Intune Service Release 2108

Intune Service release 2108

App management

Device filter evaluation reports now include filter results for assigned apps

If you’re using filters for assigning apps as available, you can now use the filter evaluation report on a device to determine if an app has been made available for install. You can see this report per device, under Devices > All Devices > select a device > Filter evaluation (preview).

• For more information on filters, see Use filters (preview) when assigning your apps, policies, and profiles in Microsoft Endpoint Manager.
• For more information on filter reports, see Filter reports and troubleshooting in Microsoft Endpoint Manager.

Applies to:

• Android device administrator
• Android Enterprise
• iOS/iPadOS
• macOS
• Windows 10 and newer

Additional Android SafetyNet evaluation type support for conditional launch policies

Conditional launch now supports a sub-setting of SafetyNet device attestation. If you select SafetyNet device attestation as required for conditional launch, you can specify that a specific SafetyNet evaluation type is used. This evaluation type is a hardware-backed key. The presence of a hardware-backed key as the evaluation type will indicate greater integrity of a device. Devices that do not support hardware-backed keys will be blocked by the MAM policy if they are targeted with this setting. For more information about SafetyNet evaluation and hardware-backed key support, see Evaluation types in the Android developer documentation. For more information about Android conditional launch settings, see Conditional launch.

Update to Outlook S/MIME settings for iOS and Android devices

You can now enable Outlook S/MIME settings to always sign and/or always encrypt on iOS and Android devices when using the managed apps option. You can find this setting in Microsoft Endpoint Manager admin center when using managed apps by selecting Apps > App configuration policies. In addition, you can add a LDAP (Lightweight Directory Access Protocol) URL for Outlook S/MIME on iOS and Android devices for both managed apps and managed devices. For related information, see App configuration policies for Microsoft Intune.

Scope tags for Managed Google Play apps

Scope tags determine which objects an admin with specific rights can view in Intune. Most newly-created items in Intune take on the scope tags of the creator. This is not the case for Managed Google Play Store apps. You can now optionally assign a scope tag to apply to all newly-synced Managed Google Play apps on the Managed Google Play connector pane. The chosen scope tag will only apply to new Managed Google Play apps, not Managed Google Play apps that have already been approved in the tenant. For related information see Add Managed Google Play apps to Android Enterprise devices with Intune and Use role-based access control (RBAC) and scope tags for distributed IT.

Content of macOS LOB apps will be displayed in Intune

Intune can now display the contents of macOS LOB apps ( .intunemac files) in the console. You can review and edit the app detection details in the Intune console that are captured from the .intunemac file when adding a macOS LOB app. When uploading a PKG file, detection rules will be auto-created. In the Microsoft Endpoint Manager admin center, select Apps > All apps > Add. Continue by selecting the Line-of-business app type and the App package file containing the .intunemac file. For more information, see How to add macOS line-of-business (LOB) apps to Microsoft Intune.

Device configuration

Use filters on DFCI configuration profiles on Windows 10 RS5+ devices

In Endpoint Manager, you can create filters to target devices based on different properties. When you create a Device Firmware Configuration Interface (DFCI) profile, you'll be able to use filters when assigning the profile.

• For more information on filters, see Use filters (preview) when assigning your apps, policies, and profiles.
• For more information on the DFCI profile, see Use Device Firmware Configuration Interface profiles on Windows devices.

Applies to:

• Windows 10 RS5 (1809) and newer on supported UEFI

New Deployment Channel setting for custom device configuration profiles on macOS devices

When creating a custom device restriction policy for macOS devices, there is a new deployment channel setting available (Devices > Configuration profiles > Create profile > macOS for platform > Templates > Custom for profile).

Use the Deployment channel setting to deploy the configuration profile to the user channel or the device channel. If you send the profile to the wrong channel, then deployment can fail. For more information on using a payload in a device profile or a user profile, see Profile-Specific Payload Keys (opens Apple developer website).

For more information about custom macOS profiles in Intune, see Use custom settings for macOS devices.

Applies to:

• macOS

Use Wi-Fi networks set up using configuration profiles setting for iOS/iPadOS 14.5 devices and newer

When creating a device restrictions policy for iOS/iPadOS devices, there's a new setting available (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile):

• Require devices to use Wi-Fi networks set up via configuration profiles: Set to Yes to require devices to only use Wi-Fi networks set up through configuration profiles.

To see the settings you can currently configure, go to iOS and iPadOS device settings to allow or restrict features using Intune.

Applies to:

• iOS/iPadOS 14.5 and newer

New macOS device configuration profile settings, and change to iOS/iPadOS setting name

There are new settings you can configure on macOS 10.13 devices and newer (Devices > Configuration profiles > Create profile > macOS for platform > Templates > Device restrictions for profile type):

• Block adding Game Center friends (App Store, Doc Viewing, Gaming): Prevents users from adding friends to the Game Center.
• Block Game Center (App Store, Doc Viewing, Gaming): Disables the Game Center, and the Game Center icon is removed from the Home screen.
• Block multiplayer gaming in the Game Center (App Store, Doc Viewing, Gaming): Prevents multiplayer gaming when using the Game Center.
• Block modification of wallpaper (General): Prevents the wallpaper from being changed.

To see the settings you can currently configure, go to macOS device settings to allow or restrict features.

Also, the iOS/iPadOS Block Multiplayer Gaming setting name is changing to Block multiplayer gaming in the Game Center (Devices> Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type).

For more information about this setting, go to iOS and iPadOS device settings to allow or restrict features.

Applies to:

• iOS/iPadOS
• macOS 10.13 and newer

More iOS/iPadOS home screen layout grid size options

On iOS/iPadOS devices, you can configure the grid size on the home screen (Devices > Device Configuration > Create profile > iOS/iPadOS for platform > Device features for profile > Home screen layout). For example, you can set the grid size to 4 columns x 5 rows.

The grid size will have more options:

• 4 columns x 5 rows
• 4 columns x 6 rows
• 5 columns x 6 rows

To see the home screen layout settings you can currently configure, go to device settings to use common iOS/iPadOS features in Intune.

Applies to:

• iOS/iPadOS

Add certificate server names to enterprise Wi-Fi profiles on Android Enterprise personally-owned devices with a work profile

On Android devices, you can use certificate-based authentication for Wi-Fi networks on personal devices with a work profile (Devices> Configuration profiles > Create profile > Android Enterprise for platform > Personally-owned work profile > Wi-Fi).

When you use the Enterprise Wi-Fi type, and select the EAP type, there's a new Certificate server names setting. Use this setting to add a list of the certificate server domain names used by your certificate. For example, enter srv.contoso.com.

On Android 11 and newer devices, if you use the Enterprise Wi-Fi type, then you must add the certificate server names. If you don't add the certificate server names, users will have connection issues.

For more information on the Wi-Fi settings you can configure on Android Enterprise devices, see Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune.

Applies to:

• Android Enterprise personally owned devices with work profile

Device enrollment

Modern authentication method with Apple Setup Assistant is out of preview for automated device enrollment

The modern authentication method with Apple Setup Assistant is now out of preview and generally available for use for automated device enrollment.

For information on how to use this authentication method on iOS/iPadOS devices, see Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment.

For information on how to use this authentication method on macOS devices, see Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager.

Device management

Endpoint analytics per device scoring

To help you identify devices that could be impacting user experience, Endpoint analytics shows some scores per device. Reviewing scores per device may help you find and resolve end-user impacting issues before a call is made to the help desk. You'll be able to display and sort by the Endpoint analytics, startup performance, and application reliability scores for each device. For more information, see Per device scores.

Device security

Changes to settings in the settings catalog for Microsoft Defender for Endpoint on macOS

We’ve added eight new settings to manage Microsoft Defender for Endpoint on macOS to the Intune settings catalog.

The new settings are found as follows under the following four categories in the settings catalog. For information about these settings, see Set preferences for Microsoft Defender for Endpoint on macOS in the Microsoft Defender for Endpoint on Macdocumentation.

• Microsoft Defender - Antivirus engine:

  • Disallowed threat actions
  • Exclusions merge
  • Scan history size
  • Scan Results Retention
  • Threat type settings merge

• Microsoft Defender - Cloud delivered protection preferences:

  • Automatic security intelligence updates

• Microsoft Defender - User interface preferences:

  • User initiated feedback

• Microsoft Defender - Network protection - This is a new category for Microsoft Defender for Endpoint in the catalog:

  • Enforcement level

Confirm Tunnel Gateway servers can access your internal network from within the Microsoft Endpoint Manager admin center

We've added the capability to the Microsoft Endpoint Manager admin center to confirm that your Tunnel Gateway servers can access your internal network, without someone having to access the servers directly. To enable this, you'll configure a new option called URL for internal network access check in the properties of each Tunnel Gateway site.

After adding a URL from your internal network to a Tunnel Gateway site, each server in that site periodically attempts to access it, and then reports on the result.

The status for this internal network access check is reported as Internal network accessibility on a server's Health check tab. Status values for this check include:

• Healthy - The server can access the URL specified in the site properties.
• Unhealthy - The server can't access the URL specified in the site properties.
• Unknown - This status appears when you haven't set a URL in the site properties, and doesn't affect the overall status of the site.

Your servers will need to upgrade to the latest version of the Tunnel Gateway server software for this feature to work.

Compliance setting for SafetyNet hardware-backed key attestation for Android Enterprise personally-owned work profile

We’ve added a new device compliance setting for Android Enterprise personally-owned work profile devices, Required SafetyNet evaluation type. This new setting becomes available after you configure SafetyNet device attestation to either Check basic integrity or Check basic integrity & certified devices. The new setting:

Required SafetyNet evaluation type:

• Not configured (defaults to basic evaluation) – This is the setting default.
• Hardware-backed key – Require that hardware-backed key attestation is used for SafetyNet evaluation. Devices that don’t support hardware-backed key attestation are marked as not compliant.

For more information about SafetyNet and which devices support hardware-backed key attestation, see Evaluation types in the SafetyNet documentation for Android.

Intune apps

Newly available protected app for Intune

The following protected app is now available for Microsoft Intune:

• F2 Touch Intune by cBrain A/S

For more information about protected apps, see Microsoft Intune protected apps.

Monitor and troubleshoot

Export GPO XML file size increased to 4 MB when using group policy analytics (preview) on Windows 10 and later devices

In Microsoft Endpoint Manager, you can use group policy analytics (preview) to analyze your on-premises GPOs, and determine how your GPOs translate in the cloud. To use this feature, you export your GPO as an XML file. The XML file size has increased from 750 KB to 4 MB.

For more information on using group policy analytics, see Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Endpoint Manager - Preview.

Applies to:

• Windows 10 and later

Device configuration reporting has been updated

All device configuration and endpoint security profiles are now merged into one report. You can view all the policies applied to your device in the new single report that contains improved data. For instance, you can see the distinction of profile types in the new Policy type field. Also, selecting a policy will provide additional details about settings applied to the device and status of the device. Role-based access control (RBAC) permissions have been applied to filter the list of profiles based on your permissions. In Microsoft Endpoint Manger admin center, you will select Devices > All devices > select a device > Device configuration to see this report when it is available. For more information, see Microsoft Intune reports.

New details for the Intune antivirus reports

We've added two new columns of detail to both the Windows 10 unhealthy endpoints report and the Antivirus agent status report.

The new details include:

• MDE Onboarding status - (HealthState/OnboardingState) Identifies the presence of the Microsoft Defender for Endpoint agent on the device.
• MDE Sense running state - (HealthState/SenseIsRunning) Reports on the operational status of the Microsoft Defender for Endpoint health sensor on a device.

For more information about these settings, see WindowsAdvancedThreatProtection CSP.

Customize health status thresholds for Microsoft Tunnel Gateway servers

You can now customize the thresholds that determine the health status for several metrics of Microsoft Tunnel Gateway.

Health status metrics have default values that determine whether the status reports as healthy, warning, or unhealthy. When you customize a metric, you change the performance requirements for the metrics status. You can customize the following metrics:

• CPU usage
• Memory usage
• Disk space usage
• Latency

When you change a threshold value, the change applies to all Tunnel servers in your tenant. You can also select an option to reset all the metrics o their default value.

After you update the thresholds, the values in the Health check tab automatically update to reflect status based on the updated thresholds.

View health status trends for Microsoft Tunnel Gateway servers

You can view health status trends for several Microsoft Tunnel Gateway health metrics in the form of a chart. The health status trend charts are available for individual servers you select from the Health status page.

The metrics that support trend charts include:

• Connections
• CPU usage
• Disk space usage
• Memory usage
• Average latency
• Throughput

Week of August 16, 2021

App management

Intune Company Portal for macOS devices is now a universal app

When you download Intune Company Portal for macOS devices version 2.18.2107 and later, it installs the new universal version of the app that runs natively on Apple Silicon Macs. The same app will install the x64 version of the app on Intel Mac machines. For related information, see Add the Company Portal for macOS app.

Device configuration

New version of the Certificate Connector for Microsoft Intune

We’ve released a new version of the Certificate Connector for Microsoft Intune, version 6.2108.18.0. This update includes:

• A fix to correctly display the current connector status in Microsoft Endpoint Manager admin center.
• A fix to correctly report on failures to deliver SCEP certificates.

For more information about the certificate connector, including a list of connector releases and updates, see Certificate Connector for Microsoft Intune.

Device management

Adding Windows Hello for Business to Windows 10 Diagnostics

We've added the information from the Operational Event Viewer for Windows Hello for Business to the data that’s collected for Windows 10 device diagnostics. See Data collected.

Week of August 2, 2021

Windows 365 now generally available

Windows 365 is a new service from Microsoft that automatically creates Cloud PCs for your end users. Cloud PCs are a new hybrid personal computing category that use both the power of the cloud and the accessing device to provide a full and personalized Windows virtual machine. Admins can use Microsoft Endpoint Manager to define the configurations and applications that are provisioned for each user’s Cloud PC. End users can access their Cloud PC from any device and any location. Windows 365 stores the end user’s Cloud PC and data in the cloud, not on the device, providing a secure experience.

For more information about Windows 365, see Windows 365.

For documentation on how to manage Windows 365 in your organization, see the Windows 365 documentation.