In this post, you can see all the new items that have been released in the following product areas
– Device Management
– App Management
– Device Configuration
– Device enrollment
– Monitor and Troubleshoot
Trusted Platform Manager (TPM) Version information now on Device Hardware page
You can now see the TPM version number on a device’s hardware page (Microsoft Endpoint Manager admin center > Devices > choose a device > Hardware > look under System enclosure).
Microsoft Endpoint Manager tenant attach: Device sync and device actions
Microsoft Endpoint Manager is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Microsoft Endpoint Manager tenant attach: Device sync and device actions.
Manage S/MIME settings for Outlook on Android Enterprise devices
You can use app configuration policies to manage the S/MIME setting for Outlook on devices that run Android Enterprise. You can also choose whether or not to allow the device users to enable or disable S/MIME in Outlook settings. To use app configuration policies for Android, in the Microsoft Endpoint Manager admin center go to Apps > App configuration policies > Add > Managed devices. For more information about configuring settings for Outlook, see Microsoft Outlook configuration settings.
Pre-release testing for Managed Google Play apps
Organizations that are using Google Play’s closed test tracks for app pre-release testing can manage these tracks with Intune. You can selectively assign apps that are published to Google Play’s pre-production tracks to pilot groups in order to perform testing. In Intune, you can see whether an app has a pre-production build test track published to it, as well as be able to assign that track to AAD user or device groups. This feature is available for all of our currently supported Android Enterprise scenarios (work profile, fully managed, and dedicated). In the Microsoft Endpoint Manager admin center, you can add a Managed Google Play app by selecting Apps > Android > Add. For more information, see Working with Managed Google Play Closed Testing Tracks.
Microsoft Teams is now included in the Office 365 Suite for macOS
Users who are assigned Microsoft Office for macOS in Microsoft Endpoint Manager will now receive Microsoft Teams in addition to the existing Microsoft Office apps (Word, Excel, PowerPoint, Outlook, and OneNote). Intune will recognize the existing Mac devices that have the other Office for macOS apps installed, and will attempt to install Microsoft Teams the next time the device checks in with Intune. In the Microsoft Endpoint Manager admin center, you can find the Office 365 Suite for macOS by selecting Apps > macOS > Add. For more information, see Assign Office 365 to macOS devices with Microsoft Intune.
Update to Android app configuration policies
Android app configuration policies have been updated to allow admins to select the device enrollment type before creating an app config profile. The functionality is being added to account for certificate profiles that are based on enrollment type (Work profile or Device Owner). This update provides the following:
- If a new profile is created and Work Profile and Device Owner Profile are selected for device enrollment type, you will not be able to associate a certificate profile with the app config policy.
- If a new profile is created and Work Profile only is selected, Work Profile certificate policies created under Device Configuration can be utilized.
- If a new profile is created and Device Owner only is selected, Device Owner certificate policies created under Device Configuration can be utilized.
ImportantExisting policies created prior to the release of this feature (April 2020 release – 2004) that do not have any certificate profiles associated with the policy will default to Work Profile and Device Owner Profile for device enrollment type. Also, existing policies created prior to the release of this feature that have certificate profiles associated with them will default to Work Profile only.
Additionally, we are adding Gmail and Nine email configuration profiles that will work for both Work Profile and Device Owner enrollment types, including the use of certificate profiles on both email configuration types. Any Gmail or Nine policies that you have created under Device Configuration for Work Profiles will continue to apply to the device and it is not necessary to move them to app configuration policies.
In the Microsoft Endpoint Manager admin center, you can find app configuration policies by selecting Apps > App configuration policies. For more information about app configuration policies, see App configuration policies for Microsoft Intune.
Push notification when device ownership type is changed
You can configure a push notification to send to both your Android and iOS Company Portal users when their device ownership type has been changed from Personal to Corporate as a privacy courtesy. This push notification is set to off by default. The setting can be found in the Microsoft Endpoint Manager by selecting Tenant administration > Customization. To learn more about how device ownership affects your end-users, see Change device ownership.
Group targeting support for Customization pane
You can target the settings in the Customization pane to user groups. To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center, select Tenant administration > Customization. For more information about customization, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.
Microsoft Office 365 ProPlus rename
Microsoft Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. To learn more, see Name change for Office 365 ProPlus. In our documentation, we’ll commonly refer to it as Microsoft 365 Apps. In the Microsoft Endpoint Manager admin center, you can find the apps suite by selecting Apps > Windows > Add. For information about adding apps, see Add apps to Microsoft Intune.
New shell script settings for macOS devices
When configuring shell scripts for macOS devices, you can now configure the following new settings:
- Hide script notifications on devices
- Script frequency
- Maximum number of times to retry if script fails
For more information, see Use shell scripts on macOS devices in Intune.
Multiple “Evaluate each connection attempt” on-demand VPN rules supported on iOS, iPadOS, and macOS
The Intune user experience allows multiple on-demand VPN rules in the same VPN profile with the Evaluate each connection attempt action (Devices > Configuration profiles > Create profile > iOS/iPadOS or macOS for platform > VPN for profile > Automatic VPN > On-demand).
It only honored the first rule in the list. This behavior is fixed, and Intune evaluates all rules in the list. Each rule is evaluated in the order it appears in the on-demand rules list.
NoteIf you have existing VPN profiles that use these on-demand VPN rules, the fix applies the next time you change the VPN profile. For example, make a minor change, such as change the connection the name, and then save the profile.
If you’re using SCEP certificates for authentication, this change causes the certificates for this VPN profile to be re-issued.
For more information on VPN profiles, see Create VPN profiles.
Additional options in SSO and SSO app extension profiles on iOS/iPadOS devices
On iOS/iPadOS devices, you can:
- In SSO profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile > Single sign-on), set the Kerberos principal name to be the Security Account Manager (SAM) account name in SSO profiles.
- In SSO app extension profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile > Single sign-on app extension), configure the iOS/iPadOS Microsoft Azure AD extension with fewer clicks by using a new SSO app extension type. You can enable the Azure AD extension for devices in shared device mode and send extension-specific data to the extension.
For more information on using single sign-on on iOS/iPadOS devices, see Single sign-on app extension overview and Single sign-on settings list.
Delete Apple Automated Device Enrollment token when default profile is present
Previously, you couldn’t delete a default profile, which meant that you couldn’t delete the Automated Device Enrollment token associated with it. Now, you can delete the token when:
- no devices are assigned to the token
- a default profile is present To do so, delete the default profile and then delete the associated token. For more information, see Delete an ADE token from Intune.
Scaled up support for Apple Automated Device Enrollment and Apple Configurator 2 devices, profiles, and tokens
To help distributed IT departments and organizations, Intune now supports up to 1000 enrollment profiles per token, 2000 Automated Device Enrollment (formerly known as DEP) tokens per Intune account, and 75,000 devices per token. There is no specific limit for devices per enrollment profile, below the maximum number of devices per token.
Intune now supports up to 1000 Apple Configurator 2 profiles.
For more information, see Supported volume.
All devices page column entry changes
On the All devices page, the entries for the Managed by column have changed:
- Intune is now displayed instead of MDM
- Co-managed is now displayed instead of MDM/ConfigMgr Agent
The export values are unchanged.
Monitor and troubleshoot
Collect logs to better troubleshoot scripts assigned to macOS devices
You can now collect logs for improved troubleshooting of scripts assigned to macOS devices. You can collect logs up to 60 MB (compressed) or 25 files, whichever occurs first. For more information, see Troubleshoot macOS shell script policies using log collection.
Derived credentials to provision Android Enterprise Fully Managed devices with certificates
Intune now supports use of derived credentials as an authentication method for Android devices. Derived credentials are an implementation of the National Institute of Standards and Technology (NIST) 800-157 standard for deploying certificates to devices. Our support for Android expands on our support for devices that run iOS/iPadOS.
Derived credentials rely on the use of a Personal Identity Verification (PIV) or Common Access Card (CAC) card, like a smart card. To get a derived credential for their mobile device, users start in the Microsoft Intune app and follow an enrollment workflow that is unique to the provider you use. Common to all providers is the requirement to use a smart card on a computer to authenticate to the derived credential provider. That provider then issues a certificate to the device that’s derived from the user’s smart card.
You can use derived credentials as the authentication method for device configuration profiles for VPN and WiFi. You can also use them for app authentication, and S/MIME signing and encryption for applications that support it.
Intune now supports the following derived credential providers with Android:
- Entrust Datacard
A third provider, DISA Purebred, will be available for Android in a future release.
Microsoft Edge security baseline is now Generally Available
A new version of the Microsoft Edge security baseline is now available, and is released as generally available (GA). The previous Edge baseline was in Preview. The new baseline version ins April 2020 (Edge version 80 and later).
With the release of this new baseline, you’ll no longer be able to create profiles based on the previous baseline versions, but you can continue to use profiles you created with those versions. You can also choose to update your existing profiles to use the latest baseline version.