the connector might fail to enroll to Intune after signing in to
the connector with a global administrator account.
Includes reliability fixes to certificate revocation.
Includes performance fixes to increase how quickly PKCS certificate requests are
processed.
Next steps
Create SCEP, PKCS, or PKCS imported certificate profiles for each platform you want to
use. To continue, see the following articles:
If you want to give employees access to their work email without the overhead of setting up a device management system, you can. You can give access to Microsoft 365 Exchange Online through Intune. To complete the necessary steps, confirm you have licenses for Microsoft 365, or Azure Active Directory (Premium) and Intune. Employees need to have a supported iOS/iPadOS or Android device.
If you later decide to set up a device management system, you can. This type of app protection works independently of device management.
Action plan
1. Learn about Conditional Access.
2. Learn about app-based Conditional Access.
3. Set up app-based Conditional Access policies for Exchange Online.
4. Block apps that can't be managed. Specifically, block apps that don't use the
Microsoft Authentication Library (MSAL).
5. (Optional) Set up app-based Conditional Access policies for SharePoint Online.
These policies block access to your company data from apps that cannot be
managed and secured. The policies also limit access through SharePoint mobile.
Next steps
You have used app-based Conditional Access to increase the security of company data.
As part of next steps, you can learn more about the other ways you can increase the
protection of your company's data, including:
Setting up Conditional Access based on device compliance, device risk, location,
and user attributes in Active Directory and Azure Active Directory.
Setting up app protection policies to help you protect your company data against
intentional or unintentional data leaks.
Leveraging Azure Information Protection to protect company data outside your
network.
Want help enabling this or other EMS or Microsoft 365 scenarios? If you have at least
150 licenses for Microsoft 365, Enterprise Mobility + Security, or Azure Active Directory
Premium, use your FastTrack benefits.
Prevent unauthorized access to
company data using Microsoft Intune
Article • 07/12/2023
You can classify, label, and protect Microsoft 365 documents and emails so only
authorized users have access to the data. The settings are managed automatically after
IT administrators or users set the rules and conditions. Alternatively, the IT team can
provide recommended settings for users to follow. Administrators and users can also
revoke access to data already shared with others without assistance from another
authority. The result is control over who can open or update protected data, even after
the data leaves the company's network.
Action plan
Complete the quick start tutorial for Azure Information Protection.
Next steps
As part of next steps, you can learn more about the other ways you can increase the
protection of your company's data, including:
If you allow access to company data hosted by Microsoft 365, you can control how users
share and save data without risking intentional or accidental data leaks. Microsoft Intune
provides app protection policies that you set to secure your company data on user-
owned devices. The devices do not need to be enrolled in the Intune service.
App protection policies set up with Intune also work on devices managed with a non-
Microsoft device management solution. The personal data on the devices is not
touched; only company data is managed by the IT department.
You can set app protection policies for Office mobile apps on devices running Windows,
iOS/iPadOS, or Android to protect company data. These policies let you require an
app-based PIN or company data encryption, or apply more advanced settings that restrict
how cut, copy, paste, and save-as work between managed and unmanaged apps. You can
also remotely wipe company data without requiring users to enroll their devices.
Intune app protection policies are independent of device management. App protection
policies let you manage Office mobile apps on both unmanaged and Intune-managed
devices, as well as devices managed by non-Microsoft MDM solutions.
Action plan
For iOS/iPadOS and Android devices:
Next steps
Want help enabling this or other EMS or Microsoft 365 scenarios? If you have at least
150 licenses for Microsoft 365, Enterprise Mobility + Security, or Azure Active Directory
Premium, use your FastTrack benefits.
Apply features and settings on your
devices using device profiles in
Microsoft Intune
Article • 03/23/2023
Microsoft Intune includes settings and features you can enable or disable on different
devices within your organization. These settings and features are added to
"configuration profiles". You can create profiles for different devices and different
platforms, including iOS/iPadOS, Android device administrator, Android Enterprise, and
Windows. Then, use Intune to apply or "assign" the profile to the devices.
As part of your mobile device management (MDM) solution, use these configuration
profiles to complete different tasks. Intune has many templates that include groups of
settings that are specific to a feature, such as certificates, VPN, email, and more.
This article gives an overview of the different types of profiles you can create. Use these
profiles to allow or prevent some features on the devices.
Group Policy analytics analyzes your on-premises GPOs, and shows which policy settings
are supported, deprecated, and more.
Certificates
Certificates configure trusted, SCEP, and PKCS certificates that are assigned to devices.
These certificates authenticate WiFi, VPN, and email profiles.
Custom profile
Custom settings let administrators assign device settings that aren't built in to Intune.
On Android devices, you can enter OMA-URI values. For iOS/iPadOS devices, you can
import a configuration file you created in the Apple Configurator.
Delivery optimization
Delivery optimization provides a better experience for delivering software updates. These
settings are replacing the Software Updates > Windows 10 update ring settings.
Use these settings to control how software updates are downloaded to devices in your
organization. For example, you can let users get their own updates, or get updates using
the delivery optimization cloud services in a device profile.
Windows 11
Windows 10
Derived credential
Derived credentials are certificates on smart cards that can authenticate, sign, and
encrypt. In Intune, you can create profiles with these credentials to use in apps, email
profiles, connecting to VPN, S/MIME, and Wi-Fi.
Android Enterprise
iOS/iPadOS
Device features
Device features controls features on iOS/iPadOS and macOS devices, such as AirPrint,
notifications, and lock screen messages.
iOS/iPadOS
macOS
Device restrictions
Device restrictions control security, hardware, data-sharing, and other settings on the
devices. For example, create a device restriction profile that prevents iOS/iPadOS device
users from using the device camera.
Domain join
Domain join configures on-premises Active Directory domain information. This
information is deployed to hybrid Azure AD joined devices when provisioned using
Windows Autopilot and Intune. This profile tells devices which domain and OU to join.
Windows 11
Windows 10
Education
Education settings - Windows 10 configure options for the Windows Take a Test app.
When you configure these options, no other apps can run on the device until the test is
complete.
Education settings - iOS/iPadOS uses the iOS/iPadOS Classroom app to guide learning,
and control student devices in the classroom. You can configure iPad devices so many
students can share a single device.
Email
Email settings creates, assigns, and monitors Exchange ActiveSync email settings on the
devices. Email profiles help with consistency, reduce support calls, and let end-users
access company email on their personal devices, without any required setup on their
part.
Endpoint protection
Endpoint protection configures BitLocker and Microsoft Defender settings for Windows
client devices. On macOS devices, you can also configure the firewall, Gatekeeper, and
other settings.
To onboard Microsoft Defender for Endpoint with Microsoft Intune, see Configure
endpoints using Mobile Device Management (MDM) tools.
macOS
Windows 11
Windows 10
Extensions
macOS system extensions and kernel extensions allows administrators to add features or
programs that extend the native capabilities of the operating system. Configure these
settings to trust all extensions from a specific developer or partner, or allow specific
extensions.
macOS
Identity protection
Identity protection controls the Windows Hello for Business experience on Windows
client devices. Configure these settings to make Windows Hello for Business available to
users and devices, and to specify requirements for device PINs and gestures.
Windows 11
Windows 10
Windows Holographic for Business
Kiosk
Kiosk settings profile configures a device to run one app, or run many apps. You can also
customize other features on your kiosk, including a start menu and a web browser.
Kiosk settings are also available as device restrictions for Android, Android Enterprise,
and iOS/iPadOS.
MX profile (Zebra)
Mobility extensions (MX) expand on the built-in Intune settings to customize or add
more settings specific to Zebra devices. Zebra devices are commonly used on factory
floors, and retail environments. If you have hundreds or thousands of Zebra devices, you
can use Intune to configure and manage these devices.
Windows 11
Windows 10
Network boundary
Network boundary creates a list of sites that are trusted by your organization. This
feature is used with Microsoft Defender Application Guard and Microsoft Edge to help
protect your devices.
Windows 11
Windows 10
OEMConfig
On Android Enterprise devices, OEMConfig is a standard. It allows OEMs (original
equipment manufacturers) and EMMs (enterprise mobility management) to build and
support OEM-specific features in a standardized way. With OEMConfig, an OEM creates
a schema that defines OEM-specific management features, and embeds it in an app
uploaded to Google Play. Intune reads the schema from the app, and allows Intune
administrators to configure the settings in the schema.
Preference file
Preference files on macOS devices include information about apps. For example, you
can use preference files to control web browser settings, customize apps, and more.
macOS
Tip
macOS settings are continually being added to the settings catalog. Some of these
settings can replace preference files. For more information, go to Tasks you can
complete using the Settings Catalog in Intune.
Settings catalog
The settings catalog lists the settings you can configure. It's not a template, or a logical
grouping of settings.
On Windows, there are thousands of settings available, including many settings not
found in the templates. When you want a complete list of all the settings, use the
settings catalog to create your policy. If you want to use a logical grouping of settings,
then continue to use the templates.
On macOS, you can configure Microsoft Edge version 77 and newer using the settings
catalog. In your policy, you configure individual settings. It doesn't require a preference
file.
iOS/iPadOS
macOS
Windows 11
Windows 10
Shared multi-user device
Shared multi-user device settings allow administrators to control some of the
device features, and manage these shared devices using Intune.
Windows 11
Windows 10
Windows Holographic for Business
Shell scripts
On Linux devices, you can add existing Bash scripts to customize settings and features
on these devices. This concept is similar to creating a custom device configuration
profile, and deploying the policy to your devices. With Linux, you're using existing Bash
scripts to configure features and settings that aren't built into Intune.
On macOS devices, you can add existing shell scripts, and then deploy these scripts to
your macOS devices.
On Windows devices, you can use the Intune Management Extension to upload your
PowerShell scripts in Intune, and then run these scripts on your devices. Also see what's
required to use the extension, how to add them to Intune, and other important
information.
Linux
macOS
Windows 11
Windows 10
Update policies
iOS/iPadOS update policies shows you how to create and assign iOS/iPadOS policies to
install software updates on your iOS/iPadOS devices. You can also review the installation
status.
For update policies on Windows devices, see Delivery optimization.
iOS/iPadOS
VPN
VPN settings assigns VPN profiles to users and devices in your organization, so they can
easily and securely connect to the network.
Virtual private networks (VPNs) give users secure remote access to your company
network. Devices use a VPN connection profile to start a connection with your VPN
server.
Wi-Fi
Wi-Fi settings assigns wireless network settings to users and devices. When you assign a
WiFi profile, users get access to your corporate WiFi without having to configure it
themselves.
Windows 11
Windows 10
Wired networks
Wired networks let you create and manage 802.1x wired connections for macOS and
Windows desktop computers and devices. In your profile, you choose the network
interface, select the accepted EAP types, and enter the server trust settings, including
PKCS and SCEP certificates.
When you assign the profile, users get access to your corporate wired network without
having to configure it themselves.
macOS
Windows 11
Windows 10
Next steps
Choose a profile, and get started.
Create a device profile in Microsoft
Intune
Article • 03/02/2023
Device profiles allow you to add and configure settings, and then push these settings to
devices in your organization. You have some options when creating policies:
Settings catalog: On Windows 10/11 devices, use the settings catalog to see all the
available settings in one location. For example, you can see all the settings
that apply to BitLocker, and create a policy that just focuses on BitLocker. On
macOS devices, use the settings catalog to configure Microsoft Edge version 77
and newer.
For more information, including the available templates, see Apply features and
settings on your devices using device profiles.
This article:
Lists the steps to create a profile.
Shows you how to add a scope tag to "filter" your policies.
Describes applicability rules on Windows client devices, and shows you how to
create a rule.
Has more information on the check-in refresh cycle times when devices receive
profiles and any profile updates.
Overview: Lists the status of your profiles, and provides more details on the
profiles you assigned to users and devices.
Monitor: Check the status of your profiles for success or failure, and also view logs
on your profiles.
By platform: Create and view policies and profiles by your platform. This view may
also show features specific to the platform. For example, select Windows. You'll see
Windows-specific features, such as Windows Update Rings and PowerShell
scripts.
Policy: Create device profiles, upload custom PowerShell scripts to run on devices,
and add data plans to devices using eSIM.
When you create a profile (Configuration profiles > Create profile), choose your
platform:
Then, choose the profile. Depending on the platform you choose, the settings you can
configure are different. The following articles describe the different profiles:
For example, if you select iOS/iPadOS for the platform, your options look similar to the
following profile:
If you select Windows 10 and later for the platform, your options look similar to the
following profile:
Scope tags
After you add the settings, you can also add a scope tag to the profile. Scope tags filter
profiles to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment . They're
used in distributed IT.
For more information about scope tags, and what you can do, see Use RBAC and scope
tags for distributed IT.
Applicability rules
Applies to:
Windows 11
Windows 10
Applicability rules allow administrators to target devices in a group that meet specific
criteria. For example, you create a device restrictions profile that applies to the All
Windows 10/11 devices group. And, you only want the profile assigned to devices
running Windows Enterprise.
To do this task, create an applicability rule. These rules are great for the following
scenarios:
You use Windows 10 Education (EDU). At Bellows College, you want to target all
Windows 10 EDU devices between RS3 and RS4.
You want to target all users in Human Resources at Contoso, but only want
Windows 10 Professional or Enterprise devices.
Create a devices group that includes all devices at Bellows College. In the profile,
add an applicability rule so it applies if the OS minimum version is 16299 and the
maximum version is 17134 . Assign this profile to the Bellows College devices
group.
When it's assigned, the profile applies to devices between the minimum and
maximum versions you enter. For devices that aren't between the minimum and
maximum versions you enter, their status shows as Not applicable.
Create a users group that includes all users in Human Resources (HR) at Contoso.
In the profile, add an applicability rule so it applies to devices running Windows 10
Professional or Enterprise. Assign this profile to the HR users group.
When it's assigned, the profile applies to devices running Windows 10 Professional
or Enterprise. For devices that aren't running these editions, their status shows as
Not applicable.
If there are two profiles with the exact same settings, then the profile without an
applicability rule is applied.
For example, ProfileA targets the Windows 10 devices group, enables BitLocker,
and doesn't have an applicability rule. ProfileB targets the same Windows 10
devices group, enables BitLocker, and has an applicability rule to only apply the
profile to Windows 10 Enterprise.
When both profiles are assigned, ProfileA is applied because it doesn't have an
applicability rule.
When you assign the profile to the groups, the applicability rules act as a filter, and only
target the devices that meet your criteria.
Add a rule
1. Select Applicability Rules. You can choose the Rule, and Property:
2. In Rule, choose if you want to include or exclude users or groups. Your options:
Assign profile if: Includes users or groups that meet the criteria you enter.
Don't assign profile if: Excludes users or groups that meet the criteria you
enter.
3. In Property, choose the device property the rule evaluates. Your options:
OS edition: In the list, check the Windows client editions you want to include
(or exclude) in your rule.
OS version: Enter the minimum and maximum Windows client version numbers you
want to include (or exclude) in your rule. Both values are required.
For example, you can enter 10.0.16299.0 (RS3 or 1709) for minimum version
and 10.0.17134.0 (RS4 or 1803) for maximum version. Or, you can be more
granular and enter 10.0.16299.001 for minimum version and 10.0.17134.319
for maximum version.
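The evaluation described above, as an added example that is not Intune's own code: it simulates how an OS edition or OS version applicability rule decides whether a device in the assigned group shows Applied or Not applicable, compares four-part version numbers numerically rather than as strings, and applies the rule that, of two identically configured profiles, the one without an applicability rule wins. The device names, editions, build numbers and profile names are constructed for the Bellows College and Contoso scenarios in the text.

```python
"""Added example (not Intune's own code): simulate how an applicability rule on a
Windows device configuration profile decides Applied vs. Not applicable, and how
two identically configured profiles are resolved. All records are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.16299.001' -> (10, 0, 16299, 1). Compare numerically: a string compare
    would rank '10.0.9841.0' above '10.0.17134.0'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Device:
    name: str
    edition: str        # e.g. "Enterprise", "Professional", "Education"
    os_version: str     # e.g. "10.0.17134.319"


@dataclass(frozen=True)
class ApplicabilityRule:
    assign: bool                          # True: "Assign profile if"; False: "Don't assign profile if"
    editions: frozenset = frozenset()     # OS edition rule when non-empty
    min_version: Optional[str] = None     # OS version rule: both bounds are required
    max_version: Optional[str] = None

    def matches(self, device: Device) -> bool:
        if self.editions:
            return device.edition in self.editions
        if self.min_version is None or self.max_version is None:
            raise ValueError("OS version rule requires both a minimum and a maximum")
        low, high = parse_version(self.min_version), parse_version(self.max_version)
        return low <= parse_version(device.os_version) <= high   # bounds are inclusive


@dataclass
class Profile:
    name: str
    settings: dict
    rule: Optional[ApplicabilityRule] = None


def status_for(profile: Profile, device: Device) -> str:
    """Status Intune shows for a device in the assigned group: 'Applied' or 'Not applicable'."""
    if profile.rule is None:
        return "Applied"
    hit = profile.rule.matches(device)
    applies = hit if profile.rule.assign else not hit
    return "Applied" if applies else "Not applicable"


def resolve_identical(profiles, device: Device) -> Optional[Profile]:
    """Among profiles with identical settings that all target the device, the one
    without an applicability rule wins; otherwise the first that still applies."""
    candidates = [p for p in profiles if status_for(p, device) == "Applied"]
    unfiltered = [p for p in candidates if p.rule is None]
    return (unfiltered or candidates or [None])[0]


# Constructed sample data for the Bellows College and Contoso HR scenarios.
BELLOWS_RULE = ApplicabilityRule(assign=True, min_version="10.0.16299.0", max_version="10.0.17134.0")
HR_RULE = ApplicabilityRule(assign=True, editions=frozenset({"Professional", "Enterprise"}))

PROFILE_A = Profile("ProfileA - BitLocker", {"BitLocker": "Enabled"})
PROFILE_B = Profile("ProfileB - BitLocker", {"BitLocker": "Enabled"},
                    rule=ApplicabilityRule(assign=True, editions=frozenset({"Enterprise"})))

DEVICES = [
    Device("BC-LAB-01", "Education", "10.0.16299.1"),     # RS3 build, inside the range
    Device("BC-LAB-02", "Education", "10.0.17134.319"),   # above the 10.0.17134.0 maximum
    Device("HR-LT-07", "Enterprise", "10.0.19045.0"),
    Device("HR-LT-08", "Home", "10.0.19045.0"),
]


def evaluate_all(profile: Profile) -> dict:
    """Map each constructed device to the status it would show for the profile."""
    return {d.name: status_for(profile, d) for d in DEVICES}


if __name__ == "__main__":
    for p in (Profile("Bellows EDU", {}, BELLOWS_RULE), Profile("Contoso HR", {}, HR_RULE)):
        print(p.name, evaluate_all(p))
    print("winner on HR-LT-07:", resolve_identical([PROFILE_A, PROFILE_B], DEVICES[2]).name)
```

Note that the maximum bound is inclusive, so a device on 10.0.17134.319 falls outside a range that ends at 10.0.17134.0; enter the full four-part build you actually want as the ceiling.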
At any time, users can open the Company Portal app, and sync the device to
immediately check for profile updates.
Recommendations
When creating profiles, consider the following recommendations:
Name your policies so you know what they are, and what they do. All compliance
policies and configuration profiles have an optional Description property. In
Description, be specific and include information so others know what the policy
does.
Profile name: Admin template - OneDrive configuration profile for all Windows 10
users
Profile description: OneDrive admin template profile that includes the minimum
and base settings for all Windows 10 users. Created by user@contoso.com to
prevent users from sharing organizational data to personal OneDrive accounts.
Profile description: VPN profile that includes the minimum and base settings for
all iOS/iPadOS users to connect to Contoso VPN. Created by user@contoso.com so
users automatically authenticate to VPN, instead of prompting users for their
username and password.
Create your profile by its task, such as configure Microsoft Edge settings, enable
Microsoft Defender anti-virus settings, block iOS/iPadOS jailbroken devices, and so
on.
The following image shows an example of a setting that can apply to users, apply
to devices, or apply to both:
Every time you create a restrictive policy, communicate this change to your users.
For example, if you're changing the passcode requirement from four (4) characters
to six (6) characters, let your users know before you assign the policy.
Next steps
Assign the profile and monitor its status.
Monitor device configuration profiles in
Microsoft Intune
Article • 02/22/2023
Intune includes some features to help monitor and manage your device configuration
profiles. For example, you can check the status of a profile, see which devices are
assigned, and update the properties of a profile.
All of your profiles are shown. You also see the platform, the type of profile, and if the
profile is assigned.
Note
For additional reporting information about device configuration profiles, see Intune
reports.
1. In Devices > Configuration profiles, select an existing profile. For example, select a
macOS profile.
2. Select the Overview tab. In this view, the Profile assignment status includes the
following statuses:
3. The top graphical chart shows the number of devices assigned to the device
profile. For example, if the configuration device profile applies to macOS devices,
the chart lists the count of the macOS devices.
When you monitor a Windows profile, the count in the Profile assignment status is
per device per user. So, if two users sign in to the same device, then that device is
counted twice.
4. Select the top graphical chart. Or, select Device status. Device status opens.
The devices assigned to the profile are listed, and it shows the deployment status.
Also note that it only lists the devices with the specific platform (for example,
macOS).
5. Select the circle in the bottom graphical chart. Or, select User status. User status
opens.
The users assigned to the profile are listed, and it shows the deployment status.
Also note that it only lists the users with the specific platform (for example,
macOS).
Device and user check-in status: Shows the number of all users or devices
that checked-in with the profile. If one device has multiple users, this report
shows the status for each user. When a user or device checks in, it receives the
settings in your profile.
Select View report to see the following information:
The devices that received the profile
The user names with devices that received the profile
The check-in status and the last time the user/device checked in with the
profile
You can also select a specific device to get more details and use the filter
column to see the assignment filter options.
Device assignment status: Shows information for the user that last checked-
in. Select Generate report to see the latest profile assignment states for the
devices that received the profile. You can also filter the assignment status to
see only errors, conflicts, and more.
It's normal for the numbers in the Device and user check-in status and
Device assignment status reports to be different.
Per setting status: Shows the individual settings in the profile, and their
status.
Tip
Intune reports is a great resource, and describes all the reporting features you can
use.
View conflicts
In Devices > All devices, you can see any settings that are causing a conflict. When
there's a conflict, you also see all the configuration profiles that contain this setting.
Administrators can use this feature to help troubleshoot, and fix any discrepancies with
the profiles.
1. In Intune, select Devices > All Devices > select an existing device in the list. An end
user can get the device name from their Company Portal app.
2. Select Device configuration. All configuration policies that apply to the device are
listed.
3. Select the policy. It shows you all the settings in that policy that apply to the
device. If a device has a Conflict state, select that row. In the new window, you see
all the profiles, and the profile names that have the setting causing the conflict.
Now that you know the conflicting setting, and the policies that include that setting, it
should be easier to resolve the conflict.
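The conflict check described above, as an added example that is not Intune's own code: it takes rows shaped like the per-device Device configuration view (one row per device, profile and setting) and reports only the (device, setting) pairs that received differing values, together with the profiles that set each value. It also rolls the result up the way the per-setting status view counts devices. The rows, device names, profile names and setting paths are constructed sample data.

```python
"""Added example (not Intune's own code): find conflicting settings from rows shaped like
the Devices > All devices > Device configuration view. The rows below are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one row per (device, profile, setting) as the per-device view lists them.
REPORT_ROWS = [
    {"device": "LAPTOP-01", "profile": "Win10: BitLocker baseline",
     "setting": "BitLocker/RequireDeviceEncryption", "value": "Enabled"},
    {"device": "LAPTOP-01", "profile": "Finance: disk encryption",
     "setting": "BitLocker/RequireDeviceEncryption", "value": "Enabled"},
    {"device": "LAPTOP-01", "profile": "Win10: Defender AV",
     "setting": "Defender/AllowRealtimeMonitoring", "value": "Allow"},
    {"device": "LAPTOP-01", "profile": "Legacy kiosk template",
     "setting": "Defender/AllowRealtimeMonitoring", "value": "Block"},
    {"device": "LAPTOP-02", "profile": "Win10: Defender AV",
     "setting": "Defender/AllowRealtimeMonitoring", "value": "Allow"},
    {"device": "LAPTOP-02", "profile": "Win10: passcode",
     "setting": "DeviceLock/MinDevicePasswordLength", "value": "6"},
    {"device": "LAPTOP-02", "profile": "Legacy kiosk template",
     "setting": "DeviceLock/MinDevicePasswordLength", "value": "4"},
]

Key = Tuple[str, str]  # (device, setting)


def find_conflicts(rows) -> Dict[Key, Dict[str, List[str]]]:
    """Return only the (device, setting) pairs that received more than one distinct
    value, mapped to {value: [profiles that set it]}. Two profiles pushing the same
    value are not a conflict; only differing values are."""
    by_key = defaultdict(lambda: defaultdict(list))
    for r in rows:
        by_key[(r["device"], r["setting"])][r["value"]].append(r["profile"])
    return {k: {v: sorted(p) for v, p in values.items()}
            for k, values in by_key.items() if len(values) > 1}


def per_setting_status(rows) -> Dict[str, Dict[str, int]]:
    """Roll-up resembling the per-setting status view: for each setting, how many
    devices have it consistently applied vs. in conflict."""
    conflicts = find_conflicts(rows)
    devices_per_setting = defaultdict(set)
    for r in rows:
        devices_per_setting[r["setting"]].add(r["device"])
    out = {}
    for setting, devices in devices_per_setting.items():
        in_conflict = sum(1 for d in devices if (d, setting) in conflicts)
        out[setting] = {"succeeded": len(devices) - in_conflict, "conflict": in_conflict}
    return out


def profiles_to_review(rows) -> List[str]:
    """Profile names involved in at least one conflict, most conflicts first."""
    counts = defaultdict(int)
    for values in find_conflicts(rows).values():
        for profiles in values.values():
            for p in profiles:
                counts[p] += 1
    return sorted(counts, key=lambda p: (-counts[p], p))


if __name__ == "__main__":
    for (device, setting), values in find_conflicts(REPORT_ROWS).items():
        print(f"{device} {setting}: " + "; ".join(f"{v} <- {', '.join(p)}" for v, p in values.items()))
    print(per_setting_status(REPORT_ROWS))
    print("review first:", profiles_to_review(REPORT_ROWS))
```

The profile that turns up in the most conflicts (here the constructed "Legacy kiosk template") is usually the one to fix or retire first, since a single stale template can put several devices into the Conflict state at once.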
Tip
In Devices > Monitor, a list of all policies is shown. The Assignment failures
(preview) report helps troubleshoot errors and conflicts for configuration profiles
that are assigned. For more information on the available reporting data, see Intune
reports.
With your DFCI profile settings, you may see the following states:
Compliant: This state shows when a setting value in the profile matches the setting
on the device. This state can happen in the following scenarios:
The DFCI profile successfully configured the setting in the profile.
The device doesn't have the hardware feature controlled by the setting, and the
profile setting is Disabled.
UEFI doesn't allow DFCI to disable the feature, and the profile setting is
Enabled.
The device lacks the hardware to disable the feature, and the profile setting is
Enabled.
Not Applicable: This state shows when a setting value in the profile is Enabled or
Allowed, and the matching setting on the device isn't found. This state can happen
if the device hardware doesn't have the feature.
Noncompliant: This state shows when a setting value in the profile doesn't match
the setting on the device. This state can happen in the following scenarios:
UEFI doesn't allow DFCI to disable a setting, and the profile setting is Disabled.
The device lacks the hardware to disable the feature, and the profile setting is
Disabled.
The device doesn't have the latest DFCI firmware version.
DFCI was disabled before being enrolled in Intune using a local "opt-out"
control in the UEFI menu.
The device was enrolled to Intune outside of Autopilot enrollment.
The device wasn't registered to Autopilot by a Microsoft CSP, or registered
directly by the OEM.
Next steps
Common questions, issues, and resolutions with device profiles
Settings catalog lists all the settings you can configure, and all in one place. This feature
simplifies how you create a policy, and how you see all the available settings. More
settings are continually being added. For a list of the settings in the settings catalog, go
to the IntunePMFiles / DeviceConfig GitHub repository .
If you prefer to configure settings at a granular level, similar to on-premises GPO, then
the settings catalog is a natural transition to cloud-based policy.
When you create the policy, you start from scratch. You add only the settings you want
to control and manage. For example, you can use the settings catalog to create a
BitLocker policy with all BitLocker settings, and all in one place in Intune.
Use the settings catalog as part of your mobile device management (MDM) solution to
manage and secure devices in your organization.
iOS/iPadOS
Includes device settings that are directly generated from Apple Profile-Specific
Payload Keys. More settings and keys are continually being added. To learn more
about profile-specific payload keys, go to Profile-Specific Payload Keys (opens
Apple's website).
Apple's declarative device management (DDM) is built into the settings catalog.
When you configure settings from the settings catalog on iOS/iPadOS 15+ devices
enrolled using User Enrollment, you're automatically using DDM. If DDM doesn't
work for any reason, then these devices use Apple's standard MDM protocol. All
other iOS/iPadOS devices continue to use Apple's standard MDM protocol.
macOS
Includes device settings that are directly generated from Apple Profile-Specific
Payload Keys. More settings and keys are continually being added. To learn more
about profile-specific payload keys, go to Profile-Specific Payload Keys (opens
Apple's website).
Windows 10/11
There are thousands of settings, including settings that haven't been available
before. These settings are directly generated from the Windows configuration
service providers (CSPs). You can also configure Administrative Templates, and
have more Administrative Template settings available. As Windows adds or
exposes more settings to MDM providers, these settings are added quicker to
Microsoft Intune for you to configure.
Tip
This article lists the steps to create a policy, and shows how to search and filter the
settings in Intune. When you create the policy, it creates a device configuration profile.
You can then assign or deploy this profile to devices in your organization.
For information on some features you can configure using the settings catalog, go to
Tasks you can complete using the Settings Catalog in Intune.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is macOS:
MSFT Edge settings or Win10: BitLocker settings for all Win10 devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
For example, select Windows 10 and later, then select Authentication to see all the
settings in this category:
For example, select macOS. The Microsoft Edge - All category lists all the settings
you can configure, including any new settings. The other categories include
settings that are obsolete, or settings that apply to older versions:
Tip
Use the Learn more link in the tooltip to see if a setting is obsolete, and
to see the supported versions.
8. Select any setting you want to configure. Or, choose Select all these settings:
After you add your settings, close the settings picker. All the settings are shown,
and configured with a default value, such as Block or Allow. These default values
are the same as the default values in the OS. If you don't want to configure a setting, then
select the minus:
Intune doesn't change or update this setting. The minus is the same as Not
configured. When set to Not configured, the setting is no longer managed.
The setting is removed from the policy. The next time you open your policy,
the setting isn't shown. You can add it again.
The next time devices check in, the setting is no longer locked. It can be
changed by another policy or by the device user.
Tip
You can add multiple values in a single field, but you may experience a
character limit.
9. Select Next.
10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment . For more information about scope
tags, see Use RBAC roles and scope tags for distributed IT.
Select Next.
11. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the settings you configured
are applied.
In your policy, use Add settings > Search to find specific settings. You can search
by category, such as browser , search for a keyword, such as office or google , and
search for specific settings.
For example, search for internet explorer . All the settings with internet explorer
are shown. Select a category to see the available settings:
In your policy, use Add settings > Add filter. Select the key, operator, and value.
When you filter on OS Edition, you can filter the settings that apply to specific
Windows editions:
Note
For the Edge, Office, and OneDrive settings, the OS version or edition doesn't
determine if the settings apply. So, if you filter to a specific edition, like
Windows Professional, then the Edge, Office, and OneDrive settings aren't
shown.
You can also filter the settings by device or user scope. For more information on
user scope and device scope, go to Device scope vs. user scope settings (in this
article):
Copy a profile
Select Duplicate to create a copy of an existing profile. Duplicating is useful when you
need a profile that's similar yet distinct from the original one. The copy contains the
same setting configurations and scope tags as the original profile, but doesn't have
assignments attached to it. After you give the new profile a name, you can edit the
profile to adjust the settings and add assignments.
1. In the Intune admin center , select Devices > Device configuration profiles. In
the list, select the policy you created using the Settings Catalog. The Profile type
column shows Settings Catalog:
2. When you select the policy, the device status shows. It shows a summary of your
policy state and the policy properties. You can also change or update your policy in
the Configuration settings section:
3. Select View report. The report shows detailed information, including the device
name, the policy status, and more. You can also filter on the deployment status,
and Export the report to a .csv file:
4. You can also look at the states of each setting using the per-setting status. This
status shows the total number of devices affected by each setting in the policy.
You can:
See the number of devices with the setting successfully applied, in conflict, or
in error.
Select the number of devices in compliance, conflict, or error. And, see a list
of users or devices in that state.
Search, sort, filter, export, and go to the next and previous pages.
5. In the admin center, select Devices > Monitor > Assignment failures. If your
Settings Catalog policy failed to deploy because of an error or conflict, it will show
in this list. You can also Export to a .csv file.
6. Select the policy to see the devices. Then, select a specific device to see the setting
that failed, and a possible error code.
Tip
Intune reports is a great resource, and describes all the reporting features you can
use. For information on all the reporting data you can view, go to Intune reports.
Conflicts
Conflicts happen when the same setting is updated to different values. Conflicts can also
happen with policies configured using the settings catalog. For more information on
conflict resolution, see:
The Settings catalog lists all the available settings. If you want to see all the available
Firewall settings, or all the available BitLocker settings, then use this option. Also, use
this option if you're looking for specific settings.
For more information on user scope and device scope, see the Policy CSP.
Device and user groups are used when you assign your policies. Device and user scopes
describe how a policy is enforced.
When a device checks in to Intune, the device always presents a deviceID. The device
may or may not present a userID, depending on the check-in timing and if a user is
signed in.
The following list includes some possible combinations of scope, assignment, and the
expected behavior:
If a device scope policy is assigned to a device, then all users on that device have
that setting applied.
If a device-scoped policy is assigned to a user, once that user signs in and an
Intune sync occurs, then the device scope settings apply to all users on the device.
If a user-scoped policy is assigned to a device, then all users on that device have that
setting applied. This behavior is like a loopback set to merge.
If a user-scoped policy is assigned to a user, then only that user has that setting
applied.
There are some settings that are available in the user scope and the device scope.
If one of these settings is assigned to both user and device scope, then user scope
takes precedence over device scope.
If there isn't a user hive during initial check-ins, then you may see some user scope
settings marked as not applicable. This behavior happens in the early moments of a
device before a user is present.
Next steps
Tasks you can complete using the Settings Catalog in Intune
Create a Universal Print policy in Microsoft Intune
Be sure to assign the profile, and monitor its status.
Tasks you can complete using the
Settings Catalog in Intune
Article • 02/28/2023
Using the settings catalog in the Microsoft Intune admin center, you can access many
settings that manage apps and features on your devices.
This article lists and describes some of the features you can configure in the settings
catalog.
For more information on the settings catalog, and what it is, go to Use the settings
catalog to configure settings on Windows and macOS devices. To see all the settings
you can configure, create a settings catalog policy.
iOS/iPadOS
macOS
Windows 11
Windows 10
macOS
Windows 11
Windows 10
These web browser settings are built in, and can be configured & deployed to your
managed devices. On Windows devices, you can also configure Google Chrome.
Previously, to configure Google Chrome settings on Windows devices, you created a
custom OMA-URI device configuration policy.
Windows 11
Windows 10 and later
You can create a universal print policy, add printers, and then deploy this printer list to
your managed users. When the policy is deployed, it automatically installs the printers
you added. Users can see these printers, and select a printer from your list.
Previously, to configure Universal Print settings, you used the Universal Print printer
provisioning tool, which requires more manual steps, and has some limitations.
macOS
On macOS, you can use property list (plist) files to configure features and settings that
aren't built in to Intune. Some of these feature settings are now available in the settings
catalog:
Microsoft Edge version 77 and newer: For a list of the settings you can configure,
go to Microsoft Edge - Policies (opens another Microsoft website).
Previously, you had to use a property list (plist) file to configure Microsoft Edge
(opens another Microsoft website).
Microsoft Defender for Endpoint: For a list of the settings you can configure, go
to Set preferences for Microsoft Defender for Endpoint on macOS (opens another
Microsoft website).
Previously, you had to use a property list (plist) file to configure Microsoft
Defender for Endpoint (opens another Microsoft website).
Microsoft AutoUpdate (MAU), Microsoft Office and Microsoft Outlook: For a list
of the settings you can configure, go to:
Use preferences to manage privacy controls for Office for Mac - Deploy Office
For a list of apps that support MAU, go to Update Microsoft applications for
Mac by using msupdate.
Previously, you had to use a property list (plist) file to configure these features for
Mac (opens another Microsoft website).
Be sure macOS is listed as a supported platform. If some settings aren't available in the
settings catalog, then it's recommended to continue using the preference file.
Learn more
Use the settings catalog to configure settings on Windows and macOS devices
Create a Universal Print policy in Microsoft Intune
Create a Universal Print policy in
Microsoft Intune
Article • 05/24/2023
Many organizations are moving their printer infrastructure to the cloud. Universal Print
is a cloud-based printing solution in Microsoft 365. It uses built-in cloud printers,
built-in legacy printers, and runs entirely in Microsoft Azure.
Using the settings catalog in Intune, you can create a printer policy, and deploy the
policy to your managed users and devices. Then, on their devices, end users select the
printer from a list of registered Universal Print printers to print.
Windows 11
Windows 10 21H2 with July 2022 update and later
This article shows you how to create a Universal Print policy in Microsoft Intune. To learn
more about Universal Print and onboarding, go to What is Universal Print and Set up
Universal Print.
Tip
The PrintProvisioning tool and the printers.csv file process is deprecated. Be sure
to use the steps in this article to install universal printers.
Every printer must be registered in the Universal Print service (UP), which uses
Azure AD. To create the Intune policy, you need the device ID, printer shared ID,
and printer shared name.
For more specific information, go to What is printer registration?
If the profile is assigned to an Azure AD user/user group that can't access the
printers because of permissions, then Intune grants the assigned user/user group
the permissions.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Win11:
Universal Print policy.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, select Add settings. In the settings picker, select Printer
Provisioning, and select the settings you want to configure.
Action: Select Install to install a printer. When users receive the policy, the
printer will automatically install. Select Uninstall to uninstall a printer.
Cloud Device ID: Enter the printer ID. This ID is created when the printer is
registered in Azure AD using the Universal Print service. To get the ID, use the
Universal Print portal.
Printer Shared ID: Enter the Shared ID of the printer. To get the ID, use the
Universal Print portal.
Printer Shared Name: Enter the Shared Name of the printer. To get the name,
use the Universal Print portal.
10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups. For
more information about scope tags, see Use RBAC roles and scope tags for
distributed IT.
Select Next.
11. In Assignments, select the users that will receive your profile.
These user accounts need access rights to the printer and the Universal Print
service. If the profile is assigned to an Azure AD user/user group that can't access
the printers because of permissions, then Intune grants the assigned user/user
group the permissions.
For more information on assigning profiles in Intune, go to Assign user and device
profiles. For more information on user scope vs. device scope in the settings
catalog, go to Use the settings catalog to configure settings: Device scope vs. user
scope settings.
Select Next.
12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
For information on all the reporting data you can view, go to Intune reports.
Common issues
When you deploy the printer policy, you might get an Error 0x8007007f
(ERROR_PROC_NOT_FOUND) message.
To resolve this error, make sure your Windows OS client version is supported. The
supported versions are listed at the top of this article.
Make sure the printer is discoverable on the device. If users can't discover or install
the printer manually, then the Intune policy will also fail to install the printer.
For more information and possible steps, go to Unable to discover printers on the
client.
Make sure the SharedID and PrinterID are entered correctly in the Intune policy.
In some cases, the PrinterID and SharedID are reversed, which prevents the printer
from being discovered. For more information on these settings, go to Create the
policy (in this article).
The Application event log may show errors related to Universal Print.
Enable tracing
If the common issues (in this article) don't resolve your issue, you can use Fiddler
tracing, the Print-Collect script, and UPPrinterInstaller.exe to resync the Intune
installation of the universal printer. You can review these logs for possible issues. You
can also work with the Intune support team to review and analyze these logs.
For more information and specific steps, go to Universal Print troubleshooting guide -
Use PrintCollect, Fiddler, and UPPrinterInstaller.
Learn more
What is Universal Print
Use the settings catalog to configure settings on Windows and macOS devices
Create a profile with custom settings in
Intune
Article • 02/22/2023
Custom settings are configured differently for each platform. For example, to control
features on Android and Windows devices, you can enter Open Mobile Alliance Uniform
Resource Identifier (OMA-URI) values. For Apple devices, you can import a file you
created with the Apple Configurator or Apple Profile Manager.
For more information on configuration profiles, see What are Microsoft Intune device
profiles?.
This article shows you how to create a custom profile for Android device administrator,
Android Enterprise, iOS/iPadOS, macOS, and Windows. You can also see all the available
settings for the different platforms.
4. Select Create.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is Windows 10/11:
Custom profile that enables AllowVPNOverCellular custom OMA-URI.
Description: Enter a description for the policy. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Example
In the following example, the Connectivity/AllowVPNOverCellular setting is enabled.
This setting allows a Windows client device to open a VPN connection when on a
cellular network.
Next steps
The profile is created, but it may not be doing anything yet. Next, assign the profile and
monitor its status.
Use WDAC and Windows PowerShell to
allow or block apps on HoloLens 2
devices with Microsoft Intune
Article • 05/24/2023
Using Windows PowerShell and Microsoft Intune, you can use the WDAC CSP to allow or
block specific apps from opening on Microsoft HoloLens 2 devices. For example, you
may want to allow or prevent the Cortana app from opening on HoloLens 2 devices in
your organization.
The WDAC CSP is based on the Windows Defender Application Control (WDAC) feature.
You can also use multiple WDAC policies.
In Intune, you must create a custom configuration profile to use the Windows Defender
Application Control (WDAC) CSP.
Use the steps in this article as a template to allow or deny specific apps from opening
on HoloLens 2 devices.
Prerequisites
Be familiar with Windows PowerShell.
For more information on Intune roles, go to Role-based access control (RBAC) with
Intune.
Create a user group or devices group with your HoloLens 2 devices. For more
information on groups, go to User groups vs. device groups.
Example
This example uses Windows PowerShell to create a Windows Defender Application
Control (WDAC) policy. The policy prevents specific apps from opening. Then, use Intune
to deploy the policy to HoloLens 2 devices.
PowerShell
PowerShell
PowerShell
$package1
PowerShell
Name : Microsoft.MicrosoftEdge
Architecture : Neutral
ResourceId :
Version : 44.20190.1000.0
PackageFullName : Microsoft.MicrosoftEdge_44.20190.1000.0_neutral__8wekyb3d8bbwe
InstallLocation : C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
IsFramework : False
PackageFamilyName : Microsoft.MicrosoftEdge_8wekyb3d8bbwe
PublisherId : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle : False
IsDevelopmentMode : False
NonRemovable : True
IsPartiallyStaged : False
SignatureKind : System
Status : Ok
3. Create a WDAC policy, and add the app package to the DENY rule:
PowerShell
4. Repeat steps 2 and 3 for any other applications you want to DENY:
PowerShell
PowerShell
Note
You can block apps that are only installed on HoloLens devices. For more
information, go to package family names for apps on HoloLens.
PowerShell
XML
<Deny ID="ID_DENY_D_1"
FriendlyName="Microsoft.WindowsStore_8wekyb3d8bbwe FileRule"
PackageFamilyName="Microsoft.WindowsStore_8wekyb3d8bbwe"
PackageVersion="65535.65535.65535.65535" />
Allow: Enter PackageVersion, 0.0.0.0, which means "Allow this version and
above".
Deny: Enter PackageVersion, 65535.65535.65535.65535, which means "Deny
this version and below".
6. If you plan to deploy and run any apps that didn't originate from the Microsoft
Store, such as line of business apps (see App Management), then explicitly allow
these apps by adding their signer to the WDAC policy.
Note
Using WDAC and LOB apps is currently only available in Windows Insiders
features for HoloLens.
PowerShell
7. Merge newPolicy.xml with the default policy that's on your desktop computer. This
step creates mergedPolicy.xml. For example, allow the Windows, WHQL signed
drivers, and Store signed apps to run:
PowerShell
Merge-CIPolicy -PolicyPaths .\newPolicy.xml,C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml -o mergedPolicy.xml
8. Disable the Audit mode rule in mergedPolicy.xml. When you merge, audit mode is
automatically turned on:
PowerShell
PowerShell
Set-RuleOption -o 15 .\mergedPolicy.xml
For more information on these rules, go to Understand WDAC policy rules and file
rules.
PowerShell
a. In the Microsoft Intune admin center, create a Windows 10/11 custom device
configuration profile.
For the specific steps, go to Create a custom profile using OMA-URI in Intune.
OMA-URI: Enter
./Vendor/MSFT/ApplicationControl/Policies/<PolicyGUID>/Policy. Replace
<PolicyGUID> with the PolicyTypeID node in the mergedPolicy.xml file you
created in step 6.
The policy GUID must match the PolicyTypeID node in the mergedPolicy.xml
file (created in step 6).
The OMA-URI uses the ApplicationControl CSP. For more information on the
nodes in this CSP, go to ApplicationControl CSP.
Data type: Set to Base64 file. It automatically converts the file from bin to
base64.
Certificate file: Upload the compiledPolicy.bin binary file (created in step 10).
12. When the profile is assigned to your HoloLens 2 group, check the profile status.
After the profile successfully applies, reboot the HoloLens 2 devices.
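The procedure above as one script, added here as an example and not taken from the article: it derives the DENY rules with New-CIPolicyRule, pins each deny rule's PackageVersion to 65535.65535.65535.65535 as step 5 describes, merges with the default audit template, removes audit mode, compiles the binary, and prints the OMA-URI built from the PolicyTypeID node. The package family name, work directory and the helper function names are assumptions; run it on a Windows 10/11 desktop that has the ConfigCI module and the packages installed.

```powershell
#Requires -Modules ConfigCI
# Added example (not the article's code): end-to-end WDAC deny policy for HoloLens 2.
param(
    # Package family names to DENY. This value is a constructed example; adjust for your tenant.
    [string[]] $DenyPackageFamilyNames = @('Microsoft.WindowsStore_8wekyb3d8bbwe'),
    # Assumed working directory for the generated files.
    [string] $WorkDir = (Join-Path (Get-Location) 'wdac-hololens'),
    # Default audit template path as named in the article's step 7.
    [string] $BaseTemplate = 'C:\Windows\Schemas\codeintegrity\examplepolicies\DefaultWindows_Audit.xml'
)

$ErrorActionPreference = 'Stop'
$SiPolicyNs = 'urn:schemas-microsoft-com:sipolicy'   # XML namespace of WDAC policy files

function New-DenyRules {
    # Steps 2 to 4: resolve each installed package and build a DENY rule for it.
    param([string[]] $FamilyNames)
    $rules = @()
    foreach ($pfn in $FamilyNames) {
        $pkg = Get-AppxPackage | Where-Object PackageFamilyName -eq $pfn | Select-Object -First 1
        if (-not $pkg) {
            throw "Package family '$pfn' is not installed on this desktop, so no rule can be derived."
        }
        $rules += New-CIPolicyRule -Package $pkg -Deny
    }
    return $rules
}

function Set-DenyPackageVersion {
    # Step 5: New-CIPolicyRule records the exact installed version; a DENY rule must carry
    # 65535.65535.65535.65535 ("deny this version and below"). Returns the number of rules changed.
    param([string] $PolicyPath)
    [xml] $xml = Get-Content -LiteralPath $PolicyPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('si', $SiPolicyNs)
    $denies = $xml.SelectNodes('//si:FileRules/si:Deny[@PackageFamilyName]', $ns)
    foreach ($deny in $denies) {
        $deny.SetAttribute('PackageVersion', '65535.65535.65535.65535')
    }
    $xml.Save($PolicyPath)
    return $denies.Count
}

function Get-PolicyOmaUri {
    # Step 11: the OMA-URI GUID is the PolicyTypeID node of mergedPolicy.xml (braces stripped).
    param([string] $PolicyPath)
    [xml] $xml = Get-Content -LiteralPath $PolicyPath -Raw
    $guid = $xml.SiPolicy.PolicyTypeID.Trim('{', '}')
    return "./Vendor/MSFT/ApplicationControl/Policies/$guid/Policy"
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$newPolicy    = Join-Path $WorkDir 'newPolicy.xml'
$mergedPolicy = Join-Path $WorkDir 'mergedPolicy.xml'
$compiled     = Join-Path $WorkDir 'compiledPolicy.bin'

$rules = New-DenyRules -FamilyNames $DenyPackageFamilyNames
New-CIPolicy -FilePath $newPolicy -Rules $rules
$patched = Set-DenyPackageVersion -PolicyPath $newPolicy
Write-Host "Wrote $newPolicy with $patched DENY rule(s) pinned to 65535.65535.65535.65535"

# Step 7: merge with the default template so Windows, WHQL-signed drivers and Store apps stay allowed.
Merge-CIPolicy -PolicyPaths $newPolicy, $BaseTemplate -OutputFilePath $mergedPolicy

# Step 8: the merged policy inherits audit mode (rule option 3, Enabled:Audit Mode); delete it so
# the policy enforces. Option 15 (Enabled:Invalidate EAs on Reboot) matches the article's -o 15 call.
Set-RuleOption -FilePath $mergedPolicy -Option 3 -Delete
Set-RuleOption -FilePath $mergedPolicy -Option 15

# Step 10: compile to the binary that the Intune custom profile uploads as a Base64 file.
ConvertFrom-CIPolicy -XmlFilePath $mergedPolicy -BinaryFilePath $compiled | Out-Null

Write-Host "Upload $compiled to a custom profile with OMA-URI: $(Get-PolicyOmaUri -PolicyPath $mergedPolicy)"
```

Before assigning, open mergedPolicy.xml and confirm that no Deny element still carries the installed version and that the audit-mode option is gone; a policy left in audit mode only logs blocked launches instead of preventing them.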
Next steps
Assign the profile, and monitor its status.
Important
Using Microsoft Intune, you can add or create custom configuration settings for your
Linux devices using custom Bash scripts. They're designed to add device settings and
features that aren't built in to Intune.
In Intune, you import an existing Bash script, and then assign the script policy to your
Linux users and devices. Once assigned, the settings are distributed. They also create a
baseline or standard for Linux in your organization.
This article lists the steps to add an existing script and has a GitHub repo with some
sample scripts.
Prerequisites
Linux Ubuntu Desktop: For a list of the supported versions, go to Supported
operating systems and browsers in Intune.
Linux devices are enrolled in Intune. For more information on Linux enrollment, go
to Enrollment guide: Enroll Linux desktop devices in Microsoft Intune.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later.
Description: Enter a description for the policy. This setting is optional, but
recommended.
4. Select Next.
Execution context: Select the context the script is executed in. Your options:
User (default): When a user signs in to the device, the script runs. If a user
never signs into the device, or there isn't any user affinity, then the script
doesn't run.
Root: The script will always run (with or without users logged in) at the
device level.
Execution frequency: Select how frequently the script is executed. The default
is Every 15 minutes.
Execution retries: If the script fails, enter how many times Intune should retry
running the script. The default is No retries.
Execution Script: Select the file picker to upload an existing Bash script. Only
add .sh files.
Bash Script: After you add an existing Bash script, the script text is shown.
You can edit this script.
6. Select Next.
7. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
8. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
9. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Next steps
You can also run shell scripts on macOS and Windows.
Configure device restriction settings in
Microsoft Intune
Article • 02/22/2023
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Intune includes device restriction policies that help administrators control Android,
iOS/iPadOS, macOS, and Windows devices. These restrictions let you control a wide
range of settings and features to protect your organization's resources. For example,
administrators can:
These features are available in Intune, and are configurable by the administrator. Intune
uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, you can then push or
deploy the profile to devices in your organization.
Profile: Select Device restrictions. Or, select Templates > Device restrictions.
4. Select Create.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is iOS/iPadOS:
Block camera on devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Next steps
After the profile is created, it's ready to be assigned. Be sure to assign the profile and
monitor its status.
Add email settings to devices using
Intune
Article • 04/25/2023
Microsoft Intune includes different email settings you can deploy to devices in your
organization. Email device configuration profiles include the connection settings used by
your email app to access organization email.
Most platforms have a native or built-in email app on the device. Using Intune, you can
configure the built-in email app or deploy other email apps that connect to your email
system, like Microsoft Exchange. End users then connect, authenticate, and synchronize
their organizational email accounts on their devices.
By creating and deploying an email profile, you can confirm settings are standard across
many devices. And, help reduce support calls from end users who don't know the
correct email settings.
You can use email profiles to configure email settings for the following devices:
This article shows you how to create an email profile in Microsoft Intune. It also includes
links to the different platforms for more specific settings.
Email is based on identity and user settings. Email profiles are typically assigned to
user groups, not device groups. Some considerations:
If the email profile includes user certificates, then assign the email profile to
user groups. You may have multiple user certificate profiles that are assigned.
These multiple profiles create a chain of profile deployments. Deploy this profile
chain to user groups.
Device groups are typically used when there's not a primary user, or if you don't
know who the user will be. Email profiles targeted to device groups (not user
groups) may not be delivered to the device.
For example, your email profile targets an all iOS/iPadOS devices group. Be sure
all these devices have a user.
If any device doesn't have a user, then the email profile may not deploy. You
limit the profile, and could miss some devices.
If the device has a primary user, then deploying to device groups should
work.
For more information on possible issues with using device groups, see Common
issues with email profiles.
After the email app is deployed, then you can create and deploy an email device
configuration profile, if it's needed. Depending on the platform and email app you
choose, you can use an app configuration policy or an email device configuration profile
to preconfigure the email app with your organization settings.
This section describes some of the common email apps you can use, and the policy or
profile type you can use for each platform.
Android Enterprise
In Intune, you can use organization owned devices and personally owned devices:
Android Enterprise organization owned devices: These devices are owned by the
organization, are enrolled in Intune, and are fully managed by you.
These devices have a built-in email app that's typically hidden when the device
enrolls in Intune. This behavior also depends on the OEM, so it can be different on
your devices.
The built-in email app is also considered a system app. For more information on
system apps and Intune, go to Manage Android Enterprise system apps in
Microsoft Intune.
Android Enterprise personally owned devices with a work profile: These devices
are owned by end users. Users enroll their devices and a work profile is
automatically created. You manage the work profile, including apps and data in the
work profile.
These personal devices have a built-in email app that isn't typically used for
organization email. Organizations that use conditional access (CA) can create CA
policies to block native mail apps, or only allow specific apps.
On both types of Android Enterprise devices, you can add and deploy an email app.
Your options:
Outlook
The Microsoft Outlook app is available in the managed Play Store. To use Outlook
as the email app, add the Outlook app to Intune, and assign the app to your users
or user groups. The app also installs.
If you don't want to customize Outlook or preconfigure it for your users, you
don't have to. After Outlook is installed, users need to enter the information
that connects to their work or school account, like the email server link and
more.
For more information on app configuration policies, go to:
Tip
When you create an app configuration policy, you select the enrollment type –
Managed devices or Managed apps. Be sure you know what to choose.
iOS/iPadOS
In Intune, you can use organization owned devices and personally owned devices:
Organization owned devices: These devices are owned by the organization, are
enrolled in Intune, and are fully managed by you.
Personally owned devices: These devices are owned by end users. Users can enroll
their entire devices in Intune to be fully managed by you. Or, they can enroll only
the apps that will access organization data.
Depending on the enrollment method for personal devices, it's also recommended
to use app protection policies on the email app.
Outlook
The Microsoft Outlook app is available in the App Store. To use Outlook as the
email app, add the Outlook app to Intune, and assign the app to your users or user
groups. The app also installs.
If you don't want to customize Outlook or preconfigure it for your users, you
don't have to. After Outlook is installed, users need to enter the information
that connects to their work or school account, like the email server link and
more.
Tip
When you create an app configuration policy, you select the enrollment type –
Managed devices or Managed apps. Be sure you know what to choose.
Windows client
In Intune, you can use organization owned devices and personally owned devices:
Organization owned devices: These devices are owned by the organization, are
enrolled in Intune, and are fully managed by you.
Personally owned devices: These devices are owned by end users. Users can enroll
their entire devices in Intune to be fully managed by you.
For more information on the enrollment options for personal devices, go to
Deployment guide: Enroll Windows devices - BYOD: User enrollment.
On all Windows devices, you can add and deploy an email app. Your options:
Outlook
The Microsoft Outlook app is available in the Microsoft 365 Apps suite. To use
Outlook as the email app, add the Outlook app to Intune, and assign the app to
your users or user groups. The app also installs.
If you don't want to customize Outlook or preconfigure it for your users, you
don't have to. After Outlook is installed, users need to enter the information
that connects to their work or school account, like the email server link and
more.
4. Select Create.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is Windows 10/11:
Email settings for all Windows 10/11 devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Select your platform for detailed settings:
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or device groups that will receive your profile. For
more information on assigning profiles, see Before you begin (in this article).
Assign user and device profiles also has some guidance.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Option 1: Open the email profile (Devices > Configuration profiles > select your
profile), and select Assignments. The Include tab shows the groups that are
assigned the profile. Right-click the group > Remove. Be sure to Save your
changes.
Option 2: Wipe or retire the device. You can use these actions to selectively or fully
remove data and settings.
Certificates: When you create the email profile, you select a certificate profile
previously created in Intune. This certificate is known as the identity certificate. It
authenticates against a trusted certificate profile or a root certificate to confirm a
user's device is allowed to connect. The trusted certificate is assigned to the
computer that authenticates the email connection. Typically, this computer is the
native mail server.
If you use certificate-based authentication for your email profile, then deploy the
email profile, certificate profile, and trusted root profile to the same groups. This
deployment makes sure each device can recognize the legitimacy of your
certificate authority.
For more information about how to create and use certificate profiles in Intune, see
How to configure certificates with Intune.
User name and password: The end user authenticates to the native mail server by
entering a user name and password. The password doesn't exist in the email
profile. So, the end user enters the password when connecting to email.
Android Enterprise personally owned work profiles: Intune provides two Android
work email apps that you can configure: Gmail and Nine Work. These apps are
available in the Google Play Store, and install in the personally owned work profile.
These apps don't create duplicate profiles. To use email connectivity, deploy one of
these email apps to your user devices. Then, create and deploy the email profile.
You can also use certificate profiles on Gmail and Nine Work. Any Gmail or Nine
Work device configuration policies that you create continue to apply to the device.
It's not necessary to move them to app configuration policies. Email apps, such as
Nine Work, may not be free. Review the app's licensing details, or contact the app
company with any questions.
Windows: An existing, duplicate email profile is detected based on host name and
email address. Intune overwrites the existing email profile created by the end user.
Next steps
Once the profile is created, it isn't doing anything yet. Next, assign the profile and
monitor its status.
Troubleshooting common issues with email profiles in Microsoft Intune
Article • 05/27/2023
This article gives troubleshooting guidance for common issues with email profiles in
Microsoft Intune.
If the email profile chain is assigned to user groups, be sure your certificate profiles are
also assigned to user groups.
For example, you want to deploy a certificate-based email profile to only Surface
devices, not desktops. In this scenario, device groups might make sense. Know that
these devices may show as not compliant, may return errors, and may not get your
email profiles immediately.
In this example, you create the email profile, and assign the profile to device
groups. The device restarts, and there's a delay before a user signs in. During this
delay, your PKCS certificate profile, which is assigned to user groups, is deployed.
Since there's no user yet, the PKCS certificate profile causes the device to be not
compliant. The Event Viewer may also show errors on the device.
To get compliant, the user signs in to the device, and syncs with Intune to receive
the policies. Users can resync manually, or wait for the next sync.
For example, you're using dynamic groups. If Azure AD doesn't update the
dynamic groups immediately, then these devices may show as not compliant.
In these scenarios, you decide if it's more important to use device groups, or more
important to show all policies as compliant.
The user should remove their email profile so the Intune profile can be deployed.
To prevent this issue, instruct your users to enroll, and allow Intune to deploy the
email profile. Then, users can create their email profile.
Samsung KNOX doesn't use hostname to identify the profile. We recommend you don't
create multiple email profiles to deploy to the same email address on different hosts, as
they overwrite each other.
Review the configuration of your EAS profile for Samsung KNOX and source policy. The
Samsung Notes sync option is no longer supported, and that option shouldn't be
selected in your profile. Be sure devices have enough time to process the policy, up to
24 hours.
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Virtual private networks (VPNs) give users secure remote access to your organization
network. Devices use a VPN connection profile to start a connection with the VPN
server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your
organization. Use these settings so users can easily and securely connect to your
organizational network.
iOS/iPadOS
macOS
Windows 10
Windows 11
Important
For Windows 11 devices, there is an issue between the Windows 11 client and
the Windows VPNv2 CSP. A device with one or more Intune VPN profiles loses
its VPN connectivity when the device processes multiple changes to VPN
profiles for the device simultaneously. When the device checks in with Intune
a second time, it processes the VPN profile changes, and connectivity is
restored.
The following changes can cause a loss of VPN functionality:
Changes to a VPN profile that was previously processed by the Windows
11 device. This action deletes the original profile, and applies the updated
profile.
Two new VPN profiles apply to the device at the same time.
An active VPN profile is removed at the same time a new VPN profile is
assigned.
This issue and warning remain until Windows updates the Windows 11 client
that resolves this issue.
For example, you want to configure all iOS/iPadOS devices with the required settings to
connect to a file share on the organization network. You create a VPN profile that
includes these settings. You assign this profile to all users who have iOS/iPadOS devices.
The users see the VPN connection in the list of available networks, and can connect with
minimal effort.
This article lists the VPN apps you can use, shows you how to create a VPN profile, and
includes guidance on securing your VPN profiles. You must deploy the VPN app before
you create the VPN profile. If you need help with deploying apps using Microsoft Intune,
see What is app management in Microsoft Intune?.
User enrollment for iOS/iPadOS and macOS only supports per-app VPN.
You can use Intune custom configuration policies to create VPN profiles for the
following platforms:
Android 4 and later
Enrolled devices that run Windows 8.1 and later
Enrolled devices that run Windows 10/11
Windows Holographic for Business
There are different VPN apps available. On user devices, you deploy the VPN app your
organization uses. After the VPN app is deployed, then you create and deploy a VPN
device configuration profile that configures the VPN server settings, including the VPN
server name (or FQDN) and authentication method.
Some platforms and VPN apps require an app configuration policy to preconfigure the
VPN app, instead of a VPN device configuration profile. This section also lists the
platforms and VPN apps that must use an app configuration policy.
To help you assign the app using Intune, see Add apps to Microsoft Intune.
Automatic
Windows 10/11
Cisco AnyConnect
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10/11
Cisco (IPSec)
iOS/iPadOS
Citrix SSO
Android device administrator
Android Enterprise personally owned devices with a work profile: Use app
configuration policy
Android Enterprise fully managed and corporate-owned work profiles: Use app
configuration policy
iOS/iPadOS
Windows 10/11
Custom VPN
iOS/iPadOS
macOS
Create custom VPN profiles using URI settings in Create a profile with custom
settings.
F5 Access
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Windows 10/11
Windows 8.1
IKEv2
iOS/iPadOS
Windows 10/11
L2TP
Windows 10/11
Microsoft Tunnel
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
Important
As of June 14, 2021, both the standalone tunnel app and standalone client
connection type for Android are deprecated and drop from support after
October 26, 2021.
Important
Plan for change. On April 29, 2022 both the Microsoft Tunnel connection type
and Microsoft Defender for Endpoint as the tunnel client app became generally
available. With this general availability, the use of the Microsoft Tunnel
(standalone client) (preview) connection type and the standalone tunnel client
app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.
To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.
NetMotion Mobility
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
macOS
Palo Alto Networks GlobalProtect
Android Enterprise personally owned devices with a work profile: Use app
configuration policy
Android Enterprise fully managed and corporate-owned work profile: Use app
configuration policy
iOS/iPadOS
Windows 10/11
PPTP
Windows 10/11
Pulse Secure
Android device administrator
Android Enterprise personally owned devices with a work profile
Android Enterprise fully managed and corporate-owned work profile
iOS/iPadOS
Windows 10/11
Windows 8.1
Zscaler
Android Enterprise personally owned devices with a work profile: Use app
configuration policy
Android Enterprise fully managed and corporate-owned work profile: Use app
configuration policy
iOS/iPadOS
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is VPN
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Select your platform for detailed settings:
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the user or groups that receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Certificates
When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you
previously created in Intune. This profile is known as the identity certificate. It's used to
authenticate against a trusted certificate profile (or root certificate) that you create to
allow the user's device to connect. The trusted certificate is assigned to the computer
that authenticates the VPN connection, typically, the VPN server.
If you use certificate-based authentication for your VPN profile, then deploy the VPN
profile, certificate profile, and trusted root profile to the same groups. This assignment
makes sure each device recognizes the legitimacy of your certificate authority.
For more information about how to create and use certificate profiles in Intune, see How
to configure certificates with Microsoft Intune.
Note
Certificates added using the PKCS imported certificate profile aren't supported for
VPN authentication. Certificates added using the PKCS certificates profile are
supported for VPN authentication.
Next steps
Assign the profile and monitor its status.
You can also create and use per-app VPNs on Android device
administrator/Android Enterprise and iOS/iPadOS devices.
Use a Microsoft Intune custom profile to create a per-app VPN profile for Android devices
Article • 05/24/2023
You can create a per-app VPN profile for Android 8.0 and later devices that are enrolled
in Intune. First, create a VPN profile that uses either the Pulse Secure or Citrix
connection type. Then, create a custom configuration policy that associates the VPN
profile with specific apps.
To use per-app VPN on Android Enterprise devices, use an app configuration policy. App
configuration policies support more VPN client apps. On Android Enterprise devices,
you can use the steps in this article. But, it's not recommended, and you're limited to
only Pulse Secure and Citrix VPN connections.
After you assign the policy to your Android device or user groups, users should start the
Pulse Secure or Citrix VPN client. Then, the VPN client allows only traffic from the
specified apps to use the open VPN connection.
Note
Only the Pulse Secure and Citrix connection types are supported for Android device
administrator. On Android Enterprise devices, use an app configuration policy.
4. Select Create.
5. In Basics, enter the following properties:
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
DA per-app VPN profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
Take note of the Connection Name value you enter when creating the VPN profile.
This name is needed in the next step. In this example, the connection name is
MyAppVpnProfile.
8. Select Next, and continue creating your profile. For more information, go to Create
a VPN profile.
4. Select Create.
Name: Enter a descriptive name for the custom profile. Name your profiles so
you can easily identify them later. For example, a good profile name is
Custom OMA-URI Android VPN profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings > OMA-URI Settings, select Add. Enter the following
OMA-URI values:
8. Select Next, and continue creating your profile. For more information, go to Create
a VPN profile.
Next steps
For a list of all the Android device administrator VPN settings, go to Android
device settings to configure VPN.
To learn more about VPN settings and Intune, go to configure VPN settings in
Microsoft Intune.
Set up per-app Virtual Private Network (VPN) for iOS/iPadOS devices in Intune
Article • 07/31/2023
In Microsoft Intune, you can create and use Virtual Private Networks (VPNs) assigned to
an app. This feature is called "per-app VPN". You choose the managed apps that can use
your VPN on devices managed by Intune. When you use per-app VPNs, end users
automatically connect through the VPN, and get access to organizational resources,
such as documents.
Check your VPN provider's documentation to see if your VPN supports per-app VPN.
This article shows you how to create a per-app VPN profile, and assign this profile to
your apps. Use these steps to create a seamless per-app VPN experience for your end
users. For most VPNs that support per-app VPN, the user opens an app, and
automatically connects to the VPN.
Some VPNs allow username and password authentication with per-app VPN. Meaning,
users need to enter a username and password to connect to the VPN.
Important
If you have a per-app VPN profile set up for Zscaler, then opening one of the associated
apps doesn't automatically connect to ZPA. Instead, the user needs to sign into the
Zscaler app. Then, remote access is limited to the associated apps.
Prerequisites for per-app VPN
Important
Your VPN vendor may have other requirements for per-app VPN, such as specific
hardware or licensing. Be sure to check with their documentation, and meet those
prerequisites before setting up per-app VPN in Intune.
To prove its identity, the VPN server presents the certificate that must be accepted
without a prompt by the device. To confirm the automatic approval of the certificate,
create a trusted certificate profile. This trusted certificate profile must include the VPN
server's root certificate issued by the Certification Authority (CA).
3. Export the trusted root certificate file. It has a .cer extension, and you add it when
creating a trusted certificate profile.
4. Add the name of the CA that issued the certificate for authentication to the VPN
server.
If the CA presented by the device matches a CA in the Trusted CA list on the VPN
server, then the VPN server successfully authenticates the device.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is
iOS/iPadOS trusted certificate VPN profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, select the folder icon, and browse to your VPN
certificate (.cer file) that you exported from your VPN administration console.
8. Select Next, and continue creating your profile. For more information, go to Create
a VPN profile.
To configure and assign the client authentication certificate, go to one of the following
articles:
Be sure to configure the certificate for client authentication. You can set client
authentication directly in SCEP certificate profiles (Extended key usage list > Client
authentication). For PKCS, set client authentication in the certificate template in the
certificate authority (CA).
Create a per-app VPN profile
This VPN profile includes the SCEP or PKCS certificate that has the client credentials, the
VPN connection information, and the per-app VPN flag that enables the per-app VPN
used by the iOS/iPadOS application.
1. In the Microsoft Intune admin center , select Devices > Configuration profiles >
Create profile.
2. Select Devices > Configuration profiles > Create profile.
4. Select Create.
Name: Enter a descriptive name for the custom profile. Name your profiles so
you can easily identify them later. For example, a good profile name is
iOS/iPadOS per-app VPN profile for myApp.
Description: Enter a description for the profile. This setting is optional, but
recommended.
Base VPN: Configure your settings. iOS/iPadOS VPN settings describes all the
settings. When using per-app VPN, be sure you configure the following
properties as listed:
Authentication method: Select Certificates.
Authentication certificate: Select an existing SCEP or PKCS certificate >
OK.
Split tunneling: Select Disable to force all traffic to use the VPN tunnel
when the VPN connection is active.
For information on the other settings, go to iOS/iPadOS VPN settings.
1. In the Microsoft Intune admin center , select Apps > All apps.
2. Select an app from the list > Properties > Assignments > Edit.
4. Select Add group > Select the group you created (in this article) > Select.
5. In VPNs, select the per-app VPN profile you created (in this article).
6. Select OK > Save.
When all of the following conditions exist, an association between an app and a profile
is removed during the next device check-in:
When all of the following conditions exist, an association between an app and a profile
remains until the user requests a reinstall from the Company Portal app:
The device doesn't ask you to trust the VPN server. Meaning, the user doesn't see
the Dynamic Trust dialog box.
The user doesn't have to enter credentials.
When the user opens one of the associated apps, the user's device is connected to
the VPN.
Next steps
To review iOS/iPadOS settings, go to VPN settings for iOS/iPadOS devices in
Microsoft Intune.
To learn more about VPN settings and Intune, go to configure VPN settings in
Microsoft Intune.
Add and use Wi-Fi settings on your devices in Microsoft Intune
Article • 02/22/2023
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
Wi-Fi is a wireless network that's used by many mobile devices to get network access.
Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and
devices in your organization. This group of settings is called a "profile", and can be
assigned to different users and groups. Once assigned, your users get access to your
organization's Wi-Fi network without configuring it themselves.
For example, you install a new Wi-Fi network named Contoso Wi-Fi. You then want to
set up all iOS/iPadOS devices to connect to this network. Here's the process:
1. Create a Wi-Fi profile that includes the settings that connect to the Contoso Wi-Fi
wireless network.
2. Assign the profile to a group that includes all users of iOS/iPadOS devices.
3. On their devices, users find the new Contoso Wi-Fi network in the list of wireless
networks. They can then connect to the network, using the authentication method
of your choosing.
This article lists the steps to create a Wi-Fi profile. It also includes links that describe the
different settings for each platform.
Tip
For Android Enterprise devices running as a dedicated device (kiosk),
choose Fully Managed, Dedicated, and Corporate-Owned Work
Profile > Wi-Fi.
For Windows 8.1 and newer, you can choose Wi-Fi import. This
option lets you import Wi-Fi settings as an XML file that you
previously exported from a different device.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is WiFi
profile for entire company.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Select your platform for detailed settings:
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Tip
If you use certificate-based authentication for your Wi-Fi profile, deploy the Wi-Fi
profile, certificate profile, and trusted root profile to the same groups to ensure that
each device can recognize the legitimacy of your certificate authority. For more
information, see How to configure certificates with Microsoft Intune.
Next steps
The profile is created, but may not be doing anything. Be sure to assign the profile, and
monitor its status.
Troubleshoot Wi-Fi profiles in Intune.
Import Wi-Fi settings for Windows devices in Intune
Article • 03/27/2023
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows
8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11
devices. Microsoft Intune has built-in security and device features that manage
Windows 10/11 client devices.
On Windows devices, you can export Wi-Fi settings to an XML file, and then import
these settings in Intune. Using these imported settings, you can create a Wi-Fi profile,
and then deploy it to your devices.
Windows 11
Windows 10
Windows Holographic for Business
Windows 8.1 and newer
This article shows you how to export Wi-Fi settings from a Windows device, and then
import these settings in to Intune.
Note
On Windows 10/11, you can create a Wi-Fi profile directly in Intune. You
don't have to import a file.
For Windows 8.1 devices, you must export and import Wi-Fi settings to create
and deploy Wi-Fi profiles.
Important
If you're exporting a Wi-Fi profile that includes a pre-shared key, you must
add key=clear to the command. The key must be exported in plain text to
successfully use the profile. For example, enter:
If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is
protected. The key is in plain text. It's your responsibility to protect the key.
Even though you select Windows 8.1, this feature still applies to Windows
10/11 and Windows Holographic.
4. Select Create.
6. Select Next.
Connection name: Enter a name for the Wi-Fi connection. This name is
shown to users when they browse available Wi-Fi networks. For example,
enter ContosoWiFi.
Profile XML: Select the browse button, and select the XML file that contains
the Wi-Fi profile settings you want to import.
File contents: Shows the XML code for the XML file you selected.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Next steps
The profile is created, but may not be doing anything. Be sure to assign the profile, and
monitor its status.
Pre-shared keys (PSK) are typically used to authenticate users in Wi-Fi networks, or
wireless LANs. With Intune, you can create a Wi-Fi profile using a pre-shared key. To
create the profile, use the Custom device profiles feature within Intune. This article also
includes some examples of how to create an EAP-based Wi-Fi profile.
Important
4. Select Create.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is Custom OMA-
URI Wi-Fi profile for Android DA.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, select Add. Enter a new OMA-URI setting with the
following properties:
Note
SSID is the SSID for which you're creating the policy. For example, if the Wi-Fi is
named Hotspot-1, enter ./Vendor/MSFT/WiFi/Profile/Hotspot-1/Settings. If the
Wi-Fi is named Contoso WiFi, enter
./Vendor/MSFT/WiFi/Profile/Contoso%20WiFi/Settings (with the %20 escape for the
space).
d. Data Type: Select String.
e. Value: Paste your XML code. See the examples in this article. Update each value
to match your network settings. The comments section of the code includes
some pointers.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, go to Assign user and device profiles.
Note
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied, and a Wi-Fi profile is created
on the device. The device can then connect to the network automatically.
device to expect an encrypted password, and then try to decrypt it; which may
result in a failed connection.
<hex>53534944</hex> should be set to the hexadecimal value of <name><SSID of
XML has special characters, such as the & (ampersand). Using special characters
may prevent the XML from working as expected.
Example
XML
<!--
<Name of wifi profile> = Name of profile shown to users. For example, enter
<name>ContosoWiFi</name>.
<SSID of wifi profile> = Plain text of SSID. Does not need to be escaped. It
could be <name>Your Company's Network</name>.
<nonBroadcast><true/false></nonBroadcast>
-->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name><Name of wifi profile></name>
  <SSIDConfig>
    <SSID>
      <hex>53534944</hex>
      <name><SSID of wifi profile></name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication><Type of authentication></authentication>
        <encryption><Type of encryption></encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>password</keyMaterial>
      </sharedKey>
      <keyIndex>0</keyIndex>
    </security>
  </MSM>
</WLANProfile>
XML
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>testcert</name>
  <SSIDConfig>
    <SSID>
      <hex>7465737463657274</hex>
      <name>testcert</name>
    </SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
        <FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
      </authEncryption>
      <PMKCacheMode>disabled</PMKCacheMode>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>false</cacheUserData>
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                  <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <AllPurposeEnabled>true</AllPurposeEnabled>
                      <CAHashList Enabled="true">
                        <IssuerHash>75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78 </IssuerHash>
                      </CAHashList>
                      <EKUMapping>
                        <EKUMap>
                          <EKUName>Client Authentication</EKUName>
                          <EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
                        </EKUMap>
                      </EKUMapping>
                      <ClientAuthEKUList Enabled="true"/>
                      <AnyPurposeEKUList Enabled="false">
                        <EKUMapInList>
                          <EKUName>Client Authentication</EKUName>
                        </EKUMapInList>
                      </AnyPurposeEKUList>
                    </FilteringInfo>
                  </TLSExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
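As an added example that is not part of the article, the following Python helper builds a WPA2-PSK WLANProfile like the first example (hex-encoded SSID, XML-escaped text, plain-text key), derives the OMA-URI with the percent-escaped SSID from the Note above, and audits a profile for the pitfalls the article mentions: a <hex> that does not match the SSID, <protected>true</protected>, and, for the EAP-TLS example, server validation left off. The WPA2PSK authentication value and the EAP-TLS fragment are my own constructed inputs, not values from the article.

```python
"""Build a WPA2-PSK WLANProfile for an Intune custom OMA-URI Wi-Fi policy and
audit WLANProfile XML for the pitfalls described in this article."""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import quote
from xml.sax.saxutils import escape

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
EAPTLS_V1 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"
EAPTLS_V2 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"
NS = {"w": WLAN_NS, "o": ONEX_NS, "t1": EAPTLS_V1, "t2": EAPTLS_V2}


def ssid_to_hex(ssid: str) -> str:
    """<hex> holds the UTF-8 bytes of the SSID in hex: 'SSID' -> '53534944'."""
    return ssid.encode("utf-8").hex().upper()


def oma_uri_for_ssid(ssid: str) -> str:
    """OMA-URI for the profile; the SSID is percent-escaped (space -> %20)."""
    return f"./Vendor/MSFT/WiFi/Profile/{quote(ssid, safe='')}/Settings"


def build_psk_profile(ssid: str, passphrase: str, non_broadcast: bool = False) -> str:
    """WPA2-PSK/AES profile (WPA2PSK is an assumed authentication value). Text
    nodes are XML-escaped so an '&' in the SSID or passphrase cannot break the
    document. keyMaterial is plain text with <protected>false</protected>, so
    the output is a secret and must be stored as one."""
    name = escape(ssid)
    return (
        f'<WLANProfile xmlns="{WLAN_NS}">\n'
        f"  <name>{name}</name>\n"
        f"  <SSIDConfig><SSID><hex>{ssid_to_hex(ssid)}</hex><name>{name}</name></SSID>\n"
        f"    <nonBroadcast>{'true' if non_broadcast else 'false'}</nonBroadcast></SSIDConfig>\n"
        "  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>\n"
        "  <autoSwitch>false</autoSwitch>\n"
        "  <MSM><security>\n"
        "    <authEncryption><authentication>WPA2PSK</authentication>\n"
        "      <encryption>AES</encryption><useOneX>false</useOneX></authEncryption>\n"
        "    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>\n"
        f"      <keyMaterial>{escape(passphrase)}</keyMaterial></sharedKey>\n"
        "    <keyIndex>0</keyIndex>\n"
        "  </security></MSM>\n"
        "</WLANProfile>\n"
    )


# Constructed EAP-TLS fragment shaped like the second article example: server
# validation off and ServerNames empty, which the audit below flags.
EAP_TLS_SAMPLE = f"""<WLANProfile xmlns="{WLAN_NS}">
  <name>testcert</name>
  <SSIDConfig><SSID><hex>7465737463657274</hex><name>testcert</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="{ONEX_NS}"><authMode>user</authMode><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>13</Type>
          <EapType xmlns="{EAPTLS_V1}">
            <ServerValidation><ServerNames></ServerNames></ServerValidation>
            <PerformServerValidation xmlns="{EAPTLS_V2}">false</PerformServerValidation>
          </EapType>
        </Eap></Config></EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


def audit_profile(xml_text: str) -> List[str]:
    """Findings to resolve before pushing the profile through Intune."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    hex_el = root.find("w:SSIDConfig/w:SSID/w:hex", NS)
    name_el = root.find("w:SSIDConfig/w:SSID/w:name", NS)
    if hex_el is None or name_el is None:
        findings.append("SSID needs both <hex> and <name>")
    elif (hex_el.text or "").strip().upper() != ssid_to_hex(name_el.text or ""):
        findings.append("<hex> is not the hex encoding of the SSID in <name>")
    shared = root.find("w:MSM/w:security/w:sharedKey", NS)
    if shared is not None:
        # protected=true makes the device treat the key as encrypted and try to
        # decrypt it, which can fail the connection (see the note above).
        if shared.findtext("w:protected", "", NS).strip().lower() == "true":
            findings.append("protected=true: device will try to decrypt the key")
        if not shared.findtext("w:keyMaterial", "", NS).strip():
            findings.append("keyMaterial is empty")
    onex = root.find("w:MSM/w:security/o:OneX", NS)
    if onex is not None:
        psv = onex.find(".//t2:PerformServerValidation", NS)
        if psv is None or (psv.text or "").strip().lower() != "true":
            findings.append("EAP-TLS: PerformServerValidation is not true, "
                            "so the RADIUS server certificate is not checked")
        if not onex.findtext(".//t1:ServerNames", "", NS).strip():
            findings.append("EAP-TLS: ServerNames is empty, no server name is pinned")
    return findings
```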
1. Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi.
3. Run netsh wlan show profiles. The names of all the profiles are listed.
key=clear exports the key in plain text, which is required to successfully use
the profile.
After you have the XML file, copy and paste the XML syntax into OMA-URI settings >
Data type. Create a custom profile (in this article) lists the steps.
Tip
\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid} also includes all the
Best practices
Before you deploy a Wi-Fi profile with PSK, confirm that the device can connect to
the endpoint directly.
When rotating keys (passwords or passphrases), expect downtime and plan your
deployments. Consider pushing new Wi-Fi profiles during non-working hours. Also,
warn users that connectivity may be affected.
For a smooth transition, be sure the end user's device has an alternate connection
to the Internet. For example, the end user can switch back to Guest WiFi (or some
other WiFi network) or have cellular connectivity to communicate with Intune. The
extra connection allows the user to receive policy updates when the corporate WiFi
Profile is updated on the device.
Next steps
Be sure to assign the profile, and monitor its status.
Troubleshooting Wi-Fi device configuration profiles in Microsoft Intune
Article • 05/27/2023
In Intune, you can create device configuration profiles that include connection settings
for your WiFi network. Use these settings to connect users' Android, iOS/iPadOS, and
Windows devices to the organization network.
This article shows what a Wi-Fi profile looks like when it successfully applies to devices.
It also includes log information, common issues, and more. Use this article to help
troubleshoot your Wi-Fi profiles.
For more information on Wi-Fi profiles in Intune, see Add and use Wi-Fi settings on your
devices.
Note
The examples in this article use SCEP certificate authentication for the Intune
profiles. It also assumes that the Trusted Root and SCEP profiles work correctly on
the device.
This situation doesn't occur on Android Enterprise and Samsung Knox devices.
For more information, see Manage Android work profile devices and
Remove SCEP and PKCS certificates.
In the following example, use CMTrace to read the logs, and search for "wifimgr":
The following log shows your search results, and shows the Wi-Fi profile successfully
applied:
log
2019-08-01T19:22:46.7340000 VERB
com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142
Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.7490000 VERB
com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Starting to parse OneX from Wifi XML.
2019-08-01T19:22:46.8100000 VERB
com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Completed parsing OneX from Wifi XML.
2019-08-01T19:22:46.8209999 VERB
com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142
Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.8240000 INFO
com.microsoft.omadm.utils.CertificateSelector 15118 04142 Selected
ca certificate with alias: 'user:205xxxxx.0' and thumbprint '<thumbprint>'.
2019-08-01T19:22:47.0990000 VERB
com.microsoft.omadm.platforms.android.certmgr.CertificateChainBuilder
15118 04142 Complete certificate chain built with Complete certs.
2019-08-01T19:22:47.1110000 INFO
com.microsoft.omadm.utils.CertificateSelector 15118 04142 Selected
client cert with alias 'User<ID>' and requestId 'ModelName=
<ModelName>%2FLogicalName_<LogicalName>;Hash=-912418295'.
2019-08-01T19:22:47.4240000 VERB
com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.4910000 VERB
com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.4970000 VERB
com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142
Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5080000 VERB
com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.5820000 VERB
com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.5900000 VERB
com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118 04142
Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5910000 INFO
com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 15118
04142 Applied profile <profile ID>
1. Connect the iOS/iPadOS device to a Mac. Go to Applications > Utilities, and open
the Console app.
2. Under Action, select Include Info Messages and Include Debug Messages:
3. Reproduce the scenario, and save the logs to a text file:
a. Select all the messages on the current screen: Edit > Select All.
b. Copy the messages: Edit > Copy.
c. Paste the log data in a text editor, and save the file.
4. Search the saved log file to see detailed information. When the profile successfully
installs, your output looks similar to the following log:
To see the Wi-Fi connection, go to Settings > Network & Internet > Wi-Fi:
Review event viewer logs
On Windows devices, the details about Wi-Fi profiles are logged in the Event Viewer:
log
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-
Provider
Level: Information
Keywords: (2)
User: SYSTEM
Description:
Common issues
This section provides troubleshooting guidance for the following scenarios:
The Wi-Fi profile isn't deployed to the device
The Wi-Fi profile is deployed to the device, but the device can't connect to the
network
Users don't get new profile after changing password on existing profile
All Wi-Fi profiles report as failing
A Wi-Fi profile reports as failing, but seems to be working
In the Microsoft Intune admin center, select Troubleshooting + support. Confirm the
device can sync with Intune by checking the Last check in time.
If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, confirm both
profiles are deployed to the device. The Wi-Fi profile has a dependency on these
profiles.
On Windows 10 and newer devices, review the MDM Diagnostic Information log:
4. A window opens that shows the path to the log files. Select Export.
Tip
On Android devices, if the Trusted Root and SCEP profiles aren't installed on the
device, you see the following entry in the Company Portal app Omadmlog file:
log
2019-08-01T19:18:13.5120000 INFO
com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager
15118 04105 Skipping Wifi profile <profile ID> because it is
pending certificates.
When the Trusted Root and SCEP profiles are on the Android device and
compliant, the Wi-Fi profile might not be on the device. This issue happens
when the CertificateSelector provider from the Company Portal app doesn't
find a certificate that matches the specified criteria. The specific criteria can be
in the Certificate Template or in the SCEP profile.
If the matching certificate isn't found, the certificates on the device aren't
installed. The Wi-Fi profile isn't applied because it doesn't have the correct
certificate. In this scenario, you see the following entry in the Company Portal
app Omadmlog file:
log
2018-11-27T21:10:37.6390000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding
cert with alias User<ID1> and requestId <requestID1> as it does not
have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding
cert with alias User<ID2> and requestId <requestID2> as it does not
have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 0 cert(s)
matched criteria:
2018-11-27T21:10:37.6400000 VERB
com.microsoft.omadm.utils.CertUtils 14210 00948 2 cert(s)
excluded by criteria:
2018-11-27T21:10:37.6400000 INFO
com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager
14210 00948 Skipping Wifi profile <profile ID>
because it is pending certificates.
The following sample shows a SCEP profile that requests the Any Purpose EKU, while the
certificate template on the certificate authority (CA) doesn't include it. The
certificates the CA issues therefore never match the selection criteria, and the
Wi-Fi profile stays pending. To fix the issue, add the Any Purpose option to the
certificate template, or remove the Any Purpose option from the SCEP profile.
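Pulling these signals out of a real Omadmlog by hand means scrolling through thousands of lines. The Python below is an added example (not code from this article or from the Company Portal app): it parses Omadmlog entries of the shape quoted above (timestamp, level, logger, two numeric fields, message), records per Wi-Fi profile whether it was applied or skipped pending certificates, lists which certificates the CertificateSelector excluded and why, and turns that into the next troubleshooting step. The log lines embedded in it are constructed to mirror the entries quoted above; profile names, aliases and request IDs are placeholders.

```python
"""Triage Company Portal Omadmlog entries for Wi-Fi profile problems.

Added example, not code from the Intune documentation or Company Portal.
Line format assumed from the entries quoted in the article:
  <timestamp> <LEVEL> <logger> <pid> <tid> <message>
The sample lines are constructed; profile names and aliases are placeholders.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$"
)
SKIP_RE = re.compile(r"Skipping Wifi profile (?P<profile>\S+) because it is pending certificates")
APPLIED_RE = re.compile(r"Applied profile (?P<profile>\S+)")
EXCLUDE_RE = re.compile(
    r"Excluding cert with alias (?P<alias>\S+) and requestId (?P<req>\S+) as it (?P<reason>.+?)\.?$"
)
SELECTED_RE = re.compile(r"Selected client cert with alias '(?P<alias>[^']+)'")

SAMPLE_LOG = """\
2018-11-27T21:10:37.6390000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User1001 and requestId ModelName=T1;Hash=-1 as it does not have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 Excluding cert with alias User1002 and requestId ModelName=T2;Hash=-2 as it does not have any purpose EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948 0 cert(s) matched criteria:
2018-11-27T21:10:37.6400000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00948 Skipping Wifi profile WiFi_Corp because it is pending certificates.
2018-11-27T21:12:02.0000000 INFO com.microsoft.omadm.utils.CertificateSelector 14210 00948 Selected client cert with alias 'User1003' and requestId 'ModelName=T3;Hash=-3'.
2018-11-27T21:12:02.5000000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00948 Applied profile WiFi_Corp
2018-11-27T21:12:03.0000000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00948 Skipping Wifi profile WiFi_Lab because it is pending certificates.
"""


def parse_line(line):
    """Split one Omadmlog line into its fields, or return None for non-matching lines."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def analyze(lines):
    """Walk the log in order; the last event seen for a profile is its current state."""
    result = {"profiles": {}, "excluded_certs": [], "selected_certs": []}
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        msg = rec["msg"]
        if m := SKIP_RE.search(msg):
            result["profiles"][m["profile"]] = ("pending_certificates", rec["ts"])
        elif m := APPLIED_RE.search(msg):
            result["profiles"][m["profile"]] = ("applied", rec["ts"])
        elif m := EXCLUDE_RE.search(msg):
            result["excluded_certs"].append((m["alias"], m["reason"]))
        elif m := SELECTED_RE.search(msg):
            result["selected_certs"].append(m["alias"])
    return result


def diagnose(result):
    """Map the raw events to the troubleshooting steps the article describes."""
    advice = []
    pending = [p for p, (state, _) in result["profiles"].items() if state == "pending_certificates"]
    reasons = {reason for _, reason in result["excluded_certs"]}
    if pending and not result["excluded_certs"] and not result["selected_certs"]:
        advice.append(f"{pending}: no certificates were evaluated; confirm the Trusted Root "
                      "and SCEP profiles are deployed to the device")
    if pending and any("purpose EKU" in r for r in reasons):
        advice.append(f"{pending}: the SCEP profile asks for the Any Purpose EKU but the issued "
                      "certificates lack it; align the CA template and the SCEP profile")
    return advice


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG.splitlines())
    for profile, (state, ts) in r["profiles"].items():
        print(f"{profile}: {state} at {ts}")
    print("\n".join(diagnose(r)) or "no certificate-related blockers found")
```

Feed it the Omadmlog file with open(path) and analyze(f); because the last event per profile wins, a profile that was skipped and later applied (as WiFi_Corp is in the sample) is correctly reported as applied, while WiFi_Lab stays pending and gets the EKU advice.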
Confirm that all required certificates in the complete certificate chain are on the
Android device. Otherwise, the Wi-Fi profile can't be installed on the device. For
more information, see Missing intermediate certificate authority (opens
Android's web site).
For example, use CMTrace to read the logs. Use the search string to filter
"wifimgr":
If you see an error in the log, copy the time stamp of the error and unfilter the
log. Then, use the "find" option with the time stamp to see what happened right
before the error.
Manually connect to the network using a certificate with the same criteria that's in
the Wi-Fi profile.
If you can connect, look at the certificate properties in the manual connection.
Then, update the Intune Wi-Fi profile with the same certificate properties.
Connectivity errors are usually logged on the RADIUS server. For example, its log
should show whether the device attempted to authenticate with the Wi-Fi profile.
To mitigate this issue, set up guest Wi-Fi. If the corporate Wi-Fi fails, users can connect
to the guest Wi-Fi. Be sure to enable any automatically connect settings. Deploy the
guest Wi-Fi profile to all users.
Tip
Looking for on-premises GPO analysis? There are tools available in the Microsoft
Security Compliance Toolkit.
Microsoft Intune has many of the same settings as your on-premises GPOs. Group
Policy analytics is a tool in Microsoft Intune that:
If your organization uses on-premises GPOs to manage Windows 10/11 devices, then
Group Policy analytics can help. With Group Policy analytics, it's possible Intune can
replace your on-premises GPOs. Windows 10/11 devices are inherently cloud native. So
depending on your configuration, these devices might not require access to an on-
premises Active Directory.
If you're ready to remove the dependency on on-premises AD, then analyzing your
GPOs with Group Policy analytics is a good first step. Some older settings aren't
supported, or don't apply to cloud native Windows devices. After you analyze your
GPOs, you'll know which settings might still be valid.
Windows 11
Windows 10
This article shows you how to export your GPOs, import the GPOs into Intune, and
review the analysis and results. To migrate or transfer your imported GPOs to an Intune
policy, go to Create a Settings Catalog policy using your imported GPOs in Microsoft
Intune.
Before you begin
In the Microsoft Intune admin center , sign in as the Intune administrator or with a role
that has the Security Baselines permission.
For example, the Endpoint Security Manager role has the Security Baselines
permission. For more information on the built-in roles, see role-based access control.
4. Right-click the GPO you want to migrate and choose Save report:
5. Select an easily accessible folder for your export. In Save as type, select XML File.
In another step, you add this file to group policy analytics in Intune.
Make sure that the file is less than 4 MB and has a proper Unicode encoding. If the
exported file is greater than 4 MB, then reduce the number of settings in the group
policy object.
Import GPOs and run analytics
1. In the Microsoft Intune admin center , select Devices > Group Policy analytics.
Check the sizes of your individual GPO XML files. A single GPO can't be bigger
than 4 MB. If a single GPO is larger than 4 MB, then the import fails. XML files
without the appropriate Unicode encoding also fail.
3. In Scope tags, select the existing scope tag you want to apply to the imported
GPO. If you don't select an existing scope tag, then the Default scope tag is
automatically used:
Only admins included in the scope tags you select can see the imported GPO. For
more information on scope tags on your imported GPOs, go to Select a scope tag
when you import (in this article).
When you select Create, Intune automatically analyzes the GPO in the XML file.
5. After the analysis runs, the GPO you imported is listed with the following
information:
Note
Unknown Settings: There are some CSPs that can't be analyzed. Unknown
Settings lists the GPOs that can't be analyzed.
You can Import more GPOs for analysis, Refresh the page, and Filter the output.
You can also Export this view to a .csv file:
6. Select the MDM Support percentage for a listed GPO. More detailed information
about the GPO is shown:
Group Policy Setting Category: Shows the setting category for ADMX
settings, such as Internet Explorer and Microsoft Edge. Not all settings have a
setting category.
MDM Support:
Yes means there's a matching setting available in Intune. You can
configure this setting in the Settings Catalog.
No means there isn't a matching setting available to MDM providers,
including Intune.
Value: Shows the value imported from the GPO. It shows different values,
such as true, 900, Enabled, false, and so on.
For example, if a policy setting shows 18362, then the setting supports build
18362 and newer builds.
The CSP reference lists the available CSPs, shows the supported OS editions,
and more.
CSP Mapping: Shows the OMA-URI path for the on-premises policy. You can
use the OMA-URI in a custom device configuration profile. For example, you
may see ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption.
7. For the settings that have MDM support, you can create a Settings Catalog policy
with these settings. For the specific steps, go to Create a Settings Catalog policy
using your imported GPOs in Microsoft Intune.
This behavior applies to any scope tag you select when you import a GPO. Admins only
see the imported GPOs if they have one of the same scope tags selected during the
import. If an admin doesn't have the scope tag, then they don't see the imported GPO in
the reporting or in the list of GPOs.
For example, admins have "Charlotte", "London", or "Boston" scope tags assigned to
their role:
For admins to see the analytics or migrate the imported GPO to an Intune policy, these
admins must have one of the same scope tags selected during the import.
For more information on scope tags, go to RBAC and scope tags for distributed IT.
Policy CSP
PassportForWork CSP
BitLocker CSP
Firewall CSP
AppLocker CSP
Group Policy Preferences
If your imported GPO has settings that aren't in the supported CSPs and Group Policies,
then the settings may be listed in the Unknown Settings column. This behavior means
the settings were identified in your GPO.
Even though Group Policy analytics can parse the CSPs, there are some things you
should know when migrating your imported GPOs. For more information, go to Migrate
your imported GPO to a Settings Catalog policy - What you need to know.
Ready for migration: The policy has a matching setting in Intune, and is
ready to be migrated to Intune.
Not supported: The policy doesn't have a matching setting. Typically, policy
settings that show this status aren't exposed to MDM providers, including
Intune.
Deprecated: The policy may apply to older Windows versions, older Microsoft
Edge versions, and more policies that aren't used anymore.
Note
When the Microsoft Intune product team updates the mapping logic,
your imported GPOs are automatically updated. You don't need to
reimport your GPOs.
3. Select the Reports tab > Group policy migration readiness. In this report, you can:
See the number of settings in your GPO that can be configured in a device
configuration profile. It also shows if the settings can be in a custom profile,
aren't supported, or are deprecated.
Filter the report output using the Migration Readiness, Profile type, and CSP
Name filters.
Select Generate report or Generate again to get current data.
See the list of settings in your GPO.
Use the search bar to find specific settings.
Get a time stamp of when the report was last generated.
Note
After you add or remove your imported GPOs, it can take about 20 minutes to
update the Migration Readiness reporting data.
Known issues
Currently, the Group Policy analytics tool only supports non-ADMX settings in the
English language. If you import a GPO with settings in languages other than English,
then your MDM Support percentage is inaccurate.
You received errors during GPO import or analytics, and you need more specific
information.
How easy is it to use Group Policy analytics to find the supported group policies in
Microsoft Intune?
Will this tool help you move some workloads to Intune? If yes, what workloads are
you considering?
To get information on the customer experience, the feedback is aggregated, and sent to
Microsoft. Entering an email is optional, and may be used to get more information.
Next steps
Create a Settings Catalog policy using your imported GPOs in Microsoft Intune
See also
Learn more about Configuration Service Providers (CSP).
Create a Settings Catalog policy using
your imported GPOs in Microsoft Intune
(public preview)
Article • 08/02/2023
You can import your on-premises Group Policy Objects (GPOs), and create an Intune
policy using these imported settings. This policy can be deployed to users and devices
managed by your organization.
With Group Policy Analytics, you import your on-premises GPOs. It analyzes your
imported GPOs, and shows the settings that are also available in Microsoft Intune. For
the settings that are available, you can create a Settings Catalog policy, and then deploy
the policy to your managed devices.
Windows 11
Windows 10
This article shows you how to create the policy from your imported GPOs. For more
information and an overview on Group Policy Analytics, go to Analyze your on-premises
group policy objects (GPO) using Group Policy analytics in Microsoft Intune.
OR
A role that has the Security baselines permission and the Device
configurations/Create permission
For more information about the permissions included with the built-in Intune roles,
go to built-in admin roles. For information on custom roles, go to assign
permissions to custom roles.
Only admins scoped to the GPO can create a settings catalog policy from that
imported GPO. Scope tags are first applied during import of the GPO and can be
edited. If a scope tag isn't or wasn't selected during the GPO import, then the
Default scope tag is automatically used.
1. In the Microsoft Intune admin center , select Devices > Group Policy analytics.
2. In the list, your imported GPOs are shown. Next to the GPO you want in your
Settings Catalog profile, select the Migrate checkbox. You can select one GPO or
many GPOs:
4. In the Settings to migrate tab, select the Migrate column for the settings you want
to include in your Settings Catalog profile:
To help you pick the settings, you can use the built-in features:
Select all on this page: Select this option if you want all settings on the
existing page to be included in your Settings Catalog profile.
Search by setting name: Enter the setting name to find the settings you want:
Tip
If you haven't already, review your Group Policy settings. It's possible some
settings don't apply to cloud-based policy management or don't apply to
cloud native endpoints, like Windows 10/11 devices. It's not recommended to
include all your Group Policy settings without reviewing them.
Select Next.
5. In Configuration, your settings and their values are shown. The values are the
same values in the on-premises Group Policy. Review these settings and their
values.
After you create the Settings Catalog policy, you can change any values.
Select Next.
Name: Enter a descriptive name for the Setting Catalog profile. Name your
profiles so you can easily identify them later. For example, a good profile
name is Windows 10/11: Imported Microsoft Edge GPOs.
Description: Enter a description for the profile. This setting is optional, but
recommended.
Select Next.
7. In Scope tags, optionally assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC roles and scope tags for distributed IT.
8. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, including advice and guidance, go to Assign user
and device profiles in Intune.
Select Next.
When you select Create, your changes are saved, and the profile is assigned. The
policy is shown in the Devices > Configuration profiles list.
The next time any device within your assigned groups checks for configuration updates,
the settings you configured are applied.
Conflicts are detected for the following settings: <setting name>. Select only one
version with the value you prefer in order to continue.
To resolve the conflict, uncheck a conflicting setting, and continue the migration.
When you create the Settings Catalog profile, any settings that can be included in the
profile are included. There can be some differences with the imported settings and the
settings in Settings Catalog.
If you import AppLocker settings or Firewall rule settings, then the Migrate option
is disabled and grayed out. Instead, configure these settings using the Endpoint
Security workload in the Intune admin center.
If you have GPOs that focus on endpoint security, then you should look at the
features available in Endpoint Security, including Security Baselines and mobile
threat defense.
Some settings don't migrate exactly, and may use a different setting
In some scenarios, some GPO settings don't migrate to the exact same setting in
the Settings Catalog. Intune shows an alternate setting that has a similar effect.
For example, you may see this behavior if you import GPOs that include older
Office Administrative Template settings or older Google Chrome settings.
It's possible some errors can happen when the settings are migrating. When the
profile is being created, settings that return an error are shown in Notifications:
Next steps
Analyze your on-premises group policy objects (GPO) using Group Policy analytics
in Microsoft Intune
Use Windows 10/11 Administrative Templates to configure group policy settings in
Microsoft Intune
Use the settings catalog to configure settings on Windows and macOS devices
Use Windows 10/11 templates to
configure group policy settings in
Microsoft Intune
Article • 05/03/2023
Windows 11
Windows 10
The Intune templates are 100% cloud-based, are built in to Intune (no downloading),
and don't require any customizations, including using OMA-URI. They offer a straight-
forward way to configure the settings, and find the settings you want:
The Windows settings are similar to group policy (GPO) settings in on-premises
Active Directory (AD). These settings are built in to Windows, and are ADMX-
backed settings that use XML.
The Office, Microsoft Edge, and Visual Studio settings are ADMX-ingested, and
use the same administrative template files that you would download in on-
premises environments.
You can import custom and third party ADMX and ADML files. For more
information, including the steps, go to Import custom or partner ADMX files.
When managing devices in your organization, you want to create groups of settings that
apply to different device groups. You also want a simple view of the settings you can
configure. You can complete this task using Administrative Templates in Microsoft
Intune.
As part of your mobile device management (MDM) solution, use these template settings
as a one-stop shop to manage your Windows client devices.
This article lists the steps to create a template for Windows client devices, and shows
how to filter all the available settings in Intune. When you create the template, it creates
a device configuration profile. You can then assign or deploy this profile to Windows
client devices in your organization.
The Windows settings use the Windows policy CSPs. The CSPs work on different
editions of Windows, such as Home, Professional, Enterprise, and so on. To see if a
CSP works on a specific edition, go to Windows policy CSPs.
For the specific steps to use the Settings Catalog, see Use the settings catalog to
configure settings.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is ADMX:
Windows 10/11 admin template that configures xyz settings in Microsoft
Edge.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, select All settings to see an alphabetical list of all the
settings. Or, configure settings that apply to devices (Computer configuration),
and settings that apply to users (User configuration):
Note
If you're using the Settings catalog, then select Add settings, and expand
Administrative Templates. Select any setting to see what you can configure.
For more information on creating policies using the Settings Catalog, see Use
the settings catalog to configure settings.
8. When you select All settings, every setting is listed. Scroll down to use the before
and next arrows to see more settings:
9. Select any setting. For example, filter on Office, and select Activate Restricted
Browsing. A detailed description of the setting is shown. Choose Enabled,
Disabled, or leave the setting as Not configured (default). The detailed description
also explains what happens when you choose Enabled, Disabled, or Not
configured.
Tip
10. When you select Computer configuration or User configuration, the setting
categories are shown. You can select any category to see the available settings.
For example, select Computer configuration > Windows components > Internet
Explorer to see all the device settings that apply to Internet Explorer:
11. Select OK to save your changes.
Continue to go through the list of settings, and configure the settings you want in
your environment. Here are some examples:
Use the VBA Macro Notification Settings setting to handle VBA macros in
different Microsoft Office programs, including Word and Excel.
Use the Allow file downloads setting to allow or prevent downloads from
Internet Explorer.
Use Require a password when a computer wakes (plugged in) to prompt
users for a password when devices wake from sleep mode.
Use the Download unsigned ActiveX controls setting to block users from
downloading unsigned ActiveX controls from Internet Explorer.
Use the Turn off System Restore setting to allow or prevent users from
running a system restore on the device.
Use the Allow importing of favorites setting to allow or block users from
importing favorites from another browser into Microsoft Edge.
And much more...
13. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
Select Next.
14. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles in Intune.
If the profile is assigned to user groups, then configured ADMX settings apply to
any device that the user enrolls, and signs in to. If the profile is assigned to device
groups, then configured ADMX settings apply to any user that signs into that
device. This assignment happens if the ADMX setting is a computer configuration
(HKEY_LOCAL_MACHINE), or a user configuration (HKEY_CURRENT_USER). With some
settings, a computer setting assigned to a user may also impact the experience of
other users on that device.
For more information, see User groups vs. device groups when assigning policies.
Select Next.
15. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the settings you configured
are applied.
In your template, select the Settings, State, Setting type, or Path columns to sort
the list. For example, select the Path column, and use the next arrow to see the
settings in the Microsoft Excel path.
In your template, use the Search box to find specific settings. You can search by
setting, or path. For example, select All settings, and search for copy. All the
settings with copy are shown:
In another example, search for microsoft word. You see the settings you can set for
the Microsoft Word program. Search for explorer to see the Internet Explorer
settings you can add to your template.
You can also narrow your search by only selecting Computer configuration or User
configuration.
For example, to see all the available Internet Explorer user settings, select User
configuration, and search for Internet Explorer. Only the IE settings that apply to
users are shown:
Known Issue Rollback: Helping you keep Windows devices protected and
productive
How to use on-premises Group Policy or Intune to deploy a Known Issue Rollback
Next steps
The template is created, but may not be doing anything yet. Be sure to assign the
template (also called a profile) and monitor the policy status.
You can import custom and third party/partner ADMX and ADML templates into the
Intune admin center. Once imported, you can create a device configuration policy using
these settings, and then assign the policy to your managed devices.
Windows 11
Windows 10
This article shows you how to import custom ADMX and ADML files in the Intune admin
center. For more information on administrative templates in Intune, go to Use ADMX
templates to configure policy settings in Microsoft Intune.
Tip
The settings catalog has many settings natively built-in to Intune, including Google
Chrome. For more information, go to:
For example, to import Mozilla Firefox ADMX and ADML files, you:
1. Import the mozilla.admx and mozilla.adml files. Make sure the status shows
Available.
2. Import the firefox.admx and firefox.adml files.
If you upload firefox.admx before the mozilla.admx and mozilla.adml files, then the import will fail.
To see if your ADMX has a dependency, open the ADMX file in a text editor and
look for using prefix in the policyNamespaces node. Any dependencies will be
listed.
In the following example, the kerberos.admx file requires the Windows.admx file:
XML
<policyNamespaces>
To remove a dependency prerequisite, delete the associated ADMX file first. Then, delete
the dependency prerequisite. In our Mozilla Firefox example, delete firefox.admx and
then delete mozilla.admx.
Some files may require Windows.admx as a prerequisite. This file must be uploaded
first. In a future release (no ETA), this namespace will be automatically included and
eventually not be required.
Currently, the combo box setting type isn't supported. ADMX files with the combo
box setting type will fail to import. All other setting types are supported.
Not all areas of the registry can be set using custom ADMX. For more information
on the registry locations that can be used, go to Win32 and Desktop Bridge app
ADMX policy Ingestion Overview.
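The dependency check described above (look for using in the policyNamespaces node) is easy to script for a whole folder of templates. The Python below is an added example, not Microsoft tooling: it reads the target and using namespaces of each ADMX file, computes an upload order in which every referenced namespace is uploaded before the files that depend on it, reports namespaces that no file in the set provides (for Microsoft.Policies.Windows it points at Windows.admx, which this article says must be uploaded first), and flags files whose ADML presentation uses a comboBox, the setting type this article says fails to import. The four template fragments embedded in it are constructed; the Mozilla and Firefox namespace names follow the public Mozilla templates but the policies inside them, and the Contoso Kerberos template, are placeholders.

```python
"""Compute a safe ADMX upload order for Intune and spot known import blockers.

Added example, not Microsoft tooling. Template content below is constructed;
the Mozilla/Firefox namespace names are modeled on the public templates but
the policies themselves (and the Contoso template) are placeholders.
"""
import xml.etree.ElementTree as ET
from graphlib import TopologicalSorter

PD = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
# Namespaces Intune already knows; the article says Windows.admx must be
# uploaded first when another template depends on it.
BUILT_IN = {"Microsoft.Policies.Windows": "Windows.admx"}

FILES = {
    "mozilla.admx": f'''<policyDefinitions xmlns="{PD}" revision="1.0" schemaVersion="1.0">
  <policyNamespaces><target prefix="Mozilla" namespace="Mozilla.Policies"/></policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <categories><category name="Cat_Mozilla" displayName="$(string.Mozilla)"/></categories>
</policyDefinitions>''',
    "firefox.admx": f'''<policyDefinitions xmlns="{PD}" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="firefox" namespace="Mozilla.Policies.Firefox"/>
    <using prefix="Mozilla" namespace="Mozilla.Policies"/>
  </policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <policies>
    <policy name="DisableTelemetry" class="Both" displayName="$(string.DisableTelemetry)"
            key="Software\\Policies\\Mozilla\\Firefox" valueName="DisableTelemetry">
      <parentCategory ref="Mozilla:Cat_Mozilla"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>''',
    "contoso_krb.admx": f'''<policyDefinitions xmlns="{PD}" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="krb" namespace="Contoso.Policies.Kerberos"/>
    <using prefix="windows" namespace="Microsoft.Policies.Windows"/>
  </policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <policies>
    <policy name="Realm" class="Machine" displayName="$(string.Realm)"
            presentation="$(presentation.Realm)" key="Software\\Policies\\Contoso\\Kerberos">
      <parentCategory ref="windows:System"/>
      <elements><text id="RealmText" valueName="Realm"/></elements>
    </policy>
  </policies>
</policyDefinitions>''',
    "contoso_krb.adml": f'''<policyDefinitionResources xmlns="{PD}" revision="1.0" schemaVersion="1.0">
  <displayName/><description/>
  <resources>
    <stringTable><string id="Realm">Kerberos realm</string></stringTable>
    <presentationTable>
      <presentation id="Realm"><comboBox refId="RealmText"><label>Realm:</label></comboBox></presentation>
    </presentationTable>
  </resources>
</policyDefinitionResources>''',
}


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def namespaces(xml_text):
    """Return (target namespace, set of using namespaces) from policyNamespaces."""
    target, using = None, set()
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "target":
            target = el.get("namespace")
        elif local(el.tag) == "using":
            using.add(el.get("namespace"))
    return target, using


def upload_order(files):
    """Order ADMX files so every 'using' namespace is uploaded before its dependents.

    Returns (ordered file names, namespaces referenced but provided by no file).
    """
    by_ns, graph = {}, {}
    for name, text in files.items():
        if not name.lower().endswith(".admx"):
            continue  # ADML files carry no namespace declarations of their own
        target, using = namespaces(text)
        by_ns[target] = name
        graph[target] = using
    ordered = [by_ns[ns] for ns in TopologicalSorter(graph).static_order() if ns in by_ns]
    missing = {ns for deps in graph.values() for ns in deps if ns not in by_ns}
    return ordered, missing


def combo_box_files(files):
    """Files (normally ADML) whose presentation uses comboBox, which Intune rejects."""
    return sorted(n for n, t in files.items()
                  if any(local(e.tag) == "comboBox" for e in ET.fromstring(t).iter()))


def report(files):
    ordered, missing = upload_order(files)
    lines = ["Upload order: " + " -> ".join(ordered)]
    for ns in sorted(missing):
        hint = f"upload {BUILT_IN[ns]} first" if ns in BUILT_IN else "no file in this set provides it"
        lines.append(f"Missing prerequisite namespace {ns}: {hint}")
    for n in combo_box_files(files):
        lines.append(f"{n} uses a comboBox presentation: expect the import to fail")
    return lines


if __name__ == "__main__":
    print("\n".join(report(FILES)))
```

For a real template folder, build the files dict with {p.name: p.read_text(encoding="utf-8-sig") for p in Path(folder).glob("*.adm[lx]")}; the same ordering applies in reverse when deleting, which is why the article has you remove firefox.admx before mozilla.admx.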
providers (CSPs).
Don't import these built-in settings if your intent is to configure them. Instead,
use the settings catalog or a custom profile.
Do import these built-in settings if they're a required parent namespace of
another file.
For a list of the ADMX backed CSP settings, go to ADMX-backed policies in Policy
CSP.
Adobe Reader
Mozilla Firefox
Zoom
2. Select Devices > Configuration profiles > Import ADMX > Import:
Alternatively, you can also import from Devices > Windows > Configuration
profiles > Import ADMX.
4. Select Next.
5. In Review + Create, review your changes. Select Create to import the files.
When the import completes, your ADMX templates are shown in the list. You can also:
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is ADMX:
Mozilla Firefox for Windows 10/11 devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, select and configure the settings you want in your
policy. When finished, select Next.
8. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
Select Next.
9. In Assignments, select the user or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles in Intune.
If the profile is assigned to user groups, then configured ADMX settings apply to
any device that the user enrolls, and signs in to. If the profile is assigned to device
groups, then configured ADMX settings apply to any user that signs into that
device. This assignment happens if the ADMX setting is a computer configuration
(HKEY_LOCAL_MACHINE), or a user configuration (HKEY_CURRENT_USER). With some
settings, a computer setting assigned to a user may also impact the experience of
other users on that device.
For more information, see User groups vs. device groups when assigning policies.
Select Next.
10. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
For example, if you upload a different version of an ADMX file that has the same settings
as the original ADMX file, then the upload will fail with a namespace error.
To update existing ADMX files that are imported, you have the following options:
To replace an existing ADMX file with the same settings, you can use the following
steps:
1. Create another version of the ADMX file with the same namespace as the
original ADMX file.
2. Add the new and different settings to this ADMX file.
3. Import the new ADMX and ADML files.
Next steps
Overview: Use ADMX templates to configure policy settings in Microsoft Intune
Use Update Channel and Target Version settings to update Microsoft 365 with Microsoft Intune Administrative Templates
Article • 05/17/2023
In Intune, you can use Windows ADMX templates to configure group policy settings.
This article shows you how to update Microsoft 365 using an administrative template in
Intune. It also gives guidance on confirming your policies apply successfully. This
information also helps when troubleshooting.
In this scenario, you create an administrative template in Intune that updates Microsoft
365 on your devices.
Applies to:
Windows 11
Windows 10
Microsoft 365
Prerequisites
Be sure to enable Microsoft 365 Apps Automatic Updates for your Office apps. You can
do this using group policy, or the Intune Office 2016 ADMX template:
Note
2. Be sure to assign the policy to your Windows client devices. To test your policy
sooner, you can also sync the policy:
<Provider ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates.
Tip
The <Provider ID> in the registry key changes. To find the provider ID for
your device, open the Registry Editor app, and go to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled.
The provider ID is shown.
When the policy is applied, you see the following registry keys:
L_UpdateBranch
L_UpdateTargetVersion
Looking at the following example, you see L_UpdateBranch has a value similar to
<enabled /><data id="L_UpdateBranchID" value="Deferred" />. This value means
Tip
Manage Microsoft 365 Apps with Configuration Manager lists the values,
and what they mean. The registry values are based on the distribution channel
selected:
is monthly:
This example means the policy isn't applied yet, as it's still set to monthly, instead
of semi-annual.
This registry key is updated when the Task Scheduler > Office Automatic Updates 2.0
task runs, or when a user signs in to the device. To confirm, open the Office Automatic
Updates 2.0 task > Triggers. Depending on your triggers, it can take a day or
more before the UpdateChannel registry key is updated.
It should be updated with the value set in the policy. In our example, the value
should be set to http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114.
At this point, the Office update channel is successfully changed on the device. You can
open a Microsoft 365 app for a user that receives this update to check status.
2. In your Intune administrative template, go to the Target Version setting, and enter
the version you want.
ID>\default\Device\office16~Policy~L_MicrosoftOfficemachine~L_Updates.
2. Look at the L_UpdateTargetVersion value. Once the policy applies, the value is set
to the version you entered, such as <enabled /><data
id="L_UpdateTargetVersionID" value="16.0.10730.20344" />.
3. Next, you can force Office to update. Open an Office app, such as Excel. Choose to
update now (possibly in the Account menu).
The update takes several minutes. You can confirm Office is trying to get the
version you entered:
a. On the device, go to C:\Program Files (x86)\Microsoft Office\Updates\Detection\Version.
4. After the update is installed, the Office app should show the new version (for
example, on the Account menu).
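The two registry values the procedure above tells you to inspect share one ADMX-backed format. The following added example (not code from the Intune documentation) parses that format and reports whether the branch, target version, and UpdateChannel URL match what the policy set; the sample values are constructed, and on a real device they would be read from the registry paths the article names.

```python
"""Check whether an Intune ADMX-backed Office update policy has applied.

Added example; not code from the Microsoft Intune documentation. It parses
the PolicyManager value format the article shows
(<enabled /><data id="..." value="..." />) and compares what the device
reports with the update channel and target version the admin configured.
The sample values are constructed; on a real device they come from the
registry paths the article names.
"""
import re
from dataclasses import dataclass, field

# ADMX-backed CSP values start with an <enabled /> or <disabled /> marker,
# followed by zero or more <data id="..." value="..." /> elements.
_STATE_RE = re.compile(r"<(enabled|disabled)\s*/>")
_DATA_RE = re.compile(r'<data\s+id="([^"]+)"\s+value="([^"]*)"\s*/>')

# CDN URL the article gives for its semi-annual (Deferred) channel example.
SEMI_ANNUAL_CDN = "http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114"


@dataclass
class PolicyValue:
    enabled: bool
    data: dict = field(default_factory=dict)


def parse_policy_value(raw: str) -> PolicyValue:
    """Parse a string such as
    '<enabled /><data id="L_UpdateBranchID" value="Deferred" />'.
    Raises ValueError when the enabled/disabled marker is absent."""
    m = _STATE_RE.search(raw)
    if m is None:
        raise ValueError(f"no <enabled /> or <disabled /> marker in {raw!r}")
    return PolicyValue(enabled=m.group(1) == "enabled",
                       data=dict(_DATA_RE.findall(raw)))


def check_office_update_policy(policy_keys: dict, update_channel: str,
                               expected_branch: str, expected_version: str,
                               expected_channel: str = SEMI_ANNUAL_CDN) -> list:
    """Return findings as strings; an empty list means the policy applied.

    policy_keys: the L_UpdateBranch / L_UpdateTargetVersion strings under the
    PolicyManager key the article names (a missing key = not delivered yet).
    update_channel: the UpdateChannel value Click-to-Run rewrites when the
    Office Automatic Updates 2.0 task runs.
    """
    findings = []
    for key, data_id, expected in (
        ("L_UpdateBranch", "L_UpdateBranchID", expected_branch),
        ("L_UpdateTargetVersion", "L_UpdateTargetVersionID", expected_version),
    ):
        raw = policy_keys.get(key)
        if raw is None:
            findings.append(f"{key} missing: policy not delivered yet")
            continue
        pv = parse_policy_value(raw)
        if not pv.enabled:
            findings.append(f"{key} is disabled")
        elif pv.data.get(data_id) != expected:
            findings.append(f"{key} is {pv.data.get(data_id)!r}, expected {expected!r}")
    # The channel URL lags behind the policy until the scheduled task or a
    # user sign-in triggers the update, so it is reported separately.
    if update_channel != expected_channel:
        findings.append("UpdateChannel not yet switched (task has not run)")
    return findings


# Constructed sample: policy delivered, target version set, task already ran.
APPLIED = {
    "L_UpdateBranch": '<enabled /><data id="L_UpdateBranchID" value="Deferred" />',
    "L_UpdateTargetVersion": '<enabled /><data id="L_UpdateTargetVersionID" value="16.0.10730.20344" />',
}
# Constructed sample: branch policy delivered, no target version yet, and the
# channel URL still points at a placeholder for the previous channel.
PENDING = {
    "L_UpdateBranch": '<enabled /><data id="L_UpdateBranchID" value="Deferred" />',
}
PLACEHOLDER_OLD_CHANNEL = "http://officecdn.microsoft.com/pr/<previous-channel-id>"

if __name__ == "__main__":
    print(check_office_update_policy(APPLIED, SEMI_ANNUAL_CDN, "Deferred", "16.0.10730.20344"))
    print(check_office_update_policy(PENDING, PLACEHOLDER_OLD_CHANNEL, "Deferred", "16.0.10730.20344"))
```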
Next steps
Update channel values for Microsoft 365 clients
Overview of the Office cloud policy service for Microsoft 365 Apps
Use Windows 10/11 templates to configure group policy settings (ADMX templates) in
Microsoft Intune
Configure Microsoft Edge policy settings in Microsoft Intune
Article • 02/22/2023
Using Administrative Templates in Microsoft Intune, you can create and manage
Microsoft Edge policy settings on your Windows client devices. Administrative
Templates use the ADMX templates for Microsoft Edge.
You can configure specific Microsoft Edge settings, such as adding download
restrictions, using autofill, showing the favorites bar, and more. These settings are
created in an Intune policy, and then deployed to Windows client devices in your
organization.
Windows 11
Windows 10
For Microsoft Edge version 45 and earlier, see Microsoft Edge Browser device
restrictions.
Note
Additional ADMX settings for Edge 96 and Edge updater have been added to
Administrative Templates. This includes support for "Target Channel override" which
allows customers to opt into the Extended Stable release cycle option at any
point using Group Policy or through Intune.
When you use Intune to manage and enforce policies, it's similar to using Active
Directory group policy, or configuring local Group Policy Object (GPO) settings on user
devices. But, Intune is 100% cloud.
This article shows you how to configure Microsoft Edge policy settings using
administrative templates in Microsoft Intune.
Tip
For information on adding the Microsoft Edge version 77+ app on Windows
client, see Add Edge app on Windows client devices.
For information on adding and configuring Microsoft Edge version 77+ app
on macOS, see Add Edge app, and Configure Edge app using plist.
For a list of the Microsoft Edge updates, including new policies, see the
Release notes for Microsoft Edge.
Prerequisites
Windows 11
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is ADMX:
Configure Edge on Windows 10/11 devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.
8. Select Computer Configuration > Microsoft Edge > Allow download restrictions.
The policy description and values are shown:
Note
See Microsoft Edge – Policies and Microsoft Edge – Update policies for the
list of the available settings.
9. Close the policy description. Use search to find a specific setting you want to
configure. For example, search for "home page":
10. Select Configure the home page URL > Enabled, and set its value to
https://www.bing.com:
11. Select OK. The State now shows Enabled:
12. Select Next. In Scope tags, select Next.
Scope tags are optional, and this example doesn't use them. To learn more about
scope tags, and what they do, see Use role-based access control (RBAC) and scope
tags for distributed IT.
Assignments are optional, and this example doesn't use them. In production, select
Add groups. Select an Azure Active Directory (Azure AD) group that includes users
or devices that should receive this policy. For information and guidance on
assigning policies, see Assign user and device profiles in Intune.
14. In Review + create, see the summary of your changes. Select Create.
When you create the profile, your policy is automatically assigned to the users or
groups you chose. If you didn't choose any users or groups, then your policy is
created, but it's not deployed.
Next steps
Microsoft Edge Enterprise landing page
Manage web access by using Microsoft Edge with Microsoft Intune
Use Windows 10/11 templates to configure group policy settings in Microsoft
Intune
Deploy Microsoft Edge using Microsoft Intune
Restrict USB devices and allow specific USB devices using Administrative Templates in Microsoft Intune
Article • 02/22/2023
Many organizations want to block specific types of USB devices, such as USB flash drives
or cameras. You may also want to allow specific USB devices, such as a keyboard or
mouse.
You can use Administrative Templates (ADMX) templates to configure these settings in a
policy, and then deploy this policy to your Windows devices. For more information on
Administrative Templates, and what they are, see Use Windows 10/11 templates to
configure group policy settings in Microsoft Intune.
This article shows you how to create an ADMX policy with USB settings, and use a log
file to troubleshoot devices that shouldn't be blocked.
Applies to:
Windows 11
Windows 10
4. Select Create.
Name: Enter a descriptive name for the profile. For example, enter Restrict
USB devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
Allow installation of devices using drivers that match these device setup
classes: Select Enabled. Then, add the class GUID of the device classes you
want to allow.
In the following example, the Keyboard, Mouse, and Multimedia classes are
allowed:
Select OK.
Allow installation of devices that match any of these Device IDs: Select
Enabled. Then, add the device/hardware IDs for devices you want to allow:
To get the device/hardware ID, you can use Device Manager, find the device,
and look at the properties. For the specific steps, see find the hardware ID on
a Windows device.
Select OK.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
Select Next.
10. In Assignments, select the device groups that will receive the profile. Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved and the profile is assigned.
If a USB device is blocked from installing, then you see a message similar to the
following message:
The installation of this device is forbidden by system policy. Contact your system
administrator.
In the following example, the iPad is blocked because its device ID isn't in the allowed
device ID list:
In the following example, in the Allow installation of devices using drivers that match
these device setup classes setting, the Multimedia class GUID is entered, and the
camera is blocked:
Resolution:
2. In the file:
b. In this section, find the Class GUID of device changed to: {GUID} text. This
{GUID} needs to be added to your policy.
In the following example, you see the Class GUID of device changed to:
{36fc9e60-c465-11cf-8056-444553540000} text:
dvi: InfFile - c:\windows\system32\driverstore\filerepository\usb.inf_amd64_9646056539e4be37\usb.inf
4. If the issue continues, repeat these steps to add the other class GUIDs until the
device is successfully installed.
In our example, the following class GUIDs are added to the device profile:
Cameras, headphones and microphones: Add the following GUIDs to the device
profile:
USB Bus devices (hubs and host controllers): {36fc9e60-c465-11cf-8056-444553540000}
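Repeating the log search by hand for each blocked device gets tedious when several classes are involved. The following added example (not code from the Intune documentation) scans setupapi.dev.log text for the Class GUID and InfFile lines the steps above describe and lists the class GUIDs the allow list does not yet contain; the log excerpt is constructed, and its second GUID is a placeholder rather than a real device setup class.

```python
"""Collect device setup class GUIDs from setupapi.dev.log text.

Added example; not code from the Microsoft Intune documentation. It looks
for the 'Class GUID of device changed to: {GUID}' and 'dvi: InfFile - ...'
lines the article says to search for, and reports the class GUIDs that are
not yet in the policy's allowed device setup classes. The log excerpt is
constructed; its second GUID is a placeholder, not a real class.
"""
import re

_CLASS_RE = re.compile(r"Class GUID of device changed to:\s*(\{[0-9a-fA-F-]{36}\})")
_INF_RE = re.compile(r"dvi:\s+InfFile\s+-\s+(\S+)")

# The only class GUID the article names; anything else is reported as unknown.
KNOWN_CLASSES = {
    "{36fc9e60-c465-11cf-8056-444553540000}": "USB Bus devices (hubs and host controllers)",
}

# Constructed excerpt in the shape the article describes (placeholder second GUID).
SAMPLE_LOG = r"""
dvi: Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
dvi: InfFile - c:\windows\system32\driverstore\filerepository\usb.inf_amd64_9646056539e4be37\usb.inf
dvi: Class GUID of device changed to: {00000000-0000-0000-0000-00000000dead}.
dvi: InfFile - c:\windows\inf\placeholder.inf
dvi: Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
"""


def collect_class_guids(log_text: str) -> dict:
    """Map each class GUID (lower-cased) to the set of INF files logged
    after it, so the admin can tell which driver hit that class."""
    classes = {}
    current = None
    for line in log_text.splitlines():
        m = _CLASS_RE.search(line)
        if m:
            current = m.group(1).lower()
            classes.setdefault(current, set())
            continue
        m = _INF_RE.search(line)
        if m and current is not None:
            classes[current].add(m.group(1))
    return classes


def missing_from_allow_list(log_text: str, allowed: set) -> list:
    """Return (guid, friendly name, sorted inf files) for every class GUID in
    the log that the policy's allow list (any letter case) does not contain."""
    allowed_lc = {g.lower() for g in allowed}
    result = []
    for guid, infs in sorted(collect_class_guids(log_text).items()):
        if guid not in allowed_lc:
            name = KNOWN_CLASSES.get(guid, "unknown class; check Device Manager")
            result.append((guid, name, sorted(infs)))
    return result


if __name__ == "__main__":
    for guid, name, infs in missing_from_allow_list(SAMPLE_LOG, set()):
        print(guid, name, infs)
```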
Next steps
Learn more about ADMX templates in Microsoft Intune
Use Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune
Article • 03/02/2023
When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS)
settings after they're enrolled using the Device Firmware Configuration Interface (DFCI).
For an overview of benefits, scenarios, and prerequisites, see Overview of DFCI .
DFCI enables Windows to pass management commands from Intune to UEFI (Unified
Extensible Firmware Interface).
In Intune, use this feature to control BIOS settings. Typically, firmware is more resilient to
malicious attacks. It limits end users' control over the BIOS, which is valuable when a
device is compromised.
For example, you use Windows client devices in a secure environment, and want to
disable the camera. You can disable the camera at the firmware layer, so it doesn't
matter what the end user does. Reinstalling the OS or wiping the computer won't turn
the camera back on. In another example, lock down the boot options to prevent users
from booting another OS, or an older version of Windows that doesn't have the
same security features.
When you reinstall an older Windows version, install a separate OS, or format the hard
drive, you can't override DFCI management. This feature can prevent malware from
communicating with OS processes, including elevated OS processes. DFCI's trust chain
uses public key cryptography, and doesn't depend on local UEFI (BIOS) password
security. This layer of security blocks local users from accessing managed settings from
the device's UEFI (BIOS) menus.
Devices manually registered for Autopilot, such as imported from a csv file, aren't
allowed to use DFCI. By design, DFCI management requires external attestation of
the device's commercial acquisition through an OEM or a Microsoft CSP partner
registration to Windows Autopilot.
Once your device is registered, its serial number is shown in the list of Windows
Autopilot devices.
Human Resources (HR) has different Windows devices. For security reasons, you
don't want anyone in this group to use the camera on the devices. In this scenario,
you can create an HR security users group so the policy applies to users in the HR
group, whatever the device type.
On the manufacturing floor, you have 10 devices. On all devices, you want to
prevent booting the devices from a USB device. In this scenario, you can create a
security devices group, and add these 10 devices to the group.
For more information on creating groups in Intune, see Add groups to organize users
and devices.
Tip
Configuring and assigning DFCI profiles can lock the device beyond repair. So, pay
attention to the values you configure.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your policies so you
can easily identify them later. For example, a good profile name is Windows:
Configure DFCI settings on Windows devices.
Description: Enter a description for the profile. This setting is optional, but
recommended.
Select Next.
6. In Configuration settings, configure the settings you want to control in the UEFI
firmware layer. For a list of all the settings, and what they do, go to:
Select Next.
7. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
8. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, see Assign user and device profiles.
Select Next.
9. In Review + create, review your settings and select Create. When you select
Create, your changes are saved, and the profile is assigned. The policy is also
shown in the profiles list.
The next time each device checks in, the policy is applied.
When the device runs Windows Autopilot, during the Enrollment Status page, DFCI
may force a reboot. This first reboot enrolls UEFI to Intune.
If you want to confirm the device is enrolled, you can reboot the device again, but it's
not required. Use the device manufacturer's instructions to open the UEFI menu, and
confirm UEFI is now managed.
The next time the device syncs with Intune, Windows receives the DFCI settings. Reboot
the device. This third reboot is required for UEFI to receive the DFCI settings from
Windows.
You can also signal devices to check in. After a successful sync, signal to reboot.
Note
Deleting the DFCI profile, or removing a device from the group assigned to the
profile doesn't remove DFCI settings or re-enable the UEFI (BIOS) menus. If you
want to stop using DFCI, then update your existing DFCI profile. For more
information on the steps, see retire the device in this article.
Conflicts
When you create the DFCI policy, you configure the Windows DFCI settings you want to
manage.
Some settings are in a logical category, like Microphones and Speakers. There are also
granular settings, like Microphones. If these settings conflict, then the following
happens:
In the first sync attempt, the granular setting is applied (Microphones) and the
category setting is non-compliant (Microphones and Speakers).
With every sync with the Intune service after the first sync, the following behavior
happens in a loop:
Intune applies the category setting (Microphones and Speakers) since it's not
compliant. The granular setting (Microphones) becomes non-compliant.
Intune applies the granular setting (Microphones) since it's not compliant. The
category setting (Microphones and Speakers) becomes non-compliant.
To avoid this looping behavior, configure either the category setting or the granular settings, not both.
For example, you want to only allow Wi-Fi radios. In this scenario, you:
Leave the category Radios (Bluetooth, Wi-Fi, NFC, etc.) setting to Not configured.
For the Wi-Fi radio setting, set it to Enable.
Set all the other granular radio settings to Disabled.
Reuse, retire, or recover the device
Reuse
If you plan to reset Windows to repurpose the device, then wipe the device. Do not
remove the Autopilot device record.
After wiping the device, move the device to the group assigned the new DFCI and
Autopilot profiles. Be sure to reboot the device to rerun Windows setup.
Retire
When you're ready to retire the device and release it from management, update the
DFCI profile to the UEFI (BIOS) settings you want at the exit state. Typically, you want all
settings enabled. For example:
These steps unlock the device's UEFI (BIOS) menus. The values remain the same as the
profile (Enabled or Disabled), and aren't set back to any default OS values.
You're now ready to wipe the device. Once the device is wiped, delete the Autopilot
record. Deleting the record prevents the device from automatically re-enrolling when it
reboots.
Recover
If you wipe a device, and delete the Autopilot record before unlocking the UEFI (BIOS)
menus, then the menus remain locked. Intune can't send profile updates to unlock it.
To unlock the device, open the UEFI (BIOS) menu, and refresh management from
network. Recovery unlocks the menus, but leaves all UEFI (BIOS) settings set to the
values in the previous Intune DFCI profile.
Next steps
After the profile is assigned, monitor its status.
Configure Domain Join settings for hybrid Azure AD joined devices in Microsoft Intune
Article • 05/17/2023
Windows 11
Windows 10
Hybrid Azure AD joined devices
Hybrid deployment with Autopilot + Intune
This article shows you how to create a domain join profile for a hybrid Autopilot
deployment. You can also see the available settings.
4. Select Create.
6. Select Next.
Computer name prefix: Enter a prefix for the device name. Computer names
are 15 characters long. After the prefix, the remaining 15 characters are
randomly generated.
Domain name: Enter the Fully Qualified Domain Name (FQDN) the devices
are to join. For example, enter americas.corp.contoso.com.
Organizational unit (optional): Enter the full path (distinguished name) of the
organizational unit (OU) in which the computer accounts are to be created. For
example, enter OU=Mine,DC=Contoso,DC=com. Don't enter quotation marks. To
use the well-known computer object container (CN=Computers,
DC=Contoso, DC=Com), leave this property blank.
For more information and advice on this setting, go to Deploy hybrid Azure
AD-joined devices.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the device groups that will receive your profile. For more
information about assigning profiles, go to Assign user and device profiles.
If you need to join devices to different domains or OUs, create different device
groups.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
It's now ready for you to deploy hybrid Azure AD-joined devices by using Intune and
Windows Autopilot.
Next steps
After the profile is assigned, monitor its status.
Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot.
Delivery Optimization settings in Microsoft Intune
Article • 08/08/2023
Applies to:
Windows 10
Windows 11
With Intune, use Delivery Optimization settings for your Windows devices to reduce
bandwidth consumption when those devices download applications and updates.
Configure Delivery Optimization as part of your device configuration profiles.
This article describes how to configure Delivery Optimization settings as part of a device
configuration profile. After you create a profile, you then assign or deploy that profile to
your Windows devices.
To view a list of the Delivery Optimization settings that Intune supports, see Delivery
Optimization settings for Intune.
To learn about Delivery Optimization on Windows 10 and Windows 11, see Delivery
Optimization updates in the Windows documentation.
4. Select Create.
6. Select Next.
7. On the Configuration settings page, define how you want updates and apps to
download. For information about available settings, see Delivery Optimization
settings for Intune.
8. On the Scope (Tags) page, select Select scope tags to open the Select tags pane to
assign scope tags to the profile.
9. On the Assignments page, select the groups that receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
10. On the Applicability Rules page, use the Rule, Property, and Value options to
define how this profile applies within assigned groups.
11. On the Review + create page, when you're done, choose Create. The profile is
created and is shown in the list.
The next time each device checks in, the policy is applied.
Next steps
After you assign the profile, monitor its status.
As part of your mobile device management (MDM) solution, you may want to upgrade
your Windows 10/11 devices. For example, you want to upgrade your Windows 10
Professional devices to Windows 10 Enterprise. Or, you want the Windows 10 device to
switch out of S mode.
Windows 10 S mode (opens another Microsoft web site) is designed for security and
performance. You can use Intune to switch out of S mode. Switching out of S mode is
one-way: once you switch out of S mode, you can't go back to Windows 10 S mode.
See some commonly asked questions about S mode.
Windows 11
Windows 10
Windows 10 1809 and newer for S mode
Windows Holographic for Business
These features are available in Intune, and are configurable by the administrator. Intune
uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, you can then push or
deploy the profile to Windows client devices in your organization. When you deploy the
profile, Intune automatically upgrades the devices or switches out of S mode.
This article lists the supported upgrade paths, and shows you how to create the device
configuration profile. You can also see all the available upgrade and S mode settings for
Windows 10.
Note
If you remove the policy assignment later, the version of Windows on the device
isn't reverted. The device continues to run normally.
Prerequisites
Before you upgrade devices, be sure you have the following prerequisites:
A valid product key to install the updated Windows version on all devices that you
target with the policy (for Windows client Desktop editions). You can use either
Multiple Activation Keys (MAK) or Key Management Server (KMS) keys.
For Windows 10 Holographic editions, you can use a Microsoft license file. The
license file includes the licensing information to install the updated edition on all
devices that you target with the policy.
The Windows client devices you assign the policy to are enrolled in Microsoft Intune.
4. Select Create.
Name: Enter a descriptive name for the new profile. For example, enter
something like Windows 10/11 edition upgrade profile or Windows 10 switch
off S mode.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, enter the settings you want to configure. For a list of all
settings, and what they do, go to:
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, go to Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
Next steps
After the profile is assigned, monitor its status.
See the upgrade and S mode settings for Windows 10/11 and Windows Holographic for
Business devices.
Add and use wired networks settings on your macOS and Windows devices in Microsoft Intune
Article • 05/24/2023
Microsoft Intune includes built-in settings to configure wired networks for your macOS
and Windows devices. You can configure the network interface, accepted EAP types,
enter server trust settings, and more.
Wired networks are used by many organizations to give network access to desktop
computers and devices that must use a network cable.
These built-in settings can be deployed to devices in your organization using policy.
When the policy is ready, it can be assigned to different users and groups. Once
assigned, your users get access to your organization's wired network without
configuring it themselves.
As part of your mobile device management (MDM) solution, use this feature to create
802.1x profiles to manage wired networks. Then, deploy these wired networks to your
devices.
macOS
Windows 11
Windows 10
Example scenario
You have a wired network named Contoso wired network. You want to set up all macOS
desktops to connect to this network. Here's the process:
1. In Intune, create a wired network profile that includes the settings that connect to
the Contoso wired network.
2. Assign the profile to a group that includes all users' macOS desktop computers. For
recommendations on using group types, go to User groups vs. device groups.
3. On their desktops, users find the Contoso wired network in the list of networks.
They can then connect to the network, using the authentication method of your
choosing.
This article lists the steps to create a wired network profile. It also includes links that
describe the different settings.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is macOS:
wired network policy.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
macOS
Windows
8. Select Next.
9. In Assignments, select the user groups or device groups that will receive your
profile. For more information on assigning profiles, go to Assign user and device
profiles.
Select Next.
10. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Tip
If you use certificate based authentication for your wired network profile, then
deploy the wired network profile, certificate profile, and trusted root profile to the
same groups. This deployment makes sure that each device can recognize the
legitimacy of your certificate authority. For more information, go to configure
certificates with Microsoft Intune.
Next steps
The profile is created, but may not be doing anything. Be sure to assign this profile, and
monitor its status.
Add iOS, iPadOS, or macOS device feature settings in Intune
Article • 04/03/2023
Intune includes many features and settings that help administrators control iOS, iPadOS,
and macOS devices. For example, administrators can:
Intune uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, you then push or deploy
the profile to iOS/iPadOS and macOS devices in your organization.
iOS/iPadOS
macOS
This article describes the different features you can configure, and shows you how to
create a device configuration profile. You can also see all the available settings for
iOS/iPadOS and macOS devices.
Profile: Select Device features. Or, select Templates > Device features.
4. Select Create.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is macOS:
Configures login screen.
Description: Enter a description for the policy. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:
iOS/iPadOS
macOS
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
AirPrint
AirPrint is an Apple feature that allows devices to print to files over a wireless network.
In Intune, you can add AirPrint information to devices.
For a list of the settings you can configure in Intune, see AirPrint on iOS/iPadOS and
AirPrint on macOS.
For more information on AirPrint, see About AirPrint on Apple's web site.
Applies to:
iOS 7.0 and newer
iPadOS 13.0 and newer
macOS 10.10 and newer
App notifications
Choose how apps on your iOS and iPadOS devices receive notifications. For example,
send app notifications so they show in the notification center, show on the lock screen,
or play a sound.
For a list of the settings you can configure in Intune, see App notifications on
iOS/iPadOS.
For more information on this feature, see Notifications on Apple's web site.
Applies to:
Associated domains
Associated domains allow you to create a relationship between your domains, such as
contoso.com, and your apps. This feature allows you to:
Share data and sign in credentials between apps and websites in your
organization.
Use app features that are based on your website, such as single sign-on app
extension, universal links, and password autofill.
For a list of the settings you can configure in Intune, see Associated domains on macOS.
For more information on this feature, see Setting Up an App's Associated Domains on
Apple's web site.
Applies to:
Use the Home screen settings to add apps and folders to the home screen on
devices.
Use the Dock settings to add apps or folders to the dock on the screen. For
example, show Safari and the Mail app on the device dock.
For a list of the settings you can configure in Intune, see Home screen layout on
iOS/iPadOS.
Applies to:
For a list of the settings you can configure in Intune, see Lock screen message settings
on iOS/iPadOS.
Applies to:
Login items
Use this feature to choose the apps, custom apps, files, and folders that open when
users sign in to the devices.
For a list of the settings you can configure in Intune, see Login items on macOS.
Applies to:
macOS 10.13 and newer
Login window
Control the appearance of the login screen and functions available to users before they
sign in. For example, add a banner with a custom message, choose if the sleep button is
shown, and more.
For a list of the settings you can configure in Intune, see Login window on macOS.
Applies to:
Single sign-on
Most Line of Business (LOB) apps require some level of user authentication to support
security. In many cases, the authentication requires users to enter the same credentials
repeatedly. To improve the user experience, developers can create apps that use single
sign-on (SSO). Using single sign-on reduces the number of times a user must enter
credentials.
An app that's coded to look for the user credential store in single sign-on on the
device.
Intune configured for iOS/iPadOS device single sign-on.
For a list of the settings you can configure in Intune, see Single sign-on on iOS/iPadOS.
Applies to:
In Intune, use these settings to configure an SSO app extension created by your
organization, your identity provider, Microsoft, or Apple. The SSO app extension handles
authentication for your users. These settings configure redirect-type and credential-type
SSO app extensions.
The redirect type is designed for modern authentication protocols, such as OpenID
Connect, OAuth, and SAML2. You can choose between the Microsoft Azure AD SSO
extension (Microsoft Enterprise SSO plug-in) and a generic redirect extension.
The Azure AD macOS SSO app extension should work with any third-party or
partner MDM. The extension must be deployed as a Kerberos SSO extension, or
deployed as a custom configuration profile with all the required properties
configured.
For a list of the settings you can configure in Intune, see iOS/iPadOS SSO app extension
and macOS SSO app extension.
For more information on developing an SSO app extension, watch Extensible Enterprise
SSO on Apple's web site. To read Apple's description of the feature, go to single sign-
on extensions payload settings.
Note
The Single sign-on app extension feature is different than the Single sign-on
feature:
The Single sign-on app extension settings apply to iPadOS 13.0 (and newer),
iOS 13.0 (and newer), and macOS 10.15 (and newer). Single sign-on settings
apply to iPadOS 13.0 (and newer) and iOS 7.0 and newer.
The Single sign-on app extension settings define extensions for use by
identity providers or organizations to deliver a seamless enterprise sign-on
experience. The Single sign-on settings define Kerberos account information
for when users access servers or apps.
The Single sign-on app extension uses the Apple operating system to
authenticate. So, it might provide an end-user experience that's better than
Single sign-on.
From a development perspective, with Single sign-on app extension, you can
use any type of redirect SSO or credential SSO authentication. With Single
sign-on, you can only use Kerberos SSO authentication.
The Kerberos Single sign-on app extension was developed by Apple and is
built into the iOS/iPadOS 13.0+ and macOS 10.15+ platforms. The built-in
Kerberos extension can be used to log users into native apps and websites
that support Kerberos authentication. Single sign-on is not an Apple
implementation of Kerberos.
Applies to:
Wallpaper
Add a custom .png, .jpg, or .jpeg image to your supervised iOS/iPadOS devices. For
example, use Intune to add a company logo to the lock screen on your devices.
For a list of the settings you can configure in Intune, see Wallpaper on iOS/iPadOS.
Applies to:
iOS
iPadOS 13.0 and newer
For a list of the settings you can configure in Intune, see Web content filter on
iOS/iPadOS.
Applies to:
Next steps
The profile is created, but it may not be doing anything yet. Next, assign the profile and
monitor its status.
View all the device feature settings for iOS/iPadOS and macOS devices.
Deploy the Microsoft Enterprise SSO plug-in for Apple Devices
Article • 05/30/2023
In Microsoft Intune, there's a Microsoft Enterprise SSO plug-in. This plug-in provides
single sign-on (SSO) to iOS/iPadOS and macOS apps and websites that use Microsoft
Azure Active Directory (Azure AD) for authentication.
Next steps
For information about the Microsoft Enterprise SSO plug-in and Azure AD, go to
Microsoft Enterprise SSO plug-in for Apple devices.
For information from Apple on the single sign-on extension payload, go to single
sign-on extensions payload settings (opens Apple's web site).
The Microsoft Enterprise SSO plug-in provides single sign-on (SSO) to apps and
websites that use Microsoft Azure Active Directory (Azure AD) for authentication,
including Microsoft 365. This plug-in uses the Apple single sign-on app extension
framework. It reduces the number of authentication prompts users get when using
devices managed by Mobile Device Management (MDM), including any MDM that
supports configuring SSO profiles.
Once set up, apps that support the Microsoft Authentication Library (MSAL)
automatically take advantage of the Microsoft Enterprise SSO plug-in. Apps that don't
support MSAL can be allowed to use the extension, including browsers like Safari and
apps that use Safari web view APIs. Just add the application bundle ID or prefix to the
extension configuration.
For example, to allow a Microsoft app that doesn't support MSAL, add com.microsoft.
to the AppPrefixAllowList property. Be careful with the apps you allow: they'll be able to
bypass interactive sign-in prompts for the signed-in user.
For more information, see Microsoft Enterprise SSO plug-in for Apple devices - apps
that don't use MSAL.
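The allow-list is where the risk sits: every bundle ID or prefix you add obtains the signed-in user's tokens without an interactive prompt. The following Python script is an added example, not Intune's or Microsoft's code, that lints the two allow-lists before a profile is deployed. It assumes the lists live in the extension's ExtensionData dictionary as comma-delimited strings under AppPrefixAllowList (the property the article names) and AppAllowList (an assumed key for the "App bundle ID" setting), and that the extension compares prefixes as plain string prefixes; the sample ExtensionData is constructed.

```python
"""Lint the app allow-lists of a Microsoft Enterprise SSO extension configuration.

Added example, not Intune or Microsoft code. Assumptions: the extension's
ExtensionData dictionary carries comma-delimited strings under
AppPrefixAllowList (the property named in the article) and AppAllowList (the
assumed key behind the "App bundle ID" setting), and the extension compares
prefixes as plain string prefixes. The sample ExtensionData is constructed.
"""
from __future__ import annotations

import plistlib
from dataclasses import dataclass

# Constructed sample of the ExtensionData dictionary in an SSO extension profile.
SAMPLE_EXTENSION_DATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.,com.,com.contoso</string>
    <key>AppAllowList</key>
    <string>com.contoso.fieldapp,com.microsoft.someapp</string>
</dict>
</plist>
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": widens silent SSO beyond what was intended; "info": redundant
    entry: str
    message: str


def split_list(value: str | None) -> list[str]:
    """Split a comma-delimited allow-list into trimmed, non-empty entries."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_prefixes(prefixes: list[str]) -> list[Finding]:
    findings = []
    for prefix in prefixes:
        labels = [part for part in prefix.rstrip(".").split(".") if part]
        if len(labels) < 2:
            # "com." or "" matches nearly every bundle ID on the device.
            findings.append(Finding("high", prefix, "prefix is too broad; almost every app would get silent SSO"))
        elif not prefix.endswith("."):
            # Under plain prefix matching, "com.contoso" also matches "com.contosoevil.app".
            findings.append(Finding("high", prefix, "prefix lacks a trailing dot and also matches look-alike bundle IDs"))
    return findings


def lint_bundle_ids(bundle_ids: list[str], prefixes: list[str]) -> list[Finding]:
    findings = []
    for bundle_id in bundle_ids:
        if bundle_id.endswith(".") or len(bundle_id.split(".")) < 2:
            findings.append(Finding("high", bundle_id, "not a full bundle ID; move it to the prefix list or complete it"))
            continue
        covering = [p for p in prefixes if bundle_id.startswith(p)]
        if covering:
            findings.append(Finding("info", bundle_id, f"already covered by prefix {covering[0]!r}"))
    return findings


def lint_extension_data(plist_bytes: bytes) -> list[Finding]:
    """Parse the ExtensionData plist and lint both allow-lists."""
    data = plistlib.loads(plist_bytes)
    prefixes = split_list(data.get("AppPrefixAllowList"))
    bundle_ids = split_list(data.get("AppAllowList"))
    return lint_prefixes(prefixes) + lint_bundle_ids(bundle_ids, prefixes)


if __name__ == "__main__":
    for finding in lint_extension_data(SAMPLE_EXTENSION_DATA):
        print(f"[{finding.severity}] {finding.entry}: {finding.message}")
```

Run it against the ExtensionData exported from the profile: a high finding means the list admits apps beyond the ones intended, and an info finding points at a bundle ID that a prefix already admits, which is worth trimming so the list stays reviewable.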
iOS/iPadOS
This article shows how to deploy the Microsoft Enterprise SSO plug-in for iOS/iPadOS
Apple devices with Intune, Jamf Pro, and other MDM solutions.
Prerequisites
To use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices:
Note
On iOS/iPadOS devices, Apple requires that the SSO app extension and the
Microsoft Authenticator app be installed. Users don't need to use or configure the
Microsoft Authenticator app; it just needs to be installed on the device.
The Microsoft Enterprise SSO plug-in uses the SSO Payload Type with Redirect
authentication. The SSO Redirect and Kerberos extension types can both be used on a
device at the same time. Be sure to create separate device profiles for each extension
type you plan to use on your devices.
To determine the correct SSO extension type for your scenario, use the following table:
Microsoft Enterprise SSO plug-in for Apple Devices:
- Uses the Microsoft Azure AD SSO app extension type
- Microsoft 365
- Apps, websites or services integrated with Azure AD
Single sign-on app extension with Kerberos:
- Uses the Kerberos SSO app extension type
- Apps, websites or services integrated with AD
For more information on the single sign-on extension, go to Single sign-on app
extension.
Create a single sign-on app extension configuration profile
4. Select Create:
Name: Enter a descriptive name for the policy. Name your policies so
you can easily identify them later. For example, a good policy name is
iOS: Microsoft Enterprise SSO plug-in.
Description: Enter a description for the policy. This setting is optional,
but recommended.
6. Select Next.
Yes: Select this option only if the targeted devices are using Azure AD
Shared device mode. For more information, go to Shared device
mode overview.
App bundle ID: Enter a list of bundle IDs for apps that don't support
MSAL and are allowed to use SSO. For more information, go to
Applications that don't use MSAL.
Tip
8. Continue creating the profile, and assign the profile to the users or groups
that will receive these settings. For the specific steps, go to Create the profile.
To check that the profile deployed correctly, in the Intune admin center, go to
Devices > Configuration Profiles > select the profile you created and generate a
report:
If you're not deploying the Microsoft Authenticator app using an app policy, then
users must install it manually. Users don't need to use the Authenticator app; it just
needs to be installed on the device.
After users sign in successfully, the extension is automatically used to sign in to any
other supported app or website.
You can test single sign-on by opening Safari in private mode (opens Apple's web
site) and opening the https://portal.office.com site. No username and password will
be required.
Tip
Learn more about how the SSO plug-in works and how to troubleshoot the
Microsoft Enterprise SSO Extension with the SSO troubleshooting guide for Apple
devices.
macOS
This article shows how to deploy the Microsoft Enterprise SSO plug-in for macOS Apple
devices with Intune, Jamf Pro, and other MDM solutions.
Prerequisites
To use the Microsoft Enterprise SSO plug-in on macOS devices:
4. Select Create:
Name: Enter a descriptive name for the policy. Name your policies so
you can easily identify them later. For example, a good policy name is
macOS: Microsoft Enterprise SSO plug-in.
Description: Enter a description for the policy. This setting is optional,
but recommended.
6. Select Next.
Tip
8. Continue creating the profile, and assign the profile to the users or groups
that will receive these settings. For the specific steps, go to Create the profile.
When the device checks in with the Intune service, it will receive this profile. For
more information, go to Policy refresh intervals.
To check that the profile deployed correctly, in the Intune admin center, go to
Devices > Configuration Profiles > select the profile you created and generate a
report:
End user experience
If you're not deploying the Company Portal app using an app policy, then users
must install it manually. Users don't need to use the Company Portal app; it just
needs to be installed on the device.
After users sign in successfully, the extension is automatically used to sign in to any
other supported app or website.
You can test single sign-on by opening Safari in private mode (opens Apple's web
site) and opening the https://portal.office.com site. No username and password will
be required.
On macOS, when users sign in to a work or school app, they're prompted to opt in or
out of SSO. They can select Don’t ask me again to opt out of SSO and block future
requests.
Users can also manage their SSO preferences in the Company Portal app for macOS. To
edit preferences, go to the Company Portal app menu bar > Company Portal >
Settings. They can select or deselect Don’t ask me to sign in with single sign-on for
this device.
Tip
Learn more about how the SSO plug-in works and how to troubleshoot the
Microsoft Enterprise SSO Extension with the SSO troubleshooting guide for Apple
devices.
Next steps
For information about the Microsoft Enterprise SSO plug-in, go to Microsoft
Enterprise SSO plug-in for Apple devices.
For information from Apple on the single sign-on extension payload, go to single
sign-on extensions payload settings (opens Apple's web site).
Note
macOS kernel extensions are being replaced with system extensions. For more
information, go to Support Tip: Using system extensions instead of kernel
extensions for macOS Catalina 10.15 in Intune.
On macOS devices, you can add kernel extensions and system extensions. Both kernel
extensions and system extensions allow users to install app extensions that extend the
native capabilities of the operating system. Kernel extensions execute their code at the
kernel level. System extensions run in a tightly controlled user-space.
To add extensions that are always allowed to load on your devices, use Microsoft Intune.
Intune uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, you then push or deploy
the profile to macOS devices in your organization.
This article describes system extensions and kernel extensions. It also shows you how to
create a device configuration profile using extensions in Intune.
System extensions
System extensions run in the user space, and don't access the kernel. The goal is to
increase security, provide more end user control, and limit kernel level attacks. These
extensions can be:
Driver extensions, including drivers to USB, network interface cards (NIC), serial
controllers, and human interface devices (HID)
Network extensions, including content filters, DNS proxies, and VPN clients
Endpoint security extensions, including endpoint detection, endpoint response,
and antivirus
System extensions are included in an app's bundle, and installed from the app.
For example, you have a virus scanning program that scans your device for malicious
content. You can add this virus scanning program's kernel extension as an allowed
kernel extension in Intune. Then, "assign" the extension to your macOS devices.
With this feature, administrators can allow users to override kernel extensions, add team
identifiers, and add specific kernel extensions in Intune.
Important
Kernel extensions don't work on macOS devices with the M1 chip, which are macOS
devices running on Apple silicon. This behavior is a known issue, with no ETA. It's
possible you can get them to work, but it's not recommended. For more
information, go to Kernel extensions in macOS (opens Apple's web site).
For any macOS devices running 10.15 and newer, we recommend using system
extensions (in this article). If you use the kernel extensions settings, then consider
excluding macOS devices with M1 chips from receiving the kernel extensions
profile.
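The settings in an Intune extensions profile (team identifiers, specific extensions, user overrides) map onto Apple's extension policy payloads, which are keyed by Apple team identifier and extension bundle ID. The following Python script is an added example, not Intune's or Apple's code, that builds both payload kinds and validates the identifiers before they go into a profile, so a mistyped team ID is caught instead of silently allowing nothing. It assumes the payload types and keys of Apple's extension policy profiles (com.apple.system-extension-policy with AllowedTeamIdentifiers, AllowedSystemExtensions, AllowedSystemExtensionTypes and AllowUserOverrides; com.apple.syspolicy.kernel-extension-policy with AllowedTeamIdentifiers, AllowedKernelExtensions and AllowUserOverrides); the team ID and bundle IDs are constructed placeholders.

```python
"""Build the macOS extension allow-list payloads behind an extensions profile.

Added example, not Intune or Apple code. It assumes the payload types and keys
of Apple's extension policy profiles: com.apple.system-extension-policy
(AllowedTeamIdentifiers, AllowedSystemExtensions, AllowedSystemExtensionTypes,
AllowUserOverrides) and com.apple.syspolicy.kernel-extension-policy
(AllowedTeamIdentifiers, AllowedKernelExtensions, AllowUserOverrides).
The team ID and bundle IDs used below are constructed placeholders.
"""
import plistlib
import re
import uuid

# Apple team identifiers are ten upper-case letters/digits; anything else is a
# typo that would silently allow nothing (assumed format, matches Apple's IDs).
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")
SYSTEM_EXTENSION_TYPES = {"DriverExtension", "NetworkExtension", "EndpointSecurityExtension"}


def check_team_id(team_id: str) -> str:
    if not TEAM_ID_RE.match(team_id):
        raise ValueError(f"{team_id!r} is not a 10-character Apple team identifier")
    return team_id


def _payload_header(payload_type: str, identifier: str) -> dict:
    return {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }


def system_extension_payload(extensions: dict, types: dict, allow_user_overrides: bool = False) -> dict:
    """extensions: team ID -> bundle IDs always allowed to load.
    types: team ID -> extension types (DriverExtension, ...) that team may load."""
    teams = {check_team_id(team) for team in list(extensions) + list(types)}
    for team, kinds in types.items():
        unknown = set(kinds) - SYSTEM_EXTENSION_TYPES
        if unknown:
            raise ValueError(f"unknown system extension type(s) for {team}: {sorted(unknown)}")
    payload = _payload_header("com.apple.system-extension-policy", "com.contoso.policy.sysext")
    payload.update({
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(teams),
        "AllowedSystemExtensions": extensions,
        "AllowedSystemExtensionTypes": types,
    })
    return payload


def kernel_extension_payload(kexts: dict, allow_user_overrides: bool = False) -> dict:
    """kexts: team ID -> kernel extension bundle IDs. Legacy path; see the
    Important note about Apple silicon devices."""
    teams = {check_team_id(team) for team in kexts}
    payload = _payload_header("com.apple.syspolicy.kernel-extension-policy", "com.contoso.policy.kext")
    payload.update({
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(teams),
        "AllowedKernelExtensions": kexts,
    })
    return payload


def build_profile(payloads: list, display_name: str = "Extension allow-list") -> bytes:
    """Wrap payloads in a top-level configuration profile, serialised as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": "com.contoso.profile.extensions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    """Parse a profile produced by build_profile back into a dict (for review or tests)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed: a hypothetical EDR vendor's team ID and endpoint security extension.
    vendor = "ABCDE12345"
    sysext = system_extension_payload(
        {vendor: ["com.example.edr.sysext"]},
        {vendor: ["EndpointSecurityExtension", "NetworkExtension"]},
    )
    print(build_profile([sysext]).decode())
```

Keep AllowUserOverrides at false unless you deliberately want end users to approve extensions from teams that are not on the list; the generated plist is the kind of content a custom configuration profile carries where the built-in template doesn't fit.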
Prerequisites
This feature applies to:
macOS 10.13.2 and newer (kernel extensions)
macOS 10.15 and newer (system extensions)
From macOS 10.15 to 10.15.4, kernel extensions and system extensions can run
side by side.
Enrolled in Intune with "user approved enrollment" (Apple's term). Prepare for
changes to kernel extensions in macOS High Sierra (opens Apple's web site)
has more information.
Note
Apple released information regarding signing and notarization for all software. On
macOS 10.14.5 and newer, kernel extensions deployed through Intune don't have
to meet Apple's notarization policy.
For information on this notarization policy, and any updates or changes, go to the
following resources:
4. Select Create.
6. Select Next.
macOS
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, go to Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Next steps
Be sure to assign the profile and monitor its status.
Add a property list file to macOS devices using Microsoft Intune
Article • 05/16/2023
Using Microsoft Intune, you can add a property list file (.plist) for macOS devices, or
apps on macOS devices.
Property list files include information about macOS applications. For more information,
see About Information Property List Files (Apple's website) and Custom payload
settings (Apple's website).
This article describes the different property list file settings you can add to macOS
devices. As part of your mobile device management (MDM) solution, use these settings
to add the app bundle ID (com.company.application), and add the app's .plist file.
These settings are added to a device configuration profile in Intune, and then assigned
or deployed to your macOS devices.
If you're not sure how to enter an app key, change the setting within the app.
Then, review the app's preference file using Xcode to see how the setting is
configured. Apple recommends removing nonmanageable settings using Xcode
before importing the file.
Only some apps work with managed preferences, and might not allow you to
manage all settings.
Be sure you upload property list files that target device channel settings, not user
channel settings. Property list files target the entire device.
If you're configuring the Microsoft Edge version 77 and newer app, then use the
Settings catalog. For a list of the settings you can configure, see Microsoft Edge -
Policies (opens another Microsoft website).
Be sure macOS is listed as a supported platform. If some settings aren't available in
the settings catalog, then it's recommended to continue using the preference file.
Note
Intune may support more settings than the settings listed in this article. Not all
settings are documented, and won’t be documented. To see the settings you can
configure, create a device configuration profile, and select Settings Catalog. For
more information, see Settings catalog.
Tasks you can complete using the Settings Catalog in Intune is also a good
resource.
4. Select Create.
Name: Enter a descriptive name for the policy. Name your policies so you can
easily identify them later. For example, a good policy name is macOS: Add
preference file that configures Microsoft Defender for Endpoint on devices.
Description: Enter a description for the policy. This setting is optional, but
recommended.
6. Select Next.
Property list files are typically used for web browsers (Microsoft Edge),
Microsoft Defender for Endpoint, and custom apps. When you create a
preference domain, a bundle ID is also created.
Tip
For Microsoft Edge version 77 and newer, you can use the settings
catalog. You don't have to use a preference file. For more information,
see Settings catalog.
Property list file: Select the property list file associated with your app. Be sure
it's a .plist or .xml file. For example, upload a YourApp-Manifest.plist or
YourApp-Manifest.xml file.
The key information in the property list file is shown. If you need to change
the key information, open the list file in another editor, and then reupload the
file in Intune.
Be sure your file is formatted correctly. The file should only have key/value pairs,
and shouldn't be wrapped in <dict>, <plist>, or <xml> tags. For example, your
property list file should be similar to the following file:
XML
<key>SomeKey</key>
<string>someString</string>
<key>AnotherKey</key>
<false/>
...
To see some property list file examples, go to Set preferences for Microsoft
Defender for Endpoint.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or groups that will receive your profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
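The file-format rule in step 7 (key/value pairs only, no <plist> or <dict> wrapper) is where uploads most often go wrong, because the file an app writes, or that Xcode exports, is always a complete plist. The following Python script is an added example, not Intune's or Microsoft's code: it takes a full preference plist, drops keys that record UI state rather than policy, emits the bare fragment in the form shown above, and validates a fragment by wrapping it and parsing it again. The sample preference file, its key names and the list of nonmanageable keys are constructed.

```python
"""Extract the bare key/value fragment Intune expects from an app's full preference plist.

Added example, not Intune or Microsoft code. The sample preference file and its
key names are constructed; the set of "nonmanageable" keys to drop is a
hypothetical list standing in for the review Apple recommends doing in Xcode.
"""
import plistlib
from xml.parsers.expat import ExpatError

# Wrapper that validate_fragment puts back around a bare fragment before parsing.
PLIST_HEADER = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0">\n<dict>\n'
)
PLIST_FOOTER = b"</dict>\n</plist>\n"

# Constructed: a full preference file as exported after changing settings in the app.
SAMPLE_FULL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>realTimeProtectionEnabled</key>
    <true/>
    <key>cloudBlockLevel</key>
    <string>high</string>
    <key>NSWindow Frame Main</key>
    <string>200 300 800 600 0 0 1440 877</string>
    <key>lastLaunchDate</key>
    <date>2023-05-16T10:00:00Z</date>
</dict>
</plist>
"""

# Constructed: keys that record UI state rather than policy and must not be pushed.
NONMANAGEABLE_KEYS = frozenset({"NSWindow Frame Main", "lastLaunchDate"})


def extract_fragment(full_plist: bytes, drop_keys=NONMANAGEABLE_KEYS) -> bytes:
    """Return only the <key>/<value> pairs, without the <plist> and <dict> wrappers."""
    prefs = plistlib.loads(full_plist)
    if not isinstance(prefs, dict):
        raise ValueError("top-level plist object must be a dict")
    managed = {key: value for key, value in prefs.items() if key not in drop_keys}
    if not managed:
        raise ValueError("no manageable keys left after filtering")
    lines = plistlib.dumps(managed, sort_keys=True).splitlines()
    start = lines.index(b"<dict>") + 1
    end = len(lines) - 1 - lines[::-1].index(b"</dict>")
    # plistlib indents the dict body by one tab; strip that one level.
    body = [line[1:] if line.startswith(b"\t") else line for line in lines[start:end]]
    return b"\n".join(body) + b"\n"


def validate_fragment(fragment: bytes) -> dict:
    """Check a fragment the way the upload expects it: unwrapped, and parseable as a
    dict once the <plist>/<dict> wrappers are added back. Returns the parsed keys."""
    head = fragment.lstrip()
    if head.startswith((b"<?xml", b"<!DOCTYPE", b"<plist", b"<dict")):
        raise ValueError("fragment must not be wrapped in <plist> or <dict> tags")
    try:
        return plistlib.loads(PLIST_HEADER + fragment + PLIST_FOOTER)
    except (ValueError, ExpatError) as exc:
        raise ValueError(f"fragment is not a valid key/value list: {exc}") from exc


if __name__ == "__main__":
    fragment = extract_fragment(SAMPLE_FULL_PLIST)
    print(fragment.decode())
    print(validate_fragment(fragment))
```

Diff the fragment against what the vendor documents as manageable before uploading; a key that parses but isn't honoured by the app is the "only some apps work with managed preferences" case the article mentions, and the validator cannot detect it.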
Next steps
Assign the profile and monitor its status.
For more information on preference files for Microsoft Edge, see Configure Microsoft
Edge policy settings on macOS.
Use and manage Zebra devices with Zebra Mobility Extensions in Microsoft Intune
Article • 02/22/2023
Intune includes a rich set of features, including managing apps and configuring device
settings. These built-in features and settings manage Android devices manufactured by
Zebra Technologies, also known as "Zebra devices".
On Android devices, use Zebra's Mobility Extensions (MX) profiles to customize or add
more Zebra-specific settings.
Your company may use Zebra devices for retail, on the factory floor, and more. For
example, you're a retailer and your environment includes thousands of Zebra mobile
devices used by sales associates. Intune can help manage these devices as part of your
mobile device management (MDM) solution.
Using Intune, you can enroll Zebra devices to deploy your line-of-business apps to the
devices. "Device configuration" profiles let you create MX profiles to manage your
Zebra-specific settings.
This article shows you how to use Zebra Mobility Extensions (MX) on Zebra devices in
Microsoft Intune.
Note
By default, the Zebra MX APIs aren't locked down on devices. Before a device
enrolls in Intune, it's possible the device can be compromised in a malicious
manner. When the device is in a clean state, we suggest you lock down MX APIs
using Access Manager (AccessMgr). For example, you can choose that only the
Company Portal app and apps you trust are allowed to call MX APIs.
For more information, see Locking down your device on Zebra's web site.
Before you begin
Be sure you have the latest version of the StageNow desktop app from Zebra
Technologies.
Be sure to check Zebra's full MX feature matrix (opens Zebra's web site). Confirm
the profiles you create are compatible with the device's MX version, OS version,
and model.
Certain devices, such as TC20/25 devices, don't support all of the available MX
features in StageNow. Be sure to check Zebra's feature matrix (opens Zebra's
web site) for updated support info.
If Google Play isn't available, download the Microsoft Intune Company Portal for
Android (opens another Microsoft website), and sideload it (in this article). When
installed this way, the app doesn't receive updates or fixes automatically. Be sure to
regularly update and patch the app manually.
The following steps provide an overview. For specific details, see Zebra's documentation.
Enroll in an MDM using StageNow (opens Zebra's web site) may be a good resource.
4. In Download MDM, select Transfer/Copy File. Add the source and destination of
the Company Portal Android package (APK).
5. In Launch MDM, leave the default values as-is. Add the following details:
Continue to publish the profile, and consume it with the StageNow app on the device.
The Company Portal app is installed and opened on the device.
Tip
For more information on StageNow, and what it does, see StageNow Android
device staging (opens Zebra's web site).
If a UI isn't available, use the DevAdmin Manager in StageNow to create a profile that
manually grants Device Administrator to the Company Portal app.
The following steps provide an overview. For specific details, see Zebra's documentation.
Set battery swap mode as device administrator (opens Zebra's website) may be a
good resource.
Continue to publish the profile, and consume it with the StageNow app on the device.
The Company Portal app is granted the Device Administrator role.
When you create the profile in StageNow, on the last step, select Export to MDM. This
step generates an XML file. Save this file. You need it in a later step.
It's recommended to test the profile before you deploy it to devices in your
organization. To test, in the last step when creating profiles with StageNow on your
computer, use the Test options. Then, consume the StageNow-generated file with
the StageNow app on the device.
The StageNow app on the device shows logs generated when you test the profile.
Use StageNow logs on Zebra devices running Android in Intune has information
on using StageNow logs to understand errors.
If you reference apps, update packages, or update other files in your StageNow
profile, you want the device to get these updates. To get the updates, the device
must connect to the StageNow deployment server when the profile is applied.
Or, you can use built-in features in Intune to get these changes, including:
App management features to add, deploy, update, and monitor apps.
Manage system and app updates on devices running Android Enterprise
After you test the file, the next step is to deploy the profile to devices using Intune.
You can also export multiple StageNow profiles, and combine the settings into a
single XML file. Then, upload the XML file to Intune to deploy to your devices.
Warning
If multiple MX profiles are targeted to the same group, and configure the
same property, there will be conflicts on the device.
If the same property is configured multiple times in a single MX profile, the
last configuration wins.
4. Select Create.
6. Select Next.
7. In Configuration settings > Choose a valid Zebra MX XML file, add the XML
profile file you exported from StageNow (in this article).
Tip
For security reasons, you won't see the profile XML text after you save it. The
text is encrypted, and you only see asterisks (****). For your reference, it's
recommended to save copies of the MX profiles before you add them to
Intune.
8. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.
Select Next.
9. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
10. In Review + create, when you're done, choose Create. The profile is created, and
shown in the list.
The next time the device checks for configuration updates, the MX profile is deployed to
the device. Devices sync with Intune when devices enroll, and then approximately every
8 hours. You can also force a sync in Intune. Or, on the device, open the Company Portal
app > Settings > Sync.
Create an updated StageNow XML file, edit the existing Intune MX profile, and
upload the new StageNow XML file. This new file overwrites the previous policy in
the profile, and replaces the previous configuration.
Create a new StageNow XML file that configures different settings, create a new
Intune MX profile, upload the new StageNow XML file, and assign it to the same
group. Multiple profiles are deployed. If the new profile configures settings that
already exist in existing profiles, conflicts will occur.
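Both the warning above and the second update option come down to the same property being set more than once. The following Python script is an added example, not Zebra's or Intune's code, that flattens one or more exported StageNow XML files into (characteristic type, parm name) settings, reports every property configured more than once with the values seen, and only combines the files into one when no property is set to different values. It assumes the wap-provisioningdoc layout of a StageNow export (<characteristic type="..."> elements with <parm name="..." value="..."/> children) and that a combined file is simply every <characteristic> under one root; the CSP and parameter names in the samples are constructed.

```python
"""Combine exported StageNow MX profiles and flag settings configured more than once.

Added example, not Zebra or Intune code. It assumes the wap-provisioningdoc
layout of a StageNow export (<characteristic type="..."> elements holding
<parm name="..." value="..."/> children) and that a combined file is simply
every <characteristic> under one root. The CSP and parameter names in the
sample profiles are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

PROFILE_CLOCK = b"""<wap-provisioningdoc>
<characteristic type="Clock" version="4.3">
<parm name="AutoTime" value="true"/>
<parm name="TimeZone" value="UTC"/>
</characteristic>
</wap-provisioningdoc>"""

PROFILE_WIFI_AND_CLOCK = b"""<wap-provisioningdoc>
<characteristic type="Wifi" version="8.1">
<parm name="WifiEnable" value="1"/>
</characteristic>
<characteristic type="Clock" version="4.3">
<parm name="AutoTime" value="false"/>
</characteristic>
</wap-provisioningdoc>"""

PROFILE_WIFI = b"""<wap-provisioningdoc>
<characteristic type="Wifi" version="8.1">
<parm name="WifiEnable" value="1"/>
</characteristic>
</wap-provisioningdoc>"""


def parse_profile(xml_bytes: bytes) -> ET.Element:
    root = ET.fromstring(xml_bytes)
    if root.tag != "wap-provisioningdoc":
        raise ValueError(f"not a StageNow profile: root is <{root.tag}>")
    return root


def collect_settings(root: ET.Element) -> list[tuple[tuple[str, str], str]]:
    """Flatten a profile into ((characteristic type, parm name), value) in document order."""
    settings = []
    for char in root.iter("characteristic"):
        ctype = char.get("type", "")
        for parm in char.findall("parm"):
            settings.append(((ctype, parm.get("name", "")), parm.get("value", "")))
    return settings


def find_duplicates(profiles: list[bytes]) -> dict[tuple[str, str], list[str]]:
    """Every setting that appears more than once across the profiles, with all values
    seen in order. Different values are the conflict the article warns about (within
    one file the last one wins; across files the device ends up in conflict);
    identical values are merely redundant."""
    seen = defaultdict(list)
    for profile in profiles:
        for key, value in collect_settings(parse_profile(profile)):
            seen[key].append(value)
    return {key: values for key, values in seen.items() if len(values) > 1}


def merge_profiles(profiles: list[bytes]) -> bytes:
    """Put every top-level <characteristic> of the exports under one root, refusing to
    produce a file in which the same property is set to different values."""
    conflicts = {k: v for k, v in find_duplicates(profiles).items() if len(set(v)) > 1}
    if conflicts:
        raise ValueError(f"conflicting settings: {conflicts}")
    merged = ET.Element("wap-provisioningdoc")
    for profile in profiles:
        merged.extend(parse_profile(profile).findall("characteristic"))
    return ET.tostring(merged)


def count_characteristics(xml_bytes: bytes) -> int:
    return len(parse_profile(xml_bytes).findall("characteristic"))


if __name__ == "__main__":
    print(find_duplicates([PROFILE_CLOCK, PROFILE_WIFI_AND_CLOCK]))
    print(merge_profiles([PROFILE_CLOCK, PROFILE_WIFI]).decode())
```

Run find_duplicates over every MX profile assigned to one group, not only over the files you intend to combine, since the warning applies equally to separate profiles that target the same devices.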
Next steps
Assign the profile and monitor its status.
Use StageNow logs to troubleshoot Zebra devices.
Troubleshoot and see potential issues on Android Zebra devices in Microsoft Intune
Article • 05/17/2023
In Microsoft Intune, you can use Zebra Mobility Extensions (MX) to manage Android
Zebra devices. When using Zebra devices, you create profiles in StageNow to manage
settings, and upload them to Intune. Intune uses the StageNow app to apply the
settings on the devices. The StageNow app also creates a detailed log file on the device
that's used to troubleshoot.
For example, you create a profile in StageNow to configure a device. When you create
the StageNow profile, the last step generates a file for you to test the profile. You
consume this file with the StageNow app on the device.
In another example, you create a profile in StageNow, and test it. In Intune, you add the
StageNow profile, and then assign it to your Zebra devices. When you check the status
of the assigned profile, the profile shows a high-level status.
In both these cases, you can get more details from the StageNow log file, which is saved
on the device every time a StageNow profile applies.
Some issues aren't related to the contents of the StageNow profile, and aren't reflected
in the logs.
This article shows you how to read the StageNow logs. It also lists some potential issues
with Zebra devices that may not be reflected in the logs.
Use and manage Zebra devices with Zebra Mobility Extensions has more information on
this feature.
Error types
Zebra devices include different error reporting levels:
The CSP isn't supported on device. For example, the device isn't a cellular device
and doesn't have a cellular manager.
The MX or OSX version is mismatched. Each CSP is versioned. For a full support
matrix, go to Zebra's documentation (opens Zebra's web site).
The device reports another issue or error.
Examples
For example, you have the following input profile:
XML
<wap-provisioningdoc>
<characteristic type="Clock">
</characteristic>
</wap-provisioningdoc>
In the log, the XML is identical to the input. This matching output means the profile
successfully applied to the device with no errors:
XML
<wap-provisioningdoc>
</characteristic>
</wap-provisioningdoc>
XML
<wap-provisioningdoc>
</characteristic>
</characteristic>
</wap-provisioningdoc>
The log shows an error, as it contains a <characteristic-error> tag. In this scenario, the
profile tried to install an Android package (APK) that doesn't exist in the given path:
XML
<wap-provisioningdoc>
</characteristic>
</characteristic-error>
</wap-provisioningdoc>
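Reading the log by eye works for one device; for a fleet you want the success/failure rule above applied automatically. The following Python script is an added example, not Zebra's or Intune's code, that compares a log to its input profile (identical XML means success) and extracts every <characteristic-error> with its attributes and the parameters that were being set. The sample logs are constructed, and the desc attribute on the error element is assumed; the scanner reports whatever attributes the device actually wrote.

```python
"""Scan a StageNow log for characteristics that failed to apply.

Added example, not Zebra or Intune code. As the article describes, a log whose
XML matches the input means the profile applied, and a <characteristic-error>
element marks a failure. The sample logs are constructed, and the descriptive
attribute on the error element (desc) is assumed; the scanner reports whatever
attributes are present.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

INPUT_PROFILE = b"""<wap-provisioningdoc>
<characteristic type="Clock" version="4.3">
<parm name="AutoTime" value="true"/>
</characteristic>
</wap-provisioningdoc>"""

# Constructed: log written after the profile applied cleanly (same XML as the input,
# only the indentation differs).
SUCCESS_LOG = b"""<wap-provisioningdoc>
  <characteristic type="Clock" version="4.3">
    <parm name="AutoTime" value="true"/>
  </characteristic>
</wap-provisioningdoc>"""

# Constructed: log for a profile whose APK install step pointed at a missing file.
ERROR_LOG = b"""<wap-provisioningdoc>
<characteristic type="Clock" version="4.3">
<parm name="AutoTime" value="true"/>
</characteristic>
<characteristic-error type="AppMgr" version="9.1" desc="Install failed: file not found">
<parm name="Action" value="Install"/>
<parm name="APK" value="/sdcard/company-portal.apk"/>
</characteristic-error>
</wap-provisioningdoc>"""


def canonical(xml_bytes: bytes) -> str:
    """Canonical XML with insignificant whitespace removed, for input/log comparison."""
    return ET.canonicalize(xml_bytes.decode("utf-8"), strip_text=True)


def log_matches_input(input_xml: bytes, log_xml: bytes) -> bool:
    return canonical(input_xml) == canonical(log_xml)


def scan_log(log_bytes: bytes) -> list[dict]:
    """One record per <characteristic-error>: the CSP type, every other attribute the
    device wrote (for example a description), and the parameters that were being set."""
    root = ET.fromstring(log_bytes)
    failures = []
    for err in root.iter("characteristic-error"):
        failures.append({
            "type": err.get("type", "?"),
            "details": {k: v for k, v in err.attrib.items() if k != "type"},
            "parms": {p.get("name", "?"): p.get("value", "") for p in err.findall("parm")},
        })
    return failures


def summarize(input_xml: bytes, log_xml: bytes) -> str:
    """One-line verdict suitable for a ticket or a monitoring alert."""
    if log_matches_input(input_xml, log_xml):
        return "applied: log matches input profile"
    failures = scan_log(log_xml)
    if not failures:
        return "unclear: log differs from input but reports no characteristic-error"
    parts = []
    for failure in failures:
        details = ", ".join(f"{k}={v}" for k, v in failure["details"].items())
        parts.append(f"{failure['type']} ({details})")
    return "failed: " + "; ".join(parts)


if __name__ == "__main__":
    print(summarize(INPUT_PROFILE, SUCCESS_LOG))
    print(summarize(INPUT_PROFILE, ERROR_LOG))
```

The "unclear" verdict is deliberate: a log that differs from the input without any error element is exactly the case the article says the logs don't explain, and it should be routed to a person rather than closed automatically.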
If the device has Google Play installed, then connect the device to the internet, and
check for updates.
If the device doesn't have Google Play installed, then get the updated version of
the component, and apply it to the devices. Or, update to the latest device OS
issued by Zebra.
Use and manage Zebra devices with Zebra Mobility Extensions in Intune
Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune
Article • 06/05/2023
In Microsoft Intune, you can use OEMConfig to add, create, and customize OEM-specific
settings for Android Enterprise devices. OEMConfig is typically used to configure
settings that aren't built in to Intune. Different original equipment manufacturers (OEM)
include different settings. The available settings depend on what the OEM includes in
their OEMConfig app.
Android Enterprise
To manage Zebra Technologies devices using Android device administrator, use Zebra
Mobility Extensions (MX).
This article describes OEMConfig, lists the prerequisites, shows how to create a
configuration profile, and lists the supported OEMConfig apps in Intune.
Overview
OEMConfig policies are a special type of device configuration policy similar to app
configuration policy. OEMConfig is a standard defined by Google that uses app
configuration in Android to send device settings to apps written by OEMs (original
equipment manufacturers). This standard allows OEMs and enterprise mobility
management service providers (EMMs) to build and support OEM-specific features in a
standardized way. Learn more about OEMConfig (opens Google's web site).
Historically, OEMs create features. Then EMMs, like Intune, manually build support for
these OEM-specific features. This approach leads to duplicated efforts and slow
adoption.
When the OEM adds and improves management features, the OEM also updates the
app in Google Play. As an administrator, you get these new features and updates
(including fixes) without waiting for EMMs to include these updates.
Tip
You can only use OEMConfig with devices that support this feature and have a
corresponding OEMConfig app. Consult your OEM for specific details.
Intune exposes the OEMConfig app's schema so you can configure it. Intune
doesn't validate or change the schema provided by the app. So if the schema is
incorrect, or has inaccurate data, then this data is still sent to devices. If you find a
problem that originates in the schema, contact the OEM for guidance.
Intune doesn't influence or control the content of the app schema. For example,
Intune doesn't have any control over strings, language, the actions allowed, and so
on. We recommend contacting the OEM for more information on managing their
devices with OEMConfig.
At any time, OEMs can update their supported features and schemas, and upload a
new app to Google Play. Intune always syncs the latest version of the OEMConfig
app from Google Play. Intune doesn't maintain older versions of the schema or the
app. If you run into version conflicts, we recommend contacting the OEM for more
information.
On Zebra devices, you can create multiple profiles, and assign them to the same
device. For more information, go to OEMConfig on Zebra devices.
The OEMConfig model on non-Zebra devices only supports a single policy per
device. If multiple profiles are assigned to the same device, you may see
inconsistent behavior.
Prerequisites
To use OEMConfig on your devices, you need the following requirements:
Tip
OEMConfig apps are specific to the OEM. For example, a Sony OEMConfig app
installed on a Zebra Technologies device doesn't do anything.
1. Get the OEMConfig app from the Managed Google Play Store. Add Managed
Google Play apps to Android enterprise devices lists the steps.
2. Some OEMs may ship devices with the OEMConfig app preinstalled. If the app isn't
preinstalled, use Intune to add and deploy the app to devices.
4. Select Create.
6. In Associated app, select an existing OEMConfig app you previously added >
Select. Be sure to choose the correct OEMConfig app for the devices you're
assigning the policy to.
If you don't see any apps listed, then set up Managed Google Play, and get apps
from the Managed Google Play store. Add Managed Google Play apps to Android
Enterprise devices lists the steps.
Important
If you added an OEMConfig app and synced it to Google Play, but it's not
listed as an Associated app, you may have to contact Intune to onboard the
app. See adding a new app (in this article).
7. Select Next.
Tip
Read the OEM documentation to make sure you're configuring the properties
correctly. These app properties are included by the OEM, not Intune. Intune
does minimal validation of the properties, or what you enter. For example, if
you enter abcd for a port number, the profile saves as-is, and is deployed to
your devices with the values you configure. Be sure you enter the correct
information.
Configuration designer: When you select this option, the properties available
within the app schema are shown for you to configure.
Many settings have default values supplied by the OEM. To see if there's a
default value, hover over the info icon next to the setting. A tooltip shows
the default values for that setting (if applicable), and more details provided
by the OEM.
Clicking Clear deletes a setting from the profile. If a setting isn't in the
profile, its value on the device doesn't change when the profile is applied.
Use the Locate button to look for settings. In the side panel, type in a
keyword to see all the relevant settings and their descriptions. Select any
setting to automatically add the setting to the configuration designer tree,
if it's not there already. It also automatically opens the tree so you can see
the setting.
JSON editor: When you select this option, a JSON editor opens with a
template for the full configuration schema embedded in the app. In the
editor, customize the template with values for the different settings. If you
use the Configuration designer to change your values, the JSON editor
overwrites the template with values from the configuration designer.
If you're updating an existing profile, the JSON editor shows the settings
that were last saved with the profile.
You can use the JSON editor to create a backup of your configuration.
After you configure your settings, use this feature to get the JSON settings
with your values. Copy and paste the JSON to a file, and save it. Now you
have a backup file.
Any changes made in the configuration designer are also made automatically in
the JSON editor. Likewise, any changes made in the JSON editor are automatically
made in the configuration designer. If your input contains invalid values, you can't
switch between the configuration designer and JSON editor until you fix the issues.
9. Select Next.
10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
11. In Assignments, select the users or groups that will receive your profile. Assign one
profile to each device. The OEMConfig model only supports one policy per device.
An OEMConfig profile that exceeds 350 kb isn't assigned, and shows a "pending"
status.
For more information on assigning profiles, go to Assign user and device profiles.
Select Next.
12. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the OEM-specific settings
you configured are applied to the OEMConfig app.
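Because Intune saves whatever the JSON editor contains (the tip above: abcd for a port number is deployed as-is), it is worth checking a JSON backup against the OEM's schema before assigning it. The following is an added example, not Microsoft's or any OEM's code: it assumes the export uses the managedProperty / valueString / valueInteger / valueBundle shape, and the schema, keys and limits are invented stand-ins for what a real OEMConfig app publishes; it also applies the 350 KB assignment limit from step 11.

```python
import json

# Constructed stand-in for the restriction schema an OEMConfig app publishes
# in its managed-configuration template. Real keys, types and limits come from
# the OEM's app; everything here is invented for the example.
EXAMPLE_SCHEMA = {
    "proxy_host": {"type": "string"},
    "proxy_port": {"type": "integer", "min": 1, "max": 65535},
    "allow_usb_debugging": {"type": "bool"},
    "scanner": {
        "type": "bundle",
        "properties": {
            "scan_mode": {"type": "choice", "entries": ["single", "continuous"]},
            "beep_volume": {"type": "integer", "min": 0, "max": 100},
        },
    },
}

# Profiles larger than this are not assigned and stay "pending".
MAX_PROFILE_BYTES = 350 * 1024

# Which JSON field carries the value for each schema type (assumed managedProperty shape).
VALUE_FIELDS = {
    "string": "valueString",
    "integer": "valueInteger",
    "bool": "valueBool",
    "choice": "valueString",
    "bundle": "valueBundle",
}


def _check_property(prop, schema, path, problems):
    """Check one managedProperty entry against the schema; recurse into bundles."""
    key = prop.get("key")
    full = f"{path}{key}"
    spec = schema.get(key)
    if spec is None:
        # A misspelled key is still sent to the device, where the app ignores it.
        problems.append(f"{full}: key is not in the app schema")
        return
    field = VALUE_FIELDS[spec["type"]]
    if field not in prop:
        # The tip's case: 'abcd' stored as a string where a port number belongs.
        problems.append(f"{full}: expected {field} for type {spec['type']}")
        return
    value = prop[field]
    kind = spec["type"]
    if kind == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{full}: {value!r} is not an integer")
        elif not spec["min"] <= value <= spec["max"]:
            problems.append(f"{full}: {value} is outside {spec['min']}..{spec['max']}")
    elif kind == "bool" and not isinstance(value, bool):
        problems.append(f"{full}: {value!r} is not a boolean")
    elif kind == "string" and not isinstance(value, str):
        problems.append(f"{full}: {value!r} is not a string")
    elif kind == "choice" and value not in spec["entries"]:
        problems.append(f"{full}: {value!r} is not one of {spec['entries']}")
    elif kind == "bundle":
        children = value.get("managedProperty", []) if isinstance(value, dict) else []
        for child in children:
            _check_property(child, spec["properties"], full + ".", problems)


def validate_profile(profile_json, schema=EXAMPLE_SCHEMA):
    """Return a list of problems found in a JSON-editor export; empty means clean.
    Settings absent from the export are fine: the device value is left unchanged."""
    problems = []
    size = len(profile_json.encode("utf-8"))
    if size > MAX_PROFILE_BYTES:
        problems.append(f"profile is {size} bytes, over the {MAX_PROFILE_BYTES} byte limit")
    profile = json.loads(profile_json)
    for prop in profile.get("managedProperty", []):
        _check_property(prop, schema, "", problems)
    return problems


# Constructed JSON-editor export with four mistakes that Intune would save as-is.
SAMPLE_PROFILE = json.dumps({
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.example.oemconfig",  # placeholder package name
    "managedProperty": [
        {"key": "proxy_hots", "valueString": "proxy.corp.example"},  # typo in key
        {"key": "proxy_port", "valueString": "abcd"},                 # string for a port
        {"key": "allow_usb_debugging", "valueBool": False},
        {"key": "scanner", "valueBundle": {"managedProperty": [
            {"key": "scan_mode", "valueString": "turbo"},            # not a listed choice
            {"key": "beep_volume", "valueInteger": 150},              # over the maximum
        ]}},
    ],
})

if __name__ == "__main__":
    for line in validate_profile(SAMPLE_PROFILE):
        print(line)
```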
1. In the Microsoft Intune admin center, select Devices > Configuration profiles. A
list of all your profiles is shown.
2. Select your OEMConfig profile. You can get more information on your profile,
including successful and failed deployments:
3. You can also see if individual settings in a profile successfully applied. To see the
per-setting status of an OEMConfig profile, select Devices > All devices, and
choose a device from the list. Then, go to App configuration, and select your
OEMConfig profile. Select an individual setting status to get more information.
Note
For Zebra devices, only a single setting row is shown. Selecting the row shows
details for all settings in the policy.
OEM | Bundle ID | OEM Documentation (if available)
Archos | com.archos.oemconfig |
Ascom | com.ascom.myco.oemconfig |
Bartec | com.bartec.oemconfig |
Bluebird | com.bluebird.android.oemconfig |
Cipherlab | com.cipherlab.oemconfig.common |
Crosscall | com.hmct.crosscalloemconfig |
Datalogic | com.datalogic.settings.oemconfig |
Getac | com.getac.app.getacoemconfig |
Honeywell | com.honeywell.oemconfig |
Honeywell - Scanpal EDA | com.honeywell.oemconfig.scanpal |
HMDGlobal - 7.2 | com.hmdglobal.app.oemconfig.n7_2 |
HMDGlobal - 4.2 | com.hmdglobal.app.oemconfig.n4_2 |
HMDGlobal - 5.3 | com.hmdglobal.app.oemconfig.n5_3 |
HMDGlobal - OEMConfig | com.hmdglobal.app.oemconfig |
imotion | com.iwaylink.oemconfig |
Janam | com.janam.oemconfig |
Kyocera | jp.kyocera.enterprisedeviceconfig |
Lenovo | com.lenovo.oemconfig.rel |
LG | com.lge.android.oemconfig |
Motorola Solutions | com.motorolasolutions.lexoemconfig |
Panasonic | com.panasonic.mobile.oemconfig |
Seuic | com.seuic.seuicoemconfig |
Spectralink - Barcodes | com.spectralink.barcode.service |
Spectralink - Buttons | com.spectralink.buttons |
Spectralink - Device | com.spectralink.slnkdevicesettings |
Spectralink - Logging | com.spectralink.slnklogger |
Spectralink - VQO | com.spectralink.slnkvqo |
Sunmi | com.sunmi.oemconfig.V2S |
Unitech Electronics | com.unitech.oemconfig |
Zebra Technologies | | This Zebra OEMConfig Powered by MX app supports Android 11.0 and newer.
Zebra Technologies | | This Legacy Zebra OEMConfig app supports Android 11.0 and earlier.
If you represent an OEM, and an OEMConfig application exists for your devices, but isn't
listed in the table, then email IntuneOEMConfig@microsoft.com for onboarding help.
OEMs must also register their OEMConfig apps with Google.
Note
OEMConfig apps must be onboarded by Google and Intune before they can be
configured with OEMConfig profiles. Once an app is supported, you don't need to
contact Microsoft about setting it up in your tenant. Just follow the instructions in
this article.
Next steps
Monitor the profile status.
Deploy OEMConfig profiles to Zebra devices in Microsoft Intune
Article • 08/28/2023
Depending on the OEMConfig app you're using, you can deploy or assign multiple
profiles to the same Zebra device. Existing OEMConfig profiles can use this feature the
next time the devices sync with Intune.
To learn more about OEMConfig, including what it does, and how to use it, go to
OEMConfig configuration profile.
This article describes deploying multiple OEMConfig profiles to Zebra devices, the
ordering of those profiles, and using the reporting features in Microsoft Intune.
Prerequisites
Create an OEMConfig configuration profile.
App | Supported Android versions | Multiple profiles | Description
Zebra OEMConfig Powered by MX (new app) | Android 13 and later; Android 11 | ❌ | This new app aligns closely with Google's standards and only allows one profile on the device. Be sure to deploy one profile with all the required configuration settings.
Legacy Zebra OEMConfig | Android 11 and earlier | ✔️ | You can split your Zebra OEMConfig settings into smaller profiles. For example, create a baseline profile that affects all devices. Then, create more profiles that configure settings specific to a device.
Note
For example, you create a Zebra OEMConfig profile that applies some settings to the
device. Another Zebra OEMConfig profile includes an action that clears the clipboard.
You assign the first profile to a Zebra device group. Later, you need to clear the
clipboard on those devices. You assign the second profile to the same device group,
without changing the first profile. The device clipboard gets cleared without resending
or affecting the configuration settings created in the first profile.
In another example, you assigned an OEMConfig profile that configured some Zebra
device settings. Recently, users are reporting issues with a specific application, and you
want to clear the app's cache. Create a new OEMConfig profile that includes only the
"clear cache" action. Assign the profile to the devices that need it.
Multiple profiles take longer to deploy than a single profile. If the speed of delivery of
policy to the device is important, you should group settings into the smallest number of
profiles possible.
Ordering
With multiple profiles on each device, the order that profiles are deployed isn't
guaranteed. This behavior is a Google Play limitation. To run operations in sequence,
you can use Zebra's Transaction Step feature (opens Zebra's web site).
To summarize, if order matters, use Zebra's Transaction Step feature (opens Zebra's
web site). If order doesn't matter, use multiple Intune profiles.
You want to turn on Bluetooth for all newly enrolled Zebra devices before
configuring any other setting on these devices. To run operations in sequence, use
the Steps feature in Zebra's schema.
Create one Intune profile that has two Transaction Steps. The first step includes
Bluetooth settings, and the second step configures the other setting. When Zebra's
OEMConfig app receives the profile, it runs the steps in order.
For more information, go to Zebra's transaction steps (opens Zebra's web site).
You want all Zebra devices to display time in 24-hour format. For some of these
devices, you want to turn off the camera. The time and camera settings don't
depend on each other.
On Wednesday, you enroll 10 new Zebra devices with Intune. Profile 1 and Profile 2
are assigned. After the new devices sync with Intune, they receive the profiles. The
devices may get Profile 2 before getting Profile 1.
Enhanced reporting
You deploy a profile, and it's executed by the Zebra OEMConfig app on the device. The
Zebra OEMConfig app reports the profile status to Intune. In the Intune admin center,
you can see the status of deployed OEMConfig profiles, and any errors or warnings.
2. Select your Zebra OEMConfig profile > Monitor > Device status. This option
shows the devices that have your OEMConfig profile assigned.
3. Select a device > Device configuration > Select your Zebra OEMConfig profile.
This option shows the profile settings that succeeded or failed.
Select a failed row. Details are shown that have more information on why it failed.
Next steps
Learn more about OEMConfig configuration profiles.
On Android device administrator, configure Mobility Extensions (MX).
Monitor the profile status.
Windows and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune
Article • 08/30/2023
This scenario is common for frontline workers (FLW). For more information on FLW
devices in Microsoft Intune, go to FLW device management for devices in Microsoft
Intune.
Windows 11
Windows 10
Windows Holographic for Business
To create kiosk profiles for other platforms, go to Android device administrator, Android
Enterprise, and iOS/iPadOS.
Intune supports one kiosk profile per device. If you need multiple kiosk profiles on a
single device, you can use a Custom OMA-URI.
Intune uses "configuration profiles" to create and customize these settings for your
organization's needs. After you add these features in a profile, push or deploy these
settings to groups in your organization.
This article shows you how to run one app or many apps as a Windows kiosk device
using a device configuration profile. For a list of all the settings, and what they do, go to
Windows client kiosk settings and Windows Holographic for Business kiosk settings.
4. Select Create.
6. Select Next.
7. In Configuration settings > Select a kiosk mode, choose the type of kiosk mode
supported by the policy. Options include:
Not Configured (default): Intune doesn't change or update this setting. The
policy doesn't enable kiosk mode.
Single app, full-screen kiosk: The device runs as a single user account, and
locks it to a single web browser or app. So when the user signs in, a specific
app starts. This mode also restricts users from opening new apps, or
changing the running app.
For example, you can run the Microsoft Edge browser, and only show one
site, such as Contoso.com. Or, you can run a Store app, and have the device
locked on this app.
Multi app kiosk: The device runs multiple Store apps, Win32 apps, web
browsers, or inbox Windows apps by using the Application User Model ID
(AUMID). Only the apps you add are available on the device.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, go to Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
Next steps
After the profile is assigned, monitor its status.
You can create kiosk profiles for devices that run the following platforms:
Devices that have multiple users are called shared devices, and are a common part of
mobile device management (MDM) solutions. Using Microsoft Intune, you can
customize shared devices running the following platforms:
Tip
For example, schools have devices that are typically used by many students. With this
setting, the school Intune administrator can turn on the Shared PC feature to allow one
user at a time. Students can't switch between different signed-in accounts on the device.
When the student signs out, you also choose to remove all user-specific settings.
End users can sign in to these shared devices with a guest account. After users sign in,
the credentials are cached. As they use the device, end users only get access to the
features you allow. For example, you choose when the device goes into sleep mode,
whether users can see and save files locally, whether power management settings are
enabled or disabled, and more. You also control whether the guest account is deleted
when the user signs off, and whether inactive accounts are deleted when a threshold is
reached.
This article shows you how to create a configuration profile, and includes links to the
available settings with their descriptions.
When the profile is created in Intune, you deploy or assign the profile to device groups
in your organization. You can also assign this profile to device groups with mixed device
types and operating system (OS) versions.
4. Select Create.
6. Select Next.
7. In Configuration settings, depending on the platform you chose, the settings you
can configure are different. Choose your platform for detailed settings:
Windows 10/11
Windows Holographic for Business
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the device group that will receive your profile. For more
information on assigning profiles, go to Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
Next steps
See all the settings for Windows 10/11 and Windows Holographic for Business.
After the profile is assigned, monitor its status.
Use a network boundary to add trusted sites on Windows devices in Microsoft Intune
Article • 05/16/2023
When using Microsoft Defender Application Guard and Microsoft Edge, you can protect
your environment from sites that aren't trusted by your organization. This feature is
called a network boundary. It allows you to add network domains, IPv4 and IPv6 ranges,
proxy servers, and more to your network boundary. Items in this boundary are trusted.
In Intune, you can create a network boundary profile, and deploy this policy to your
devices.
This article shows you how to create the profile, and add trusted sites.
4. Select Create.
6. Select Next.
Neutral resources: Enter a list of domain names that can be used for work
resources or personal resources.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, go to Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
Next steps
After the profile is assigned, be sure to monitor its status.
In Intune, you can create a Windows Health Monitoring device configuration profile to
enable this data collection, and then deploy this profile to your devices.
Use this profile as part of your mobile device management (MDM) solution to optimize
your Windows devices.
This article shows you how to create the profile, and enable the monitoring.
4. Select Create.
5. In Basics, enter the following properties:
Name: Enter a descriptive name for the profile. Name your policies so you
can easily identify them later. For example, a good profile name is Windows
devices: Windows Health Monitoring profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
DeviceHealthMonitoring/AllowDeviceHealthMonitoring CSP
Scope: Choose the event information you want collected and evaluated. Your
options:
Windows updates: This option configures devices to send Windows
Update data to Intune. This data is then used in a compliance policy that
reports on Windows updates.
Endpoint analytics
DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope CSP
8. Select Next.
9. In Assignments, select the devices or device groups that will receive your profile.
For more information on assigning profiles, go to Assign user and device profiles.
Select Next.
10. In Applicability Rules, use the Rule, Property, and Value options to define how this
profile applies within assigned groups. Intune applies the profile to devices that
meet the rules you enter. For more information about applicability rules, go to
Applicability rules.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
Related content
After the profile is assigned, be sure to monitor its status.
What is Endpoint analytics
Use the Take a Test app on Windows 10 devices in Microsoft Intune
Article • 02/22/2023
Education profiles in Intune are designed for students to take a test or exam on devices.
This feature includes the Take a Test app and settings to add a test URL, choose how
end-users sign in to the test, and more. This feature supports the following platform:
When the user signs in, the Take a Test app automatically opens with the test you
entered. No other apps can run on the device while the test is in progress. Take tests in
Windows 10 provides more details on the Take a Test app.
This article lists the steps to create a device configuration profile in Microsoft Intune. It
also includes information to read and learn about the available education settings for
your Windows 10 devices.
4. Select Create.
6. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or user group that will receive your profile. For
more information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time each device checks in, the policy is applied.
Next steps
See a list of the Windows 10 education settings and their descriptions.
eSIM decouples the secure execution environment of the plastic SIM card from the SIM
credentials it contains. The secure container is called an eUICC (embedded Universal
Integrated Circuit Card). In the same way that each physical SIM card has a unique
identity, each eUICC has a unique identity called eUICC Identifier (EID).
The credentials and associated other configuration that uniquely identify a cellular
subscription are contained in a digital (software) package called an eSIM Profile.
Multiple eSIM Profiles may be installed into an eUICC. One of the installed eSIM Profiles
is enabled (and the rest are disabled). The combination of the enabled eSIM Profile and
its eUICC container behaves exactly like a traditional SIM card.
The Mobile Plans application is well suited to the needs of consumers and businesses
with a few PCs. However, it requires user interaction on each device that is provisioned,
an effort and cost that may become significant at large scale. To support larger-scale
managed environments (such as an enterprise or an educational organization), Windows
provides eSIM provisioning through mobile device management (MDM) such as
Microsoft Intune.
When an enterprise provisions an eSIM through an MDM such as Microsoft Intune, it
also configures the eSIM deployment along with other enterprise settings and policies.
When the MDM server is enrolled to the end user's work or school account, it pushes
the configuration to the PC throughout its lifecycle. After the PC is configured with the
eSIM information, it downloads the eSIM profile from the mobile operator's download
server (SM-DP+).
Within Windows, the eUICCs Configuration Service Provider (CSP) handles eSIM
configuration. In addition, the enterprise can also configure some eSIM policies through
the CSP and each PC obtains its eSIM profile from the CSP.
Prerequisites
In addition to a Windows 11 Connected PC (eSIM-capable PC) managed through
Microsoft Intune, you need the following information:
A mobile operator who can provide eSIM profiles to a set of known devices based on
their EIDs. This in turn requires a way for the enterprise (or school) to provide the EIDs
of its PCs to the operator as part of its contract with the mobile operator.
One option is for the enterprise to obtain the EIDs of their PCs from PC packaging
and send it to the operator directly.
Alternatively, for bulk device purchases, the EIDs of their PCs could come in a
manifest file created by the device OEM or a reseller/distributor and delivered to
the enterprise with the devices or directly to the mobile operator.
After the mobile operator knows the EIDs of the customer's PCs, the mobile operator
will set up eSIM profiles for each PC on its download server (SM-DP+). The enterprise
needs to know the fully qualified domain name (FQDN) of the download server (SM-
DP+). For example, smdp.example.com. However, it doesn't need individual activation
codes. When each PC contacts the download server (SM-DP+), the download server
(SM-DP+) authenticates the PC's EID and provides it with the eSIM profile that is specific
to that device.
Process flow
The overall process flow is as follows:
The MDM administrator creates the eSIM configuration profile pointing to the
download server (SM-DP+) provided by the mobile operator and assigns the
profile to the required group(s).
3. The end user unboxes the PC, powers it on, and goes through the initial Windows
out of box experience. As part of this process, the end user connects the PC to a
Wi-Fi network, and signs into their work or school account.
4. After the user has authenticated to the enterprise's (or school's) Azure Active
Directory, the work or school account is set up on the device. As part of this
process, the PC is enrolled to MDM, which then provisions it as configured by the
enterprise (in step 1). This configuration includes the FQDN of the operator's
download server (SM-DP+).
6. The PC installs and enables the eSIM profile. Windows recognizes the mobile
operator and configures the cellular settings such as access point name (APNs),
and the PC is now connected over cellular.
Note
The process flow described focuses on the initial device setup experience. However,
eSIM provisioning can also be done anytime throughout the lifecycle of the device
for managed devices.
To deploy eSIM to your devices using Intune, the following are needed:
eSIM capable devices, such as the Surface Pro 9 with 5G: See if your device
supports eSIM.
Windows 11 (version 22H2 (Build 22621) or higher) that is enrolled and MDM
managed by Intune
eSIM Download Server (SM-DP+ or SM-DS) fully qualified domain name (FQDN)
provided by your mobile operator. Contact your mobile operator for details.
After your mobile operator confirms that you need to create eSIM profiles on the
download server (SM-DP+), go to Microsoft Intune and create a profile for the EIDs tied
to the eSIM-capable Windows devices that you want to enable with eSIM.
Note
We recommend creating a static Azure AD device group that includes your eSIM
devices. Using a group confirms you target only eSIM devices.
Create a profile
1. Sign in to the Microsoft Intune admin center.
7. In the Configuration Settings tab, select + Add settings and search for eSIM in the
Settings Picker. After you select eSIM, you can select the settings that you want to
make available on your policy.
2 - Server Name: It's the fully qualified domain name of the SM-DP+
server that is used for profile discovery. For example, smdp.example.com
(do not include https://)
3 - Display Local UI: Determines whether eSIM settings can be viewed and
changed in the Settings app on the eSIM capable devices that are being
provisioned. True if available, false otherwise. If Display Local UI is set to
Disabled, Auto Enable must be checked.
Enter the Server Name, select the desired settings, and then select Next.
8. In the Scope tags tab, add the required tags, and select Next.
9. In the Assignments tab, select the user or device group(s) to assign your profile.
For more information on assigning the profile to a user or device group, go to
Assign device profiles in Microsoft Intune.
Also, before creating the profile, you need to have your group(s) set up. For more
information, go to Add groups to organize users and devices.
10. In the Review + create tab, review all the details and select Create.
The current implementation only supports a single Server Name. Even if more
Server Names are added, only the first one is used.
If the Local UI isn't disabled as part of the Configuration Profile, you can change
the active profile, stop using, or remove any of the eSIM profiles stored in the
device.
As with other settings in Intune, a deployment status of successful only means that
the setting is now applied, not necessarily that the eSIM profile has also been
downloaded and activated.
There's currently no method to remove an eSIM profile using Intune. The profile
must be manually removed from the device.
Next steps
Configure device profiles
Configure eSIM cellular profiles using imported activation codes in Intune (public preview)
Article • 05/17/2023
eSIM is an embedded SIM chip, and lets you connect to the Internet over a cellular data
connection on an eSIM-capable device, such as the Surface LTE Pro. With an eSIM,
you don't need to get a SIM card from your mobile operator. As a global traveler, you
can also switch between mobile operators and data plans to always stay connected.
For example, you have a cellular data plan for work, and another data plan with a
different mobile operator for personal use. When traveling, you can get Internet access
by finding mobile operators with data plans in that area.
Windows 11
Windows 10
In Intune, you can bulk activate eSIM codes using the following options:
In Intune, you can import one time use activation codes provided by your mobile
operator. To configure cellular data plans on the eSIM module, deploy those
activation codes to your eSIM-capable devices. When Intune installs the activation
code, the eSIM hardware module uses the data in the activation code to contact
the mobile operator. Once complete, the eSIM profile is downloaded on the
device, and configured for cellular activation.
For more information on this option, go to Configure eSIM download server using
Microsoft Intune.
This article describes how to import the activation codes in bulk, and then deploy these
codes to your eSIM-capable devices. This feature is in public preview.
Note
You can create a custom OMA-URI profile using the eUICCs CSP. Be sure to deploy
one custom profile for each device. The profile must include the device ICCID and
matching activation code from the carrier for each device.
Prerequisites
To deploy eSIM to your devices using Intune, the following are needed:
eSIM capable devices, such as the Surface LTE: See if your device supports eSIM.
If you're unsure if your devices support eSIM, then contact your device
manufacturer. On Windows devices, you can confirm eSIM supportability. For more
information, go to Use an eSIM to get a cellular data connection on your Windows
client device.
Windows 10 Fall creators update PC (1709 or later) that is enrolled and MDM
managed by Intune
Activation codes provided by your mobile operator. These one time-use activation
codes are added to Intune, and deployed to your eSIM capable devices. Contact
your mobile operator to acquire eSIM activation codes.
2. The second and all later rows are unique one-time-use activation codes that
include two values:
a. The first column is the unique ICCID (the identifier of the SIM chip).
b. The second column is the Matching ID, with only a comma separating the two
values (no comma at the end). See the following example:
3. The cellular subscription pool takes its name from the first part of your mobile
operator's SMDP address. For example, in the previous image, the first row includes
the smdp.skynet.mobile URL of the mobile operator, so Intune names the cellular
subscription pool smdp:
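As an added example (not part of this article and not Microsoft code), the following Python script checks an activation-code file against the layout steps 2 and 3 describe before you upload it: line 1 is the mobile operator's SMDP address, every later line is ICCID,MatchingID with no trailing comma, and the pool name is the first label of the SMDP address. The sample file, the bare-host-name rule for line 1 and the ICCID length check (18 to 20 digits, from ITU-T E.118's 20-digit maximum) are assumptions made for the example; the real ICCID and Matching ID formats are whatever your carrier supplies.

```python
"""Pre-upload check for an Intune eSIM activation-code CSV (added example).

Layout checked (from the article): line 1 is the operator's SMDP address,
each later line is "ICCID,MatchingID" with no trailing comma.
Assumptions: ICCIDs are 18-20 decimal digits (ITU-T E.118 allows up to 20);
Matching IDs are non-empty and contain no whitespace.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the article's layout; these are not real carrier values.
SAMPLE_CSV = """smdp.skynet.mobile
8901234567890123451,ABC-123-DEF
8901234567890123469,GHI-456-JKL
"""

# Bare host name: dot-separated labels, no scheme, no path, no comma.
HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass
class Result:
    pool_name: Optional[str] = None                            # first label of the SMDP address
    rows: List[Tuple[str, str]] = field(default_factory=list)  # (ICCID, MatchingID) per line
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_activation_csv(text: str) -> Result:
    """Return the pool name, the parsed rows and every layout error found."""
    res = Result()
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        res.errors.append("line 1: missing SMDP address")
        return res

    host = lines[0].strip()
    if HOST_RE.match(host):
        res.pool_name = host.split(".")[0]      # smdp.skynet.mobile -> smdp
    else:
        res.errors.append(f"line 1: {host!r} is not a bare SMDP host name")

    seen = set()
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue                            # tolerate a trailing blank line
        if line.endswith(","):
            res.errors.append(f"line {n}: trailing comma")
            line = line[:-1]
        parts = line.split(",")
        if len(parts) != 2:
            res.errors.append(f"line {n}: expected 'ICCID,MatchingID', got {len(parts)} fields")
            continue
        iccid, matching_id = (p.strip() for p in parts)
        if not (iccid.isdigit() and 18 <= len(iccid) <= 20):
            res.errors.append(f"line {n}: ICCID {iccid!r} is not 18-20 digits")
        if not matching_id or any(c.isspace() for c in matching_id):
            res.errors.append(f"line {n}: Matching ID is empty or contains whitespace")
        if iccid in seen:
            res.errors.append(f"line {n}: duplicate ICCID {iccid}")
        seen.add(iccid)
        res.rows.append((iccid, matching_id))
    return res


if __name__ == "__main__":
    r = validate_activation_csv(SAMPLE_CSV)
    print("pool:", r.pool_name, "rows:", len(r.rows), "errors:", r.errors)
```

Run it over the file your carrier sent before the upload; a duplicate ICCID or a stray trailing comma is cheaper to find here than as a failed deployment, and the pool name it derives is the one you will look for later under Devices > eSIM cellular profiles.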
Important
You can't have two lists with the same provider. If you try to upload two lists with
the same provider, you may get a "The request is invalid" error message.
To add more devices with the same provider or carrier, then you must:
Note
4. Choose to Include groups or Exclude groups, and then select the groups.
5. When you select your groups, you're choosing an Azure AD group. To select
multiple groups, use the Ctrl key, and select the groups.
eSIM activation codes are used once. After Intune installs an activation code on a device,
the eSIM module contacts the mobile operator to download the cellular profile. This
contact finishes registering the device with the mobile operator's network.
1. Select Devices > eSIM cellular profiles > Select an existing subscription.
2. In the Overview tab, the top graphical chart shows the number of devices assigned
to the specific eSIM cellular subscription pool deployment.
It also shows the number of devices for other platforms that are assigned the same
device profile.
Intune shows the delivery and installation status for the activation code targeted to
devices.
Device not synced: The targeted device hasn't contacted Intune since the
eSIM deployment policy was created
Activation pending: A transient state when Intune is actively installing the
activation code on the device
Active: Activation code installation successful
Activation fail: Activation code installation failed – see troubleshooting guide.
You can view a detailed list of devices in Device Status.
1. Select Devices > eSIM cellular profiles > Select an existing subscription.
2. Select Device Status. Intune shows more details about the device:
The eSIM profile is also removed when the device is retired or unenrolled by the user, or
when the reset device remote action runs on the device.
Note
Removing the profile may not stop billing. Contact your mobile operator to check
the billing status for your device.
Next steps
Configure device profiles
Use custom settings for Android devices in Microsoft Intune
Article • 05/16/2023
Using Microsoft Intune, you can add or create custom settings for your Android devices
using a "custom profile". Custom profiles are a feature in Intune. They're designed to
add device settings and features that aren't built into Intune.
Android custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-
URI) settings to configure different features on Android devices. These settings are
typically used by mobile device manufacturers to control these features.
Using a custom profile, you can configure and assign the following Android settings.
The following settings aren't built into Intune:
Important
Only the settings listed can be configured in a custom profile. Android devices
don't expose a complete list of OMA-URI settings you can configure. If you'd like to
see more settings, then vote for more settings at the Feedback for Intune site.
This article shows you how to create a custom profile for Android devices.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
DA custom profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings > OMA-URI Settings, select Add. Enter the following
settings:
Name: Enter a unique name for the OMA-URI setting so you can easily find it.
Description: Enter a description that gives an overview of the setting, and any
other important details.
Data type: Select the data type for this OMA-URI setting. Your options:
String
String (XML file)
Date and time
Integer
Floating point
Boolean
Base64 (file)
Value: Enter the data value you want to associate with the OMA-URI you
entered. The value depends on the data type you selected. For example, if
you select Date and time, select the value from a date picker.
8. Select Save to save your changes. Continue to add more settings as needed. After
you add some settings, you can select Export. Export creates a list of all the values
you added in a comma-separated values (.csv) file.
Select Next.
9. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, when you're done, choose Create. The profile is created, and
shown in the list.
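Added example, not from this article or from Microsoft: before you save an OMA-URI setting in step 7, you can check that the value you pasted matches the data type you picked, so a malformed value fails on your desk rather than on the device at check-in. This Python function covers the seven data types step 7 lists; the sample settings, their OMA-URI paths and the `check_profile` helper are placeholders constructed for the example, not settings Intune documents.

```python
"""Check OMA-URI setting values against their Intune data type before saving (added example)."""
from __future__ import annotations

import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Tuple


def check_value(data_type: str, value: str) -> Tuple[bool, str]:
    """Return (ok, message) for one value against the data type chosen in step 7."""
    t = data_type.strip().lower()
    try:
        if t == "string":
            return True, "ok"
        if t == "string (xml file)":
            ET.fromstring(value)            # ParseError if the XML is not well-formed
            return True, "ok"
        if t == "date and time":
            datetime.fromisoformat(value)   # expects ISO 8601, e.g. 2023-05-16T09:30:00
            return True, "ok"
        if t == "integer":
            int(value, 10)
            return True, "ok"
        if t == "floating point":
            float(value)
            return True, "ok"
        if t == "boolean":
            if value.strip().lower() in ("true", "false"):
                return True, "ok"
            return False, "Boolean must be true or false"
        if t == "base64 (file)":
            base64.b64decode(value, validate=True)   # rejects stray characters and bad padding
            return True, "ok"
        return False, f"unknown data type {data_type!r}"
    except (ValueError, binascii.Error, ET.ParseError) as exc:
        return False, f"{data_type}: {exc}"


# Constructed sample settings. The OMA-URI paths are placeholders, not documented Intune settings.
SAMPLE_SETTINGS: List[Dict[str, str]] = [
    {"name": "Example integer", "omaUri": "./PLACEHOLDER/Setting1",
     "dataType": "Integer", "value": "30"},
    {"name": "Example XML", "omaUri": "./PLACEHOLDER/Setting2",
     "dataType": "String (XML file)", "value": "<config><enabled>true</enabled></config>"},
    {"name": "Broken base64", "omaUri": "./PLACEHOLDER/Setting3",
     "dataType": "Base64 (file)", "value": "not base64!"},
]


def check_profile(settings: List[Dict[str, str]]) -> List[str]:
    """Validate every setting in a custom profile; return one error string per bad value."""
    errors = []
    for s in settings:
        ok, msg = check_value(s["dataType"], s["value"])
        if not ok:
            errors.append(f"{s['name']}: {msg}")
    return errors


if __name__ == "__main__":
    for err in check_profile(SAMPLE_SETTINGS):
        print(err)
```

The XML check uses the standard-library parser, which is fine for values an administrator typed in; if the XML ever comes from an untrusted source, parse it with a hardened parser such as defusedxml instead.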
Next steps
Assign the profile and monitor its status.
Create a custom profile on Android Enterprise devices.
Use custom policies in Microsoft Intune to allow and block apps for Samsung Knox Standard devices
Article • 05/17/2023
Use the steps in this article to create a Microsoft Intune custom policy that creates one
of the following lists:
A list of apps that are blocked from running on the device. Apps in this list are
blocked from being run, even if they were already installed when the policy was
applied.
A list of apps that users of the device are allowed to install from the Google Play
store. Only the apps you list can be installed. No other apps can be installed from
the store.
These settings can only be used by devices that run Samsung Knox Standard.
4. Select Create.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
Samsung Knox custom profile - blocks apps.
Description: Enter a description that gives an overview of the setting, and any
other important details. This setting is optional, but recommended.
6. Select Next.
For a list of apps that are blocked from running on the device:
For a list of apps that users are allowed to install from the Google Play store while
excluding all other apps:
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such
as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope
tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the users or device groups that will receive your profile. For
more information on assigning profiles, go to assign user and device profiles.
Select Next.
11. In Review + create, review your settings. When you select Create, your changes are
saved, and the profile is assigned. The policy is also shown in the profiles list.
Tip
You can find the package ID of an app by browsing to the app on the Google Play
store. The package ID is contained in the URL of the app's page. For example, the
package ID of the Microsoft Word app is com.microsoft.office.word.
The next time each targeted device checks in, the app settings are applied.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and
monitor its status.
Android and Samsung Knox Standard device restriction settings lists in Intune
Article • 02/22/2023
This article shows you all the Microsoft Intune device restrictions settings that you can
configure for devices running Android. As part of your mobile device management
(MDM) solution, use these settings to allow or disable features, set password
requirements, control security, and more.
Tip
If the settings you want are not available, you might be able to configure your
devices using a custom profile.
General
Camera: Block prevents access to the device camera. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow access to the device camera.
Intune only manages access to the device camera. It doesn't have access to
pictures or videos.
Copy and paste (Samsung Knox only): Block prevents copy-and-paste. Not
configured allows copy and paste functions on devices.
Clipboard sharing between apps (Samsung Knox only): Block prevents using the
clipboard to copy-and-paste between apps. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow copy
and paste functions on devices.
Diagnostic data submission (Samsung Knox only): Block stops users from
submitting bug reports from devices. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
submit the data.
Wipe (Samsung Knox only): Allows users to run a wipe action on devices. When
set to Not configured (default), Intune doesn't change or update this setting.
Geolocation (Samsung Knox only): Block disables devices from using location
information. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow devices to use the location
information.
Power off (Samsung Knox only): Block prevents users from powering off the device. It
also prevents the Number of sign-in failures before wiping device setting from
being configured, and from working. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
power off devices.
Screen capture (Samsung Knox only): Block prevents screenshots. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might let users capture the screen contents as an image.
Voice assistant (Samsung Knox only): Block disables the S Voice service. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow using the S Voice service and app on devices. This
setting doesn't apply to Bixby or the voice assistant for accessibility that reads the
screen content aloud.
YouTube (Samsung Knox only): Block prevents users from using the YouTube app.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using the YouTube app on devices.
When used with a SCEP certificate profile, this feature allows users to share a
device with the same apps for all users. But, each user has their own SCEP user
certificate. When users sign out, all app data is cleared. This feature is limited to
LOB apps only.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might prevent multiple users from signing in to the
Company Portal app on devices using their Azure AD credentials.
Block date and time changes (Samsung Knox): Block prevents users from
changing the date and time settings on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to change the date and time settings.
Password
Encryption: Select Require so that files on the device are encrypted. Not all devices
support encryption. When set to Not configured (default), Intune doesn't change
or update this setting. To configure this setting, and correctly report compliance,
also configure:
Note
Maximum minutes of inactivity until screen locks: Enter the length of time a
device must be idle before the screen is automatically locked. For example, enter 5
to lock devices after 5 minutes of being idle. When the value is blank or set to Not
configured, Intune doesn't change or update this setting.
On a device, users can't set a time value greater than the configured time in the
profile. Users can set a lower time value. For example, if the profile is set to 15
minutes, users can set the value to 5 minutes. Users can't set the value to 30
minutes.
Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before devices are wiped, from 4-11. 0 (zero) might disable
device wipe functionality. When the value is blank, Intune doesn't change or
update this setting.
Password: Require users to enter a password to access devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to access devices without entering a password.
Note
Important
If you set Password complexity to something other than None, then also set
the Password setting to Require, which is found under the All Android devices
section. Users with passwords that don't meet your complexity requirements
receive a warning to update their password. If you don’t set the Password
setting to Require, users with weak passwords won’t receive the warning.
Android 9 and earlier, or Samsung Knox (any version)
Minimum password length: Enter the minimum number of characters required,
from 4-16. For example, enter 6 to require a password of at least six digits or
characters.
Password expiration (days): Enter the number of days, until the device password
must be changed, from 1-365. For example, enter 90 to expire the password after
90 days. When the password expires, users are prompted to create a new
password. When the value is blank, Intune doesn't change or update this setting.
Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:
Device default
Low security biometric: Strong vs. weak biometrics (opens Android's web
site)
When set to Numeric complex, and you assign the setting to devices running
an Android version earlier than 5.0, then the following behavior applies:
If the Company Portal app is running a version earlier than 1704, no PIN
policy applies to devices, and an error shows in the Microsoft Intune admin
center.
If the Company Portal app runs version 1704 or later, only a simple PIN
can be applied. Android versions earlier than 5.0 don't support this setting. No
error is shown in the Microsoft Intune admin center.
Smart Lock and other trust agents: Block prevents Smart Lock or other trust
agents from adjusting lock screen settings. If the device is in a trusted location,
then this feature, also known as a trust agent, lets you disable or bypass the device
lock screen password. For example, use this feature when devices are connected to
a specific Bluetooth device, or when devices are close to an NFC tag. You can use
this setting to prevent users from configuring Smart Lock.
When set to Not configured (default), Intune doesn't change or update this
setting.
Restricted apps
This feature is supported on Android and Samsung Knox Standard devices.
Type of restricted apps list: Create a list of apps to allow or block on devices. This
feature is supported on Android and Samsung Knox Standard devices. Your
options:
Not configured (default): Intune doesn't change or update this setting.
Prohibited apps: List the apps (not managed by Intune) that users aren't
allowed to install and run. If a user installs an app from this list, you're notified
by Intune.
Approved apps: List the apps that users are allowed to install. To stay compliant,
users must not install other apps. Apps that are managed by Intune are
automatically allowed, including the Company Portal app.
App store URL: Enter the Google Play Store URL of the app you want. For
example, to add the Microsoft Remote Desktop app for Android, enter
https://play.google.com/store/apps/details?id=com.microsoft.rdc.android.
To find the URL of an app, open the Google Play store, and search for the app.
For example, search for Microsoft Remote Desktop Play Store or Microsoft
Planner. Select the app, and copy the URL.
App name: Enter the name you want. This name is shown to users.
You can also Import a CSV file with details about the app, including the URL. Use the
<app url>, <app name>, <app publisher> format. Or, Export an existing list that
includes the restricted apps list in the same format.
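Both the Tip in the Samsung Knox custom policy article above (the package ID is the id parameter in the app's Play Store URL) and the <app url>, <app name>, <app publisher> import format described here can be checked with a short script before you import a list. This Python example is added here and is not part of the article or of Intune; the sample CSV rows, the example.invalid entry and the package-name rule (dot-separated identifiers, each starting with a letter) are constructed assumptions.

```python
"""Parse an Intune restricted-apps CSV and pull package IDs from Play Store URLs (added example)."""
from __future__ import annotations

import csv
import io
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Android package names: dot-separated identifiers, each starting with a letter (assumed rule).
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")

# Constructed sample in the article's <app url>, <app name>, <app publisher> layout.
# The example.invalid row is deliberately not a Play Store URL.
SAMPLE_CSV = """https://play.google.com/store/apps/details?id=com.microsoft.rdc.android, Microsoft Remote Desktop, Microsoft Corporation
https://play.google.com/store/apps/details?id=com.microsoft.office.word, Microsoft Word, Microsoft Corporation
https://example.invalid/apps?id=com.example.app, Not a store app, Example Publisher
"""


def package_id_from_url(url: str) -> Optional[str]:
    """Return the package ID carried in a Play Store app URL's id parameter, or None."""
    u = urlparse(url.strip())
    if u.scheme != "https" or u.netloc != "play.google.com" or u.path != "/store/apps/details":
        return None
    ids = parse_qs(u.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.match(ids[0]):
        return None
    return ids[0]


def parse_restricted_apps(text: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return ((package, name, publisher) rows, errors) for an import file."""
    rows: List[Tuple[str, str, str]] = []
    errors: List[str] = []
    seen = set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for n, record in enumerate(reader, start=1):
        if not record:
            continue                      # blank line
        if len(record) != 3:
            errors.append(f"line {n}: expected 3 fields, got {len(record)}")
            continue
        url, name, publisher = (f.strip() for f in record)
        pkg = package_id_from_url(url)
        if pkg is None:
            errors.append(f"line {n}: {url!r} is not a Google Play app URL")
            continue
        if pkg in seen:
            errors.append(f"line {n}: duplicate package {pkg}")
            continue
        seen.add(pkg)
        rows.append((pkg, name, publisher))
    return rows, errors


if __name__ == "__main__":
    ok_rows, problems = parse_restricted_apps(SAMPLE_CSV)
    for pkg, name, publisher in ok_rows:
        print(f"{pkg:40} {name} ({publisher})")
    for p in problems:
        print("ERROR", p)
```

The script only checks shape. It cannot tell you whether the package really belongs to the publisher named in the row, so confirm that on the store page before putting an app on an approved list.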
Important
Device profiles that use the restricted app settings must be assigned to user
groups, not device groups.
Browser
Web browser (Samsung Knox only): Block prevents the default web browser from
being used on devices. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow the device's default
web browser to be used.
Autofill (Samsung Knox only): Block prevents the browser from automatically
filling in text. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow Autofill.
Cookies (Samsung Knox only): Choose how to handle cookies from websites on
devices. Your options:
Allow
Block all cookies
Allow cookies from visited web sites
Allow cookies from current web site
JavaScript (Samsung Knox only): Block prevents JavaScript from running in the
browser. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow these scripts.
Pop-ups (Samsung Knox only): Block turns on Pop-up Blocker to prevent pop-ups
in the web browser. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow pop-ups.
Your options:
Apps allowed to be installed (Samsung Knox Standard only): Add apps that users
can install. Users can't install apps that aren't on the list.
Apps blocked from launching (Samsung Knox Standard only): Enter the apps that
users can't run on their device.
Apps hidden from user (Samsung Knox Standard only): Enter the apps that are
hidden on devices. Users can't discover or run these apps.
Add apps by package name: Enter the app name, and the name of the app
package. Primarily used for line-of-business apps.
Add apps by URL: Enter the app name, and its URL in the Google Play store.
Add store app: Select an app from the existing list of apps you manage in Intune.
Kiosk
Kiosk settings apply only to Samsung Knox Standard devices, and only to apps you
manage using Intune.
Add apps you want to run when the device is in kiosk mode. In kiosk mode, only
the apps you add run; apps not added don't run. Pre-installed browsers don't run
as an app when the device is in kiosk mode. If a browser is required, consider using
the Managed Browser.
Screen sleep button: Block prevents or hides the screen sleep button. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow the screen sleep wake button on devices.
Volume buttons: Block prevents users from adjusting the volume by disabling the
volume buttons. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow using the volume buttons on
devices.
Next steps
Assign the profile and monitor its status.
You can also create kiosk profiles for Android Enterprise and Windows 10 devices.
Android device settings to configure email, authentication, and synchronization in Intune
Article • 02/21/2023
This article describes the different email settings you can control on Android Samsung
Knox devices in Intune. As part of your mobile device management (MDM) solution, use
these settings to configure an Exchange email server, use SSL to encrypt emails, and
more. The email profile uses the native or built-in email app on the device, and allows
users to connect to their organization email.
As an Intune administrator, you can create and assign email settings to Android
Samsung Knox Standard devices. To learn more about email profiles in Intune, see
configure email settings.
Account name: Enter the display name for the email account. This name is shown
to users on their devices.
Username attribute from AAD: This name is the attribute Intune gets from Azure
Active Directory (Azure AD). Intune dynamically generates the username that's
used by this profile. Your options:
User Principal Name: Gets the name, such as user1 or user1@contoso.com.
User name: Gets only the name, such as user1.
sAM Account Name: Requires the domain, such as domain\user1. sAM account
name is only used with Android devices. Also enter:
User domain name source: Choose AAD (Azure Active Directory) or Custom.
Email address attribute from AAD: This name is the email attribute Intune gets
from Azure AD. Intune dynamically generates the email address that's used by this
profile. Make sure your users have email addresses that match the attribute you
select. Your options:
User principal name: Uses the full principal name, such as user1@contoso.com or
user1, as the email address.
Security settings
SSL: Use Secure Sockets Layer (SSL) communication when sending emails,
receiving emails, and communicating with the Exchange server.
S/MIME: Send outgoing email using S/MIME encryption.
If you select Certificate, select a client SCEP or PKCS certificate profile that you
previously created to authenticate the Exchange connection.
Synchronization settings
Amount of email to synchronize: Choose the number of days of email that you
want to synchronize, or select Unlimited to synchronize all available email.
Sync schedule: Select the schedule for devices to synchronize data from the
Exchange server. You can also select As Messages arrive, which synchronizes data
when it arrives, or Manual, where the user of the device must initiate the
synchronization.
Content sync settings
Content type to sync: Select the content types that you want to synchronize on
the devices. Not configured disables this setting. When set to Not configured, if
an end user enables synchronization on the device, synchronization is disabled
again when the device syncs with Intune, because the policy is re-enforced.
Next steps
Assign the profile and monitor its status.
You can also create email profiles for Android Enterprise, iOS/iPadOS, and Windows 10
and later.
Android device settings to configure VPN in Intune
Article • 02/21/2023
This article describes the different VPN connection settings you can control on Android
devices. As part of your mobile device management (MDM) solution, use these settings
to create a VPN connection, choose how the VPN authenticates, select a VPN server
type, and more.
As an Intune administrator, you can create and assign VPN settings to Android devices.
To learn more about VPN profiles in Intune, see VPN profiles.
Some Microsoft 365 services, such as Outlook, may not perform well using third-party
or partner VPNs. If you're using a third-party or partner VPN, and experience
a latency or performance issue, then remove the VPN.
Base VPN
Connection name: Enter a name for this connection. End users see this name when
they browse their device for the available VPN connections. For example, enter
Contoso VPN.
VPN server address: Enter the IP address or fully qualified domain name (FQDN) of
the VPN server that devices connect to. For example, enter 192.168.1.1 or
vpn.contoso.com.
Authentication method: Choose how devices authenticate to the VPN server. Your
options:
Username and password: When signing into the VPN server, end users are
prompted to enter their user name and password.
Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one.
Fingerprint (Check Point Capsule VPN only): Enter the fingerprint string given to
you by the VPN vendor, such as Contoso Fingerprint Code. This fingerprint verifies
that the VPN server can be trusted.
When authenticating, a fingerprint is sent to the client so the client knows to trust
any server that has the same fingerprint. If the device doesn't have the fingerprint,
it prompts the user to trust the VPN server while showing the fingerprint. The user
manually verifies the fingerprint, and chooses to trust to connect.
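The trust decision the two paragraphs above describe (trust a server whose fingerprint matches the one in the profile, and fall back to asking the user only when no fingerprint was deployed) can be written out as follows. This is an added Python example, not Check Point or Intune code: the certificate bytes are constructed stand-ins for a server certificate, and the SHA-256 hex fingerprint format and the constant-time comparison are assumptions about how such a check would be implemented.

```python
"""Fingerprint-based VPN server trust decision (added example)."""
from __future__ import annotations

import hashlib
import hmac
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    TRUSTED = "trusted: fingerprint matches the profile"
    REJECTED = "rejected: fingerprint differs from the profile"
    PROMPT_USER = "no fingerprint in profile: user must verify and accept"


# Constructed stand-in for the DER bytes of a VPN server certificate; not a real certificate.
SERVER_CERT = b"constructed-server-certificate-bytes"
# Constructed stand-in for a certificate presented by some other server.
OTHER_CERT = b"constructed-other-certificate-bytes"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes as lower-case hex (assumed format)."""
    return hashlib.sha256(cert_der).hexdigest()


def normalise(fp: str) -> str:
    """Accept vendor-style AB:CD:... or spaced upper-case input and reduce it to bare hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def vendor_style(fp: str) -> str:
    """Render bare hex as colon-separated upper-case pairs, the way vendors often print it."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()


def evaluate_server(cert_der: bytes, pinned_fingerprint: Optional[str]) -> Tuple[Decision, str]:
    """Decide whether the client may connect, given the fingerprint from the profile (if any)."""
    presented = fingerprint(cert_der)
    if not pinned_fingerprint:
        # Nothing was deployed: the client can only show the fingerprint and ask the user.
        return Decision.PROMPT_USER, presented
    # Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    if hmac.compare_digest(normalise(pinned_fingerprint), presented):
        return Decision.TRUSTED, presented
    return Decision.REJECTED, presented


if __name__ == "__main__":
    pinned = vendor_style(fingerprint(SERVER_CERT))
    for cert in (SERVER_CERT, OTHER_CERT):
        decision, fp = evaluate_server(cert, pinned)
        print(f"{fp[:16]}...  {decision.value}")
    print(evaluate_server(SERVER_CERT, None)[0].value)
```

The value of entering the fingerprint in the profile is the PROMPT_USER branch never running: the accept decision is made once by the administrator instead of by each user at connection time.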
Next steps
Assign the profile and monitor its status.
You can also create VPN profiles for Android Enterprise, iOS/iPadOS, macOS, and
Windows 10 and later.
Add Wi-Fi settings for devices running Android device administrator in Microsoft Intune
Article • 06/14/2023
You can create a profile with specific Wi-Fi settings, and then deploy this profile to your
Android devices. Microsoft Intune offers many features, including authenticating to your
network, adding a PKCS or SCEP certificate, and more.
These Wi-Fi settings are separated into two categories: Basic settings and Enterprise-level
settings. This article describes these settings.
Basic
Wi-Fi type: Choose Basic.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Hidden network: Choose Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Choose Disable to show this
network in the list of available networks on the device.
Enterprise
Wi-Fi type: Choose Enterprise.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Hidden network: Choose Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Choose Disable to show this
network in the list of available networks on the device.
EAP type: Choose the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. Your options:
Server Trust - Root certificate for server validation: Select one or more
existing trusted root certificate profiles. When the client connects to the
network, these certificates are used to establish a chain of trust with the
server. If your authentication server uses a public certificate, then you don't
need to include a root certificate.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.
Server Trust - Root certificate for server validation: Select one or more
existing trusted root certificate profiles. When the client connects to the
network, these certificates are used to establish a chain of trust with the
server. If your authentication server uses a public certificate, then you don't
need to include a root certificate.
Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Certificates: Choose the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.
Server Trust - Root certificate for server validation: Select one or more
existing trusted root certificate profiles. When the client connects to the
network, these certificates are used to establish a chain of trust with the
server. If your authentication server uses a public certificate, then you don't
need to include a root certificate.
Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Certificates: Choose the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.
Next steps
The profile is created, but it's not doing anything. Next, assign this profile.
More resources
Wi-Fi settings overview, including other platforms.
Using Android Enterprise or Android Kiosk devices? If yes, then look at Wi-Fi
settings for devices running Android Enterprise and dedicated devices.
Android (AOSP) device settings to allow or restrict features using Intune
Article • 07/12/2023
This article describes the different settings you can control on Android (AOSP) devices.
You can use these restrictions to configure password requirements and access to device
features.
Device password
Required password type: Require users to use a certain type of password. Your
options:
Number of sign-in failures before wiping device: Enter the number of sign-in
attempts allowed, from 4 to 11, before the device is wiped. 0 (zero) might disable
the device wipe functionality. When the value is blank, Intune doesn't change or
update this setting.
Maximum minutes of inactivity until screen locks: Enter the maximum length of
time, from 1 minute to 1 hour, that devices can be idle before the screen is
automatically locked. Users must enter their credentials to regain access. For
example, enter 5 to lock the device after 5 minutes of inactivity. When the value is
blank or set to Not configured, Intune doesn't change or update this setting.
Note
RealWear devices currently only support device default, numeric, and numeric
complex password types.
The password type Password required, no restrictions appears as an option
but doesn't currently work on devices, which is a known issue.
General
Block access to camera: Prevents access to the camera on the device. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow access to the camera.
Intune only manages access to the device camera. It doesn't have access to
pictures or videos.
Disable factory reset: Prevents users from using the factory reset option in the
device's settings. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to factory reset the device.
Block mounting of external media: Prevents users from using or connecting any
external media on the device. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to connect
external media.
Block USB file transfer: Prevents users from transferring files over USB. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to transfer files.
Block Wi-Fi setting changes: Prevents users from creating or changing any Wi-Fi
configurations. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to change the Wi-Fi
settings on the device.
Disable Bluetooth: Disables Bluetooth on the device so that users can't pair with
other devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might enable Bluetooth on the device.
Allow users to turn on debugging features: Permits users to access the debugging
features on the device. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might prevent users from using
the debugging features on the device.
Block users from turning on unknown sources: Prevents users from sideloading
apps. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to sideload apps from unknown
sources.
Next steps
Create an Android (AOSP) device compliance policy.
Add actions for noncompliant devices.
Add Wi-Fi settings for Android (AOSP) devices in Microsoft Intune
Article • 06/14/2023
You can create a profile with specific Wi-Fi settings, and then deploy this profile to your
Android Open Source Project (AOSP) devices. Microsoft Intune offers many features,
including authenticating to your network, using a pre-shared key, and more.
This article describes these settings. Use Wi-Fi on your devices includes more
information about the Wi-Fi feature in Microsoft Intune.
For more information on AOSP, go to Android Open Source Project (opens Android's
website).
Basic
Wi-Fi type: Select Basic.
Network name: Enter a name for this Wi-Fi connection. End users see this name
when they browse their device for available Wi-Fi connections. For example, enter
Contoso WiFi.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Devices that are already connected to another preferred Wi-Fi network won't
automatically switch to this one. If devices fail to connect automatically,
disconnect them from any existing Wi-Fi connections.
Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Select Disable to show this
network in the list of available networks on the device.
Wi-Fi type: Select the security protocol to authenticate to the Wi-Fi network. Your
options:
Open (no authentication): Only use this option if the network is unsecured.
WEP-Pre-shared key: Enter the password in Pre-shared key (PSK). When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value. WEP is
cryptographically broken and its key can be recovered by a passive attacker;
choose it only for legacy equipment you can't upgrade.
WPA-Pre-shared key: Enter the password in Pre-shared key (PSK). When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value.
Enterprise
Wi-Fi type: Select Enterprise.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Devices that are already connected to another preferred Wi-Fi network won't
automatically switch to this one. If devices fail to connect automatically,
disconnect them from any existing Wi-Fi connections.
Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcasted. Select Disable to show this
network in the list of available networks on the device.
EAP type: Select the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. For each EAP type, also enter:
Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com, uk.contoso.com, or
jp.contoso.com.
If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com.
When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.
On Android 11 and newer, new Wi-Fi profiles may require this setting be
configured. Otherwise, the devices may not connect to your Wi-Fi network.
Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.
Together, Radius server name and the root certificate are what let the device
confirm it's authenticating to your RADIUS server and not to a rogue access
point broadcasting the same SSID. Configure both wherever possible.
Certificates: Select the SCEP or PKCS client certificate profile that's also
deployed to the device. This certificate is the identity presented by the device
to the server to authenticate the connection. This setting isn't offered for
every EAP type.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.
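The server-name rule that the Radius server name setting relies on, as an added example (Python written for this edit; it is not Intune's or Android's code): the certificate presented by the RADIUS server is accepted only when one of its DNS names equals a configured value or ends with a dot followed by it, and several values can be separated by semicolons. The names below are constructed strings standing in for a certificate's SAN entries, and the outcome labels (accepted, rejected, no server name configured) are the example's own.

```python
# Added illustration of the suffix match behind "Radius server name"; not Intune
# or Android code. Rule reproduced here: a DNS name in the server certificate
# matches a configured value when it equals it or ends with "." + value, and
# several values may be given separated by ";". Comparison is case-insensitive
# and trailing dots are ignored.

ACCEPTED = "accepted"
REJECTED = "rejected"
UNVERIFIED = "no server name configured"


def parse_server_names(configured):
    """Normalise the admin-entered value: split on ';', lowercase, drop trailing dots."""
    return [part.strip().lower().rstrip(".")
            for part in configured.split(";") if part.strip()]


def name_matches(cert_name, suffix):
    """Suffix match on whole DNS labels, never on raw characters.

    'radius1.uk.contoso.com' matches 'contoso.com'; 'evilcontoso.com' and
    'contoso.com.attacker.example' do not, although a naive endswith() or
    startswith() check would accept one of them.
    """
    cert_name = cert_name.strip().lower().rstrip(".")
    return cert_name == suffix or cert_name.endswith("." + suffix)


def evaluate_server_cert(cert_dns_names, configured):
    """Decide whether a server certificate with the given SAN names passes the
    configured Radius server name; with nothing configured the profile cannot
    tell your RADIUS server from a rogue one, which is reported separately."""
    suffixes = parse_server_names(configured)
    if not suffixes:
        return UNVERIFIED
    if any(name_matches(name, suffix)
           for name in cert_dns_names for suffix in suffixes):
        return ACCEPTED
    return REJECTED


if __name__ == "__main__":
    # Constructed sample certificates: one corporate, one rogue.
    corporate = ["radius1.uk.contoso.com", "radius1.contoso.com"]
    rogue = ["contoso.com.attacker.example", "evilcontoso.com"]
    for names in (corporate, rogue):
        print(names, "->", evaluate_server_cert(names, "contoso.com"))
```

Run it to see the corporate names accepted and both rogue names rejected against the suffix contoso.com; pass an empty string as the configured value to see why leaving the setting blank removes the check.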
Next steps
The profile is created, but might not be doing anything. Be sure to assign this profile
and monitor its status.
You can also create Wi-Fi profiles for Android Enterprise, iOS/iPadOS, macOS, and
Windows 10/11.
Using Microsoft Intune, you can add or create custom settings for your Android
Enterprise personally owned devices with a work profile using a "custom profile".
Custom profiles are a feature in Intune. They're designed to add device settings and
features that aren't built in to Intune.
Android Enterprise custom profiles use Open Mobile Alliance Uniform Resource
Identifier (OMA-URI) settings to control features on Android Enterprise devices. These
settings are typically used by mobile device manufacturers to control these features.
Intune supports only a limited number of Android Enterprise custom profile settings.
For example:
./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste: See the example in
this article. This setting is also available in the user interface. For more information,
see Android Enterprise device settings to allow or restrict features.
If you need to add more settings, then use OEMConfig for Android Enterprise.
This article shows you how to create a custom profile for Android Enterprise devices. It
also provides an example of a custom profile that blocks copy-and-paste.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, a good profile name is Android
Enterprise custom profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.
6. Select Next.
7. In Configuration settings > OMA-URI Settings, select Add. Enter the following
settings:
Name: Enter a unique name for the OMA-URI setting so you can easily find it.
Description: Enter a description that gives an overview of the setting, and any
other important details.
Data type: Select the data type for this OMA-URI setting. Your options:
String
String (XML file)
Date and time
Integer
Floating point
Boolean
Base64 (file)
Value: Enter the data value you want to associate with the OMA-URI you
entered. The value depends on the data type you selected. For example, if
you select Date and time, select the value from a date picker.
After you add some settings, you can select Export. Export creates a list of all the
values you added in a comma-separated values (.csv) file.
8. Select Save to save your changes. Continue to add more settings as needed.
Select Next.
9. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, when you're done, choose Create. The profile is created, and
shown in the list.
Example
In this example, you create a custom profile that restricts copy and paste actions
between work and personal apps on Android Enterprise devices.
Name: Enter a descriptive name for the profile. Name your profiles so you
can easily identify them later. For example, enter AE block copy paste custom
profile.
Description: Enter a description for the profile. This setting is optional, but
recommended.
5. Select Next.
6. In Configuration settings > OMA-URI Settings, select Add. Enter the following
settings:
After you enter the settings, your environment looks similar to the following
image:
8. Select Next.
9. In Scope tags (optional) > Select scope tags, choose your scope tags to assign to
the profile. For more information, see Use RBAC and scope tags for distributed IT.
Select Next.
10. In Assignments, select the groups that will receive this profile. For more
information on assigning profiles, see Assign user and device profiles.
Select Next.
11. In Review + create, when you're done, choose Create. The profile is created and is
shown in the list.
When you assign this profile to Android Enterprise devices you manage, copy and
paste are blocked between apps in the work and personal profiles.
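The same profile expressed as a Microsoft Graph request, as an added example that is not from this article or from Intune. It serves both the generic procedure above and the copy-and-paste example: each portal data type is validated before anything is sent, and the body can be reviewed as text and reproduced across tenants. Assumptions not stated by the article: the beta Graph resource type androidForWorkCustomConfiguration, the omaSetting* OData types listed in OMA_TYPES, the fileName property for file-backed settings, and that the value True on DisallowCrossProfileCopyPaste is what blocks copy and paste. The bearer token and the network call are left to the caller.

```python
# Added example, not code from this article or from Intune. Builds the request
# body that creates an Android Enterprise custom profile through Microsoft Graph.
# Assumed (not stated by the article): the resource type in PROFILE_TYPE, the
# omaSetting* OData types in OMA_TYPES, and the fileName property for files.
import base64
import json
import urllib.request
from datetime import datetime

GRAPH_URL = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"
PROFILE_TYPE = "#microsoft.graph.androidForWorkCustomConfiguration"  # assumed

# Portal "Data type" choices mapped to Graph omaSetting types (assumed names).
OMA_TYPES = {
    "String": "#microsoft.graph.omaSettingString",
    "String (XML file)": "#microsoft.graph.omaSettingStringXml",
    "Date and time": "#microsoft.graph.omaSettingDateTime",
    "Integer": "#microsoft.graph.omaSettingInteger",
    "Floating point": "#microsoft.graph.omaSettingFloatingPoint",
    "Boolean": "#microsoft.graph.omaSettingBoolean",
    "Base64 (file)": "#microsoft.graph.omaSettingBase64",
}


def oma_setting(name, oma_uri, data_type, value, description="", file_name=None):
    """One OMA-URI setting. The value is checked against the chosen data type, so
    a typo such as the string "true" in a Boolean setting fails here, not in Graph."""
    if not oma_uri.startswith("./"):
        raise ValueError(f"OMA-URI must be a relative path like ./Vendor/...: {oma_uri!r}")
    if data_type not in OMA_TYPES:
        raise ValueError(f"unknown data type {data_type!r}")
    setting = {"@odata.type": OMA_TYPES[data_type], "displayName": name,
               "description": description, "omaUri": oma_uri}
    if data_type == "Boolean":
        if not isinstance(value, bool):
            raise TypeError(f"Boolean setting needs True/False, not {value!r}")
        setting["value"] = value
    elif data_type == "Integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError("Integer setting needs an int")
        setting["value"] = value
    elif data_type == "Floating point":
        setting["value"] = float(value)
    elif data_type == "Date and time":
        if not isinstance(value, datetime):
            raise TypeError("Date and time setting needs a datetime")
        setting["value"] = value.isoformat()
    elif data_type == "String":
        setting["value"] = str(value)
    else:  # XML or Base64 file: contents travel base64-encoded with a file name
        if not isinstance(value, bytes):
            raise TypeError("file settings need the file contents as bytes")
        setting["fileName"] = file_name or "setting.bin"
        setting["value"] = base64.b64encode(value).decode("ascii")
    return setting


def custom_profile(display_name, description, settings):
    """Full deviceConfiguration body for an Android Enterprise custom profile."""
    return {"@odata.type": PROFILE_TYPE, "displayName": display_name,
            "description": description, "omaSettings": list(settings)}


def post_profile(body, bearer_token):
    """Create the profile in the tenant; needs network access and a Graph token."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# The article's example: block copy and paste between work and personal profiles.
# True = disallow is assumed from the setting's name.
BLOCK_COPY_PASTE = custom_profile(
    "AE block copy paste custom profile",
    "Blocks clipboard sharing between the work and personal profiles",
    [oma_setting("Block copy paste",
                 "./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste",
                 "Boolean", True,
                 description="True disallows cross-profile copy and paste")],
)

if __name__ == "__main__":
    print(json.dumps(BLOCK_COPY_PASTE, indent=2))
```

Running the file prints the body for review; post_profile(BLOCK_COPY_PASTE, token) sends it with a token that has the DeviceManagementConfiguration.ReadWrite.All permission. Assignment is still a separate step, as the Next steps note below says.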
Next steps
Assign the profile and monitor its status.
Create a custom profile on Android device administrator devices.
Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune
Article • 07/31/2023
This article describes the different settings you can control and restrict on Android
Enterprise devices owned by your organization. As part of your mobile device
management (MDM) solution, use these settings to allow or disable features, run apps
on dedicated devices, control security, and more.
Tip
When you create device restriction policies, there are many settings available. To
help determine the settings that are right for your organization, you can use the
security configuration framework guidance:
Android Enterprise fully managed, dedicated, and corporate-owned work profile
security settings
Some settings aren't supported by all enrollment types. To see which settings are
supported by the different enrollment types, sign in to the Intune admin center. Each
setting is under a heading that indicates the enrollment types that can use the setting.
For corporate-owned devices with a work profile, some settings only apply in the work
profile. These settings have (work profile-level) in the setting name. For fully managed
and dedicated devices, these settings apply device-wide.
General
Camera (work profile-level): Block prevents access to the camera on the device.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow access to the camera.
Intune only manages access to the device camera. It doesn't have access to
pictures or videos.
Default permission policy (work profile-level): This setting defines the default
permission policy for requests for runtime permissions. Your options:
Device default (default): Use the device's default setting.
Prompt: Users are prompted to approve the permission.
Auto grant: Permissions are automatically granted.
Auto deny: Permissions are automatically denied.
Date and Time changes: Block prevents users from manually setting the date and
time. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to set the date and time on the
device.
Roaming data services: Block prevents data roaming over the cellular network.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow data roaming when the device is on a
cellular network.
Wi-Fi access point configuration: Block prevents users from creating or changing
any Wi-Fi configurations. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to change the
Wi-Fi settings on the device.
Tethering and access to hotspots: Block prevents tethering and access to portable
hotspots. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow tethering and access to portable
hotspots.
USB file transfer: Block prevents transferring files over USB. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow transferring files.
External media: Block prevents using or connecting any external media on the
device. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow external media on the device.
Beam data using NFC (work-profile level): Block prevents using the Near Field
Communication (NFC) technology to beam data from apps. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using NFC to share data between devices.
Developer settings: Choose Allow to let users access developer settings on the
device. When set to Not configured (default), Intune doesn’t change or update this
setting. By default, the OS might prevent users from accessing developer settings
on the device.
Factory reset protection emails: Choose Google account email addresses. Enter
the email addresses of device administrators that can unlock the device after it's
wiped. Be sure to separate the email addresses with a semi-colon, such as
admin1@gmail.com;admin2@gmail.com. These emails only apply when a non-user
factory reset is run, such as running a factory reset using the recovery menu.
When set to Not configured (default), Intune doesn't change or update this
setting.
System update: Choose an option to define how the device handles over-the-air
updates. Your options:
Device Default (default): Use the device's default setting. By default, if the
device is connected to Wi-Fi, is charging, and is idle, then the OS updates
automatically. For app updates, the OS also validates if the app isn't running in
the foreground.
Postponed: Updates are postponed for 30 days. At the end of the 30 days,
Android prompts users to install the update. It's possible for device
manufacturers or carriers to prevent (exempt) important security updates from
being postponed. An exempted update shows a system notification to users on
the device.
This setting applies to operating system and Play Store app updates. Any
maintenance window takes precedence over in-progress device changes.
Use this option for dedicated devices, such as kiosks, as single-app dedicated
device foreground apps can be updated.
Freeze periods for system updates: Optional. When you set the System update
setting to Automatic, Postponed, or Maintenance window, use this setting to
create a freeze period:
Start date: Enter the start date in MM/DD format. For example, enter 11/15 to
start the freeze period on November 15.
End date: Enter the end date in MM/DD format. For example, enter 01/15 to end
the freeze period on January 15.
A freeze period can be up to 90 days long, and it can span the end of the year,
as in this example.
During this freeze period, all incoming system updates and security patches are
blocked, including manually checking for updates.
When a device's clock is outside the freeze period, the device continues to receive
updates based on your System update setting.
To set multiple annually recurring freeze periods, make sure the freeze periods are
separated by at least 60 days.
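A pre-flight check for the freeze period rules above, as an added example in Python (not Intune's or Android's code). It computes each period's length and the gap between periods on a 366-day year, so that 02/29 is a valid day and a period such as 11/15 to 01/15 wraps correctly, and it reports any period longer than 90 days, any gap shorter than 60 days, and periods that overlap. The constants and the overlap check are the example's own.

```python
# Added example, not Intune's or Android's code: validate freeze periods before
# entering them, using the rules stated in the article (MM/DD dates, at most 90
# days per period, at least 60 days between annually recurring periods).
# Assumption: a 366-day year (2000 is used as the reference leap year).
from datetime import date

YEAR_DAYS = 366
MAX_PERIOD_DAYS = 90
MIN_GAP_DAYS = 60


def day_of_year(mmdd):
    """'11/15' -> 320. Raises ValueError for an impossible date such as '02/30'."""
    month, day = (int(part) for part in mmdd.split("/"))
    return date(2000, month, day).timetuple().tm_yday


def period_length(start, end):
    """Inclusive length in days, wrapping through 12/31 when end precedes start."""
    return (day_of_year(end) - day_of_year(start)) % YEAR_DAYS + 1


def validate_freeze_periods(periods):
    """Return a list of problems for a list of (start, end) pairs; empty means OK."""
    problems = []
    for start, end in periods:
        length = period_length(start, end)
        if length > MAX_PERIOD_DAYS:
            problems.append(f"{start}-{end} is {length} days long; "
                            f"the maximum is {MAX_PERIOD_DAYS}")
    if len(periods) > 1:
        ordered = sorted(periods, key=lambda p: day_of_year(p[0]))
        # Compare each period's end with the next period's start, including the
        # wrap from the last period of the year back around to the first one.
        for (s1, e1), (s2, e2) in zip(ordered, ordered[1:] + ordered[:1]):
            if (day_of_year(s2) - day_of_year(s1)) % YEAR_DAYS < period_length(s1, e1):
                problems.append(f"{s2}-{e2} overlaps {s1}-{e1}")
                continue
            gap = (day_of_year(s2) - day_of_year(e1)) % YEAR_DAYS - 1
            if gap < MIN_GAP_DAYS:
                problems.append(f"only {gap} days between {s1}-{e1} and {s2}-{e2}; "
                                f"at least {MIN_GAP_DAYS} are required")
    return problems


if __name__ == "__main__":
    plans = ([("11/15", "01/15")],
             [("11/15", "01/15"), ("03/01", "03/31")],
             [("11/15", "01/15"), ("04/01", "04/30")])
    for plan in plans:
        print(plan, "->", validate_freeze_periods(plan) or "ok")
```

The second plan in the usage block fails because March 1 is only 45 days after January 15; moving the spring period to April satisfies the 60-day rule. Remember that during any accepted period security patches are blocked too, so keep periods as short as the change-freeze actually needs.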
Factory reset: Block prevents users from using the factory reset option in the
device's settings. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to use this setting on the
device.
Status bar: Block prevents access to the status bar, including notifications and
quick settings. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users access to the status bar.
Wi-Fi setting changes: Block prevents users from changing Wi-Fi settings created
by the device owner. Users can create their own Wi-Fi configurations. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to change the Wi-Fi settings on the device.
USB storage: Choose Allow to access USB storage on the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might prevent access to USB storage.
Network escape hatch: Enable allows users to turn on the network escape hatch
feature. If a network connection isn't made when the device boots, then the escape
hatch asks to temporarily connect to a network and refresh the device policy. After
applying the policy, the temporary network is forgotten and the device continues
booting. This feature connects devices to a network if:
There isn't a suitable network in the last policy.
The device boots into an app in lock task mode.
Users are unable to reach the device settings.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might prevent users from turning on the network
escape hatch feature on the device.
Skip first use hints: Enable hides or skips suggestions from apps that step through
tutorials, or hints when the app starts. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might show these
suggestions when the app starts.
Dedicated devices
Power button menu: Block hides the power options when users hold down the
power button when in kiosk mode. Hiding these options prevents users from
accidentally or intentionally shutting down devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, when users hold
down the power button on a device, they're shown power options, such as Restart
and Power off.
System error warnings: Allow shows system warnings on the screen when in kiosk
mode, including unresponsive apps and system warnings. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might hide these warnings. When one of these events occurs, the system forces
the app to close.
Enabled system navigation features: Allow users to access the device home and
overview buttons when in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS might disable the device home and overview buttons.
Home button only: Users can see and select the home button. They can't see or
select the overview buttons.
Home and overview buttons: Users can see and select the home and overview
buttons.
System notifications and information: Allow users to access the device status bar,
and receive notifications from the status bar when in kiosk mode. Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS might disable the status bar, and disable notifications on the
status bar.
Show system information in device's status bar: Users can see system
information on the status bar. Users can't see or receive notifications from the
status bar.
Show system notifications and information in device's status bar: Users can
see the system information, and receive notifications from the status bar. To see
notifications, enable the device home button using the Enabled system
navigation features setting.
End-user access to device settings: Block prevents users from accessing the
Settings app. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to access the Settings app.
Search work contacts and display work contact caller-id in personal profile: In
the personal profile, Block prevents users from searching work contacts, and
showing work caller ID information.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow searching work contacts, and show work
caller IDs.
Copy and paste between work and personal profiles: Allow lets users copy and
paste data between the work and personal profiles.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might:
Prevent users from pasting text into the personal profile that's copied from the
work profile.
Allow users to copy text from the personal profile, and paste into the work
profile.
Allow users to copy text from the work profile, and paste into the work profile.
Data sharing between work and personal profiles: Choose if data can be shared
between work and personal profiles. Your options:
Device default: Intune doesn't change or update this setting. By default, the OS
might prevent users from sharing data in the work profile with the personal
profile. Data in the personal profile can be shared in the work profile.
Block all sharing between profiles: Prevents users from sharing data between
the work and personal profiles.
Block sharing from work to personal profile: Prevents users from sharing data
in the work profile with the personal profile. Data in the personal profile can be
shared with the work profile.
No restrictions on sharing: Data can be shared between the work and personal
profiles.
System security
Threat scan on apps: Require (default) enables Google Play Protect to scan apps
before and after they're installed. If it detects a threat, it may warn users to remove
the app from the device. When set to Not configured, Intune doesn't change or
update this setting. By default, the OS might not enable or run Google Play Protect
to scan apps.
Common Criteria mode: Require enables an elevated set of security standards that
are most often used in highly sensitive organizations, such as government
establishments. Those settings include but aren't limited to:
AES-GCM encryption of Bluetooth Long Term Keys
Wi-Fi configuration stores
Blocks bootloader download mode, the manual method for software updates
Mandates additional key zeroization on key deletion
Prevents non-authenticated Bluetooth connections
Requires that FOTA updates have 2048-bit RSA-PSS signature
When set to Not configured (default), Intune doesn't change or update this
setting.
Device experience
Use these settings to configure a kiosk-style experience on your dedicated devices, or to
customize the home screen experiences on your fully managed devices. You can
configure devices to run one app, or run many apps. When a device is set with kiosk
mode, only the apps you add are available.
Enrollment profile type: Select an enrollment profile type to start configuring Microsoft
Launcher or the Microsoft Managed Home Screen on your devices. Your options:
Not configured: Intune doesn't change or update this setting. By default, users
might see the device's default home screen experience.
Kiosk mode: Choose if the device runs one app or runs multiple apps. Your
options:
Single app: Users can only access a single app on the device. When the
device starts, only the specific app starts. Users are restricted from opening
new apps or from changing the running app.
Select an app to use for kiosk mode: Select the Managed Google Play
app from the list.
Multi-app: Users can access a limited set of apps on the device. When the
device starts, only the apps you add start. You can also add some web links
that users can open. When the policy is applied, users see icons for the
allowed apps on the home screen.
Custom app layout: Enable lets you put apps and folders in different
places on the Managed Home Screen. When set to Not configured,
Intune doesn't change or update this setting. By default, the apps and
folders you add are shown on the home screen in alphabetical order.
Grid size: Select the size of your home screen. An app or folder takes
one place on the grid.
Home screen: Select the add button, and select an app from the list.
Select the Folder option to create a folder, enter the Folder name, and
add apps from your list to the folder.
When you add items, select the context menu to remove items, or
move them to different positions:
Add: Select your apps from the list.
If the Managed Home Screen app isn't listed, then add it from Google
Play . Be sure to assign the app to the device group created for your
dedicated devices.
You can also add other Android apps and web apps created by your
organization to the device. Be sure to assign the app to the device group
created for your dedicated devices.
Lock home screen: Enable prevents users from moving app icons and
folders. They're locked, and can't be dragged-and-dropped to different
places on the grid. When set to Not configured, Intune doesn't change or
update this setting. By default, users can move these items.
Folder icon: Select the color and shape of the folder icon that's shown on
the Managed Home Screen. Your options:
Not configured
Dark theme rectangle
Dark theme circle
Light theme rectangle
Light theme circle
App and Folder icon size: Select the size of the app and folder icons shown
on the Managed Home Screen. Your options:
Not configured
Extra small
Small
Average
Large
Extra large
Depending on the screen size, the actual icon size may be different.
App notification badges: Enable shows the number of new and unread
notifications on app icons. When set to Not configured, Intune doesn't
change or update this setting.
Virtual home button: A soft-key button that returns users to the Managed
Home Screen so users can switch between apps. Your options:
Not configured (default): A home button isn't shown. Users must use
the back button to switch between apps.
Swipe-up: A home button shows when a user swipes up on the device.
Floating: Shows a persistent, floating home button on the device.
1. Continues to select the back button until the Exit kiosk button
shows.
2. Selects the Exit kiosk button, and enters the Leave kiosk mode code
PIN.
3. When finished, select the Managed Home Screen app. This step
relocks the device into multi-app kiosk mode.
Leave kiosk mode code: Enter a 4-6 digit numeric PIN. The administrator
uses this PIN to temporarily pause kiosk mode.
Note: For the best experience and crisp detail, create per-device image assets
that match each display's specifications.
Quick access to debug menu: This setting controls how users access the
debug menu. Your options:
Enable: Users can access the debug menu easier. Specifically, they can
swipe down, or use the Managed Settings shortcut. As always, they can
continue to select the back button 15 times.
Not configured (default): Intune doesn't change or update this setting.
By default, easy access to the debug menu is turned off. Users must
select the back button 15 times to open the debug menu.
Wi-Fi allow list: Create a list of valid wireless network names, also
known as the service set identifier (SSID). Managed Home Screen users
can only connect to the SSIDs you enter.
Wi-Fi SSIDs are case sensitive. If the SSID is valid but the capitalization
you enter doesn't match the network name, then the network isn't
shown.
SSID: You can also enter the Wi-Fi network names (SSID) that Managed
Home Screen users can connect to. Be sure to enter valid SSIDs.
Important: In the October 2020 release, the Managed Home Screen API was
updated to be compliant with the Google Play Store requirements.
The following changes impact Wi-Fi configuration policies in the
Managed Home Screen:
Important: On devices running Android 10 or later with Managed Home Screen,
Bluetooth pairing with devices that require a pairing key works only if admins
enable the following Android system apps:
Android System Bluetooth
Android System Settings
Android System UI
Media volume control: Enable shows the media volume control on the
Managed Home Screen, and allows users to adjust the device's media
volume using a slider. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might not show
the media volume control on Managed Home Screen. It prevents users
from adjusting the device's media volume while using the Managed Home
Screen, unless their hardware buttons support it.
Set custom screen saver image: Enter the URL to a custom PNG, JPG,
JPEG, GIF, BMP, WebP, or ICO image. If you don't enter a URL, then the
device's default image is used, if there's a default image. For example, enter
www.contoso.com/image.bmp or https://www.contoso.com/image.webp.
Fully managed: Configures the Microsoft Launcher app on fully managed devices.
Make Microsoft Launcher the default launcher: Enable sets Microsoft Launcher
as the default launcher on the home screen. If you make Launcher the default,
users can't use another launcher. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the Microsoft Launcher isn't
forced as the default launcher.
Configure custom wallpaper: In the Microsoft Launcher app, Enable lets you
apply your own image as the home screen wallpaper, and choose if users can
change the image. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the device keeps its current wallpaper.
Enter URL of wallpaper image: Enter the URL of your wallpaper image. This
image shows on the device home screen. For example, enter
http://www.contoso.com/image.jpg. Prefer an https URL so the image can't be
swapped on the network path between the device and your web server.
Enable launcher feed: Enable turns on the launcher feed, which shows
calendars, documents, and recent activities. When set to Not configured
(default), Intune doesn't change or update this setting. By default, this feed isn't
shown.
Allow user to enable/disable feed: Enable lets users enable or disable the
launcher feed. Enable only forces this setting the first time the profile is
assigned. Any future profile assignments don't force this setting. When set to
Not configured (default), Intune doesn't change or update this setting. By
default, users are prevented from changing the launcher feed settings.
Dock presence: The dock gives users quick access to their apps and tools. Your
options:
Not configured (default): Intune doesn't change or update this setting.
Show: The dock is shown on devices.
Hide: The dock is hidden. Users must swipe up to access the dock.
Disabled: The dock isn't shown on devices, and users are prevented from
showing it.
Allow user to change dock presence: Enable allows users to show or hide the
dock. Enable only forces this setting the first time the profile is assigned. Any
future profile assignments don't force this setting. When set to Not configured
(default), Intune doesn't change or update this setting. By default, users aren't
allowed to change the device dock configuration.
Search bar replacement: Choose where to put the search bar. Your options:
Not configured (default): Intune doesn't change or update this setting.
Top: Search bar is shown at the top of devices.
Bottom: Search bar is shown at the bottom of devices.
Hide: Search bar is hidden.
Device password
Device default (default): Most devices don't require a password when set to
Device default. If you want to require users to set up a passcode on their
devices, configure this setting to something more secure than Device default.
Weak biometric: Strong vs. weak biometrics (opens Android's web site)
Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't
required. Also enter:
Minimum password length: Enter the minimum length the password must
have, between 4 and 16 characters.
Number of days until password expires: Enter the number of days, until the device
password must be changed, from 1-365. For example, enter 90 to expire the
password after 90 days. When the password expires, users are prompted to create
a new password. When the value is blank, Intune doesn't change or update this
setting.
Number of passwords required before user can reuse a password: Use this
setting to restrict users from creating previously used passwords. Enter the number
of previously used passwords that can't be used, from 1-24. For example, enter 5
so users can't set a new password to their current password or any of their
previous four passwords. When the value is blank, Intune doesn't change or
update this setting.
Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the device is wiped, from 4-11. When the value is blank,
Intune doesn't change or update this setting.
Note
Users on fully managed and corporate-owned work profile devices aren't
prompted to set a password. The settings are required, but users might not
be notified. Users need to set the password manually. The policy reports as
failed until the user sets a password that meets your requirements.
To apply the device password settings during device enrollment, assign the
device restriction profile to users, not devices. During enrollment, users are
asked to set a screen lock. Then, they must choose a device password that
meets all the requirements in this device restriction profile.
On dedicated devices that are not using kiosk mode, users are not notified
of any password requirement. Users need to set the password manually.
The policy reports as failed until the user sets a password that meets your
requirements.
Disabled lock screen features: When the device is locked, choose the features that
can't be used. For example, when Secure camera is checked, the camera feature is
disabled on the device. Any features not checked are enabled on the device.
These features are available to users when the device is locked. Users won't see or
access features that are checked.
On corporate-owned work profile devices, only Unredacted notifications, Trust
agents, and Fingerprint unlock can be disabled.
If users turn off the Use one lock setting on their device, then disabling
Fingerprint unlock and disabling Trust agents apply at the corporate-owned
work profile-level. If users turn on the Use one lock setting, then disabling
Fingerprint unlock and disabling Trust agents apply at the device-level.
Select how long users have before they're required to unlock the device using a
strong authentication method. Your options:
Device default (default): The screen locks using the device's default time.
24 hours since last pin, password, or pattern unlock: The screen locks 24 hours
after users last used a strong authentication method to unlock the device. When
the timeout is reached, non-strong authentication methods are disabled until
the device is unlocked using strong authentication.
2.3.4 Advanced passcode management: Strong Authentication required timeout
(opens Android's web site)
Power settings
Dedicated devices
Account changes: Block prevents users from updating or changing accounts when
in kiosk mode. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to update user accounts
on the device.
Applications
App auto-updates (work profile-level): Devices check for app updates daily.
Choose when automatic updates are installed. Your options:
Not configured: Intune doesn't change or update this setting.
User choice: The OS might default to this option. Users can set their preferences
in the Managed Google Play app.
Never: Updates are never installed. This option isn't recommended.
Wi-Fi only: Updates are installed only when the device is connected to a Wi-Fi
network.
Always: Updates are installed when they're available.
Allow access to all apps in Google Play store: When set to Allow:
Users get access to all apps in the Google Play store.
Users can't use apps that are explicitly targeted with uninstall.
Users can't use apps that are added to a blocklist on the personal profile of
corporate-owned devices with a work profile.
For more information on excluding users and groups from specific apps, see
Include and exclude app assignments.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might:
Only show apps in the Managed Google Play store that are approved, or apps
that are required.
Uninstall apps that were installed outside of the Managed Google Play store.
If you want to enable side-loading, set the Allow installation from unknown sources
and Allow access to all apps in Google Play store settings to Allow.
Dedicated devices
Clear local data in apps not optimized for Shared device mode: Add any app not
optimized for shared device mode to the list. The app's local data will be cleared
whenever a user signs out of an app that's optimized for shared device mode.
Available for dedicated devices enrolled with Shared mode running Android 9 and
later.
When you use this setting, users can't initiate sign out from non-optimized apps
and get single sign-out.
Users will need to sign out of an app that has been optimized for Shared Device
mode. Microsoft apps that are optimized for Shared device mode on Android
include Teams and Intune’s Managed Home Screen.
For apps that haven't been optimized for Shared Device mode, deleting
application data extends to local app storage only. Data may be left in other
areas of the device. User identifying artifacts such as email address and
username may be left behind on the app and visible by others.
Non-optimized apps that provide support for multiple accounts could exhibit
indeterminate behavior and are therefore not recommended.
All non-optimized apps should be thoroughly tested before being used in multi-
user scenarios on shared devices to ensure they work as expected. For example,
validate your core scenarios in each app, verify that the app signs out properly, and
that all data is sufficiently cleared for your organization’s needs.
Connectivity
Choose Not configured to disable always-on VPN for all VPN clients.
Important
VPN client: Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID: Enter the package ID of the app in the Google Play store. For
example, if the URL for the app in the Play store is
https://play.google.com/store/details?id=com.contosovpn.android.prod,
Important
The VPN client you choose must be installed on the device, and it must
support per-app VPN in corporate-owned work profiles. Otherwise, an
error occurs.
You do need to approve the VPN client app in the Managed Google Play
Store, sync the app to Intune, and deploy the app to the device. After you
do this, then the app is installed in the user's corporate-owned work
profile.
You still need to configure the VPN client with a VPN profile, or through an
app configuration profile.
There may be known issues when using per-app VPN with F5 Access for
Android 3.0.4. For more information, see F5's release notes for F5 Access
for Android 3.0.4.
Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a
connection to the VPN isn't established, then the device won't have network
access. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow traffic to flow through the VPN tunnel or
through the mobile network.
Proxy Auto-Config: Enter the PAC URL to a proxy autoconfiguration script. For
example, enter https://proxy.contoso.com/proxy.pac.
For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).
For more information on this feature, see setRecommendedGlobalProxy (opens
an Android site).
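The Proxy Auto-Config setting above only carries a URL; what the device fetches from that URL is a small JavaScript file whose FindProxyForURL function is called for every request. The following is an added example of such a script, not Intune's or Android's own code. The proxy host proxy.contoso.com:8080 and the internal domain suffix are assumptions; the two helper functions at the top are stand-ins for helpers the PAC runtime provides, included only so the script runs outside a device.

```javascript
// Added example (not Intune's or Android's own code): a minimal proxy auto-config
// script of the kind the "Proxy Auto-Config" setting points at. The proxy host and
// the internal domain suffix are assumptions for the example.

// The PAC runtime on the device provides these two helpers; the stand-ins below let
// the script run and be checked outside a browser or Android.
function isPlainHostName(host) {
  return !host.includes(".");
}
function dnsDomainIs(host, domain) {
  // Same semantics as the PAC built-in: suffix match, so the leading dot matters.
  return host.length >= domain.length && host.endsWith(domain);
}

// Assumed internal domain suffix and proxy server for the example.
const INTERNAL_DOMAIN = ".contoso.com";
const PROXY = "PROXY proxy.contoso.com:8080";

// Entry point the device calls for every request. Returning the proxy without a
// trailing "; DIRECT" means external traffic fails closed if the proxy is down,
// instead of silently bypassing it.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Unqualified names and loopback never leave the device or the local network.
  if (isPlainHostName(h) || h === "localhost" || h === "127.0.0.1") return "DIRECT";
  // Internal hosts under the assumed domain suffix go direct.
  if (dnsDomainIs(h, INTERNAL_DOMAIN)) return "DIRECT";
  // Everything else must go through the proxy.
  return PROXY;
}

// Constructed sample requests showing the three outcomes.
console.log(FindProxyForURL("http://intranet/", "intranet"));                  // DIRECT
console.log(FindProxyForURL("https://portal.contoso.com/", "portal.contoso.com")); // DIRECT
console.log(FindProxyForURL("https://evilcontoso.com/", "evilcontoso.com"));   // PROXY proxy.contoso.com:8080
```

The last sample shows why the domain check keeps its leading dot: evilcontoso.com is not under .contoso.com and is sent through the proxy. Whether external traffic should fall back to DIRECT when the proxy is unreachable is a policy decision; this script chooses not to.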
Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:
Device default
Weak biometric: Strong vs. weak biometrics (opens Android's web site)
Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't
required. Also enter:
Minimum password length: Enter the minimum length the password must
have, between 4 and 16 characters.
Number of days until password expires: Enter the number of days, until the device
password must be changed, from 1-365. For example, enter 90 to expire the
password after 90 days. When the password expires, users are prompted to create
a new password. When the value is blank, Intune doesn't change or update this
setting.
Number of passwords required before user can reuse a password: Use this
setting to restrict users from creating previously used passwords. Enter the number
of previously used passwords that can't be used, from 1-24. For example, enter 5
so users can't set a new password to their current password or any of their
previous four passwords. When the value is blank, Intune doesn't change or
update this setting.
Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the device is wiped, from 4-11. 0 (zero) might disable
the device wipe functionality. When the value is blank, Intune doesn't change or
update this setting.
Note
Fully managed, dedicated, and corporate-owned work profile devices are not
prompted to set a password. The settings are required, but users might not be
notified. Users need to set the password manually. The policy reports as failed
until the user sets a password that meets your requirements.
Required unlock frequency: Strong authentication is when users unlock the work
profile using a password, PIN, or pattern. Non-strong authentication methods are
when users unlock the work profile using some biometric options, such as a
fingerprint or face scan.
Select how long users have before they're required to unlock the work profile
using a strong authentication method. Your options:
Device default (default): The screen locks using the device's default time.
24 hours since last pin, password, or pattern unlock: The screen locks 24 hours
after users last used a strong authentication method to unlock the work profile.
When the timeout is reached, non-strong authentication methods are disabled
until the work profile is unlocked using strong authentication.
Personal profile
Camera: Block prevents access to the camera during personal use. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow using the camera in the personal profile.
Screen capture: Block prevents screen captures during personal use. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to get screen captures or screenshots in the personal
profile.
Allow users to enable app installation from unknown sources in the personal
profile: Select Allow so users can install apps from unknown sources in the
personal profile. It allows users to install apps from sources other than the Google
Play Store. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might prevent users from installing apps from
unknown sources in the personal profile.
Type of restricted apps list: Select Allow apps to create a list of Managed Google
Play apps that are allowed and approved to install and run in the personal profile
on the device. Select Blocked apps to create a list of Managed Google Play apps
that are prohibited and prevented from installing and running in the personal
profile on the device. When set to Not configured (default), Intune doesn't include
a list of apps to allow or block.
By default, the OEM default messages are shown. When you deploy a custom message
using Intune, the Intune default message is also deployed. If you don't enter a custom
message for the device's default language, then the Intune default message is
automatically shown.
For example, you deploy a custom message for English and French. The user changes
the device's default language to Spanish. Since you didn't deploy a custom message to
the Spanish language, then the Intune default message is shown.
The Intune default message is translated for all languages in the Endpoint Manager
admin center (Settings > Language + Region). The Language setting value
determines the default language used by Intune. By default, it's set to English.
Short support message: When users try to change a setting that's managed by the
organization, a short message is shown.
Using the following settings, you can customize this message and enter a different
message for different languages. By default, this message is in English (United
States).
All, except when specified: This message is the Intune default message, and is
shown for all languages. If you don't enter a custom message, then this text is
automatically shown. This text is also automatically translated to the device's
default language.
You can change this message. Any changes aren't translated. If you delete all
the text in this message and leave this setting blank, then the following original
short Intune default message is used and is translated:
You do not have permission for this action. For more information, contact
your IT admin.
Select Locale: Select the locale or region to show a different custom message
for that specific locale.
Long support message: On the device, in Settings > Security > Device admin
apps > Device Policy, a long support message is shown.
Using the following settings, you can customize this message and enter a different
message for different languages. By default, this message is in English (United
States).
All, except when specified: This message is the Intune default message, and is
shown for all languages. If you don't enter a custom message, then this text is
automatically shown, and is automatically translated to the device's default
language.
You can change this message. Any changes aren't translated. If you delete all
the text in this message and leave this setting blank, then the following original
long Intune default message is used and is translated:
The organization's IT admin can monitor and manage apps and data associated
with this device, including settings, permissions, corporate access,
Select Locale: Select the locale or region to show a different custom message
for that specific locale.
Message: Enter the text you want shown, a max of 4096 characters. The text you
enter isn't translated to the device's default language. So if you want to show a
message in Spanish, enter the text in Spanish.
Lock screen message: Enter the text you want shown on the device lock screen.
Using the following settings, you can customize this message and enter a different
message for different languages. By default, this message is in English (United
States).
All, except when specified: Enter the text you want shown for all languages, a
max of 4096 characters. This text is automatically translated to the device's
default language. If you don't enter a custom message, then Intune doesn't
change or update this setting. By default, the OS might not show a lock screen
message.
Select Locale: Select the locale or region to show a different custom message
for that specific locale.
Message: Enter the text you want shown, a max of 4096 characters. The text you
enter isn't translated to the device's default language. So if you want to show a
message in Spanish, enter the text in Spanish.
When you configure the Lock screen message, you can also use the following
device tokens to show device-specific information:
{{AADDeviceId}}: Azure AD device ID
{{AccountId}}: Intune tenant ID or account ID
Note
Variables aren't validated in the UI and are case sensitive. As a result, you may
see profiles saved with incorrect input. For example, if you enter
{{DeviceID}}, instead of {{deviceid}} or {{DEVICEID}}, then the literal string
is shown instead of the device's unique ID. Be sure to enter the correct
information. All lowercase or all uppercase variables are supported, but not a
mix.
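Because the admin center doesn't validate these variables, a mistyped token only shows up later as a literal string on the lock screen. The following is an added example, not Intune's own code, that checks a lock screen message before it is saved: it reports unknown and mixed-case tokens and previews what the device would show. The two token names come from the list above; the case rule (all lowercase or all uppercase, never a mix) is taken literally from the note; the 4096-character limit is the Message setting's maximum. The sample message and the placeholder ID values are constructed.

```javascript
// Added example (not Intune's own code). Pre-validates the device tokens in a lock
// screen message, since the admin center doesn't validate them. Token names are the
// two listed above; the case rule (all lowercase or all uppercase, never mixed) is
// taken from the note; 4096 is the documented maximum message length.
const KNOWN_TOKENS = ["AADDeviceId", "AccountId"];
const MAX_MESSAGE_LENGTH = 4096;
const TOKEN_PATTERN = /\{\{([^{}]*)\}\}/g;

// Maps a token name, case-insensitively, to the canonical name from the list above.
function canonicalToken(name) {
  return KNOWN_TOKENS.find((t) => t.toLowerCase() === name.toLowerCase()) || null;
}

// The note says all-lowercase or all-uppercase forms work, but not a mix.
function isUniformCase(name) {
  return name === name.toLowerCase() || name === name.toUpperCase();
}

// Returns a report: length check plus one finding per token found in the message.
function validateLockScreenMessage(message) {
  const findings = [];
  for (const match of message.matchAll(TOKEN_PATTERN)) {
    const [token, name] = match;
    const canonical = canonicalToken(name);
    if (!canonical) {
      findings.push({ token, status: "unknown" });
    } else if (!isUniformCase(name)) {
      findings.push({ token, status: "mixedCase", suggestion: `{{${canonical.toLowerCase()}}}` });
    } else {
      findings.push({ token, status: "ok", resolves: canonical });
    }
  }
  return {
    withinLengthLimit: message.length <= MAX_MESSAGE_LENGTH,
    problems: findings.filter((f) => f.status !== "ok"),
    findings,
  };
}

// Previews what the device would show: only uniform-case known tokens are replaced;
// anything else is left as the literal string, as the note describes.
function previewLockScreenMessage(message, values) {
  return message.replace(TOKEN_PATTERN, (token, name) => {
    const canonical = canonicalToken(name);
    if (canonical && isUniformCase(name) && canonical in values) return values[canonical];
    return token;
  });
}

// Constructed sample: one valid token, one mixed-case token, one unknown token.
const sampleMessage =
  "Property of Contoso. Device {{aaddeviceid}}, tenant {{AccountID}}, asset {{AssetTag}}.";
// Constructed placeholder values standing in for the real IDs the device would insert.
const sampleValues = { AADDeviceId: "<device-id-placeholder>", AccountId: "<tenant-id-placeholder>" };

console.log(validateLockScreenMessage(sampleMessage).problems);
console.log(previewLockScreenMessage(sampleMessage, sampleValues));
```

Run the check over every locale's message, not only the default one, since each Select Locale entry is saved separately.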
Next steps
Assign the profile and monitor its status.
You can also create dedicated device kiosk profiles for Android and Windows 10 devices.
This article describes the different settings you can control on Android Enterprise
devices. As part of your mobile device management (MDM) solution, use these settings
to allow or disable features, control security, and more.
Tip
When you create device restriction policies, there are many settings available. To
help determine the settings that are right for your organization, you can use the
security configuration framework guidance:
Android Enterprise personally owned work profile security settings
General settings
Copy and paste between work and personal profiles: Block prevents copy-and-
paste between work and personal apps. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users
to share data using copy-and-paste with apps in the personal profile.
Data sharing between work and personal profiles: Choose if apps in the work
profile can share with apps in the personal profile. For example, you can control
sharing actions within applications, such as the Share… option in the Chrome
browser app. This setting doesn't apply to copy/paste clipboard behavior. Your
options:
Device default: Sharing from the work profile to the personal profile is blocked.
Sharing from the personal profile to the work profile is allowed.
Apps in work profile can handle sharing request from personal profile:
Enables the built-in Android feature that allows sharing from the personal
profile to the work profile. When enabled, a sharing request from an app in the
personal profile can share with apps in the work profile.
No restrictions on sharing: Enables sharing across the work profile boundary in
both directions. When you select this setting, apps in the work profile can share
data with unbadged apps in the personal profile. This setting allows managed
apps in the work profile to share with apps on the unmanaged side of the
device. So, use this setting carefully.
Default app permissions: Sets the default permission policy for all apps in the
work profile. Starting with Android 6, users are prompted to grant certain
permissions required by apps when the app is launched. This policy setting lets
you decide if users are prompted to grant permissions for all apps in the work
profile. For example, you assign an app to the work profile that requires location
access. Normally that app prompts users to approve or deny location access to the
app. Use this policy to automatically grant permissions without a prompt,
automatically deny permissions without a prompt, or let users decide. Your
options:
Device default
Prompt
Auto grant
Auto deny
You can also use an app configuration policy to grant permissions for individual
apps (Apps > App configuration policies).
Add and remove accounts: This setting allows or prevents accounts from being
added in the work profile, including Google accounts. Your options:
Allow all accounts types, except Google accounts (default): Intune doesn't
change or update this setting. By default, the OS might allow adding accounts
in the work profile.
Allow all account types: Allows all accounts, including Google accounts. These
Google accounts are blocked from installing apps from the Managed Google
Play Store.
Google domain allow-list: Restricts users to add only certain Google account
domains in the work profile. You can import a list of allowed domains in the
following format, one domain per line (CSV):
contoso.com
microsoft.com
Or, add the domains individually using the contoso.com format. When left
blank, by default, the OS might allow adding all Google domains in the work
profile.
Block all account types: Prevents users from manually adding or removing
accounts in the work profile. For example, when you deploy the Gmail app into
the work profile, you can prevent users from adding or removing accounts in
this work profile.
Note
On personally owned devices with a work profile (BYOD) and corporate owned
devices with work profile (COPE), Google accounts can't be added to the
Settings app > Accounts > Work.
Contact sharing via Bluetooth: Enable allows sharing and access to personally
owned devices with a work profile contacts from another device, including a car,
that's paired using Bluetooth. Enabling this setting may allow certain Bluetooth
devices to cache work contacts upon first connection. Disabling this policy after an
initial pairing/sync may not remove work contacts from a Bluetooth device.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might not share work contacts.
Screen capture: Block prevents screenshots or screen captures on the device in the
work profile. It also prevents the content from being shown on display devices that
don't have a secure video output. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow getting
screenshots.
Display work contact caller-id in personal profile: Block doesn't show the work
contact caller number in the personal profile. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
show work contact caller details.
Search work contacts from personal profile: Block prevents users from searching
for work contacts in apps in the personal profile. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow searching for work contacts in the personal profile.
Camera: Block prevents access to the camera on the device in the personally
owned work profile. The camera on the personal side isn't affected by the setting.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow access to the camera.
Allow widgets from work profile apps: Enable allows users to put widgets
exposed by apps on the home screen. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might disable this
feature.
For example, Outlook is installed on your users' work profile. When set to Enable,
users can put the agenda widget on the device home screen.
Work Profile Password
These password settings apply to the work profile password on personally owned
devices with a work profile.
Require Work Profile Password: Require forces a passcode policy that only applies
to apps in the work profile. By default, users can use the two separately defined
PINs. Or, users can combine the PINs into the stronger of the two PINs. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to use work apps without entering a password.
Maximum minutes of inactivity until work profile locks: Enter the length of time
devices must be idle before the screen is automatically locked. Users must enter
their credentials to regain access. For example, enter 5 to lock the device after 5
minutes of being idle. When the value is blank or set to Not configured, Intune
doesn't change or update this setting.
On devices, users can't set a time value greater than the configured time in the
profile. Users can set a lower time value. For example, if the profile is set to 15
minutes, users can set the value to 5 minutes. Users can't set the value to 30
minutes.
Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the work profile on the device is wiped, from 4-11. 0
(zero) might disable the device wipe functionality. When the value is blank, Intune
doesn't change or update this setting.
Password expiration (days): Enter the number of days until user passwords must
be changed (from 1-365).
Prevent reuse of previous passwords: Use this setting to restrict users from
creating previously used passwords. Enter the number of previously used
passwords that can't be used, from 1-24. For example, enter 5 so users can't set a
new password to their current password or any of their previous four passwords.
When the value is blank, Intune doesn't change or update this setting.
Face unlock: Block prevents users from using the device's facial recognition to
unlock the personally owned work profile. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow users
to unlock the device using facial recognition.
Fingerprint unlock: Block prevents users from using the device's fingerprint
scanner to unlock the personally owned work profile. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to unlock the device using a fingerprint.
Iris unlock: Block prevents users from using the device's iris scanner to unlock the
personally owned work profile. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
unlock the device using the iris scanner.
Smart Lock and other trust agents: Block prevents Smart Lock or other trust
agents from adjusting lock screen settings on compatible devices. If devices are in
a trusted location, then this feature, also known as a trust agent, lets you disable or
bypass the device lock screen password. For example, bypass the work profile
password when devices are connected to a specific Bluetooth device, or when
devices are close to an NFC tag. Use this setting to prevent users from configuring
Smart Lock.
When set to Not configured (default), Intune doesn't change or update this
setting.
On personally owned devices with a work profile, there are two passwords affected
by this Password complexity setting:
The device password that unlocks the device
The work profile password that allows users to access the work profile
If the device password complexity is too low, then the device password is
automatically changed to require a High complexity. The end users must update
the device password to meet the complexity requirements. Then, they sign into the
work profile and are prompted to update the work profile complexity configured in
the Password complexity setting in your policy.
Important
If the Required password type and Minimum password length settings are
changed from the default values in a policy, then:
If you change an existing policy with the Required password type and
Minimum password length settings that are already configured, then
Android Enterprise 12+ devices will automatically use the Password
complexity setting with the High complexity.
Important
Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:
Device default (default): Intune doesn't change or update this setting. By
default, the OS might not require a password.
Low security biometric: Strong vs. weak biometrics (opens Android's web
site)
Required
At least numeric: Includes numeric characters, such as 123456789.
Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234,
aren't allowed.
At least alphabetic: Includes letters in the alphabet. Numbers and symbols
aren't required.
At least alphanumeric: Includes uppercase letters, lowercase letters, and
numeric characters.
At least alphanumeric with symbols: Includes uppercase letters, lowercase
letters, numeric characters, punctuation marks, and symbols.
Minimum password length: Enter the minimum length the password must have,
between 4 (default) and 16 characters.
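The password settings described under Device password, Required password type and Work Profile Password share the same character-class tiers and the same numeric ranges (minimum length 4-16, expiration 1-365 days, 1-24 previous passwords, 4-11 sign-in failures before wipe, with 0 possibly disabling the wipe). The following is an added example, not Intune's or Android's own code, that checks a candidate password against the listed types and a profile's numeric values against those documented ranges before the profile is assigned. The property names in the policy object are assumptions, not Intune setting names, and the rule used to detect Numeric complex violations (any run of four or more repeated, ascending or descending digits) is an assumption about what "repeated or consecutive" covers.

```javascript
// Added example (not Intune's or Android's own code). Checks a candidate password
// against the "Required password type" tiers described above, and a profile's
// numeric settings against the documented ranges. Property names are assumptions.

// Types that carry no character-class rule in the text above.
const NO_CLASS_RULE = new Set(["deviceDefault", "lowSecurityBiometric", "required"]);

// Numeric complex: repeated (1111) or consecutive (1234) digits aren't allowed.
// Assumption: a run of four or more repeated, ascending or descending digits
// anywhere in the digit sequence disqualifies the password.
function hasRepeatedOrSequentialDigits(pw, runLength = 4) {
  const digits = pw.replace(/\D/g, "").split("").map(Number);
  for (let i = 0; i + runLength <= digits.length; i++) {
    const run = digits.slice(i, i + runLength);
    const diffs = run.slice(1).map((d, k) => d - run[k]);
    const uniform = (step) => diffs.every((d) => d === step);
    if (uniform(0) || uniform(1) || uniform(-1)) return true;
  }
  return false;
}

// Which of the listed types a password satisfies (tiers as described on the page).
function satisfiedTiers(pw) {
  const hasDigit = /[0-9]/.test(pw);
  const hasLetter = /[A-Za-z]/.test(pw);
  const hasUpper = /[A-Z]/.test(pw);
  const hasLower = /[a-z]/.test(pw);
  const hasSymbol = /[^A-Za-z0-9]/.test(pw);
  return {
    numeric: hasDigit,
    numericComplex: hasDigit && !hasRepeatedOrSequentialDigits(pw),
    alphabetic: hasLetter,
    alphanumeric: hasUpper && hasLower && hasDigit,
    alphanumericWithSymbols: hasUpper && hasLower && hasDigit && hasSymbol,
  };
}

// Checks one password against the profile's required type and minimum length.
function checkPassword(pw, { requiredType, minimumLength = 4 }) {
  const problems = [];
  if (pw.length < minimumLength) {
    problems.push(`shorter than the minimum length of ${minimumLength}`);
  }
  if (!NO_CLASS_RULE.has(requiredType)) {
    const tiers = satisfiedTiers(pw);
    if (!(requiredType in tiers)) throw new Error(`unknown required type: ${requiredType}`);
    if (!tiers[requiredType]) problems.push(`does not meet required type "${requiredType}"`);
  }
  return { ok: problems.length === 0, problems };
}

// Documented ranges; a blank value means Intune doesn't change the setting.
const RANGES = {
  minimumLength: [4, 16],
  expirationDays: [1, 365],
  previousPasswordsBlocked: [1, 24],
  signInFailuresBeforeWipe: [4, 11],
};

// Returns a list of problems with the numeric settings of a (hypothetical) profile object.
function validatePolicyRanges(policy) {
  const problems = [];
  for (const [name, [lo, hi]] of Object.entries(RANGES)) {
    const value = policy[name];
    if (value === undefined || value === null || value === "") continue; // blank: not configured
    if (!Number.isInteger(value)) {
      problems.push(`${name}: expected an integer, got ${JSON.stringify(value)}`);
    } else if (name === "signInFailuresBeforeWipe" && value === 0) {
      problems.push(`${name}: 0 might disable the device wipe functionality`);
    } else if (value < lo || value > hi) {
      problems.push(`${name}: ${value} is outside the documented range ${lo}-${hi}`);
    }
  }
  return problems;
}

// Constructed sample profile, mirroring the page's own examples (90 days, 5 previous passwords).
const samplePolicy = {
  requiredType: "alphanumericWithSymbols",
  minimumLength: 8,
  expirationDays: 90,
  previousPasswordsBlocked: 5,
  signInFailuresBeforeWipe: 10,
};

console.log(validatePolicyRanges(samplePolicy));               // []
console.log(checkPassword("Passw0rd", samplePolicy).problems);  // missing a symbol
console.log(checkPassword("Passw0rd!", samplePolicy).ok);       // true
```

The range check treats a blank value as "not configured", matching the page's statement that a blank value leaves the setting unchanged, and flags 0 for the wipe threshold separately because the page says it might disable the wipe rather than set a threshold.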
Password
These password settings apply to the device password on personally owned devices
with a work profile.
All Android devices
Maximum minutes of inactivity until screen locks: Enter the length of time devices
must be idle before the screen is automatically locked. Users must enter their
credentials to regain access. For example, enter 5 to lock the device after 5
minutes of being idle. When the value is blank or set to Not configured, Intune
doesn't change or update this setting.
On devices, users can't set a time value greater than the configured time in the
profile. Users can set a lower time value. For example, if the profile is set to 15
minutes, users can set the value to 5 minutes. Users can't set the value to 30
minutes.
Number of sign-in failures before wiping device: Enter the number of wrong
passwords allowed before the personally owned work profile in the device is
wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the
value is blank, Intune doesn't change or update this setting.
Password expiration (days): Enter the number of days, until the device password
must be changed, from 1-365. For example, enter 90 to expire the password after
90 days. When the password expires, users are prompted to create a new
password. When the value is blank, Intune doesn't change or update this setting.
Prevent reuse of previous passwords: Use this setting to restrict users from
creating previously used passwords. Enter the number of previously used
passwords that can't be used, from 1-24. For example, enter 5 so users can't set a
new password to their current password or any of their previous four passwords.
When the value is blank, Intune doesn't change or update this setting.
Fingerprint unlock: Block prevents users from using the device's fingerprint
scanner to unlock the device. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to unlock the
device using a fingerprint.
Face unlock: Block prevents users from using the device's facial recognition to
unlock the device. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to unlock the device using
facial recognition.
Iris unlock: Block prevents users from using the device's iris scanner to unlock the
device. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to unlock the device using the iris
scanner.
Smart Lock and other trust agents: Block prevents Smart Lock or other trust
agents from adjusting lock screen settings on compatible devices. If devices are in
a trusted location, then this feature, also known as a trust agent, lets you disable or
bypass the device lock screen password. For example, bypass the personally owned
work profile password when devices are connected to a specific Bluetooth device,
or when devices are close to an NFC tag. Use this setting to prevent users from
configuring Smart Lock.
When set to Not configured (default), Intune doesn't change or update this
setting.
On personally owned devices with a work profile, there are two passwords affected
by this Password complexity setting:
The device password that unlocks the device
The work profile password that allows users to access the work profile
If the device password complexity is too low, then the device password is
automatically changed to require a High complexity. The end users must update
the device password to meet the complexity requirements. Then, they sign into the
work profile and are prompted to update the work profile complexity configured in
the Password complexity setting in your policy.
Important
If the Required password type and Minimum password length settings are
changed from the default values in a policy, then:
If you change an existing policy with the Required password type and
Minimum password length settings that are already configured, then
Android Enterprise 12+ devices automatically use the Password
complexity setting with the High complexity.
Required password type: Enter the required password complexity level, and
whether biometric devices can be used. Your options:
Device default (default): Intune doesn't change or update this setting. By
default, the OS might not require a password.
Low security biometric: Strong vs. weak biometrics (opens Android's web
site)
Required
At least numeric: Includes numeric characters, such as 123456789.
Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234,
aren't allowed.
At least alphabetic: Includes letters in the alphabet. Numbers and symbols
aren't required.
At least alphanumeric: Includes uppercase letters, lowercase letters, and
numeric characters.
At least alphanumeric with symbols: Includes uppercase letters, lowercase
letters, numeric characters, punctuation marks, and symbols.
Minimum password length: Enter the minimum length the password must have,
between 4 (default) and 16 characters.
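The password rules described above, modelled in Python as an added illustration (this is not Intune or Android code; enforcement happens on the device). It applies the Required password type definitions, the Minimum password length range and the Prevent reuse of previous passwords count to a candidate password. Treating "repeated or consecutive" as any run of four digits, and the reason strings, are this example's assumptions.

```python
"""Added illustration of the Android Enterprise work-profile password rules
described in this article. Not Intune or Android code: the enforcement
happens on the device, this only models the documented definitions."""
import string
from enum import Enum
from typing import List, Optional


class PasswordType(Enum):
    """The Required password type options, in the article's wording."""
    DEVICE_DEFAULT = "Device default"
    REQUIRED = "Required"
    AT_LEAST_NUMERIC = "At least numeric"
    NUMERIC_COMPLEX = "Numeric complex"
    AT_LEAST_ALPHABETIC = "At least alphabetic"
    AT_LEAST_ALPHANUMERIC = "At least alphanumeric"
    ALPHANUMERIC_WITH_SYMBOLS = "At least alphanumeric with symbols"


def has_repeated_or_consecutive_run(password: str, run_length: int = 4) -> bool:
    """True if any run_length digits in a row are identical (1111) or step by
    exactly one up or down (1234, 4321). Assumption: the article gives only
    these two examples; Android's own numeric-complex check may be stricter."""
    for start in range(len(password) - run_length + 1):
        window = password[start:start + run_length]
        if not all(ch in string.digits for ch in window):
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps.pop() in (-1, 0, 1):
            return True
    return False


def type_violations(password: str, ptype: PasswordType) -> List[str]:
    """Reasons the password misses the chosen Required password type."""
    has_digit = any(ch in string.digits for ch in password)
    has_upper = any(ch.isupper() for ch in password)
    has_lower = any(ch.islower() for ch in password)
    has_alpha = any(ch.isalpha() for ch in password)
    has_symbol = any(ch in string.punctuation for ch in password)
    problems: List[str] = []

    if ptype is PasswordType.DEVICE_DEFAULT:
        return problems  # Intune doesn't change the OS setting; nothing to enforce
    if not password:
        return ["a password is required"]
    if ptype is PasswordType.REQUIRED:
        return problems  # any non-empty password satisfies "Required"

    if ptype in (PasswordType.AT_LEAST_NUMERIC, PasswordType.NUMERIC_COMPLEX) and not has_digit:
        problems.append("needs at least one numeric character")
    if ptype is PasswordType.NUMERIC_COMPLEX and has_repeated_or_consecutive_run(password):
        problems.append("contains repeated or consecutive numbers such as 1111 or 1234")
    if ptype is PasswordType.AT_LEAST_ALPHABETIC and not has_alpha:
        problems.append("needs at least one letter")
    if ptype in (PasswordType.AT_LEAST_ALPHANUMERIC, PasswordType.ALPHANUMERIC_WITH_SYMBOLS) \
            and not (has_upper and has_lower and has_digit):
        problems.append("needs uppercase letters, lowercase letters, and numeric characters")
    if ptype is PasswordType.ALPHANUMERIC_WITH_SYMBOLS and not has_symbol:
        problems.append("needs at least one punctuation mark or symbol")
    return problems


def validate(password: str, ptype: PasswordType, min_length: int = 4,
             history: Optional[int] = None,
             previous: Optional[List[str]] = None) -> List[str]:
    """Return every rule the candidate password breaks (empty list = acceptable).

    min_length: the Minimum password length setting, 4 (default) to 16.
    history:    the Prevent reuse of previous passwords value, 1 to 24, or None.
    previous:   earlier passwords, most recent first; the current one is index 0,
                so history=5 rejects the current password and the previous four.
    """
    if not 4 <= min_length <= 16:
        raise ValueError("Minimum password length must be between 4 and 16")
    if history is not None and not 1 <= history <= 24:
        raise ValueError("Prevent reuse of previous passwords must be between 1 and 24")

    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    problems.extend(type_violations(password, ptype))
    if history and password in (previous or [])[:history]:
        problems.append(f"matches one of the last {history} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; real passwords never leave the device.
    print(validate("1234", PasswordType.NUMERIC_COMPLEX))
    print(validate("Abc12345", PasswordType.ALPHANUMERIC_WITH_SYMBOLS, min_length=8))
```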
System security
Threat scan on apps: Require enforces that the Verify Apps setting is enabled for
work and personal profiles. When set to Not configured (default), Intune doesn't
change or update this setting.
Connectivity
Always-on VPN: Enable sets a VPN client to automatically connect and reconnect
to the VPN. Always-on VPN connections stay connected, or immediately reconnect
when users lock their device, the device restarts, or the wireless network changes.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might disable always-on VPN for all VPN clients.
VPN client: Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID: Enter the package ID of the app in the Google Play store. For
example, if the URL for the app in the Play store is
https://play.google.com/store/details?id=com.contosovpn.android.prod,
then the package ID is com.contosovpn.android.prod.
Important
The VPN client you choose must be installed on the device. It must also
support per-app VPN in personally owned devices with a work profile.
Otherwise, an error occurs.
You do need to approve the VPN client app in the Managed Google Play
Store, sync the app to Intune, and deploy the app to the device. After you
do this, the app is installed in the user's personally owned devices
with a work profile.
There may be known issues when using per-app VPN with F5 Access for
Android 3.0.4. For more information, see F5's release notes for F5 Access
for Android 3.0.4.
Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a
connection to the VPN isn't established, then the device won't have network
access.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow traffic to flow through the VPN tunnel or
through the mobile network.
Next steps
Assign the profile and monitor its status.
This article describes the different email settings you can control on Android Enterprise
personally owned devices with a work profile. As part of your mobile device
management (MDM) solution, use these settings to configure an Exchange email server,
use SSL to encrypt emails, and more. The email profile uses the email app on the device,
and allows users to connect to their organization email.
As an Intune administrator, you can create and assign email settings to Android
Enterprise personally owned devices with a work profile. To learn more about email
profiles in Intune, see configure email settings.
Android Enterprise
Email app: Select Gmail or Nine Work. This app is the client app that connects to
the email server you enter.
Email server: Enter the host name of your Exchange server. For example, enter
outlook.office365.com.
Username attribute from AAD: This name is the attribute Intune gets from Azure
Active Directory (Azure AD). Intune dynamically generates the username that's
used by this profile. Make sure your users have email addresses that match the
attribute you select. Your options:
User Principal Name: Gets the name, such as user1 or user1@contoso.com.
User name: Gets only the name, such as user1.
Email address attribute from AAD: This name is the email attribute Intune gets
from Azure AD. Intune dynamically generates the email address that's used by this
profile. Your options:
User principal name: Uses the full principal name, such as user1@contoso.com or
user1, as the email address.
SSL: Choose Enable to use Secure Sockets Layer (SSL) communication when
sending emails, receiving emails, and communicating with the Exchange server.
Amount of email to synchronize: Choose the amount of time of email you want to
synchronize. Or, select Unlimited to synchronize all available email.
Content type to sync (Nine Work only): Choose which data you want to
synchronize on the devices. Your options:
Contacts: Choose Enable to allow end users to sync contacts to their devices.
Calendar: Choose Enable to allow end users to sync the calendar to their
devices.
Tasks: Choose Enable to allow end users to sync any tasks to their devices.
Next steps
Assign the profile and monitor its status.
You can also create email profiles for Android Samsung Knox, iOS/iPadOS, and Windows
10 and later devices.
Android Enterprise device settings to configure VPN in Intune
Article • 07/13/2023
This article describes the different VPN connection settings you can control on Android
Enterprise devices. As part of your mobile device management (MDM) solution, use
these settings to create a VPN connection, choose how the VPN authenticates, select a
VPN server type, and more.
As an Intune administrator, you can create and assign VPN settings to Android
Enterprise devices. To learn more about VPN profiles in Intune, see VPN profiles.
Note
To configure always-on VPN, you need to create a VPN profile, and also create a
device restrictions profile with the Always-on VPN setting configured.
Some Microsoft 365 services, such as Outlook, may not perform well using third
party or partner VPNs. If you're using a third party or partner VPN, and experience
a latency or performance issue, then remove the VPN.
Cisco AnyConnect
F5 Access
Pulse Secure
Important
Prior to support for using Microsoft Defender for Endpoint as the tunnel
client app, a standalone tunnel client app was available in preview and
used a connection type of Microsoft Tunnel (standalone client). As of June
14, 2021, both the standalone tunnel app and standalone client connection
type are deprecated, and were dropped from support after January 31, 2022.
The available settings depend on the VPN client you choose. Some settings are only
available for specific VPN clients.
VPN server address or FQDN: Enter the IP address or fully qualified domain name
(FQDN) of the VPN server that devices connect to. For example, enter 192.168.1.1 or
vpn.contoso.com.
Authentication method: Choose how devices authenticate to the VPN server. Your
options:
Username and password: When end users sign into the VPN server, they're
prompted to enter their user name and password.
Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one.
Enter key and value pairs for the NetMotion Mobility VPN attributes: Add or
import Keys and Values that customize your VPN connection. These values are
typically supplied by your VPN provider.
Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN
client connects to the public IP address or FQDN of this site.
For more information, see Use a VPN and per-app VPN policy on Android Enterprise
devices.
Only one VPN client can be configured for always-on VPN on a device. Be sure to
have no more than one always-on VPN policy deployed to a single device.
Address: Enter the IP address or fully qualified host name of the proxy server. For
example, enter 10.0.0.3 or vpn.contoso.com.
Port number: Enter the port number associated with the proxy server. For example,
enter 8080.
Cisco AnyConnect
Note
With Cisco AnyConnect in the personally owned work profile, there may be
some extra steps for end users to complete the VPN connection. For more
information, go to VPN profiles - What successful VPN profiles look like.
F5 Access
Pulse Secure
NetMotion Mobility
Microsoft Tunnel
Important
Prior to support for using Microsoft Defender for Endpoint as the tunnel
client app, a standalone tunnel client app was available in preview and
used a connection type of Microsoft Tunnel (standalone client). As of June
14, 2021, both the standalone tunnel app and standalone client connection
type are deprecated, and were dropped from support after January 31, 2022.
The available settings depend on the VPN client you choose. Some settings are only
available for specific VPN clients.
VPN server address: Enter the IP address or fully qualified domain name (FQDN) of
the VPN server that devices connect to. For example, enter 192.168.1.1 or
vpn.contoso.com.
Authentication method: Choose how devices authenticate to the VPN server. Your
options:
Username and password: When end users sign into the VPN server, they're
prompted to enter their user name and password.
Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one.
Fingerprint (Check Point Capsule VPN only): Enter the fingerprint string given to
you by the VPN vendor, such as Contoso Fingerprint Code. This fingerprint verifies
that the VPN server can be trusted.
When authenticating, a fingerprint is sent to the client so the client knows to trust
any server that has the same fingerprint. If the device doesn't have the fingerprint,
it prompts the user to trust the VPN server while showing the fingerprint. The user
manually verifies the fingerprint, and chooses to trust it in order to connect.
Enter key and value pairs for the NetMotion Mobility VPN attributes: Add or
import Keys and Values that customize your VPN connection. These values are
typically supplied by your VPN provider.
Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN
client connects to the public IP address or FQDN of this site.
For more information, see Use a VPN and per-app VPN policy on Android Enterprise
devices.
Only one VPN client can be configured for always-on VPN on a device. Be sure to
have no more than one always-on VPN policy deployed to a single device.
Address: Enter the IP address or fully qualified host name of the proxy server. For
example, enter 10.0.0.3 or vpn.contoso.com.
Port number: Enter the port number associated with the proxy server. For example,
enter 8080.
Next steps
Assign the profile and monitor its status.
You can also create VPN profiles for Android device administrator, iOS/iPadOS, macOS,
and Windows 10 and later.
You can create a profile with specific Wi-Fi settings, and then deploy this profile to your
Android Enterprise fully managed and dedicated devices. Microsoft Intune offers many
features, including authenticating to your network, using a pre-shared key, and more.
This article describes these settings. Use Wi-Fi on your devices includes more
information about the Wi-Fi feature in Microsoft Intune.
Basic
Wi-Fi type: Select Basic.
Network name: Enter a name for this Wi-Fi connection. End users see this name
when they browse their device for available Wi-Fi connections. For example, enter
Contoso WiFi.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
When devices are connected to another preferred Wi-Fi connection, then they
won't automatically connect to this Wi-Fi network. If devices fail to connect
automatically when this setting is enabled, then disconnect the devices from any
existing Wi-Fi connections.
Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcast. Select Disable to show this
network in the list of available networks on the device.
Wi-Fi type: Select the security protocol to authenticate to the Wi-Fi network. Your
options:
Open (no authentication): Only use this option if the network is unsecured.
WEP-Pre-shared key: Enter the password in Pre-shared key. When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value.
WPA-Pre-shared key: Enter the password in Pre-shared key. When your
organization's network is set up or configured, a password or network key is
also configured. Enter this password or network key for the PSK value.
Proxy server address: Enter the IP address of the proxy server. For example,
enter 10.0.0.22.
Port number: Enter the port number of the proxy server. For example, enter
8080.
Exclusion list: Enter a hostname or IP address that won't use the proxy. You
can use the * wildcard character and enter multiple host names and IP
addresses. If you enter multiple host names or IP addresses, they must be on
a separate line. For example, you can enter:
*.contoso.com
test.contoso1.com
mysite.contoso2.com
10.0.0.5
10.0.0.6
Automatic: Use a file to configure the proxy server. Enter the Proxy server URL
that contains the configuration file. For example, enter
http://proxy.contoso.com, 10.0.0.11, or http://proxy.contoso.com/proxy.pac.
For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).
Enterprise
Wi-Fi type: Select Enterprise.
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
When devices are connected to another preferred Wi-Fi connection, then they
won't automatically connect to this Wi-Fi network. If devices fail to connect
automatically when this setting is enabled, then disconnect the devices from any
existing Wi-Fi connections.
Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcast. Select Disable to show this
network in the list of available networks on the device.
EAP type: Select the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. Your options:
Also enter:
Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com, uk.contoso.com, or
jp.contoso.com.
If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com.
When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.
On Android 11 and newer, new Wi-Fi profiles may require this setting to be
configured. Otherwise, the devices may not connect to your Wi-Fi network.
Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.
Note
A good practice is to enter the Radius server name and add a Root
certificate for server validation.
Also enter:
Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com, uk.contoso.com, or
jp.contoso.com.
If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com.
When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.
On Android 11 and newer, new Wi-Fi profiles may require this setting to be
configured. Otherwise, the devices may not connect to your Wi-Fi network.
Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.
Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you select the same protocol that's configured on
your Wi-Fi network. Your options:
Unencrypted password (PAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.
Radius server name: Enter the DNS name that's used in the certificate
presented by the Radius Server during client authentication to the Wi-Fi
access point. For example, enter Contoso.com, uk.contoso.com, or
jp.contoso.com.
If you have multiple Radius servers with the same DNS suffix in their fully
qualified domain name, then you can enter only the suffix. For example, you
can enter contoso.com.
When you enter this value, user devices can bypass the dynamic trust dialog
that's sometimes shown when connecting to the Wi-Fi network.
On Android 11 and newer, new Wi-Fi profiles may require this setting to be
configured. Otherwise, the devices may not connect to your Wi-Fi network.
Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.
Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.
Proxy server address: Enter the IP address of the proxy server. For example,
enter 10.0.0.22.
Port number: Enter the port number of the proxy server. For example, enter
8080.
Exclusion list: Enter a hostname or IP address that won't use the proxy. You
can use the * wildcard character and enter multiple host names and IP
addresses. If you enter multiple host names or IP addresses, they must be on
a separate line. For example, you can enter:
*.contoso.com
test.contoso1.com
mysite.contoso2.com
10.0.0.5
10.0.0.6
Automatic: Use a file to configure the proxy server. Enter the Proxy server URL
that contains the configuration file. For example, enter
http://proxy.contoso.com, 10.0.0.11, or http://proxy.contoso.com/proxy.pac.
For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).
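The Exclusion list format described in the Basic and Enterprise proxy settings above, modelled in Python as an added example (not Intune or Android code): a parser for the one-entry-per-line list with the * wildcard, and a check that tells you whether a given host would bypass the proxy. Glob-style matching (so *.contoso.com does not cover the bare contoso.com) and exact matching of IP entries are this example's assumptions; the sample list is copied from the article.

```python
"""Added illustration of how a proxy Exclusion list like the one in this
article is interpreted. Not Intune or Android code: this models the
documented format (one entry per line, * as a wildcard, host names or
IP addresses) so a list can be checked before it is deployed."""
import re
from typing import List
from urllib.parse import urlsplit

# Constructed sample, copied from the article's example list.
SAMPLE_EXCLUSIONS = """\
*.contoso.com
test.contoso1.com
mysite.contoso2.com
10.0.0.5
10.0.0.6
"""


def parse_exclusions(text: str) -> List[str]:
    """Split the list into entries, rejecting lines that pack several entries
    together (commas or whitespace), since each must be on a separate line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if "," in entry or any(ch.isspace() for ch in entry):
            raise ValueError(f"line {lineno}: one host name or IP address per line: {entry!r}")
        entries.append(entry.lower())  # host names are case-insensitive
    return entries


def _to_regex(entry: str) -> "re.Pattern[str]":
    """Turn an entry into an anchored regex in which only * is a wildcard."""
    return re.compile(re.escape(entry).replace(r"\*", ".*"))


def bypasses_proxy(host: str, entries: List[str]) -> bool:
    """True if the host matches any exclusion entry. Assumption: glob-style
    matching, so *.contoso.com matches hosts under contoso.com but not the
    bare contoso.com, and an IP entry matches only that exact address."""
    host = host.lower().rstrip(".")
    return any(_to_regex(entry).fullmatch(host) for entry in entries)


def bypasses_proxy_for_url(url: str, entries: List[str]) -> bool:
    """Convenience wrapper that extracts the host part of a URL first."""
    host = urlsplit(url).hostname
    return bool(host) and bypasses_proxy(host, entries)


if __name__ == "__main__":
    entries = parse_exclusions(SAMPLE_EXCLUSIONS)
    for url in ("https://intranet.contoso.com/", "https://contoso.com/", "http://10.0.0.50/"):
        print(url, "->", "direct" if bypasses_proxy_for_url(url, entries) else "via proxy")
```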
SSID: Enter the service set identifier, which is the real name of the wireless
network that devices connect to. However, users only see the network name you
configured when they choose the connection.
Hidden network: Select Enable to hide this network from the list of available
networks on the device. The SSID isn't broadcast. Select Disable to show this
network in the list of available networks on the device.
EAP type: Select the Extensible Authentication Protocol (EAP) type used to
authenticate secured wireless connections. Your options:
Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA) to your wireless
network access servers. For example, add mywirelessserver.contoso.com or
mywirelessserver. When you enter this information, you can bypass the
dynamic trust window displayed on user's devices when they connect to this
Wi-Fi network.
Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.
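The server-name check that the Radius server name and Certificate server names settings above configure, modelled in Python as an added example (not Intune or Android code): it compares the names in the certificate the authentication server presents against a full name or a DNS suffix, case-insensitively, and combines that with the chain-of-trust result. The three-way connect/prompt/reject outcome is a simplification assumed for the example.

```python
"""Added illustration of the server-name check that the Radius server name
and Certificate server names settings configure. Not Intune or Android
code: it models the documented behaviour (a full name or only the DNS
suffix, compared case-insensitively) against the names in the certificate
the authentication server presents, plus the chain-of-trust outcome."""
from typing import Iterable, List


def name_matches(cert_name: str, configured: str) -> bool:
    """True if the certificate name equals the configured name or ends with it
    on a label boundary: contoso.com matches uk.contoso.com and contoso.com,
    but not notcontoso.com. DNS names are case-insensitive, so Contoso.com
    and CONTOSO.COM compare equal."""
    cert_name = cert_name.lower().rstrip(".")
    configured = configured.lower().rstrip(".")
    return bool(configured) and (cert_name == configured
                                 or cert_name.endswith("." + configured))


def matching_names(cert_names: Iterable[str], configured_names: Iterable[str]) -> List[str]:
    """Certificate names (CN or subjectAltName DNS entries) that satisfy any entry."""
    configured_names = list(configured_names)
    return [name for name in cert_names
            if any(name_matches(name, cfg) for cfg in configured_names)]


def decide(cert_names: Iterable[str], configured_names: Iterable[str],
           chain_trusted: bool) -> str:
    """Simplified model (assumption) of the client's decision.

    chain_trusted: whether the server certificate chains to a root the device
    trusts, i.e. one deployed with Root certificate for server validation or a
    public CA the OS already trusts (the case where no root profile is needed).
    """
    if not chain_trusted:
        return "reject: server certificate does not chain to a trusted root"
    configured_names = list(configured_names)
    if not configured_names:
        # Nothing to compare the name against, so the user sees the dynamic
        # trust dialog; the article notes Android 11+ may simply not connect.
        return "prompt: no server name configured, dynamic trust dialog shown"
    if matching_names(cert_names, configured_names):
        return "connect"
    return "reject: certificate name does not match the configured server name"


if __name__ == "__main__":
    # Constructed sample: a RADIUS certificate issued to uk.contoso.com.
    print(decide(["uk.contoso.com"], ["contoso.com"], chain_trusted=True))
```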
Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the device
to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed by
the real identification sent in a secure tunnel.
Root certificate for server validation: Select one or more existing trusted
root certificate profiles. When the client connects to the network, these
certificates are used to establish a chain of trust with the server. If your
authentication server uses a public certificate, then you don't need to include
a root certificate.
Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you select the same protocol that's configured on
your Wi-Fi network. Your options:
Unencrypted password (PAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.
Username and Password: Prompt the user for a user name and password
to authenticate the connection. Also enter:
Certificates: Select the SCEP or PKCS client certificate profile that is also
deployed to the device. This certificate is the identity presented by the
device to the server to authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an
EAP identity request. This text can be any value, such as anonymous. During
authentication, this anonymous identity is initially sent, and then followed
by the real identification sent in a secure tunnel.
Automatic: Use a file to configure the proxy server. Enter the Proxy server URL
that contains the configuration file. For example, enter
http://proxy.contoso.com, 10.0.0.11, or http://proxy.contoso.com/proxy.pac.
For more information on PAC files, see Proxy Auto-Configuration (PAC) file
(opens a non-Microsoft site).
Next steps
The profile is created, but might not be doing anything. Be sure to assign this profile
and monitor its status.
You can also create Wi-Fi profiles for Android, iOS/iPadOS, macOS, and Windows 10.
Important
Don't use custom configuration profiles for sensitive information, such as Wi-Fi
connections or authenticating apps, sites, and more. Instead, use the built-in
profiles for sensitive information, as they're designed and configured to handle
sensitive information.
For example, use the built-in Wi-Fi profile to deploy a Wi-Fi connection. Use the
built-in certificates profile for authentication.
Using Microsoft Intune, you can add or create custom settings for your iOS/iPadOS
devices using "custom profiles". Custom profiles are a feature in Intune. They're
designed to add device settings and features that aren't built in to Intune.
iOS/iPadOS
When using iOS/iPadOS devices, there are two ways to get custom settings into Intune:
Apple Configurator
Apple Profile Manager
You can use these tools to export settings to a configuration profile. In Intune, you
import this file, and then assign the profile to your iOS/iPadOS users and devices. Once
assigned, the settings are distributed. They also create a baseline or standard for
iOS/iPadOS in your organization.
This article provides some guidance on using Apple Configurator and Apple Profile
Manager, and describes the properties you can configure.
After you add a device in Profile Manager, go to Library > Devices >
select your device > Settings. Enter the general settings for the device.
Download and save this file. You upload this file in the Intune profile.
Be sure the settings you export from the Apple Profile Manager are compatible
with the iOS/iPadOS version on the devices. For information on resolving
incompatible settings, search for Configuration Profile Reference and Mobile
Device Management Protocol Reference on the Apple Developer website.
Custom configuration profile name: Enter a name for the policy. This name is
shown on the device, and in the Intune status.
Configuration profile file: Browse to the configuration profile you created using
the Apple Configurator or Apple Profile Manager. The max file size is 1000000
bytes (just under 1 MB). The imported file is shown in the File contents area.
You can also add device tokens to your custom configuration files. Device tokens
are used to add device-specific information. For example, to show the serial
number, enter {{serialnumber}}. On the device, the text shows similar to
123456789ABC, which is unique to each device. When entering variables, be sure to
use curly brackets {{ }}. App configuration tokens includes a list of variables that
can be used. You can also use deviceid or any other device-specific value.
Note
Variables aren't validated in the UI, and are case sensitive. As a result, you may
see profiles saved with incorrect input. For example, if you enter {{DeviceID}}
instead of {{deviceid}}, then the literal string is shown instead of the device's
unique ID. Be sure to enter the correct information.
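The token behaviour in the note above, shown in Python as an added example (not Intune's code): a renderer that substitutes exact-case tokens such as {{serialnumber}} and leaves {{DeviceID}} as literal text, plus a pre-upload lint that flags tokens which differ from a known name only by case. The known-token set is limited to the two names the article gives and is an assumption; the sample profile text and device values are constructed.

```python
"""Added illustration of how the device tokens described above behave.
Not Intune's code: it substitutes the documented {{serialnumber}} and
{{deviceid}} style tokens into custom profile text and flags tokens that
differ from a known name only by case, since the UI doesn't validate them."""
import re
from typing import Dict, List, Tuple

TOKEN = re.compile(r"\{\{([A-Za-z0-9]+)\}\}")

# Assumption: a small illustrative token set. The article names serialnumber
# and deviceid; the full list is in "App configuration tokens".
KNOWN_TOKENS = {"serialnumber", "deviceid"}

# Constructed sample profile text with one correct and one wrong-case token.
SAMPLE_PROFILE = (
    "<key>AssetTag</key><string>Contoso asset {{serialnumber}}</string>"
    "<key>DeviceRef</key><string>{{DeviceID}}</string>"
)


def render(template: str, device: Dict[str, str]) -> str:
    """Replace exact-case known tokens with the device's values; anything
    else (unknown name or wrong case) stays as literal text, as on the device."""
    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in KNOWN_TOKENS and name in device:
            return device[name]
        return match.group(0)
    return TOKEN.sub(repl, template)


def lint_tokens(template: str) -> List[Tuple[str, str]]:
    """Report tokens that would not be substituted, paired with the likely
    intended name when a case-insensitive match exists (else an empty string)."""
    findings = []
    for name in TOKEN.findall(template):
        if name in KNOWN_TOKENS:
            continue
        fix = next((known for known in KNOWN_TOKENS if known == name.lower()), "")
        findings.append(("{{" + name + "}}", "{{" + fix + "}}" if fix else ""))
    return findings


if __name__ == "__main__":
    device = {"serialnumber": "123456789ABC", "deviceid": "constructed-device-id"}
    print(render(SAMPLE_PROFILE, device))
    print(lint_tokens(SAMPLE_PROFILE))
```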
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile.
Note
Intune may support more settings than the settings listed in this article. Not all
settings are documented, and won’t be documented. To see the settings you can
configure, create a device configuration profile, and select Settings Catalog. For
more information, see Settings catalog.
Intune includes some built-in settings to allow iOS/iPadOS users to use different Apple
features on their devices. For example, you can control AirPrint printers, add apps and
folders to the dock and home screen pages, show app notifications, show asset tag
details on the lock screen, use single sign-on authentication, and use certificate
authentication.
iOS/iPadOS
Use these features to control iOS/iPadOS devices as part of your mobile device
management (MDM) solution.
This article lists these settings, and describes what each setting does. For more
information on these features, go to Add iOS/iPadOS or macOS device feature settings.
Note
These settings apply to different enrollment types, with some settings applying to
all enrollment options. For more information on the different enrollment types, see
iOS/iPadOS enrollment.
AirPrint
Settings apply to: All enrollment types
Note
Be sure to add all printers to the same profile. Apple prevents multiple AirPrint
profiles from targeting the same device.
IP address: Enter the IPv4 or IPv6 address of the printer. If you use hostnames to
identify printers, you can get the IP address by pinging the printer in the terminal.
Get the IP address and path (in this article) provides more details.
Resource path: The path is typically ipp/print for printers on your network. Get
the IP address and path (in this article) provides more details.
Port: Enter the listening port of the AirPrint destination. If you leave this property
blank, AirPrint uses the default port. Available on iOS 11.0+, and iPadOS 13.0+.
Force TLS: Enable secures AirPrint connections with Transport Layer Security (TLS).
Available on iOS 11.0+, and iPadOS 13.0+.
Enter printer details to add an AirPrint destination to the list. Many AirPrint servers
can be added.
Import a comma-separated file (.csv) with this information. Or, Export to create a
list of the AirPrint servers you added.
1. On a Mac that's connected to the same local network (subnet) as the AirPrint
printers, open Terminal (from /Applications/Utilities).
Note the printer information. For example, it may return something similar to
ipp://myprinter.local.:631/ipp/port1. The first part is the name of the printer.
Note the IP address. For example, it may return something similar to PING
myprinter.local (10.50.25.21).
4. Use the IP address and resource path values. In this example, the IP address is
10.50.25.21, and the resource path is /ipp/port1.
Note
Only add an app once to the dock, page, folder on a page, or folder in the
dock. Adding the same app in any two places prevents the app from showing
on devices, and may show reporting errors.
For example, if you add the camera app to a dock and a page, the camera app
isn't shown, and reporting might show an error for the policy. To add the
camera app to the home screen layout, choose only the dock or a page, not
both.
When you apply a home screen layout, it overwrites any user-defined layout.
So, it's recommended to use home screen layouts on userless devices.
You can have preexisting apps installed on the device that are not included in
the home screen layout configuration. These apps are shown in alphabetical
order after the configured apps.
Home screen
Use this feature to add apps. And, see how these apps look on pages, the dock, and
within folders. It also shows you the app icons. Volume Purchase Program (VPP) apps,
line-of-business apps, and web link apps (web app URLs) are populated from the client
apps you add.
Layout size: Choose an appropriate grid size for the device's home screen. An app
or folder takes up one place in the grid. If the target device doesn't support the
selected size, some apps may not fit and will be pushed to the next available
position on a new page. For reference:
iPhone 6 and later support 4 columns x 6 rows
App: Select existing apps from the list. This option adds apps to the home
screen on devices. If you don't have any apps, then Add apps to Intune.
You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.
Folder: Adds a folder to the home screen. Enter the Folder name, and select
existing apps from the list to go in the folder. This folder name is shown to users
on their devices.
You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.
Apps are arranged from left to right, and in the same order as shown. Apps can
be moved to other positions. You can only have one page in a folder. As a
workaround, add nine (9) or more apps to the folder. Apps are automatically moved
to the next page. You can add any combination of VPP apps, web links (web
apps), store apps, line-of-business apps, and system apps.
Dock
Add up to four (4) items for iPhones, and up to six (6) items for iPads (apps and folders
combined) to the dock on the screen. Many devices support fewer items. For example,
iPhone devices support up to four items. So, only the first four items you add are shown.
App: Select existing apps from the list. This option adds apps to the dock on the
screen. If you don't have any apps, then Add apps to Intune.
You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.
Folder: Adds a folder to the dock on the screen. Enter the Folder name, and
select existing apps from the list to go in the folder. This folder name is shown
to users on their devices.
You can also search for apps by the app name, such as authenticator or drive.
Or, search by the app publisher, such as Microsoft or Apple.
Apps are arranged from left to right, and in the same order as shown. Apps can
be moved to other positions. If you add more apps than can fit on a page, then
the apps are automatically moved to another page. You can add up to 20 pages
in a folder on the dock. You can add any combination of VPP apps, web links
(web apps), store apps, line-of-business apps, and system apps.
Note
When you use the Home Screen Layout settings to add pages, or add pages and
apps to the dock, the icons on the Home Screen and pages are locked. They can't
be moved or deleted. This behavior might be by design with iOS/iPadOS and
Apple's MDM policies.
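The home screen layout rules above (an app placed twice is not shown, the dock holds four items on iPhone and six on iPad, an app or folder takes one grid position, and items that do not fit the device grid are pushed to a new page) are easy to check before the profile is assigned. This added Python example is not part of the article; the bundle IDs are made up, the page gives no iPad grid size so it has to be passed in, and the overflow handling (a new page inserted after the overflowing one) is my reading of the text.

```python
from collections import Counter
from dataclasses import dataclass

# Limits stated on the page: dock capacity per device family and the iPhone
# grid (columns, rows). The page gives no iPad grid, so it must be passed in.
DOCK_CAPACITY = {"iphone": 4, "ipad": 6}
DEVICE_GRID = {"iphone": (4, 6)}


@dataclass(frozen=True)
class Folder:
    """A folder takes one grid position whatever it contains."""
    name: str
    apps: tuple  # bundle IDs


def _label(item):
    return f"folder '{item.name}'" if isinstance(item, Folder) else item


def _bundle_ids(items):
    for item in items:
        if isinstance(item, Folder):
            yield from item.apps
        else:
            yield item


def duplicate_apps(dock, pages):
    """Bundle IDs placed more than once across the dock, pages and folders."""
    counts = Counter(_bundle_ids(dock))
    for page in pages:
        counts.update(_bundle_ids(page))
    return sorted(b for b, n in counts.items() if n > 1)


def render_pages(pages, device, layout=None):
    """Fit each configured page onto the device grid. Items beyond the grid
    are pushed onto a new page inserted after the overflowing one (assumed
    reading of 'pushed to the next available position on a new page')."""
    grids = [g for g in (DEVICE_GRID.get(device), layout) if g]
    if not grids:
        raise ValueError(f"no grid size known for {device}; pass layout=(columns, rows)")
    per_page = min(cols * rows for cols, rows in grids)
    rendered = []
    for page in pages:
        items = list(page)
        while len(items) > per_page:
            rendered.append(items[:per_page])
            items = items[per_page:]
        rendered.append(items)
    return rendered


def check_layout(device, dock, pages, layout=None):
    """Problems worth fixing before assigning the profile, plus the dock and
    pages as the device will actually show them."""
    problems = []
    for bundle_id in duplicate_apps(dock, pages):
        problems.append(f"{bundle_id} is placed more than once; it will not be shown and reporting may flag an error")
    capacity = DOCK_CAPACITY[device]
    for item in dock[capacity:]:
        problems.append(f"dock item {_label(item)} is beyond the {capacity}-item {device} dock and is not shown")
    rendered = render_pages(pages, device, layout)
    if len(rendered) > len(pages):
        problems.append(f"{len(pages)} configured page(s) become {len(rendered)} on {device}; overflow was pushed to new pages")
    return {"problems": problems, "dock": list(dock[:capacity]), "pages": rendered}


# Constructed sample (bundle IDs are made up): a five-item dock for an iPhone,
# and a page that repeats the camera app already in the dock and overfills
# the 4 x 6 grid.
SAMPLE_DOCK = ["com.example.safari", "com.example.mail", "com.example.stocks",
               "com.example.camera", "com.example.maps"]
SAMPLE_PAGES = [
    ["com.example.camera", Folder("Work", ("com.example.outlook", "com.example.teams"))]
    + [f"com.example.app{i}" for i in range(25)],
]

if __name__ == "__main__":
    for problem in check_layout("iphone", SAMPLE_DOCK, SAMPLE_PAGES)["problems"]:
        print(problem)
```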
Example
In the following example, the dock screen shows the Safari, Mail, and Stocks apps. The
Stocks app is selected to show its properties:
When you assign the policy to an iPhone, the dock looks similar to the following image:
App notifications
App bundle ID: Enter the App Bundle ID of the app you want to add. See
Bundle IDs for built-in iOS/iPadOS apps for some examples.
App name: Enter the name of the app you want to add. This name is used for
your reference in the Microsoft Intune admin center. It isn't shown on devices.
Publisher: Enter the publisher of the app you're adding. This name is used for
your reference in the Microsoft Intune admin center. It isn't shown on devices.
Notifications: Enable or Disable the app from sending notifications to devices.
Show on Lock Screen: Enable shows app notifications on the device lock
screen. Disable prevents the app from showing notifications on the lock
screen.
Alert type: When devices are unlocked, choose how the notification is shown.
Your options:
None: No notification is shown.
Banner: A banner is briefly shown with the notification. This setting might
also be known as Temporary Banner.
Modal: The notification is shown and users must manually dismiss it
before continuing to use the device. This setting might also be known as
Persistent Banner.
Badge on app icon: Select Enable to add a badge to the app icon. The badge
means the app sent a notification.
The text you enter is shown on the sign in window and lock screen on devices.
Asset tag information: Enter information about the asset tag of the device. For
example, enter Owned by Contoso Corp or Serial Number: {{serialnumber}}.
Device tokens can also be used to add device-specific information to these fields.
For example, to show the serial number, enter Serial Number: {{serialnumber}} or
Device ID: {{DEVICEID}}. On the lock screen, the text shows similar to Serial
Note
Variables aren't validated in the UI, and are case sensitive. As a result, you may
see profiles saved with incorrect input. For example, if you enter {{DeviceID}}
instead of {{deviceid}} or '{{DEVICEID}}', then the literal string is shown
instead of the device's unique ID. Be sure to enter the correct information. All
lowercase or all uppercase variables are supported, but not a mix.
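Because the admin center saves whatever is typed, a small pre-check of the lock screen text catches the mixed-case mistake the note describes before the profile reaches devices. This added Python example is not from the article; the token list is a constructed subset built from the tokens the page shows ({{serialnumber}}, {{deviceid}}, {{username}}), not Intune's full set.

```python
import re

# Device tokens shown on the page; constructed subset, not Intune's full list.
KNOWN_TOKENS = {"serialnumber", "deviceid", "username"}

_TOKEN = re.compile(r"\{\{([^{}]*)\}\}")


def check_lock_screen_text(text):
    """Return one problem string per {{token}} that the admin center would
    save as typed and the device would then show as a literal string."""
    problems = []
    for raw in _TOKEN.findall(text):
        token = "{{" + raw + "}}"
        if not raw:
            problems.append(f"{token}: empty token")
        elif not (raw.islower() or raw.isupper()):
            problems.append(f"{token}: mixed case; use all lowercase or all uppercase")
        elif raw.lower() not in KNOWN_TOKENS:
            problems.append(f"{token}: not a known device token")
    return problems


def normalize_tokens(text):
    """Rewrite known tokens to their all-lowercase form, so {{DeviceID}}
    becomes {{deviceid}}; unknown tokens are left untouched for review."""
    def fix(match):
        raw = match.group(1)
        if raw.lower() in KNOWN_TOKENS:
            return "{{" + raw.lower() + "}}"
        return match.group(0)
    return _TOKEN.sub(fix, text)


if __name__ == "__main__":
    sample = "Serial Number: {{serialnumber}} Device ID: {{DeviceID}}"  # constructed
    print(check_lock_screen_text(sample))
    print(normalize_tokens(sample))
```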
Single sign-on
Settings apply to: Device enrollment, Automated device
enrollment (supervised)
Realm: Enter the domain part of the URL. For example, enter contoso.com.
Azure AD username attribute: Intune looks for this attribute for each user in Azure
AD. Intune then populates the respective field (such as UPN) before generating the
XML that gets installed on devices. Your options:
Not configured: Intune doesn't change or update this setting. By default, the
OS will prompt users for a Kerberos principal name when the profile is deployed
to devices. A principal name is required for MDMs to install SSO profiles.
User principal name: The user principal name (UPN) is parsed in the following
way:
You can also overwrite the realm with the text you enter in the Realm text box.
For example, Contoso has several regions, including Europe, Asia, and North
America. Contoso wants their Asia users to use SSO, and the app requires the
UPN in the username@asia.contoso.com format. When you select User Principal
Name, the realm for each user is taken from Azure AD, which is contoso.com. So
for users in Asia, select User Principal Name, and enter asia.contoso.com. The
user's UPN becomes username@asia.contoso.com, instead of
username@contoso.com.
Intune device ID: Intune automatically selects the Intune Device ID.
By default, apps only need to use the device ID. But if your app uses the realm
and the device ID, you can type the realm in the Realm text box.
Note
Apps: Add apps on users' devices that can use single sign-on.
The AppIdentifierMatches array must include strings that match app bundle IDs.
These strings may be exact matches, such as com.contoso.myapp, or enter a prefix
match on the bundle ID using the * wildcard character. The wildcard character
must appear after a period character (.), and may appear only once, at the end of
the string, such as com.contoso.*. When a wildcard is included, any app whose
bundle ID begins with the prefix is granted access to the account.
Use App Name to enter a user-friendly name to help you identify the bundle ID.
URL prefixes: Add any URLs in your organization that require user single sign-on
authentication.
For example, when a user connects to any of these sites, the iOS/iPadOS device
uses the single sign-on credentials. Users don't need to enter any additional
credentials. If multi-factor authentication is enabled, then users are required to
enter the second authentication.
Note
The URL matching patterns must begin with either http:// or https://. A simple
string match is run, so the http://www.contoso.com/ URL prefix doesn't match
http://www.contoso.com:80/. With iOS 10.0+ and iPadOS 13.0+, a single wildcard *
The http://*.com and https://*.com patterns match all HTTP and HTTPS URLs,
respectively.
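The AppIdentifierMatches and URL prefix rules above decide which apps and sites receive the single sign-on credential, so it is worth checking how they match before deploying. This added Python example (not from the article) validates bundle ID patterns the way the text describes, does the plain string-prefix comparison for URLs, and combines the two in an assumed check that both lists must match; the * wildcard for URL prefixes is not implemented here.

```python
def validate_app_identifier_pattern(pattern):
    """Return None if the pattern is acceptable for AppIdentifierMatches,
    otherwise the reason: an exact bundle ID, or a prefix whose single '*'
    follows a period at the very end (com.contoso.*)."""
    if not pattern:
        return "empty pattern"
    stars = pattern.count("*")
    if stars == 0:
        return None
    if stars > 1:
        return "the wildcard may appear only once"
    if not pattern.endswith(".*"):
        return "the wildcard must be last and must follow a period"
    if len(pattern) == 2:
        return "a bare '.*' would match every app"
    return None


def app_identifier_matches(pattern, bundle_id):
    """Exact match, or prefix match that keeps the trailing period so that
    com.contoso.* matches com.contoso.myapp but not com.contosoevil.app."""
    reason = validate_app_identifier_pattern(pattern)
    if reason:
        raise ValueError(f"{pattern!r}: {reason}")
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern


def url_prefix_matches(prefix, url):
    """Plain string-prefix comparison, as the page describes: no scheme, host
    or port normalization, so http://www.contoso.com/ does not match
    http://www.contoso.com:80/."""
    if not prefix.startswith(("http://", "https://")):
        raise ValueError(f"{prefix!r}: URL prefixes must begin with http:// or https://")
    return url.startswith(prefix)


def sso_would_apply(app_patterns, url_prefixes, bundle_id, url):
    """Assumed combined check: the requesting app must match an
    AppIdentifierMatches entry and the URL must match a configured prefix."""
    app_ok = any(app_identifier_matches(p, bundle_id) for p in app_patterns)
    url_ok = any(url_prefix_matches(u, url) for u in url_prefixes)
    return app_ok and url_ok


if __name__ == "__main__":
    # Constructed values for a quick run.
    print(sso_would_apply(["com.contoso.*"], ["https://mail.contoso.com/"],
                          "com.contoso.mail", "https://mail.contoso.com/owa"))
```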
Tip
These settings use Apple's Web Content Filter settings. For more information on
these settings, see Apple's Platform Deployment site (opens Apple's web site).
Configure URLs: Use Apple's built-in web filter that looks for adult terms,
including profanity and sexually explicit language. This feature evaluates each
web page as it's loaded, and identifies and blocks unsuitable content. You can
also add URLs that you don't want checked by the filter. Or, block specific URLs,
regardless of Apple's filter settings.
Permitted URLs: Add the URLs you want to allow. These URLs bypass Apple's
web filter.
Note
The URLs you enter are the URLs you don't want evaluated by the Apple
web filter. These URLs aren't a list of allowed web sites. To create a list of
allowed websites, set the Filter Type to Specific websites only.
Blocked URLs: Add the URLs you want to stop from opening, regardless of
the Apple web filter settings.
Specific websites only (for the Safari web browser only): These URLs are added
to the Safari browser's bookmarks. Users are only allowed to visit these sites; no
other sites can be opened. Use this option only if you know the exact list of
URLs that users can access.
URL: Enter the URL of the website you want to allow. For example, enter
https://www.contoso.com.
Bookmark Path: Apple changed this setting. All bookmarks go into the
Allowed Sites folder. Bookmarks don't go in to the bookmark path you enter.
Title: Enter a descriptive title for the bookmark.
If you don't enter any URLs, then users can't access any websites except for
microsoft.com, microsoft.net, and apple.com. These URLs are automatically
allowed by Intune.
Not configured: Intune doesn't change or update this setting. By default, the
OS doesn't use app extensions. To disable an app extension, you can switch the
SSO app extension type to Not configured.
Microsoft Azure AD: Uses the Microsoft Enterprise SSO plug-in, which is a
redirect-type SSO app extension. This plug-in provides SSO for Active Directory
accounts across all applications that support Apple's Enterprise Single Sign-On
feature. Use this SSO app extension type to enable SSO on Microsoft
apps, organization apps, and websites that authenticate using Azure AD.
The SSO plug-in acts as an advanced authentication broker that offers security
and user experience improvements. All apps that use the Microsoft
Authenticator app for authentication continue to get SSO with the Microsoft
Enterprise SSO plug-in for Apple devices.
Important
To achieve SSO with the Microsoft Azure AD SSO app extension type, first
install the iOS/iPadOS Microsoft Authenticator app on devices. The
Authenticator app delivers the Microsoft Enterprise SSO plug-in to devices,
and the MDM SSO app extension settings activate the plug-in. Once
Authenticator and the SSO app extension profile are installed on devices,
users must enter their credentials to sign in, and establish a session on
their devices. This session is then used across different applications without
requiring users to authenticate again. For more information about
Authenticator, see What is the Microsoft Authenticator app.
Redirect: Use a generic, customizable redirect app extension to use SSO with
modern authentication flows. Be sure you know the extension ID for your
organization's app extension.
Tip
With the Redirect and Credential types, you add your own configuration
values to pass through the extension. If you're using Credential, consider
using built-in configuration settings provided by Apple in the Kerberos type.
After users successfully sign in to the Authenticator app, they aren't prompted to
sign in to other apps that use the SSO extension. The first time users open
managed apps that don't use the SSO extension, they're prompted to select the
account that's signed in.
Enable shared device mode (Microsoft Azure AD only): Choose Yes if you're
deploying the Microsoft Enterprise SSO plug-in to iOS/iPadOS devices configured
for Azure AD's shared device mode feature. Devices in shared mode allow many
users to globally sign in and out of applications that support shared device mode.
When set to Not configured, Intune doesn't change or update this setting. By
default, iOS/iPadOS devices aren't intended to be shared among multiple users.
For more information about shared device mode and how to enable it, see
Overview of shared device mode and Shared device mode for iOS devices.
Extension ID (Redirect and Credential): Enter the bundle identifier that identifies
your SSO app extension, such as com.apple.extensiblesso.
Team ID (Redirect and Credential): Enter the team identifier of your SSO app
extension. A team identifier is a 10-character alphanumerical (numbers and letters)
string generated by Apple, such as ABCDE12345. The team ID isn't required.
Realm (Credential and Kerberos): Enter the name of your authentication realm. The
realm name should be capitalized, such as CONTOSO.COM. Typically, your realm name
is the same as your DNS domain name, but in all uppercase.
Domains (Credential and Kerberos): Enter the domain or host names of the sites
that can authenticate through SSO. For example, if your website is
mysite.contoso.com, then mysite is the host name, and .contoso.com is the
domain name. When users connect to any of these sites, the app extension
handles the authentication challenge. This authentication allows users to use Face
ID, Touch ID, or Apple pincode/passcode to sign in.
All the domains in your single sign-on app extension Intune profiles must be
unique. You can't repeat a domain in any sign-on app extension profile, even if
you're using different types of SSO app extensions.
These domains aren't case-sensitive.
The domain must begin with a period (.).
URLs (Redirect only): Enter the URL prefixes of your identity providers on whose
behalf the redirect app extension uses SSO. When users are redirected to these
URLs, the SSO app extension intervenes and prompts SSO.
All the URLs in your Intune single sign-on app extension profiles must be
unique. You can't repeat a domain in any SSO app extension profile, even if
you're using different types of SSO app extensions.
The URLs must begin with http:// or https://.
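The Realm, Domains and URLs rules above (uppercase realm, domains beginning with a period and compared case-insensitively, URLs beginning with http:// or https://, and no domain or URL repeated across any SSO app extension profile, whatever its type) can be checked across a tenant's profiles before any of them is saved. This added Python example is not from the article; the profile objects, their names and values are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoExtensionProfile:
    """Constructed model of one SSO app extension profile."""
    name: str
    ext_type: str          # "kerberos", "credential", "redirect" or "azuread"
    realm: str = ""        # Credential and Kerberos
    domains: tuple = ()    # Credential and Kerberos
    urls: tuple = ()       # Redirect only


def check_profile(profile):
    """Problems within one profile, following the rules quoted above."""
    problems = []
    if profile.ext_type in ("kerberos", "credential") and profile.realm:
        if profile.realm != profile.realm.upper():
            problems.append(f"realm '{profile.realm}' should be uppercase, such as {profile.realm.upper()}")
    for domain in profile.domains:
        if not domain.startswith("."):
            problems.append(f"domain '{domain}' must begin with a period")
    for url in profile.urls:
        if not url.startswith(("http://", "https://")):
            problems.append(f"URL '{url}' must begin with http:// or https://")
    return problems


def check_profiles(profiles):
    """Per-profile problems plus domains and URLs repeated across profiles of
    any extension type. Domains compare case-insensitively; URLs compare as
    plain strings, matching the page's description of URL matching."""
    findings = [(p.name, msg) for p in profiles for msg in check_profile(p)]
    owners = defaultdict(list)
    for p in profiles:
        for domain in p.domains:
            owners[("domain", domain.lower())].append(p.name)
        for url in p.urls:
            owners[("url", url)].append(p.name)
    for (kind, value), names in sorted(owners.items()):
        if len(names) > 1:
            findings.append((", ".join(names), f"{kind} '{value}' is repeated across profiles; it must be unique"))
    return findings


# Constructed sample: a lowercase realm, a domain without the leading period,
# a URL without a scheme, and the same domain in two profiles of different types.
SAMPLE_PROFILES = (
    SsoExtensionProfile("Kerberos-HQ", "kerberos", realm="contoso.com",
                        domains=(".contoso.com", "mysite.contoso.com")),
    SsoExtensionProfile("Credential-Branch", "credential", realm="BRANCH.CONTOSO.COM",
                        domains=(".CONTOSO.COM",)),
    SsoExtensionProfile("Redirect-IdP", "redirect",
                        urls=("https://login.contoso.com/", "login.contoso.com/")),
)

if __name__ == "__main__":
    for owner, message in check_profiles(SAMPLE_PROFILES):
        print(f"{owner}: {message}")
```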
Key: Enter the name of the item you want to add, such as user name or
'AppAllowList'.
Block keychain usage (Kerberos only): Yes prevents passwords from being saved
and stored in the keychain. If blocked, users aren't prompted to save their
password, and need to reenter the password when the Kerberos ticket expires.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow passwords to be saved and stored in the
keychain. Users aren't prompted to reenter their password when the ticket expires.
Require Face ID, Touch ID, or passcode (Kerberos only): Yes forces users to enter
their Face ID, Touch ID, or device passcode when the credential is needed to
refresh the Kerberos ticket. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might not require users to use
biometrics or device passcode to refresh the Kerberos ticket. If Keychain usage is
blocked, then this setting doesn't apply.
Set as default realm (Kerberos only): Yes sets the Realm value you entered as the
default realm. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might not set a default realm.
Tip
Select Yes for this setting if you're configuring multiple Kerberos SSO app
extensions in your organization.
Select Yes for this setting if you're using multiple realms. It sets the Realm
value you entered as the default realm.
If you only have one realm, leave it Not configured (default).
Block Autodiscover (Kerberos only): Yes prevents the Kerberos extension from
automatically using LDAP and DNS to determine its Active Directory site name.
Allow only managed apps (Kerberos only): When set to Yes, the Kerberos
extension allows only managed apps, and any apps entered with the app bundle
ID to access the credential. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow non-managed apps
to access the credential.
Principal name (Kerberos only): Enter the username of the Kerberos principal. You
don't need to include the realm name. For example, in user@contoso.com, user is
the principal name, and contoso.com is the realm name.
Tip
You can also use variables in the principal name by entering curly brackets
{{ }}. For example, to show the username, enter Username: {{username}}.
Active Directory site code (Kerberos only): Enter the name of the Active Directory
site that the Kerberos extension should use. You may not need to change this
value, as the Kerberos extension may automatically find the Active Directory site
code.
Cache name (Kerberos only): Enter the Generic Security Services (GSS) name of the
Kerberos cache. You most likely don't need to set this value.
Sign in window text (Kerberos only): Enter the text shown to users at the Kerberos
sign in window.
App bundle IDs (Microsoft Azure AD, Kerberos): Enter the bundle IDs of the
additional apps that should get single sign-on through an extension on your
devices.
If you use the Microsoft Azure AD SSO app extension type, then:
These apps use the Microsoft Enterprise SSO plug-in to authenticate the user
without requiring a sign-in.
The app bundle IDs you enter have permission to use the Microsoft Azure AD
SSO app extension if they don't use any Microsoft libraries, such as Microsoft
Authentication Library (MSAL).
The experience for these apps may not be as seamless compared to the
Microsoft libraries. Older apps that use MSAL authentication, or apps that don't
use the newest Microsoft libraries, must be added to this list to work properly
with the Microsoft Azure SSO app extension.
If you use the Kerberos SSO app extension type, then these apps:
Have access to the Kerberos Ticket Granting Ticket
Have access to the authentication ticket
Authenticate users to services they're authorized to access
Domain realm mapping (Kerberos only): Enter the domain DNS suffixes that
should map to your realm. Use this setting when the DNS names of the hosts don't
match the realm name. You most likely don't need to create this custom
domain-to-realm mapping.
PKINIT certificate (Kerberos only): Select the Public Key Cryptography for Initial
Authentication (PKINIT) certificate that can be used for Kerberos authentication.
You can choose from PKCS or SCEP certificates that you've added in Intune. For
more information about certificates, see Use certificates for authentication in
Microsoft Intune.
Wallpaper
You can experience unexpected behavior when a profile with no image is assigned to
devices with an existing image. For example, you create a profile without an image. This
profile is assigned to devices that already have an image. In this scenario, the image may
change to the device default, or the original image may stay on the device. This
behavior is controlled and limited by Apple's MDM platform.
Tip
When configuring a wallpaper policy, Microsoft recommends enabling the
Block modification of Wallpaper setting. This setting prevents users from
changing the wallpaper.
To display different images on the lock screen and home screen, create a
profile with the lock screen image. Create another profile with the home
screen image. Assign both profiles to your iOS/iPadOS user or device groups.
Next steps
Assign the profile and monitor its status.
You can also create device feature profiles for macOS devices.
iOS and iPadOS device settings to allow
or restrict features using Intune
Article • 06/29/2023
Note
Intune may support more settings than the settings listed in this article. Not all
settings are documented, and won’t be documented. To see the settings you can
configure, create a device configuration profile, and select Settings Catalog. For
more information, see Settings catalog.
This article describes the different settings you can control on iOS and iPadOS devices.
As part of your mobile device management (MDM) solution, use these settings to allow
or disable features, set password rules, allow or restrict specific apps, and more.
iOS/iPadOS
These settings are added to a device configuration profile in Intune, and then assigned
or deployed to your iOS/iPadOS devices.
Tip
These settings use Apple's restriction settings. For more information on these
settings, see Apple's mobile device management settings site (opens Apple's
web site).
The security configuration framework is organized into distinct configuration levels that
provide guidance for personally owned and supervised devices, with each level building
off the previous level.
The available levels and settings in each level vary by device type:
Note
These settings apply to different enrollment types, with some settings applying to
all enrollment options. For more information on the different enrollment types, see
iOS/iPadOS enrollment.
For example, you want to prevent users from saving files from the OneDrive app to
Dropbox. Configure this setting as Yes. After devices receive the policy (for
example, after a restart), it no longer allows saving.
Note
When this setting is blocked (set to Yes), third party keyboards installed from
the App Store are also blocked.
Allow unmanaged apps to read from managed contacts accounts: Yes lets
unmanaged apps, such as the built-in iOS/iPadOS Contacts app, to read and
access contact information from managed apps, including the Outlook mobile
app. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might prevent reading from the built-in Contacts
app on devices.
This setting allows or prevents reading contact information. It doesn't control
syncing contacts between the apps.
To use this setting, set the Block viewing corporate documents in unmanaged
apps setting to Yes.
For more information about these two settings, and their impact on Outlook for
iOS/iPadOS contact export synchronization, see Support Tip: Use Intune custom
profile settings with the iOS/iPadOS Native Contacts App .
Yes also prevents contact export synchronization in Outlook for iOS/iPadOS. For
more information, see Support Tip: Enabling Outlook iOS/iPadOS Contact Sync
with iOS12 MDM Controls .
Block in-app purchases: Yes prevents in-app purchases from the store. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow store purchases within a running app.
Block download of explicit sexual content in Apple Books: Yes prevents users
from downloading media from the iBook store that's tagged as erotica. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to download books with the "Erotica" category.
Allow managed apps to write contacts to unmanaged contacts accounts: Yes lets
managed apps, such as the Outlook mobile app, save or sync contact information,
including business and corporate contacts, to the built-in iOS/iPadOS Contacts
app. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might prevent managed apps from saving or syncing
contact information to the built-in iOS/iPadOS Contacts app on devices.
To use this setting, set the Block viewing corporate documents in unmanaged
apps setting to Yes.
Ratings region: Select the ratings region you want to use for allowed downloads.
And then select the allowed ratings for Movies, TV Shows, and Apps.
Block playback of explicit music, podcast, and iTunes U: Yes prevents explicit
iTunes music, podcast, or news content. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow the
device to access content rated as adult from the store.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Block adding Game Center friends: Yes prevents users from adding Game Center
friends. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow users to add friends in Game Center.
Block Game Center: Yes prevents using the Game Center app. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using the Game Center app on devices.
Block access to network drive in Files app: Using the Server Message Block (SMB)
protocol, devices can access files or other resources on a network server. Yes
prevents accessing files on a network SMB drive. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow access.
For the ASAM configuration to apply, users must manually open the specific app. This
task also applies to the Company Portal app.
For example, in a school or university environment, add an app that lets users take
a test on the device. Or, lock the device into the Company Portal app until the user
authenticates. When the app's actions are completed by users, or you remove this
policy, the device returns to its normal state.
Not all apps support autonomous single app mode. To put an app in ASAM, a
bundle ID or a key value pair delivered by an app config policy are typically
required. For more information, see the
autonomousSingleAppModePermittedAppIDs restriction in Apple's MDM
documentation. For more information on the specific settings required for the app
you're configuring, see the vendor documentation.
For example, to configure Zoom Rooms in autonomous single app mode, Zoom
says to use the us.zoom.zpcontroller bundle ID. In this instance, you also make a
change in the Zoom web portal. For more information, see the Zoom help
center .
On iOS/iPadOS devices, the Company Portal app supports ASAM. When the
Company Portal app is in ASAM, users must manually open the Company Portal
app. Then the device is locked in the Company Portal app until the user
authenticates. When users sign in to the Company Portal app, they can use other
apps and the Home screen button on the device. When they sign out of the
Company Portal app, the device returns to single app mode, and locks on the
Company Portal app.
To turn the Company Portal app into a 'sign in/sign out' app (enable ASAM), enter
the Company Portal app name, such as Microsoft Intune Company Portal, and the
bundle ID (com.microsoft.CompanyPortal) in these settings. After this profile is
assigned, you must open the Company Portal app to lock the app so users can
sign in and sign out of it. For the ASAM configuration to apply, users must
manually open the Company Portal app.
When the device configuration profile is removed, and the user signs out, the
device isn't locked in the Company Portal app.
You can also Import a CSV file with the list of app names and their bundle IDs. Or,
Export an existing list that includes the apps.
Built-in Apps
Settings apply to: All enrollment types
Block Siri: Yes prevents access to Siri. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow using the Siri
voice assistant on devices.
Block Siri while device is locked: Yes prevents access to Siri when devices are
locked. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow using the Siri voice assistant on
devices when they're locked.
Require Safari fraud warnings: Yes requires fraud warnings to be shown in the web
browser on devices. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might not show these warnings.
Block Siri for dictation: Yes prevents connections to Siri servers. Users can't use Siri
to dictate text. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow Siri to be used for dictation.
Also available for user enrollment.
Block Siri for translation: Yes prevents connections to Siri servers so that users
can't use Siri to translate text. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow Siri to be used for
translation. Also available for user enrollment.
Safari cookies: By default, Apple allows all cookies, and blocks cross site tracking.
Use this setting to allow users to enable or disable these features. Your options:
Not configured (default): Intune doesn't change or update this setting. By
default, the OS allows all cookies and blocks cross site tracking, and might allow
users to enable and disable these features.
Allow all cookies, and allow cross site tracking: Cookies are allowed, and can
be disabled by users. By default, cross site tracking is blocked, and can be
enabled by users.
Block all cookies, and block cross site tracking: Cookies and cross site tracking
are both blocked. Users can't enable or disable either setting.
Allow all cookies, and block cross site tracking: Cookies are allowed, and can
be disabled by users. By default, cross site tracking is blocked, and can't be
enabled or disabled by users.
Block Safari JavaScript: Yes prevents JavaScript in the browser from running on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow JavaScript.
Block Safari Pop-ups: Yes blocks all pop-ups in the Safari web browser. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow the pop-up blocker.
Intune only manages access to the device camera. It doesn't have access to
pictures or videos.
Block FaceTime: Yes prevents access to the FaceTime app. When set to Not
configured (default), Intune doesn't change or update this setting. By default,
the OS might allow access to the FaceTime app on devices.
Require Siri profanity filter: Yes turns on the filter, and prevents Siri from dictating,
or speaking profane language. When set to Not configured (default), Intune
doesn't change or update this setting.
To use this setting, set the Block Siri setting to Not configured.
Block Apple News: Yes prevents access to the Apple News app on devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow using the Apple News app.
Block Apple Books: Yes prevents access to the iBooks store. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to browse and buy books from the iBooks store.
Block iMessage: Yes prevents using the Messages app for iMessage. If devices
support text messaging, then users can still send and receive text messages using
SMS. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using the Messages app to send and read
messages over the internet.
Block Podcasts: Yes prevents using the Podcasts app. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow using the Podcasts app.
Music service: Yes disables the Music Service, and reverts the Music app to classic
mode. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow using the Apple Music app.
Block iTunes Radio: Yes prevents using the iTunes Radio app. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow using the iTunes Radio app.
Block iTunes store: Yes prevents using iTunes on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow iTunes.
Block Find My iPhone: In the Find My app, Yes disables/hides the Devices tab. Yes
may also prevent pairing of AirTags. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow using the
Devices tab in the Find My app to get the approximate location of the device.
Block Find My Friends: Yes prevents this feature in the Find My app. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow using this Find My app feature to find family and friends from
an Apple device or iCloud.com.
Block user modification to the Find My Friends settings: Yes prevents changes to
the Find My Friends app settings. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allow users to
change settings for the Find My Friends app.
Block removal of system apps from device: Yes prevents removing system apps
from devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to remove system apps.
Block Safari: Yes prevents using the Safari browser on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to use the Safari browser.
Block Safari Autofill: Yes disables the autofill feature in Safari on devices. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to change autocomplete settings in the web
browser.
Block iCloud document and data sync: Yes prevents iCloud from syncing
documents and data. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow document and key-value
synchronization to your iCloud storage space.
Block iCloud Keychain sync: Yes disables syncing credentials stored in the
Keychain to iCloud. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow users to sync these
credentials.
Block iCloud Private Relay: Yes disables the iCloud Private Relay. When disabled,
Apple doesn't encrypt internet traffic leaving the device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow this feature, which prevents networks and servers from monitoring
a user's activity across the internet.
Connected Devices
Block Apple Watch auto unlock: Yes prevents users from unlocking their device
with Apple Watch when an obstruction, such as a mask, prevents Face ID from
recognizing a user's face. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow Apple Watch to auto
unlock a device if an obstruction is preventing Face ID from recognizing the user.
Block pairing with Apple Watch: Yes prevents pairing with an Apple Watch. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow devices to pair with an Apple Watch.
Block modifying Bluetooth settings: Yes stops users from changing Bluetooth
settings on devices. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow users to change these
settings.
Block pairing with non-Configurator hosts: Yes prevents host pairing. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow host pairing to let the administrator control which devices an
iOS/iPadOS device can pair with.
Block AirPrint: Yes prevents using the AirPrint feature on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to use AirPrint.
Block storage of AirPrint credentials in Keychain: Block prevents using
Keychain storage for username and password on devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default,
the OS might allow storing the AirPrint username and password in the Keychain
app.
Require AirPrint to destinations with trusted certificates: Yes forces devices to
use trusted certificates for TLS printing communication. When set to Not
configured (default), Intune doesn't change or update this setting.
Block iBeacon discovery of AirPrint printers: Yes prevents malicious AirPrint
Bluetooth beacons from phishing for network traffic. When set to Not
configured (default), Intune doesn't change or update this setting. By default,
the OS might allow advertising AirPrint printers on devices.
Block setting up new nearby devices: Yes disables the prompt to set up new
devices that are nearby. When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow prompts for users to
connect to other nearby Apple devices.
Block access to USB drive in Files app: Devices can connect and open files on a
USB drive. Yes prevents device access to the USB drive in the Files app when a USB
is connected to the device. Blocking this feature also blocks users from transferring
files onto a USB drive connected to an iPad. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might allow access
to a USB drive in the Files app.
Disable near-field communication (NFC): Yes disables NFC, and prevents devices
from pairing with other NFC-enabled devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, users might be
allowed to use NFC, and connect to other NFC-enabled devices.
Allow users to boot devices into recovery mode with unpaired devices: Yes lets a
user boot a device into recovery mode with an unpaired device. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might prevent users from booting devices into recovery mode with an unpaired
device.
This feature applies to:
iOS/iPadOS 14.5 and newer
Domains
Managed Safari web domains: Add one or more web domain URLs to the list.
When documents are downloaded from the domains you enter, they're considered
managed. This setting applies only to documents downloaded using the Safari
browser.
General
Block over-the-air PKI updates: Yes prevents your users from receiving software
updates unless devices are connected to a computer. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow a device to receive software updates without being connected to a
computer.
Force limited ad tracking: Yes disables the device advertising identifier. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might keep it enabled.
Block trusting new enterprise app authors: Yes removes the Trust Enterprise
Developer button in Settings > General > Profiles & Device Management on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might let users choose to trust apps that aren't
downloaded from the app store.
Block app clips: Yes blocks App Clips on managed devices. Specifically, setting to
Yes:
Prevents users from adding App Clips on devices.
Removes existing App Clips on devices.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow adding and removing App Clips on devices.
For more information on Apple's policy, see Apple Advertising & Privacy (opens
Apple's web site).
To use this setting, set the Block sending diagnostic and usage data to Apple
setting to Not configured.
Block remote AirPlay, view screen by Classroom app, and screen sharing: Yes
prevents the Classroom app from remotely viewing the screen on devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow the Apple Classroom app to view the screen.
To use this setting, set the Block screenshots and screen recording setting to Not
configured.
Allow Classroom app to perform AirPlay and view screen without prompting: Yes
lets teachers silently observe students' iOS/iPadOS screens using the Classroom
app without the students knowing. Student devices enrolled in a class using the
Classroom app automatically give permission to that course's teacher. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might prevent this feature.
To use this setting, set the Block screenshots and screen recording setting to Not
configured.
Block modification of account settings: Yes prevents users from updating device-specific
settings from the iOS/iPadOS settings app. For example, users can't create
new device accounts, or change the user name or password. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to change these settings.
This feature also applies to settings in the iOS/iPadOS settings app, such as Mail,
Contacts, Calendar, Twitter, and more. This feature doesn't apply to apps with
account settings that aren't configurable in the iOS/iPadOS settings app, such as
the Microsoft Outlook app.
Block Screen time: Yes prevents users from setting their own restrictions in Screen
Time (device settings). When set to Not configured (default), Intune doesn't
change or update this setting. By default, the OS might allow users to configure
device restrictions (such as parental controls or content, and privacy restrictions)
on devices.
This setting was renamed from Enabling restrictions in the device settings. Impact
of this change:
iOS 11.4.1 and older: Yes prevents users from setting their own restrictions in
the device settings. The behavior is the same; and there are no changes for
users.
iOS 12.0 and newer: Yes prevents users from setting their own Screen Time in
the device settings (Settings > General > Screen Time), including content and
privacy restrictions. Devices upgraded to iOS 12.0 won't see the restrictions tab
in the device settings anymore (Settings > General > Device Management >
Management Profile > Restrictions). These settings are in Screen Time.
Block use of erase all content and settings: Yes prevents using the erase all
content and settings option on devices. When set to Not configured (default),
Intune doesn't change or update this setting. By default, the OS might give users
access to these settings.
Block modification of device name: Yes prevents changing the device name
locally. When set to Yes, you can remotely rename a device with a remote device
action. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to change the name of devices.
Block modification of notifications settings: Yes prevents changing the
notification settings. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might allow users to change the device
notification settings.
Block modification of Wallpaper: Yes prevents the wallpaper from being changed.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow users to change the wallpaper on devices.
Block removing apps: Yes prevents removing apps. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to remove apps from devices.
Allow USB accessories while device is locked: Yes lets USB accessories exchange
data with devices that are locked for over an hour. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
not update USB Restricted mode on devices, and USB accessories are blocked from
transferring data from devices if locked for over an hour.
Force automatic date and time: Yes forces supervised devices to set the Date &
Time automatically. The device's time zone is updated when the device has cellular
connections or has Wi-Fi with location services enabled. When set to Not
configured (default), Intune doesn't change or update this setting.
Allow Classroom to lock to an app and lock the device without prompting: Yes
allows teacher to lock apps or lock devices using the Classroom app without
prompting the student. Locking apps means devices can only access teacher
specified apps. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might prevent teachers from locking apps or
devices using the Classroom app without prompting the student.
Block VPN creation: Yes prevents users from creating VPN configuration settings.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might let users create VPNs on devices.
Defer software updates: Enable allows you to delay when software updates are
shown on devices, from 1-90 days. This setting doesn't control when updates are
or aren't installed.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might show software updates on devices as Apple
releases them. For example, if an iOS/iPadOS update gets released by Apple on a
specific date, then that update naturally shows up on devices around the release
date.
Delay visibility of software updates: Enter a value from 1-90 days. When the
delay expires, users get notified to update to the earliest OS version available
when the delay is triggered. Don't set this value to zero (0) days.
For example, if iOS 12.a is available on January 1, and Delay visibility is set to 5
days, then iOS 12.a isn't shown as an available update on user devices. On the
sixth day following the release, that update is available, and users can install it.
Block spell-check: Yes prevents spell checker. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow using spellchecker.
Block keyboard shortcuts: Yes stops users from using keyboard shortcuts. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow using keyboard shortcuts on devices.
Block dictation: Yes stops users from using voice input to enter text. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow users to use dictation input.
Block QuickPath: Yes prevents users from using QuickPath. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow users to use QuickPath, which allows a continuous input on the
device's keyboard. Users can type by swiping across the keys to create words.
Kiosk
Single App Mode (opens Apple's web site) is referred to as Kiosk mode in Intune.
Require Assistive touch: Yes requires the Assistive Touch accessibility setting be on
devices. This feature helps users with on-screen gestures that might be difficult for
them. When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might not run or enable this feature in kiosk mode.
Require invert colors: Yes requires the Invert Colors accessibility setting so users
with visual impairments can change the display screen. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might not run or enable this feature in kiosk mode.
Require mono audio: Yes requires the Mono audio accessibility setting be on
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might not run or enable this feature in kiosk mode.
Require Voice control: Yes enables voice control on devices, and allows users to
fully control the OS using Siri commands. Users can't turn it off. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might disable voice control.
Tip
If you have LOB apps available for your organization, and they're not Voice
Control ready on day 0 when iOS 13.0 releases, then we recommend you
leave this setting as Not configured.
Require VoiceOver: Yes requires the VoiceOver accessibility setting to read text on
the screen out loud. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might not run or enable this feature in
kiosk mode.
Require zoom: Yes requires the zoom setting so users can touch to zoom in on the
screen. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might not run or enable this feature in kiosk mode.
Block auto lock: Yes prevents automatic locking of devices. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might allow this feature.
Block ringer switch: Yes disables the ringer (mute) switch on devices. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow this feature.
Block screen rotation: Yes prevents changing the screen orientation when users
rotate the device. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow this feature.
Block screen sleep button: Yes disables the screen sleep wake button on devices.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow this feature.
Block touch: Yes disables the touchscreen on devices. When set to Not configured
(default), Intune doesn't change or update this setting. By default, the OS might
allow users to use the touchscreen.
Block volume buttons: Yes prevents using the volume buttons on devices. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow the volume buttons.
Allow Assistive touch control: Yes lets users use the assistive touch function. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might disable this feature.
Allow invert colors control: Yes inverts color changes to let users adjust the invert
colors function. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might disable this feature.
Speak on selected text: Yes allows the Speak Selection accessibility settings be on
devices. This feature reads text out loud that users select. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might disable this feature.
Allow Voice Control: Yes allows users to change the state of voice control on their
devices. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might block users from changing the state of voice
control on their devices.
Allow VoiceOver control: Yes allows voiceover changes to let users update the
VoiceOver function, such as how fast on-screen text is read out loud. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might prevent voiceover changes.
Allow zoom control: Yes allows zoom changes by users. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the
OS might prevent zoom changes.
Note
Before you can configure an iOS/iPadOS device for kiosk mode, you must use the
Apple Configurator tool or the Apple Device Enrollment Program to put devices
into supervised mode. See Apple's guide on using the Apple Configurator tool.
If the iOS/iPadOS app you enter is installed after you assign the profile, then the
device doesn't enter kiosk mode until the device is restarted.
Locked Screen Experience
Password
Important
On user-enrolled devices, if you configure any password setting, then the Simple
passwords settings is automatically set to Yes, and a 6 digit PIN is enforced.
For example, you configure the Password expiration setting, and push this policy
to user-enrolled devices. On the devices, the following happens:
Block simple passwords: Yes blocks simple passwords, and requires more complex
passwords. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow simple passwords, such as 0000 and
1234.
Required password type: Enter the required password complexity level your
organization requires. Your options:
Device default
Numeric: Can be alphabetic characters, such as abcdef, and numeric characters,
such as 123456789.
Alphanumeric: Includes uppercase letters, lowercase letters, and numeric
characters.
Note
Minimum password length: Enter the minimum length the password must have,
from 4-16 characters. On user enrolled devices, enter a length between 4 and 6
characters.
Note
For devices that are user enrolled, users can set a PIN greater than 6 digits.
But, no more than 6 digits are enforced on devices. For example, an
administrator sets the minimum length to 8. On user-enrolled devices, users
are only required to set a 6 digit PIN. Intune doesn't force a PIN greater than
6 digits on user-enrolled devices.
Number of sign-in failures before wiping device: Enter the number of failed sign-ins
before the device is wiped, from 2-11. It's not recommended to set this value to
2 or 3. It's common to enter the wrong password. Wiping the device after two or
three incorrect password attempts happens often. It's recommended to set this
value to at least 4.
iOS/iPadOS has built-in security that can impact this setting. For example,
iOS/iPadOS may delay triggering the policy depending on the number of sign-in
failures. It may also consider repeatedly entering the same passcode as one
attempt. Apple's iOS/iPadOS security guide (opens Apple's web site) is a good
resource, and provides more specific details on passcodes.
Maximum minutes after screen lock before password is required1: Enter how
long devices stay idle before users must reenter their password. If the time you
enter is longer than what's currently set on the device, then the device ignores the
time you enter.
Maximum minutes of inactivity until screen locks1: Enter the maximum number of
minutes of inactivity allowed on devices until the screen locks.
iOS/iPadOS options:
Not configured (Default): Intune doesn't change or update this setting.
Immediately: Screen locks after 30 seconds of inactivity.
1: Screen locks after 1 minute of inactivity.
2: Screen locks after 2 minutes of inactivity.
3: Screen locks after 3 minutes of inactivity.
4: Screen locks after 4 minutes of inactivity.
5: Screen locks after 5 minutes of inactivity.
iPadOS options:
Not configured (Default): Intune doesn't change or update this setting.
Immediately: Screen locks after 2 minutes of inactivity.
2: Screen locks after 2 minutes of inactivity.
5: Screen locks after 5 minutes of inactivity.
10: Screen locks after 10 minutes of inactivity.
15: Screen locks after 15 minutes of inactivity.
If a value doesn't apply to iOS and iPadOS, then Apple uses the closest lowest
value. For example, if you enter 4 minutes, then iPadOS devices use 2 minutes. If
you enter 10 minutes, then iOS devices use 5 minutes. This behavior is an Apple
limitation.
Note
The Intune UI for this setting doesn't separate the iOS and iPadOS supported
values. The UI might be updated in a future release.
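The option lists above and the "closest lowest value" rule mean that one value entered in the Intune UI can behave differently on iPhones and iPads. The following added example (not code from the Intune documentation) models that resolution so an administrator can see, before assigning a profile, what a given value actually does on each platform. The supported values and the rounding rule are those stated above; the function names and the IMMEDIATELY sentinel are assumptions made for this example.

```python
# Added example, not code from the Intune documentation. It models how the single
# value an administrator enters for "Maximum minutes of inactivity until screen
# locks" is resolved on iOS versus iPadOS, because the Intune UI offers one list
# for both platforms. The supported values and the "closest lowest value" rule
# are those the article states; function names and the IMMEDIATELY sentinel are
# assumptions made for this example.
from typing import Dict, Optional, Tuple

# Constructed sentinel for the "Immediately" option. The article says it means
# 30 seconds of inactivity on iOS and 2 minutes on iPadOS.
IMMEDIATELY = 0

# Supported values per platform, in minutes, as listed in the article.
PLATFORM_VALUES: Dict[str, Tuple[int, ...]] = {
    "ios": (IMMEDIATELY, 1, 2, 3, 4, 5),
    "ipados": (IMMEDIATELY, 2, 5, 10, 15),
}

# What "Immediately" actually means on each platform, in seconds.
IMMEDIATELY_SECONDS = {"ios": 30, "ipados": 120}


def effective_lock_minutes(platform: str, configured: Optional[int]) -> Optional[int]:
    """Return the inactivity value the platform applies for a configured value.

    None stands for "Not configured": Intune leaves the device setting alone.
    A value the platform doesn't support is replaced by the closest lower
    supported value, which is the Apple behaviour the article describes.
    """
    if configured is None:
        return None
    if configured < 0:
        raise ValueError("inactivity timeout must be 0 (Immediately) or more")
    supported = PLATFORM_VALUES[platform.lower()]
    if configured in supported:
        return configured
    # IMMEDIATELY (0) is always supported, so this max() never sees an empty sequence.
    return max(v for v in supported if v < configured)


def effective_lock_seconds(platform: str, minutes: Optional[int]) -> Optional[int]:
    """Translate an effective value into the real delay before the screen locks."""
    if minutes is None:
        return None
    if minutes == IMMEDIATELY:
        return IMMEDIATELY_SECONDS[platform.lower()]
    return minutes * 60


def audit_inactivity_setting(configured: Optional[int]) -> Dict[str, dict]:
    """Report what one Intune value means on each platform and flag any drift.

    'differs_from_configured' is the check an admin wants before assigning the
    profile: True means that platform silently applies a shorter timeout.
    """
    report = {}
    for platform in PLATFORM_VALUES:
        minutes = effective_lock_minutes(platform, configured)
        report[platform] = {
            "effective_minutes": minutes,
            "effective_seconds": effective_lock_seconds(platform, minutes),
            "differs_from_configured": minutes is not None and minutes != configured,
        }
    return report


if __name__ == "__main__":
    # The two cases the article walks through: 4 minutes and 10 minutes.
    for value in (4, 10, None):
        print(value, audit_inactivity_setting(value))
```

Running the block reproduces the article's two cases: 4 minutes becomes 2 minutes on iPadOS, and 10 minutes becomes 5 minutes on iOS. The audit flag is the useful part: a value that only exists on one platform's list is applied more aggressively on the other, which is usually acceptable for a lock timeout but is worth knowing before users report unexpected lock behaviour.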
Password expiration (days): Enter the number of days before the device password
must be changed, from 1-730.
Block Touch ID and Face ID unlock: Yes prevents using a fingerprint or face to
unlock devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to unlock devices using
biometrics.
Block modification of Touch ID fingerprints and Face ID faces: Yes stops users
from changing, adding, or removing TouchID fingerprints and Face ID. When set
to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow users to update the TouchID fingerprints and Face
ID on devices.
Blocking this setting also stops users from changing, adding, or removing
FaceID authentication.
Block password AutoFill: Yes prevents using the AutoFill Passwords feature.
Choosing Yes also has the following impact:
Users aren't prompted to use a saved password in Safari or in any apps.
Automatic Strong Passwords are disabled, and strong passwords aren't
suggested to users.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow these features.
Block password sharing: Yes prevents sharing passwords between devices using
AirDrop. When set to Not configured (default), Intune doesn't change or update
this setting. By default, the OS might allow passwords to be shared.
Restricted apps
Note
When there's a restricted app on the device, this setting reports as 'Not
compliant'.
Enter the iTunes App store URL of the app you want. For example, to add the
Microsoft Work Folders app, enter https://itunes.apple.com/us/app/work-folders/id950878067?mt=8
or https://apps.apple.com/us/app/work-folders/id950878067?mt=8.
To find the URL of an app, open the iTunes App Store, and search for the app. For
example, search for Microsoft Remote Desktop or Microsoft Word. Select the app,
and copy the URL.
You can also use iTunes to find the app, and then use the Copy Link task to get the
app URL.
Import a CSV file with details about the app, including the URL. Use the <app url>,
<app name>, <app publisher> format. Or, Export an existing list that includes the
restricted apps list in the same format.
Important
Device profiles that use the restricted app settings must be assigned to user
groups, not device groups.
Shared iPad
This feature applies to:
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS allows a Shared iPad user to sign in to the device with
the Guest account. When the user signs out, none of the user's data is saved or
synced to iCloud.
Hidden apps: Enter a list of apps that are hidden from users. Users can't view, or
open these apps.
Apple prevents hiding some native apps. For example, you can't hide the
Settings app on the device. Delete built-in Apple apps lists the apps that can
be hidden.
Visible apps: Enter a list of apps that users can view and launch. No other apps
can be viewed or launched.
App URL: Enter the store app URL of the app you want to show or hide. For
example:
To find the URL of an app, open the iTunes App Store, and search for the app. For
example, search for Microsoft Remote Desktop or Microsoft Word. Select the app,
and copy the URL.
You can also use iTunes to find the app, and then use the Copy Link task to get the
app URL.
App Bundle ID: Enter the app bundle ID of the app you want. You can show or
hide built-in apps and line-of-business apps. Apple's web site has a list of built-in
Apple apps.
App name: Enter the app name of the app you want. You can show or hide built-in
apps and line-of-business apps. Apple's web site has a list of built-in Apple apps.
Import a CSV file with details about the app, including the URL. Use the <app url>,
<app name>, <app publisher> format. Or, Export to create a list of the restricted
apps you added, in the same format.
Tip
You can import a list of preinstalled Apple apps by downloading the Apple
App BundleIDs CSV (opens a Microsoft GitHub site).
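Both the Restricted apps section and the Shared iPad hidden/visible apps section import a CSV in the <app url>, <app name>, <app publisher> format. A malformed row, a link that isn't an App Store URL, or the same app listed twice is easier to catch before the import than after the profile is assigned. The following added example (not code from the Intune documentation) checks a CSV against that format, accepting the two store hostnames shown above and extracting the numeric app id from the URL. The function names, the duplicate check and the sample rows are assumptions made for this example.

```python
# Added example, not code from the Intune documentation. It validates a CSV in
# the "<app url>, <app name>, <app publisher>" format described above before it
# is imported as a restricted-app list or a Shared iPad hidden/visible list.
# The two store hostnames are the ones the article shows; the function names,
# the duplicate check and the sample rows are assumptions made for this example.
import csv
import io
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Both store hostnames the article accepts for an app URL.
STORE_HOSTS = {"itunes.apple.com", "apps.apple.com"}
# The numeric App Store id is the "idNNNNNNNNN" path segment (e.g. id950878067).
APP_ID_RE = re.compile(r"^id(\d+)$")


def app_store_id(url: str) -> Optional[str]:
    """Return the numeric App Store id from a store URL, or None if it isn't one."""
    parts = urlparse(url.strip())
    if parts.scheme != "https" or parts.netloc.lower() not in STORE_HOSTS:
        return None
    for segment in parts.path.split("/"):
        match = APP_ID_RE.match(segment)
        if match:
            return match.group(1)
    return None


def validate_app_list_csv(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse the CSV and return (accepted rows, error messages).

    A row is accepted only if it has exactly three fields, a valid store URL,
    and a non-empty name and publisher. A second row naming an app id already
    accepted is reported, since it adds nothing and often hides a copy-paste slip.
    """
    rows: List[Dict[str, str]] = []
    errors: List[str] = []
    seen: Dict[str, int] = {}  # app id -> line number where first accepted
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in fields):
            continue  # blank line
        if len(fields) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(fields)}")
            continue
        url, name, publisher = (f.strip() for f in fields)
        app_id = app_store_id(url)
        if app_id is None:
            errors.append(f"line {lineno}: not an App Store URL: {url}")
            continue
        if not name or not publisher:
            errors.append(f"line {lineno}: app name and publisher are required")
            continue
        if app_id in seen:
            errors.append(f"line {lineno}: app id {app_id} already listed on line {seen[app_id]}")
            continue
        seen[app_id] = lineno
        rows.append({"url": url, "name": name, "publisher": publisher, "app_id": app_id})
    return rows, errors


# Constructed sample: the Work Folders URLs are the article's; the publisher
# string, the bad link and the short row are made up to exercise each check.
SAMPLE_CSV = """\
https://itunes.apple.com/us/app/work-folders/id950878067?mt=8,Work Folders,Microsoft Corporation
http://example.invalid/app/id123,Not a store link,Example Publisher
https://apps.apple.com/us/app/work-folders/id950878067?mt=8,Work Folders,Microsoft Corporation
https://apps.apple.com/us/app/some-app/id111111111,Some App
"""

if __name__ == "__main__":
    accepted, problems = validate_app_list_csv(SAMPLE_CSV)
    print(accepted)
    print("\n".join(problems))
```

On the constructed sample, only the first row is accepted: the second uses plain http on a non-store host, the third repeats the same app id through the other store hostname, and the fourth is missing its publisher field. Matching on the numeric id rather than the full URL is what makes the duplicate check work across the itunes.apple.com and apps.apple.com forms of the same link.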
Wireless
Important
This setting is treated as a remote device action. So, this setting isn't shown in
the management profile on devices. Every time the data roaming status
changes on the device, Data roaming is blocked by the Intune service. In
Intune, if the reporting status shows a success, then know that it's working,
even though the setting isn't shown in the management profile on the device.
Block global background fetch while roaming: Yes prevents using the global
background fetch feature when roaming over the cellular network. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might allow devices to fetch data, such as email, when it's roaming on a
cellular network.
Block voice dialing while device is locked: Yes prevents using the voice dialing
feature on devices. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow voice dialing on devices.
Block voice roaming: Yes prevents voice roaming over the cellular network. When
set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allow voice roaming when devices are on a cellular network.
Block personal Hotspot: Yes turns off the personal hotspot on devices with every
device sync. This setting might not be compatible with some carriers. When set to
Not configured (default), Intune doesn't change or update this setting. By default,
the OS might keep the personal hotspot configuration as the default set by users.
Important
This setting is treated as a remote device action. So, this setting isn't shown in
the management profile on devices. Every time the personal hotspot status
changes on the device, Personal Hotspot is blocked by the Intune service. In
Intune, if the reporting status shows a success, then know that it's working,
even though the setting isn't shown in the management profile on the device.
Cellular usage rules (managed apps only): Allow defines the data types that
managed apps can use when on cellular networks. When set to Not configured
(default), Intune doesn't change or update this setting. Your options:
Block use of cellular data: Choose the apps that can't use cellular data. Your
options:
Not configured: Intune doesn't change or update this setting.
All managed apps
Choose specific apps: Add the app bundle ID, app name, and publisher.
Block use of cellular data when roaming: Choose the apps that can't use
cellular data when roaming. Your options:
Not configured: Intune doesn't change or update this setting.
All managed apps
Choose specific apps: Add the app bundle ID, app name, and publisher.
Block changes to cellular plan settings: Yes prevents changing any settings in the
cellular plan. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allow users to make changes.
If you set this setting and the Block personal Hotspot setting to Yes, then the
personal hotspot is turned off.
Require joining Wi-Fi networks only using configuration profiles: Yes forces
devices to use only Wi-Fi networks set up through Intune configuration profiles.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow devices to use other Wi-Fi networks.
This setting is available for iOS/iPadOS 14.4 and older devices. On iOS/iPadOS
14.5 and newer devices, use the Require devices to use Wi-Fi networks set up
via configuration profiles setting.
When set to Yes, be sure the device has a Wi-Fi profile. If you don't assign a Wi-Fi
profile, then this setting can prevent devices from connecting to the internet.
For example, if this device restrictions profile is assigned before a Wi-Fi profile,
then the device might be blocked from connecting to the internet.
If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi
profile. Then, set this setting to Yes in a device restrictions profile, and assign
the profile to the device.
Configuring this setting doesn't prevent users from selecting a Wi-Fi network.
Require devices to use Wi-Fi networks set up via configuration profiles: Yes
forces the device to use Wi-Fi networks set up through configuration profiles.
When set to Not configured (default), Intune doesn't change or update this
setting. By default, the OS might allow devices to use other Wi-Fi networks.
On iOS/iPadOS 14.5 and newer devices, use this setting. Don't use the Require
joining Wi-Fi networks only using configuration profiles setting.
When set to Yes, be sure the device has a Wi-Fi profile. If you don't assign a Wi-
Fi profile, then this setting can prevent devices from connecting to the internet.
For example, if this device restrictions profile is assigned before a Wi-Fi profile,
then the device might be blocked from connecting to the internet.
If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi
profile. Then, set this setting to Yes in a device restrictions profile, and assign
the profile to the device.
Kiosk Mode (Single App Mode): Referred to as "app lock" in the Apple developer
documentation.
Disable Activation Lock
Autonomous Single App Mode
Web Content Filter
Set background and lock screen
Silent App Push
Always-On VPN
Allow managed app installation exclusively
iBookstore
iMessages
Game Center
AirDrop
AirPlay
Host pairing
Cloud Sync
Spotlight search
Handoff
Erase device
Restrictions UI
Installation of configuration profiles by UI
News
Keyboard shortcuts
Passcode modifications
Device name changes
Automatic app downloads
Apple Music
Mail Drop
Pair with Apple Watch
Note
You can also restrict device features and settings on macOS devices.
Add e-mail settings for iOS and iPadOS
devices in Microsoft Intune
Article • 02/21/2023
In Microsoft Intune, you can create and configure email to connect to an Exchange
email server, choose how users authenticate, use S/MIME for encryption, and more. The
email profile uses the native or built-in email app on the device, and allows users to
connect to their organization email.
iOS/iPadOS
This article describes all the email settings available for devices running iOS/iPadOS. You
can create a device configuration profile to push or deploy these email settings to your
iOS/iPadOS devices.
Note
These settings are available for all enrollment types. For more information on the
enrollment types, see iOS/iPadOS enrollment.
These settings use the Apple ExchangeActiveSync payload (opens Apple's web
site).
Account name: Enter the display name for the email account. This name is shown
to users on their devices.
Username attribute from AAD: This name is the attribute Intune gets from Azure
Active Directory. Intune dynamically generates the username that's used by this
profile. Your options:
User Principal Name: Gets the name, such as user1 or user1@contoso.com
Primary SMTP address: Gets the name in email address format, such as
user1@contoso.com
sAM Account Name: Requires the domain, such as domain\user1. Also enter:
User domain name source: Choose AAD (Azure Active Directory) or Custom.
Custom: Get the attributes from a custom domain name. Also enter:
Custom domain name to use: Enter a value that Intune uses for the
domain name, such as contoso.com or contoso.
Email address attribute from AAD: Choose how the email address for the user is
generated. Make sure your users have email addresses that match the attribute
you select. Your options:
User principal name: Use the full principal name as the email address, such as
user1@contoso.com or user1.
Primary SMTP address: Use the primary SMTP address to sign in to Exchange,
such as user1@contoso.com.
SSL: Enable uses Secure Sockets Layer (SSL) communication when sending emails,
receiving emails, and communicating with the Exchange server. Despite the name,
this is the TLS-protected HTTPS connection to the Exchange ActiveSync endpoint.
Leave it enabled: without it, the account credentials and the mail itself cross
the network unencrypted.
Note
Confirm your email solution supports OAuth before targeting this profile to
your users. Microsoft 365 Exchange Online supports OAuth. On-premises
Exchange and other partner or third-party solutions may not support OAuth.
On-premises Exchange can be configured for Modern Authentication. For more
information, see Hybrid modern authentication overview and prerequisites for
on-premises Skype for Business and Exchange servers.
If the email profile uses OAuth, and the email service doesn't support it, then the
Re-Enter password option appears broken. For example, nothing happens when
the user selects Re-Enter password in Apple's device settings.
The default action is to add an application using the Application Access Panel
Add App feature without business approval. For more information, see assign
users to applications.
Important
Configuring these settings deploys a new profile to the device, even when an
existing email profile is updated to include these settings. Users are prompted to
enter their Exchange ActiveSync account password. These settings take effect when
the password is entered.
Exchange data to sync: When using Exchange ActiveSync, choose the Exchange
services that are synced on the device: Calendar, Contacts, Reminders, Notes, and
Email. Your options:
All data (default): Sync is enabled for all services.
Email only: Sync is enabled for Email only. Sync is disabled for the other
services.
Calendar only: Sync is enabled for Calendar only. Sync is disabled for the other
services.
Calendar and Contacts only: Sync is enabled for Calendar and Contacts only.
Sync is disabled for the other services.
Contacts only: Sync is enabled for Contacts only. Sync is disabled for the other
services.
Allow users to change sync settings: Choose if users can change the Exchange
ActiveSync settings for the Exchange services on the device: Calendar, Contacts,
Reminders, Notes, and Email. Your options:
Yes (default): Users can change the sync behavior of all services. Choosing Yes
allows changes to all services.
No: Users can't change the sync settings of all the services. Choosing No blocks
changes to all services.
Tip
If you configured the Exchange data to sync setting to sync only some
services, we recommend selecting No for this setting. Choosing No prevents
users from changing the Exchange service that's synced.
Enable S/MIME: Allows users to sign and/or encrypt email in the iOS/iPadOS
native mail application. Also enter:
Allow user to change setting (signing): Enable allows users to change the
signing options. Disable (default) prevents users from changing the signing,
and forces users to use the signing you configured.
Allow user to change setting (signing certificate): Enable allows users to
change the signing certificate. Disable (default) prevents users from changing
the signing certificate, and forces users to use the certificate you configured.
Enable shows the per-message encryption option when creating a new email.
Users can then choose to opt in or opt out of per-message encryption. If the
Encrypt by default setting is also enabled, enabling per-message encryption
allows users to opt out of encryption per message.
Amount of email to synchronize: Choose the number of days of email that you
want to synchronize. Or select Unlimited to synchronize all available email.
Allow email to be sent from third-party applications: Enable (default) allows users
to select this profile as the default account for sending email. It allows third-party
applications to open email in the native email app, such as attaching files to email.
VPN profile for per account VPN: Starting in iOS/iPadOS 14, email traffic for the
native Mail app can be routed through a VPN based on the account the user is
using. When set to None, Intune doesn't enable per-account VPN for this email
profile.
Per-app VPN connections you create are shown in this list. If you select a VPN
profile from the list, any email that's sent to and from this account in the Mail app
uses the VPN tunnel. The per-app VPN connection automatically turns on when
users use their organization account in the Mail app.
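The attribute choices and sync options above decide what actually lands in the Apple ExchangeActiveSync payload. The following Python is an added example, not Intune's own code: it derives the UserName and EmailAddress pair from a constructed directory record using the options listed above (User Principal Name, Primary SMTP address, sAM Account Name with an AAD or custom domain source), maps Exchange data to sync and Allow users to change sync settings onto the payload, and refuses to emit a profile with SSL disabled. The payload key names are the author's recollection of Apple's Configuration Profile Reference and should be checked there; the host, the payload identifier, and the assumption that the AAD domain source uses the UPN suffix are not from the article.

```python
"""Derive the Exchange ActiveSync identity and emit the matching Apple
ExchangeActiveSync payload.  Added example, not Intune's code.  Payload key
names are as recalled from Apple's Configuration Profile Reference (verify
them); the sample directory record below is constructed for the example."""
import plistlib
import uuid

# Constructed sample directory record (not a real tenant).  The primary SMTP
# address differs from the UPN on purpose so the two options are visibly different.
SAMPLE_USER = {
    "userPrincipalName": "user1@contoso.com",
    "mail": "user1.surname@contoso.com",
    "sAMAccountName": "user1",
}

SYNC_SERVICES = ("Mail", "Calendars", "Contacts", "Reminders", "Notes")

# 'Exchange data to sync' option -> services that stay enabled.
SYNC_OPTIONS = {
    "All data": set(SYNC_SERVICES),
    "Email only": {"Mail"},
    "Calendar only": {"Calendars"},
    "Calendar and Contacts only": {"Calendars", "Contacts"},
    "Contacts only": {"Contacts"},
}


def derive_identity(user, username_attr, email_attr,
                    domain_source="AAD", custom_domain=None):
    """Return (UserName, EmailAddress) as the profile would populate them."""
    if username_attr == "User Principal Name":
        username = user["userPrincipalName"]
    elif username_attr == "Primary SMTP address":
        username = user["mail"]
    elif username_attr == "sAM Account Name":
        if domain_source == "Custom":
            if not custom_domain:
                raise ValueError("Custom domain source needs a domain name")
            domain = custom_domain
        else:
            # Assumption: the AAD domain source takes the UPN suffix.
            domain = user["userPrincipalName"].split("@", 1)[1]
        username = f"{domain}\\{user['sAMAccountName']}"      # domain\user1
    else:
        raise ValueError(f"unknown username attribute {username_attr!r}")

    if email_attr == "User principal name":
        email = user["userPrincipalName"]
    elif email_attr == "Primary SMTP address":
        email = user["mail"]
    else:
        raise ValueError(f"unknown email attribute {email_attr!r}")
    return username, email


def build_eas_payload(username, email, host, *, sync="All data",
                      allow_user_change=True, ssl=True, oauth=True,
                      past_days_to_sync=30, smime=False):
    """Build the com.apple.eas.account payload dictionary."""
    if not ssl:
        # Plain HTTP EAS would send credentials and mail in clear text.
        raise ValueError("SSL/TLS must stay enabled for Exchange ActiveSync")
    enabled = SYNC_OPTIONS[sync]
    payload = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.eas",       # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Contoso Mail",           # 'Account name'
        "Host": host,
        "SSL": True,
        "UserName": username,
        "EmailAddress": email,
        "OAuth": oauth,
        "MailNumberOfPastDaysToSync": past_days_to_sync,   # 'Amount of email to synchronize'
        "SMIMEEnabled": smime,
    }
    for service in SYNC_SERVICES:
        payload[f"Enable{service}"] = service in enabled
        # 'Allow users to change sync settings: No' locks every service at once.
        payload[f"Enable{service}UserOverridable"] = allow_user_change
    return payload


def to_mobileconfig(payload):
    """Serialize to the XML plist form that is delivered inside a profile."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def roundtrip(payload):
    """Parse the serialized form back; used to check the payload is a valid plist."""
    return plistlib.loads(to_mobileconfig(payload))


if __name__ == "__main__":
    user, mail = derive_identity(SAMPLE_USER, "sAM Account Name", "Primary SMTP address")
    profile = build_eas_payload(user, mail, "outlook.office365.com",
                                sync="Email only", allow_user_change=False)
    print(to_mobileconfig(profile).decode())
```

Run it to see the XML that an Email only, locked-sync profile produces; the UserName comes out as contoso.com\user1 while the EmailAddress is the primary SMTP address, which is the mismatch the "Make sure your users have email addresses that match the attribute you select" warning is about.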
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and
monitor its status.
Microsoft Intune includes many VPN settings that can be deployed to your iOS/iPadOS
devices. These settings are used to create and configure VPN connections to your
organization's network. This article describes these settings. Some settings are only
available for some VPN clients, such as Citrix, Zscaler, and more.
iOS/iPadOS
Some Microsoft 365 services, such as Outlook, may not perform well using third-
party or partner VPNs. If you're using a third-party or partner VPN, and experience
a latency or performance issue, then remove the VPN.
Note
These settings are available for all enrollment types except user enrollment.
User enrollment is limited to per-app VPN. For more information on the
enrollment types, see iOS/iPadOS enrollment.
The available settings depend on the VPN client you choose. Some settings
are only available for specific VPN clients.
These settings use the Apple VPN payload (opens Apple's web site).
Connection type
Select the VPN connection type from the following list of vendors:
Cisco AnyConnect
F5 Access Legacy
F5 Access
Palo Alto Networks GlobalProtect (legacy): Applies to Palo Alto Networks
GlobalProtect app version 4.1 and earlier.
Palo Alto Networks GlobalProtect: Applies to Palo Alto Networks GlobalProtect
app version 5.0 and later.
Pulse Secure
Cisco (IPSec)
Citrix VPN
Citrix SSO
Zscaler
To use Conditional Access, or allow users to bypass the Zscaler sign-in screen, you
must integrate Zscaler Private Access (ZPA) with your Azure AD account. For
detailed steps, see the Zscaler documentation .
NetMotion Mobility
IKEv2
Important
Plan for change. On April 29, 2022 both the Microsoft Tunnel connection type
and Microsoft Defender for Endpoint as the tunnel client app became generally
available. With this general availability, the use of the Microsoft Tunnel
(standalone client)(preview) connection type and the standalone tunnel client
app are deprecated and soon will drop from support.
On July 29, 2022, the standalone tunnel client app will no longer be
available for download. Only the generally available version of Microsoft
Defender for Endpoint will be available as the tunnel client app.
On August 1, 2022, the Microsoft Tunnel (standalone client) (preview)
connection type will cease to connect to Microsoft Tunnel.
To avoid a disruption in service for Microsoft Tunnel, plan to migrate your use
of the deprecated tunnel client app and connection type to those that are
now generally available.
Microsoft Tunnel
Applies to the Microsoft Defender for Endpoint app that includes Tunnel client
functionality.
Important
On April 29, 2022, this connection type became generally available and
supports Microsoft Defender for Endpoint as a tunnel client app. However, the
connection type continues to reflect preview.
Custom VPN
Note
Cisco, Citrix, F5, and Palo Alto have announced that their legacy clients don't work
on iOS 12 and later. You should migrate to the new apps as soon as possible. For
more information, see the Microsoft Intune Support Team Blog .
Custom domain name (Zscaler only): Prepopulate the Zscaler app's sign-in field
with the domain your users belong to. For example, if a username is
Joe@contoso.net, then the contoso.net domain statically appears in the field when
the app opens. If you don't enter a domain name, then the domain portion of the
UPN in Azure Active Directory (AD) is used.
VPN server address: The IP address or fully qualified domain name (FQDN) of the
VPN server that devices connect with. For example, enter 192.168.1.1 or
vpn.contoso.com.
Organization's cloud name (Zscaler only): Enter the cloud name where your
organization is provisioned. The URL you use to sign in to Zscaler has the name.
Username and password: End users must enter a username and password to
sign in to the VPN server.
Note
If username and password are used as the authentication method for Cisco
IPsec VPN, you must deliver the SharedSecret through a custom Apple
Configurator profile.
Derived credential: Use a certificate that's derived from a user's smart card. If
no derived credential issuer is configured, Intune prompts you to add one. For
more information, see Use derived credentials in Microsoft Intune.
Excluded URLs (Zscaler only): When connected to the Zscaler VPN, the listed URLs
are accessible outside the Zscaler cloud. You can add up to 50 URLs.
Split tunneling: Enable lets the device decide which connection to use,
depending on the traffic; Disable sends all of the device's traffic through the
VPN. For example, with split tunneling enabled, a user in a hotel uses the VPN
connection to access work files, but uses the hotel's standard network for regular
web browsing. That browsing traffic bypasses any inspection or filtering behind
the VPN, so keep split tunneling disabled where the VPN is also your egress control.
VPN identifier (Custom VPN, Zscaler, and Citrix): An identifier for the VPN app
you're using, and is supplied by your VPN provider.
Enter key/value pairs for your organization's custom VPN attributes (Custom
VPN, Zscaler, and Citrix): Add or import Keys and Values that customize your VPN
connection. Remember, these values are typically supplied by your VPN provider.
Enable network access control (NAC) (Cisco AnyConnect, Citrix SSO, F5 Access):
When you choose I agree, the device ID is included in the VPN profile. This ID can
be used for authentication to the VPN to allow or prevent network access.
For the VPN partners that support device ID, the VPN client, such as Citrix SSO, can
get the ID. Then, it can query Intune to confirm the device is enrolled, and if the
VPN profile is compliant or not compliant.
To remove this setting, recreate the profile, and don't select I agree. Then,
reassign the profile.
Enter key and value pairs for the NetMotion Mobility VPN attributes (NetMotion
Mobility only): Enter or import key and value pairs. These values may be supplied
by your VPN provider.
Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN
client connects to the public IP address or FQDN of this site.
IKEv2 settings
These settings apply when you choose Connection type > IKEv2.
Always-on VPN: Enable sets a VPN client to automatically connect and reconnect
to the VPN. Always-on VPN connections stay connected or immediately connect
when the user locks their device, the device restarts, or the wireless network
changes. When set to Disable (default), always-on VPN for all VPN clients is
disabled. When enabled, also configure:
Network interface: All IKEv2 settings only apply to the network interface you
choose. Your options:
Wi-Fi and Cellular (default): The IKEv2 settings apply to the Wi-Fi and cellular
interfaces on the device.
Cellular: The IKEv2 settings only apply to the cellular interface on the device.
Select this option if you're deploying to devices with the Wi-Fi interface
disabled or removed.
Wi-Fi: The IKEv2 settings only apply to the Wi-Fi interface on the device.
User to disable VPN configuration: Enable lets users turn off always-on VPN.
Disable (default) prevents users from turning it off. The default value for this
setting is the most secure option.
Voicemail: Choose what happens with voicemail traffic when always-on VPN is
enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure
option.
Allow network traffic to pass outside VPN
Drop network traffic
AirPrint: Choose what happens with AirPrint traffic when always-on VPN is
enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure
option.
Allow network traffic to pass outside VPN
Drop network traffic
Cellular services: On iOS 13.0+, choose what happens with cellular traffic when
always-on VPN is enabled. Your options:
Force network traffic through VPN (default): This setting is the most secure
option.
Allow network traffic to pass outside VPN
Drop network traffic
Allow traffic from non-native captive networking apps to pass outside VPN: A
captive network refers to Wi-Fi hotspots typically found in restaurants and
hotels. Your options:
No: Forces all Captive Networking (CN) app traffic through the VPN tunnel.
Yes, all apps: Allows all CN app traffic to bypass the VPN.
Yes, specific apps: Add a list of CN apps whose traffic can bypass the VPN.
Enter the bundle identifiers of the CN apps. For example, enter
com.contoso.app.id.package.
Traffic from Captive Websheet app to pass outside VPN: Captive WebSheet is a
built-in web browser that handles captive sign-on. Enable allows the browser
app traffic to bypass the VPN. Disable (default) forces WebSheet traffic to use
the always-on VPN. The default value is the most secure option.
Local identifier: Enter the device FQDN or subject common name of the IKEv2 VPN
client on the device. Or, you can leave this value empty (default). Typically, the local
identifier should match the user or device certificate's identity. The IKEv2 server
may require the values to match so it can validate the client's identity.
Client Authentication type: Choose how the VPN client authenticates to the VPN.
Your options:
User authentication (default): User credentials authenticate to the VPN.
Machine authentication: Device credentials authenticate to the VPN.
Server certificate issuer common name: Allows the VPN server to authenticate to
the VPN client. Enter the certificate issuer common name (CN) of the VPN server
certificate that's sent to the VPN client on the device. Be sure the CN value
matches the configuration on the VPN server. Otherwise, the VPN connection fails.
Server certificate common name: Enter the CN for the certificate itself. If left
blank, the remote identifier value is used.
Dead peer detection rate: Choose how often the VPN client checks if the VPN
tunnel is active. Your options:
Not configured: Uses the iOS/iPadOS system default, which may be the same as
choosing Medium.
None: Disables dead peer detection.
Low: Sends a keepalive message every 30 minutes.
Medium (default): Sends a keepalive message every 10 minutes.
High: Sends a keepalive message every 60 seconds.
TLS version range minimum: Enter the minimum TLS version to use. Enter 1.0,
1.1, or 1.2. If left blank, the default value of 1.0 is used. When using user
TLS version range maximum: Enter the maximum TLS version to use. Enter 1.0,
1.1, or 1.2. If left blank, the default value of 1.2 is used. When using user
TLS 1.0 and 1.1 are deprecated. Set the minimum to 1.2 wherever the VPN server
supports it, so the 1.0 default isn't negotiated.
Perfect forward secrecy: Select Enable to turn on perfect forward secrecy (PFS).
PFS is an IPsec option that runs a fresh key exchange for each security
association, so compromising one session key doesn't expose other sessions.
Disable (default) doesn't use PFS.
Certificate revocation check: Select Enable to make sure the certificates aren't
revoked before allowing the VPN connection to succeed. This check is best-effort
and fails open: if the revocation lookup times out before the certificate is
determined to be revoked, access is granted. Disable (default) doesn't check for
revoked certificates.
Use IPv4/IPv6 internal subnet attributes: Some IKEv2 servers use the
INTERNAL_IP4_SUBNET or INTERNAL_IP6_SUBNET attributes. Enable forces the VPN
connection to use these attributes. Disable (default) doesn't force the VPN
connection to use these subnet attributes.
Mobility and multihoming (MOBIKE): MOBIKE allows VPN clients to change their
IP address without recreating a security association with the VPN server. Enable
(default) turns on MOBIKE, which can improve VPN connections when traveling
between networks. Disable turns off MOBIKE.
Maximum transmission unit: Enter the maximum transmission unit (MTU) in bytes,
from 1-65536. When set to Not configured or left blank, Intune doesn't change or
update this setting. By default, Apple may set this value to 1280.
This setting applies to:
iOS/iPadOS 14 and newer
Lifetime (minutes): Enter how long the security association stays active until the
keys are rotated. Enter a whole value between 10 and 1440 (1440 minutes is 24
hours). Default is 1440.
Also configure:
Diffie-Hellman group: Select the group you want. Default is group 2. Group 2 is
1024-bit MODP, which is below current key-size guidance; choose group 14
(2048-bit) or higher when the VPN server supports it.
Lifetime (minutes): Enter how long the security association stays active until the
keys are rotated. Enter a whole value between 10 and 1440 (1440 minutes is 24
hours). Default is 1440.
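The IKEv2 settings above are pushed to the device as Apple's VPN payload, and several of the documented defaults (DH group 2, TLS minimum 1.0, PFS and revocation checking off) are the weak end of what the payload allows. The following Python is an added example, not Intune's or Apple's code: it builds that payload with the article's defaults as its own defaults, audits a payload for the weak choices, and attaches the on-demand rule described in the Automatic VPN section that follows, in Apple's EvaluateConnection/ConnectIfNeeded form. Payload key names are the author's recollection of Apple's Configuration Profile Reference and should be checked there; the server name, issuing CA name, SSID, internal domain, DNS address and probe URL are assumptions.

```python
"""Build and audit the Apple IKEv2 VPN payload the settings above map to.
Added example, not Intune's or Apple's code.  Key names are as recalled from
Apple's Configuration Profile Reference (verify them); server, CA, SSID,
domains and addresses below are assumed values."""
import plistlib
import uuid

WEAK_DH_GROUPS = {1, 2, 5}          # 768/1024/1536-bit MODP
TLS_ORDER = ("1.0", "1.1", "1.2")


def build_ikev2(server, local_id, *, dh_group=2, tls_min="1.0", tls_max="1.2",
                pfs=False, revocation_check=False, dpd_rate="Medium",
                lifetime_min=1440, mobike=True):
    """Return one com.apple.vpn.managed payload.  The keyword defaults are the
    defaults the article documents, so a call with only the positional
    arguments reproduces an untouched Intune IKEv2 profile."""
    sa = {                                  # used for the IKE SA and the child SA
        "EncryptionAlgorithm": "AES-256",
        "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": dh_group,
        "LifeTimeInMinutes": lifetime_min,
    }
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.vpn.ikev2",   # assumed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Contoso VPN",
        "UserDefinedName": "Contoso VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,                    # 'VPN server address'
            "RemoteIdentifier": server,
            "LocalIdentifier": local_id,                # 'Local identifier'
            "AuthenticationMethod": "Certificate",      # machine authentication
            "ExtendedAuthEnabled": False,
            "ServerCertificateIssuerCommonName": "Contoso Issuing CA",  # assumed
            "DeadPeerDetectionRate": dpd_rate,
            "EnablePFS": pfs,
            "EnableCertificateRevocationCheck": revocation_check,
            "DisableMOBIKE": 0 if mobike else 1,
            "TLSMinimumVersion": tls_min,
            "TLSMaximumVersion": tls_max,
            "IKESecurityAssociationParameters": dict(sa),
            "ChildSecurityAssociationParameters": dict(sa),
        },
    }


def audit_ikev2(payload):
    """List the weak choices in an IKEv2 payload; an empty list means clean."""
    ike = payload["IKEv2"]
    findings = []
    for section in ("IKESecurityAssociationParameters",
                    "ChildSecurityAssociationParameters"):
        group = ike[section]["DiffieHellmanGroup"]
        if group in WEAK_DH_GROUPS:
            findings.append(f"{section}: DH group {group} is weak, use 14 or higher")
    if TLS_ORDER.index(ike["TLSMinimumVersion"]) < TLS_ORDER.index("1.2"):
        findings.append("TLSMinimumVersion below 1.2 permits deprecated TLS")
    if not ike["EnablePFS"]:
        findings.append("EnablePFS off: one compromised key exposes other sessions")
    if not ike["EnableCertificateRevocationCheck"]:
        findings.append("revocation check off: a revoked server certificate is accepted")
    if ike["DeadPeerDetectionRate"] == "None":
        findings.append("dead peer detection disabled: dead tunnels go unnoticed")
    return findings


def add_on_demand(payload, corp_ssids, internal_domains, internal_dns, probe_url):
    """On a corporate SSID drop the tunnel; elsewhere raise it only when a
    listed internal name fails to resolve via the internal DNS servers and the
    probe URL cannot be fetched (the rule the Automatic VPN section describes)."""
    payload["OnDemandEnabled"] = 1
    payload["OnDemandRules"] = [
        {"Action": "Disconnect", "SSIDMatch": list(corp_ssids)},
        {"Action": "EvaluateConnection",            # no match keys: catch-all
         "ActionParameters": [{
             "Domains": list(internal_domains),
             "DomainAction": "ConnectIfNeeded",
             "RequiredDNSServers": list(internal_dns),
             "RequiredURLStringProbe": probe_url,
         }]},
    ]
    return payload


def to_mobileconfig(payload):
    """Serialize to the XML plist form delivered inside a profile."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def roundtrip(payload):
    """Parse the serialized form back, to check the payload is a valid plist."""
    return plistlib.loads(to_mobileconfig(payload))


if __name__ == "__main__":
    for finding in audit_ikev2(build_ikev2("vpn.contoso.com", "device01.contoso.com")):
        print("weak default:", finding)
    hardened = build_ikev2("vpn.contoso.com", "device01.contoso.com", dh_group=14,
                           tls_min="1.2", pfs=True, revocation_check=True)
    add_on_demand(hardened, ["Contoso-Corp"], ["intranet.contoso.com"],
                  ["10.0.0.53"], "https://probe.intranet.contoso.com/")
    print(to_mobileconfig(hardened).decode())
```

Running it prints five findings for the untouched defaults (weak DH group in both security associations, TLS minimum 1.0, PFS off, revocation check off) and none for the hardened profile. The same audit function can be pointed at a .mobileconfig exported from an existing tenant by loading it with plistlib and iterating its PayloadContent entries.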
Automatic VPN
Type of automatic VPN: Select the VPN type you want to configure: On-demand
VPN or per-app VPN:
For example, you can create a condition where the VPN connection is only used
when a device isn't connected to a company Wi-Fi network. Or, if a device can't
access a DNS search domain you enter, then the VPN connection isn't started.
On-demand rules > Add: Select Add to add a rule. If there isn't an existing
VPN connection, then use these settings to create an on-demand rule. If
there's a match to your rule, then the device does the action you select.
I want to do the following: If there's a match between the device value
and your on-demand rule, then select the action you want the device to
do. Your options:
Establish VPN: If there's a match between the device value and your
on-demand rule, then the device connects to the VPN.
Disconnect VPN: If there's a match between the device value and your
on-demand rule, then the VPN connection is disconnected.
When users try to access these domains: Enter one or more DNS
domains, like contoso.com. If users try to connect to a domain in
this list, then the device uses DNS to resolve the domains you
enter. If the domain doesn't resolve, meaning it doesn't have
access to internal resources, then it connects to the VPN on-
demand. If the domain does resolve, meaning it already has
access to internal resources, then it doesn't connect to the VPN.
Note
The idea is the opposite of the first bullet (When users try
to access these domains setting is empty). For instance,
the When users try to access these domains list has
internal DNS servers. A device on an external network
can't route to the internal DNS servers. The name
resolution times out, and the device connects to the VPN
on-demand. Now the internal resources are available.
The idea is that the URL is only accessible on the internal network.
If the URL can be accessed, then a VPN connection isn't needed. If
the URL can't be accessed, then the device is on an external
network, and it connects to the VPN on-demand. Once the VPN
connection is established