Merge pull request #6693 from MicrosoftDocs/main

Publish 02/02/2022 3:30 PM PT

Author: Angela Fleischmann

memdocs/configmgr/core/clients/deploy/deploy-clients-to-windows-computers.md

@@ -339,11 +339,13 @@ Preinstall the Configuration Manager client on a reference computer that you use
 
 2. At a command prompt, type `net stop ccmexec` to stop the SMS Agent Host service (CcmExec.exe) on the reference computer.  
 
-3. Delete the SMSCFG.INI file from the Windows folder on the reference computer.  
+3. Delete the SMSCFG.INI file from the Windows folder on the reference computer.
 
-4. Remove any certificates that are stored in the local computer store on the reference computer. For example, if you use PKI certificates, before you image the computer, remove the certificates in the **Personal** store for **Computer** and **User**.  
+4. Remove the certificates from the local computer's **SMS** certificate store.   
 
-5. If the clients are installed in a different Configuration Manager hierarchy than the hierarchy of the reference computer, remove the trusted root key from the reference computer.  
+5. Remove any other valid client authentication certificates that are stored in the local computer store on the reference computer. For example, if you use PKI certificates, before you image the computer, remove the certificates in the **Personal** store for **Computer** and **User**.  
+
+6. If the clients are installed in a different Configuration Manager hierarchy than the hierarchy of the reference computer, remove the trusted root key from the reference computer.  
 
     > [!NOTE]  
     > If clients can't query Active Directory Domain Services to locate a management point, they use the trusted root key to determine trusted management points. If you deploy all imaged clients in the same hierarchy as that of the master computer, leave the trusted root key in place.

memdocs/intune/apps/app-configuration-policies-managed-app.md

@@ -1,14 +1,14 @@
 ---
 # required metadata
 
-title: Configuration policies for managed apps without device enrollment
+title: Configuration policies for Intune App SDK managed apps
 titleSuffix: Microsoft Intune
-description: Learn how to configure policies for managed apps without device enrollment.
+description: Learn how to configure policies for Intune App SDK managed apps.
 keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 12/16/2021
+ms.date: 01/28/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -29,33 +29,44 @@ ms.custom: intune-azure
 ms.collection: M365-identity-device-management
 ---
 
-# Add app configuration policies for managed apps without device enrollment
+# App configuration policies for Intune App SDK managed apps
 
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
-You can use app configuration policies with managed apps that support the Intune App SDK, even on devices that are not enrolled. 
+The Intune App Software Development Kit (SDK) supports app configuration delivery through the mobile app management (MAM) channel. Within the Intune portal, the MAM channel is referred to as a Managed Apps app configuration policy. The MAM channel is different than the mobile device management (MDM) OS platform channels that are offered when a device is enrolled.
+
+To support app configuration through the MAM channel, the app must be integrated with [Intune App SDK](../developer/app-sdk.md). Line-of-business apps can either integrate the Intune App SDK or use the [Intune App Wrapping Tool](../developer/apps-prepare-mobile-application-management.md). For a comparison between the Intune App SDK and the Intune App Wrapping Tool, see [Prepare line-of-business apps for app protection policies](../developer/apps-prepare-mobile-application-management.md#feature-comparison).
+
+By using the MAM channel, apps can receive app configuration policies regardless of the device enrollment state. For information on which apps support app configuration through the MAM channel, see [Microsoft Intune protected apps](apps-supported-intune-apps.md). Documentation from the app vendor should be reviewed to see what configurations are available and how the configurations influence the behavior of the app.
+
+For more information, see [App configuration policies for Microsoft Intune](app-configuration-policies-overview.md).
+
+[!INCLUDE [android-supported-os](../includes/android-supported-os.md)]
+
+## Add a Managed apps app configuration policy
+
+Use the following steps to create a Managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of users.
 
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Choose the **Apps** > **App configuration policies** > **Add** > **Managed apps**.
 3. On the **Basics** page, set the following details:
     - **Name**: The name of the profile that will appear in the portal.
     - **Description**: The  description of the profile that will appear in the portal.
     - **Device enrollment type**: Managed apps is selected.
-4. Choose either **Select public apps** or **Select custom apps** to choose the app that you are going to configure. Select the app from the list of apps that you have approved and synchronized with Intune.
+4. Choose either **Select public apps** or **Select custom apps** to choose the app that you are going to configure. Select the app from the list of apps that you've approved and synchronized with Intune.
 5. Click **Next** to display the **Settings** page.
 6. The **Settings page** provides options that are displayed based on the app that you're configuring:
 
-    - **General configuration settings** - For each general configuration setting that the app supports, type the **Name** and **Value**. 
- 
-        Intune App SDK-enabled apps support configurations in key/value pairs. To learn more about which key-value configurations are supported, consult the documentation for each app. Note that you can use tokens that will be dynamically populated with data generated by the application. To delete a general configuration setting, choose the ellipsis (**…**) and select **Delete**. For more information, see [Configuration values for using tokens](app-configuration-policies-managed-app.md#configuration-values-for-using-tokens). 
+    - **General configuration settings** - For each general configuration setting that the app supports, type the **Name** and **Value**.
+
+        Intune App SDK-enabled apps support configurations in key/value pairs. To learn more about which key-value configurations are supported, consult the documentation for each app. Note that you can use tokens that will be dynamically populated with data generated by the application. To delete a general configuration setting, choose the ellipsis (**…**) and select **Delete**. For more information, see [Configuration values for using tokens](app-configuration-policies-managed-app.md#configuration-values-for-using-tokens).
+
+    For information about app configuration settings for specific Microsoft apps, see:
 
-    - **Outlook configuration settings** - Outlook for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings. For more information, see [Outlook for iOS and Android - General app configuration scenarios](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#general-app-configuration-scenarios).
-   
-    - **S/MIME** - Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification that allows users to send and receive digitally signed and encrypted emails.
-        - **Enable S/MIME** - Specify whether or not S/MIME controls are enabled when composing an email. Default value: **Not configured**.
-        - **Allow user to change setting** - Specify if the user is allowed to change the setting. S/MIME must be enabled. Default value: **Yes**.
-        
-    For information about Outlook app configuration policy settings, see [Deploying Outlook for iOS and Android app configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune).
+    - [Manage web access by using Edge for iOS and Android with Microsoft Intune](manage-microsoft-edge.md)
+    - [Manage collaboration experiences in Office for iOS and Android with Microsoft Intune](manage-microsoft-office.md)
+    - [Deploying Outlook for iOS and Android app configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune)
+    - [Manage collaboration experiences in Teams for iOS and Android with Microsoft Intune](manage-microsoft-teams.md)
 
 7. Click **Next** to display the **Assignments** page.
 8. Click **Select groups to include**.
@@ -73,7 +84,7 @@ You can use app configuration policies with managed apps that support the Intune
 
 Intune can generate certain tokens and send them to the managed application. For example, if your app configuration can use an email setting, you can add a dynamic email by using a token. Type the name expected by the app in the **Name** field, and then type `{{mail}}` in the **Value** field.
 
-Intune supports the following token types in the configuration settings. Other custom key/value pairs are not supported.
+Intune supports the following token types in the configuration settings. Other custom key/value pairs aren't supported.
 
 - \{\{userprincipalname\}\}—for example, [email protected]
 - \{\{mail\}\}—for example, [email protected]