Microsoft Intune: What’s new in May and June release

As usual in this blog, this article will provide an overall overview of the main news released by Microsoft on Intune; the purpose of these articles is to allow those who follow me to stay up to date on these topics and have the necessary references to carry out more in-depth information.

The most important news introduced in the June release is the availability in General Availability of the enrollment scenario corporate-owned devices with work profile; companies will be able to manage and configure corporate accounts, applications and data within the work profile while they will not have visibility of the data and applications within the personal profile.

Figure 1 – Corporate-owned devices with work profile

Another interesting news, released in Public Preview in June, is the ability to manage Azure Virtual Desktop Session Host through Microsoft Intune. Azure Virtual Desktop is Microsoft’s cloud-based solution that provides a real workstation based on Windows 10, allowing access to company data/applications in absolute security and simultaneously (multisession mode); with Microsoft Intune, it will then be possible to manage these types of systems using device-based configuration policies.

In the next paragraphs, as usual, I will summarize the other important news introduced in the last two months.

App Management

Improvements in the application status interface

Within the Home, Dashboard and App Overview sections, the interface has been improved to allow IT Admins to have more information on the status of managed applications and their distribution.

With the introduction of the latest release (2106), Intune displays only the apps that are specific to the platform of the device you’re viewing.

Updated default license type for Apple VPP apps

Starting from the June release, the default for the type of licensing dedicated to Apple VPP apps is “device”; through this type of licensing, users will no longer need to sign-in on the Apple Store in order to install applications.

For more information on the options available based on the type of licensing, you can refer to the following link.

New protected apps

The following protected apps have been added on Microsoft Intune:

  • Secrets Confidential File Viewer (Hitachi Solutions, Ltd.)
  • AventX Mobile Work Orders (STR Software)
  • Slack for Intune (Slack Technologies, Inc.)
  • Dynamics 365 Sales (Microsoft)
  • Leap Work for Intune (LeapXpert Limited)
  • iManage Work 10 For Intune (iManage, LLC)
  • Microsoft Whiteboard Android version (Microsoft)

Device Configuration

New settings for iOS / IPadOS versions 14.5 and later

Starting from release 2105, new settings have been introduced for iOS and iPadOS that can be configured through specific Device Restriction policies (Devices> Configuration profiles> Create profile> iOS / iPadOS for platform> Device restrictions for profile). Here are the new options available:

  • Block Apple Watch auto unlock: if set to Yes, users will not be able to unlock their device through Apple Watch;
  • Allow users to boot devices into recovery mode with unpaired devices: if set to Yes, users will be able to boot their device in recovery mode with an unpaired device;
  • Block Siri for dictation: if set to Yes, it disables connections to servers hosting the Siri service, therefore users will not be able to use this service to dictate text;

Cookie management and cross site tracking on Safari

Through the use of specific Device Restriction policies (Devices> Configuration profiles> Create profile> iOS / iPadOS for platform> Device restrictions for profile> Built-in Apps), it is possible to manage cookies and cross-site tracking on the Safari browser. It is important to underline that, by default, Safari limits the collection of cookies and third-party data.

Device Enrollment

Browser Access option enabled by default during the enrollment of Android devices

With the introduction of the June release, the Browser Access option appears to be active by default during registration in the following Android device modes:

  • Azure AD Shared Dedicated devices
  • Fully managed
  • Corporate-owned with work profile
  • Compliant devices will be able to access Conditional Access protected resources through the browser.

Device Management

New Filters option for app and policy assignment

Another very interesting news released in the 2105 release is the introduction of a new option called Filters. Through the use of this option, it is possible to further restrict the scope of application of a given policy (including Compliance Policies and Settings Catalog) or app, making this process more flexible and granular. For example, you can use the Filters option in the following scenarios:

  • Distribution of a policy on Windows 10 systems categorized as corporate that appear to belong to the Marketing area;
  • Distribution of an iOS / iPadOS application to iPad devices only;
  • Distribution of a policy based on the registration methodology (EnrollmentProfileName) for the following platforms:
    • Windows
    • iOS / iPadOS
    • Android (release 2106)
Figure 2 – Filters option overview

To create a new filter, access one of the following sections:

  • Devices> Filters (preview)> Create
  • Apps> Filters (preview)> Create
  • Tenant administration> Filters (preview)> Create

Speed up the process of applying security updates

In the latest releases, Microsoft has released in public preview the possibility of expedite the process of applying security updates through the application of policies dedicated to Windows Update for Business (Quality updates policy).

When this type of policy is applied, the device will proceed as soon as possible with the download and installation of the security update without waiting for the check-in.

Restart remote action removed for corporate devices

The Restart action have been removed from the remote actions for devices registered in the corporate-owned with work profile. Any Restart action during a multiple selection of devices will be ignored and will be categorized as Not supported.

Offboarding for Tenant Attach devices

Starting with these latest releases, Microsoft has introduced the ability to offboard devices registered in the Tenant Attach mode; to perform this operation, it is necessary to access the Tenant administration> Connectors and tokens> Microsoft Endpoint Configuration Manager section, select the name of the site concerned and select the Delete option.

Monitor and Troubleshooting

Reporting improvements

In the May and June releases, revision and updating activities were carried out on the reporting. In detail:

  • A new report called App Install Status has been introduced which allows you to view the list of applications including version and installation status.
  • A new report called Device Install Status has been introduced which, based on the selected application, allows you to view the list of affected devices and some details such as Platform, Version, Status, last check-in, etc.
  • A new report called User Install Status has been introduced which, based on the selected application, allows you to view the list of interested users and some details such as Name, UPN, Status, etc.
  • The Certificates report has been updated by introducing more details and information.
  • The reporting dedicated to the Settings Catalog has been updated by introducing a section dedicated to the application status of the various settings; through the section By setting status it will therefore be possible to view the number of systems on which the single configuration is applied and to monitor their application status.

It is important to underline that, through the Graph API v1.0, it has been made possible to export the reports on the platform.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: