Merge pull request #8253 from Erikre/erikre-oob2208-9740832

erikre-oob2208-9740832

Author: Angela Fleischmann

memdocs/intune/apps/app-protection-framework.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 06/10/2022
+ms.date: 08/15/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -129,9 +129,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
 | Simple PIN  | Allow  | iOS/iPadOS, Android  |   |
 | Select Minimum PIN length  | 4  | iOS/iPadOS, Android  |   |
 | Touch ID instead of PIN for access (iOS 8+/iPadOS)  | Allow  | iOS/iPadOS  |   |
-| Fingerprint instead of PIN for access (Android 9.0+)  | Allow  | Android  |   |
-| Override biometrics with PIN after timeout  | Require  | iOS/iPadOS  |   |
-| Override fingerprint with PIN after timeout  | Require  | Android  |   |
+| Override biometrics with PIN after timeout  | Require  | iOS/iPadOS, Android  |   |
 | Timeout (minutes of activity)  | 720  | iOS/iPadOS, Android  |   |
 | Face ID instead of PIN for access (iOS 11+/iPadOS)  | Allow  | iOS/iPadOS  |   |
 | Biometric instead of PIN for access  | Allow  | iOS/iPadOS, Android  |   |
@@ -215,6 +213,8 @@ The policy settings enforced in level 3 include all the policy settings recommen
 |       Select   Minimum PIN length  |          6  |          iOS/iPadOS,   Android  |
 |       PIN reset   after number of days  |          Yes  |          iOS/iPadOS,   Android  |
 |       Number of   days  |          365  |          iOS/iPadOS,   Android  |
+|       Class 3 Biometrics (Android 9.0+)​   |          Require  |          Android  |
+|       Override Biometrics with PIN after biometric updates   |          Require  |          Android  |
 
 #### Conditional launch
 

memdocs/intune/apps/app-protection-policy-settings-android.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 06/10/2022
+ms.date: 08/15/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -120,10 +120,11 @@ For more information, see [Data transfer policy exceptions for apps](app-protect
 |<ol><br>**PIN type** |Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter **or** at least 1 special character. <br><br> Default value = **Numeric**<br><br> **Note:** Special characters allowed include the special characters and symbols on the Android English language keyboard. |
 |<ul><b> **Simple PIN** |Select **Allow** to allow users to use simple PIN sequences like *1234*, *1111*, *abcd* or *aaaa*. Select **Blocks** to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If **Block** is configured, 1235 or 1112 would not be accepted as PIN set by the end user, but 1122 would be allowed. <br><br>Default value = **Allow** <br><br>**Note:** If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter **or** at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number **and** one letter **and** at least one special character in their PIN. </li> |
 |<ul><b> **Select minimum PIN length** |Specify the minimum number of digits in a PIN sequence. <br><br>Default value = **4** |
-|<ul><b> **Fingerprint instead of PIN for access (Android 9.0+)** |Select **Allow** to allow the user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN for app access. <br><br>Default value = **Allow** <br><br>**Note:** This feature supports generic controls for biometric on Android devices. OEM-specific biometric settings, like Samsung Pass, *are not supported.* <br><br>On Android, you can let the user prove their identity by using [Android fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. <br><br> Android personally owned work profile enrolled devices require registering a separate fingerprint for the **Fingerprint instead of PIN for access** policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android personally owned work profile. The separate fingerprint must be registered with the device after the Android personally owned work profile is created by enrolling in the Company Portal. For more information about personally owned work profile fingerprints using Android personally owned work profiles, see [Lock your work profile](https://support.google.com/work/android/answer/7029958). |
-|<ul><b>**Override fingerprint with PIN after timeout** |To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require** |
-|<ul><b><ul><b> **Timeout (minutes of inactivity)** |Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30** |
-|<ul><b>**Biometrics instead of PIN for access** |Select **Allow** to allow the user to use Face Unlock to authenticate users on Android devices. If allowed, Face Unlock is used to access the app on Android 10 or higher devices.    |
+|<ul><b>**Biometrics instead of PIN for access** |Select **Allow** to allow the user to use biometrics to authenticate users on Android devices. If allowed, biometrics is used to access the app on Android 10 or higher devices.    |
+|<ul><b>**Override biometric with PIN after timeout** |To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require** |
+|<ul><b><ul><b> **Timeout (minutes of inactivity)** |Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a biometric. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30** |
+|<ul><b> **Class 3 biometrics (Android 9.0+)** | Select **Require** to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see [Biometrics](https://source.android.com/docs/security/biometric) in Google's documentation.  |
+|<ul><b> **Override biometrics with PIN after biometric updates​** | Select **Require** to override the use of biometrics with PIN when a change in biometrics is detected.<p><p>**NOTE:**<br>Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the `BIOMETRIC_STRONG` constant of the [BiometricManager.Authenticators](https://developer.android.com/reference/android/hardware/biometrics/BiometricManager.Authenticators#BIOMETRIC_STRONG) interface and the `authenticate` method of the [BiometricPrompt](https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt#authenticate(android.hardware.biometrics.BiometricPrompt.CryptoObject,%20android.os.CancellationSignal,%20java.util.concurrent.Executor,%20android.hardware.biometrics.BiometricPrompt.AuthenticationCallback)) class. You may need to contact your device manufacturer to understand the device-specific limitations.  |
 |<ul><b>**PIN reset after number of days** |Select **Yes** to require users to change their app PIN after a set period of time, in days.  <br><br>When set to *Yes*, you then configure the number of days before the PIN reset is required. <br><br> Default value = **No**  |
 |<ul><b><ul><b> **Number of days** |Configure the number of days before the PIN reset is required. <br><br> Default value = **90**  |
 |<ul><b>**Select number of previous PIN values to maintain** |This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining. <br><br> Default value = **0** |

memdocs/intune/fundamentals/whats-new.md

@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 08/03/2022
+ms.date: 08/15/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -59,6 +59,12 @@ You can use RSS to be notified when this page is updated. For more information,
 ### Role-based access control
 ### Scripts
 -->
+## Week of August 15, 2022
+
+### App management
+
+#### Android strong biometric change detection<!-- 9740832 -->
+The Android **Fingerprint instead of PIN for access** setting in Intune, which allows the end-user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN, is being modified. This change will allow you to require end-users to set strong biometrics, as well as require end-users to confirm their app protection policy (APP) PIN if a change in strong biometrics is detected. You can find Android app protection polices in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Apps** > **App protection policies** > **Create policy** > **Android**. For more information, see [Android app protection policy settings in Microsoft Intune](../apps/app-protection-policy-settings-android.md#access-requirements).
 
 ## Week of August 1, 2022