memdocs/configmgr/tenant-attach/deploy-asr-policy.md
Lines changed: 2 additions & 1 deletion
@@ -2,7 +2,7 @@
2
2
title: Tenant attach - Create and deploy Attack surface reduction policies from the admin center (preview)
3
3
titleSuffix: Configuration Manager
4
4
description: "Create and deploy Attack surface reduction policies from the Microsoft Endpoint Manager console and for Configuration Manager collections."
5
-
ms.date: 09/29/2021
5
+
ms.date: 04/25/2022
6
6
ms.topic: conceptual
7
7
ms.prod: configuration-manager
8
8
ms.technology: configmgr-core
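Review bot: the ms.date values in this commit are not aligned across files (04/25/2022 here, 04/15/2022 and 04/13/2022 in the Intune articles further down); if these edits were reviewed as one batch, set the same review date in every touched file so the freshness metadata reflects when the content was actually checked.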
@@ -33,6 +33,7 @@ ms.author: brenduns
33
33
34
34
-**Platform**: Windows 10 and later (ConfigMgr)
35
35
-**Profile**: Choose one of the following profiles:
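Review bot: the hunk header `@@ -33,6 +33,7 @@` declares one added line, but only unchanged context is visible here (the lines beginning with `-**Platform**` and `-**Profile**` carry both line-number columns, so they are markdown bullets, not deletions); the added line has been cut off in this view, and the reviewer should open the full source diff to confirm what content change justifies the ms.date bump in the first hunk.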
memdocs/intune/apps/app-configuration-policies-overview.md
Lines changed: 4 additions & 2 deletions
@@ -8,7 +8,7 @@ keywords:
8
8
author: Erikre
9
9
ms.author: erikre
10
10
manager: dougeby
11
-
ms.date: 02/01/2022
11
+
ms.date: 04/15/2022
12
12
ms.topic: how-to
13
13
ms.service: microsoft-intune
14
14
ms.subservice: apps
@@ -55,7 +55,9 @@ The available configuration parameters and the implementation of the configurati
55
55
>
56
56
> You will only see apps from [Managed Google Play store](https://play.google.com/work), not the [Google Play store](https://play.google.com/store/apps), when using Managed Devices as the Enrollment Type for Android devices.
57
57
58
-
You can assign an app configuration policy to a group of end-users and devices by using a combination of [include and exclude assignments](apps-inc-exl-assignments.md). Once you add an app configuration policy, you can set the assignments for the app configuration policy. When you set the assignments for the policy, you can choose to include and exclude the [groups](../fundamentals/groups-add.md) of end-users for which the policy applies. When you choose to include one or more groups, you can choose to select specific groups to include or select built-in groups. Built-in groups include **All Users**, **All Devices**, and **All Users + All Devices**.
58
+
You can assign an app configuration policy to a group of end-users and devices by using a combination of [include and exclude assignments](apps-inc-exl-assignments.md). As part of the process to add or update an app configuration policy, you can set the assignments for the app configuration policy. When you set the assignments for the policy, you can choose to include and exclude the [groups](../fundamentals/groups-add.md) of end-users for which the policy applies. When you choose to include one or more groups, you can choose to select specific groups to include or select built-in groups. Built-in groups include **All Users**, **All Devices**, and **All Users + All Devices**.
59
+
60
+
The app configuration policy workload provides a list of app configuration policies that have been created for your tenant. This list provides details, such as Name, Platform, Updated, Enrollment type, and Scope Tags. For additional details about a specific app configuration policy, select the policy. On the policy **Overview** pane, you can see specific details, such as the policy status based on device and based on user, as well as whether the policy has been assigned.
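Review bot: in the new paragraph, the column names are cased inconsistently ("Enrollment type" versus "Scope Tags") and are not marked as UI labels, while **Overview** in the same sentence is bolded; use one casing and the article's bold convention for all of them, e.g. **Name**, **Platform**, **Updated**, **Enrollment type**, and **Scope tags**. "policy status based on device and based on user" would also read more clearly as "the policy status per device and per user".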
memdocs/intune/apps/app-protection-framework.md
Lines changed: 1 addition & 1 deletion
@@ -199,7 +199,7 @@ The policy settings enforced in level 3 include all the policy settings recommen
199
199
| Data Transfer | Dialer App URL Scheme |*replace_with_dialer_app_url_scheme*| iOS/iPadOS | On iOS/iPadOS, this value must be replaced with the URL scheme for the custom dialer app being used. If the URL scheme is not known, contact the app developer for more information. For more information on URL schemes, see [Defining a Custom URL Scheme for Your App](https://developer.apple.com/documentation/uikit/inter-process_communication/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app).|
200
200
| Data transfer | Receive data from other apps | Policy managed apps | iOS/iPadOS, Android ||
201
201
| Data transfer | Open data into Org documents | Block | iOS/iPadOS, Android ||
202
-
| Data transfer | Allow users to open data from selected services | OneDrive for Business, SharePoint, Camera| iOS/iPadOS, Android ||
202
+
| Data transfer | Allow users to open data from selected services | OneDrive for Business, SharePoint, Camera, Photo Library | iOS/iPadOS, Android | For related information, see [Android app protection policy settings](..\apps\app-protection-policy-settings-android.md) and [iOS app protection policy settings](..\apps\app-protection-policy-settings-ios.md).|
203
203
| Data transfer | Third-party keyboards | Block | iOS/iPadOS | On iOS/iPadOS, this blocks all third-party keyboards from functioning within the app. |
204
204
| Data transfer | Approved keyboards | Require | Android ||
205
205
| Data transfer | Select keyboards to approve |*add/remove keyboards*| Android | With Android, keyboards must be selected in order to be used based on your deployed Android devices. |
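Review bot: the two relative links added in the notes column use backslashes (`..\apps\app-protection-policy-settings-android.md` and `..\apps\app-protection-policy-settings-ios.md`); markdown and the docs build expect forward slashes, so these should be `../apps/app-protection-policy-settings-android.md` and `../apps/app-protection-policy-settings-ios.md`, or the links will not resolve. Since this table is in the `apps` folder already, `app-protection-policy-settings-android.md` alone would also work.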
memdocs/intune/apps/app-protection-policy-settings-android.md
Lines changed: 3 additions & 3 deletions
@@ -8,7 +8,7 @@ keywords:
8
8
author: Erikre
9
9
ms.author: erikre
10
10
manager: dougeby
11
-
ms.date: 01/21/2022
11
+
ms.date: 04/13/2022
12
12
ms.topic: conceptual
13
13
ms.service: microsoft-intune
14
14
ms.subservice: apps
@@ -54,7 +54,7 @@ There are three categories of policy settings: data protection settings, access
54
54
|<ul><b><ul><b>**Dialer App Name**| When a specific dialer app has been selected, you must provide the name of the dialer app. |**Blank**|
55
55
|**Receive data from other apps**| Specify what apps can transfer data to this app: <ul><li>**Policy managed apps**: Allow transfer only from other policy-managed apps.</li><li>**All apps**: Allow data transfer from any app.</li><li>**None**: Do not allow data transfer from any app, including other policy-managed apps. </li></ul> <p>There are some exempt apps and services from which Intune may allow data transfer. See [Data transfer exemptions](app-protection-policy-settings-android.md#data-transfer-exemptions) for a full list of apps and services. |**All apps**|
56
56
| <ul><b>**Open data into Org documents** | Select **Block** to disable the use of the *Open* option or other options to share data between accounts in this app. Select **Allow** if you want to allow the use of *Open*. <br><br>When set to **Block** you can configure the **Allow user to open data from selected services** to specific which services are allowed for Org data locations.<br><br>**Note:**<ul><li><i>This setting is only configurable when the setting **Receive data from other apps** is set to **Policy managed apps**.</i></li><li><i>This setting will be "Allow" when the setting **Receive data from other apps** is set to **All apps**.</i></li><li><i>This setting will be "Block" with no allowed service locations when the setting **Receive data from other apps** is set to **None**.</i></li><li><i>The following apps support this setting:</i><ul><li><i>OneDrive 6.14.1 or later.</i></li><li><i>Outlook for Android 4.2039.2 or later.</i></li><li><i>Teams for Android 1416/1.0.0.2021173701 or later.</i></li></ul></li></ul> | <br><br> **Allow** |
57
-
| <ul><b><ul><b>**Allow users to open data from selected services**| Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.<br><br>Supported services:<ul><li>OneDrive for Business</li><li>SharePoint Online</li><li>Camera</li></ul>**Note:** Camera does not include Photos or Photo Gallery access.|**All selected**|
57
+
| <ul><b><ul><b>**Allow users to open data from selected services**| Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.<br><br>Supported services:<ul><li>OneDrive for Business</li><li>SharePoint Online</li><li>Camera</li><li>Photo Library</li></ul>**Note:** Camera does not include Photos or Photo Gallery access.|**All selected**|
58
58
|**Restrict cut, copy and paste between other apps**| Specify when cut, copy, and paste actions can be used with this app. Choose from: <ul><li>**Blocked**: Do not allow cut, copy, and paste actions between this app and any other app.</li><li>**Policy managed apps**: Allow cut, copy, and paste actions between this app and other policy-managed apps.</li><li>**Policy managed with paste in**: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.</li><li>**Any app**: No restrictions for cut, copy, and paste to and from this app. |**Any app**|
59
59
| <ul><b>**Cut and copy character limit for any app**| Specify the number of characters that may be cut or copied from org data and accounts. This will allow sharing of the specified number of characters when it would be otherwise blocked by the "Restrict cut, copy, and paste with other apps" setting.<p>Default Value = 0<p>**Note**: Requires Intune Company Portal version 5.0.4364.0 or later. |**0**|
60
60
|**Screen capture and Google Assistant**| Select **Block** to block screen capture and the **Google Assistant** capabilities of the device when using this app. Choosing **Block** will also blur the App-switcher preview image when using this app with a work or school account.|**Block**|
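Review bot: now that **Photo Library** is a selectable service in this row, the retained note "Camera does not include Photos or Photo Gallery access" is ambiguous; make explicit that Photo Library is the separate service an admin must select to allow opening images from the device gallery, so nobody assumes that allowing Camera alone grants gallery access. The stray unclosed `<ul><b><ul><b>` at the start of the cell is also carried over unchanged and should be removed while this row is being edited.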
@@ -155,4 +155,4 @@ By default, several settings are provided with pre-configured values and actions
155
155
| **Min Company Portal version** | By using the **Min Company Portal version**, you can specify a specific minimum defined version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set values to **Block access**, **Wipe data**, and **Warn** as possible actions when each value is not met. The possible formats for this value follows the pattern *[Major].[Minor]*, *[Major].[Minor].[Build]*, or *[Major].[Minor].[Build].[Revision]*. Given that some end users may not prefer a forced update of apps on the spot, the 'warn' option may be ideal when configuring this setting. The Google Play Store does a good job of only sending the delta bytes for app updates, but this can still be a large amount of data that the user may not want to utilize if they are on data at the time of the update. Forcing an update and thereby downloading an updated app could result in unexpected data charges at the time of the update. For more information, see [Android policy settings](app-protection-policies-access-actions.md#android-policy-settings). |
156
156
|**Max Company Portal version age (days)**| You can set a maximum number of days as the age of the Company Portal (CP) version for Android devices. This setting ensures that end users are within a certain range of CP releases (in days). The value must be between 0 and 365 days. When the setting for the devices is not met, the action for this setting is triggered. Actions include **Block access**, **Wipe data**, or **Warn**. For related information, see [Android policy settings](app-protection-policies-access-actions.md#android-policy-settings). |
157
157
|**Max allowed device threat level**| App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either *Secured*, *Low*, *Medium*, or *High*. *Secured* requires no threats on the device and is the most restrictive configurable value, while *High* essentially requires an active Intune-to-MTD connection. *Actions* include: <br><ul><li>**Block access** - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.</li></ul> <ul><li>**Wipe data** - The user account that is associated with the application is wiped from the device.</li></ul>For more information on using this setting, see [Enable the Mobile Threat Defense connector in Intune for unenrolled devices](../protect/mtd-enable-unenrolled-devices.md). |
158
-
|**Require device lock**| This setting determines if the Android device has a device PIN, password, or pattern set but cannot distinguish between the lock options or complexity. If device lock is not enabled on the device, then the App protection policy can take action. There is no value for this setting, but *Actions* include: <br><ul><ul><li>**Warn** - The user sees a notification if a device lock is not enabled. The notification can be dismissed.</li><li>**Block access** - The user will be blocked from access if device lock is not enabled.</li></ul> <ul><li>**Wipe data** - The user account that is associated with the application is wiped from the device.</li></ul> |
158
+
| **Require device lock** | This setting determines whether the Android device has a device PIN that meets the minimum password requirement. The App protection policy can take action if the device lock doesn’t meet the minimum password requirement.<p><p>**Values** include:<br><ul><li>**Low Complexity**</li><li>**Medium Complexity**</li><li>**High Complexity**</li></ul><p>This complexity value is targeted to Android 11+. For devices operating on Android 10 and earlier, setting a complexity value of low, medium, or high will default to the expected behavior for **Low Complexity**. For more information, see Google's developer documentation [getPasswordComplexity](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getPasswordComplexity%28%29), [PASSWORD_COMPLEXITY_LOW](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#PASSWORD_COMPLEXITY_LOW), [PASSWORD_COMPLEXITY_MEDIUM](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#PASSWORD_COMPLEXITY_MEDIUM), and [PASSWORD_COMPLEXITY_HIGH](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#PASSWORD_COMPLEXITY_HIGH).<p>**Actions** include:<br><ul><li>**Warn** - The user sees a notification if the device lock doesn’t meet the minimum password requirement. The notification can be dismissed.</li><li>**Block access** - The user will be blocked from access if the device lock doesn’t meet the minimum password requirement.</li></ul><ul><li>**Wipe data** - The user account that is associated with the application is wiped from the device if the device lock doesn’t meet the minimum password requirement.</li></ul> |
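Review bot: the Android 10 and earlier fallback should state plainly that **Medium Complexity** and **High Complexity** are not enforced beyond the Low level on those devices, and ideally be a separate note, because an admin who selects High for a mixed fleet may otherwise assume uniform enforcement; this is a meaningful change from the old row, which only checked that a lock existed. Also, the **Wipe data** item is still in its own `<ul>` after the `</ul>` that closes **Warn** and **Block**; merge the three actions into one list.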
memdocs/intune/apps/app-protection-policy-settings-ios.md
Lines changed: 1 addition & 1 deletion
@@ -57,7 +57,7 @@ There are three categories of policy settings: *Data relocation*, *Access requir
57
57
|<ul><ul>**Dialer App URL Scheme**| When a specific dialer app has been selected, you must provide the dialer app URL scheme that is used to launch the dialer app on iOS devices. For more information, see Apple's documentation about [Phone Links](https://developer.apple.com/library/archive/featuredarticles/iPhoneURLScheme_Reference/PhoneLinks/PhoneLinks.html#//apple_ref/doc/uid/TP40007899-CH6-SW1). |**Blank**|
58
58
| **Receive data from other apps** | Specify what apps can transfer data to this app: <ul><li>**All apps**: Allow data transfer from any app.</li><li>**None**: Do not allow data transfer from any app, including other policy-managed apps.</li><li>**Policy managed apps**: Allow transfer only from other policy-managed apps.</li><li>**All apps with incoming Org data**: Allow data transfer from any app. Treat all incoming data without a user identity as data from your organization. The data will be marked with the MDM enrolled user's identity as defined by the `IntuneMAMUPN` setting.<p><p>**Note:** _The **All apps with incoming Org data** value is applicable to MDM enrolled devices only. If this setting is targeted to a user on an unenrolled device, the behavior of the **Any apps** value applies._</li></ul> Multi-identity MAM enabled applications will attempt to switch to an unmanaged account when receiving unmanaged data if this setting is configured to **None** or **Policy managed apps**. If there is no unmanaged account signed into the app or the app is unable to switch, the incoming data will be blocked.<br><br> | **All apps** |
59
59
| <ul>**Open data into Org documents** | Select **Block** to disable the use of the *Open* option or other options to share data between accounts in this app. Select **Allow** if you want to allow the use of *Open*. <br><br>When set to **Block** you can configure the **Allow user to open data from selected services** to specific which services are allowed for Org data locations.<br><br>**Note:**<ul><li><i>This setting is only configurable when the setting **Receive data from other apps** is set to **Policy managed apps**.</i></li><li><i>This setting will be "Allow" when the setting **Receive data from other apps** is set to **All apps** or **All apps with incoming Org data**. </i></li><li><i>This setting will be "Block" with no allowed service locations when the setting **Receive data from other apps** is set to **None**.</i></li><li><i>The following apps support this setting:</i><ul><li><i>OneDrive 11.45.3 or later.</i></li><li><i>Outlook for iOS 4.60.0 or later.</i></li><li><i>Teams for iOS 3.17.0 or later.</i></li></ul></li></ul> | **Allow** |
60
-
| <ul><ul>**Allow users to open data from selected services**| Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data from external locations.<br><br>Supported services:<ul><li>OneDrive for Business</li><li>SharePoint Online</li><li>Camera</li></ul> **Note:** Camera does not include Photos or Photo Gallery access. |**All selected**|
60
+
| <ul><ul>**Allow users to open data from selected services**| Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data from external locations.<br><br>Supported services:<ul><li>OneDrive for Business</li><li>SharePoint Online</li><li>Camera</li><li>Photo Library</li></ul> **Note:** Camera does not include Photos or Photo Gallery access. |**All selected**|
61
61
|**Restrict cut, copy and paste between other apps**| Specify when cut, copy, and paste actions can be used with this app. Select from: <ul><li>**Blocked**: Don't allow cut, copy, and paste actions between this app and any other app.</li><li>**Policy managed apps**: Allow cut, copy, and paste actions between this app and other policy-managed apps.</li><li>**Policy managed with paste in**: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.</li><li>**Any app**: No restrictions for cut, copy, and paste to and from this app.</ul> |**Any app**|
62
62
| <ul>**Cut and copy character limit for any app**| Specify the number of characters that may be cut or copied from Org data and accounts. This will allow sharing of the specified number of characters to any application, regardless of the **Restrict cut, copy, and paste with other apps** setting.<p>Default Value = 0<p>**Note**: *Requires app to have Intune SDK version 9.0.14 or later.*|**0**|
63
63
| **Third party keyboards** | Choose **Block** to prevent the use of third-party keyboards in managed applications.<p>When this setting is enabled, the user receives a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled. This setting will affect both the organization and personal accounts of multi-identity applications. This setting does not affect the use of third-party keyboards in unmanaged applications.<p>**Note:** This feature requires the app to use Intune SDK version 12.0.16 or later. Apps with SDK versions from 8.0.14 to, and including, 12.0.15, will not have this feature correctly apply for multi-identity apps. For more details, see [Known issue: Third party keyboards are not blocked in iOS/iPadOS for personal accounts](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Updated-Known-issue-Third-party-keyboards-are-not-blocked-in-iOS/ba-p/339486). | **Allow** |
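Review bot: same point as the Android row: with **Photo Library** now listed under supported services, the unchanged note "Camera does not include Photos or Photo Gallery access" should say that Photo Library is the service that grants gallery access, so the two entries are clearly distinct choices for an admin scoping Org data locations.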