Merging changes synced from https://github.com/MicrosoftDocs/memdocs-pr (branch live)

dstrome · dstrome · commit a64632d81a3f · 2022-09-06T17:39:48.000Z
diff --git a/memdocs/intune/apps/app-configuration-policies-use-ios.md b/memdocs/intune/apps/app-configuration-policies-use-ios.md
@@ -225,7 +225,7 @@ Apple's Automated Device Enrollments are not compatible with the app store versi
     - **Use the Company Portal on an Automated Device Enrollment (ADE) device enrolled with user affinity**: 
     
         > [!NOTE]
-        > This process is not needed for iOS/iPadOS devices enrolling with ADE through Setup Assistant with modern authentication. Also, this is not needed for devices enrolling with ADE with user affinity if a VPP token is being used to send the Company Portal app to the device.
+        > When the enrollment profile has **"Install Company Portal"** set to yes, Intune pushes the application configuration policy below automatically as part of the initial enrollment process. This configuration should not be deployed manually to users or devices as this will cause a conflict with the payload already sent during enrollment, resulting on end-users being asked to download a new management profile after signing in to Company Portal (when they shouldn't, because there is a management profile already installed on these devices).
 
         ``` xml
         <dict>
diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md
@@ -273,6 +273,18 @@ You can disable the extension framework, like Coupons, within Edge for iOS and A
 > [!NOTE]
 > Edge for iOS does not support disabling extensions.
 
+#### Control Cookie Mode
+
+You can control whether sites can store cookies for your users within Edge for Android.  To do this, configure the following setting:
+
+|Key |Value |
+|:-----------|:-------------|
+|com.microsoft.intune.mam.managedbrowser.cookieControlsMode |**0** (default) allow cookies <br>**1** block non-Microsoft cookies <br>**2** block non-Microsoft cookies in InPrivate mode <br>**3** block all cookies |
+
+> [!NOTE]
+> Edge for iOS does not support controling cookies.
+
+
 ### Kiosk mode experiences on Android devices
 
 Edge for Android can be enabled as a kiosk app with the following settings:
diff --git a/memdocs/intune/configuration/telecom-expenses-monitor.md b/memdocs/intune/configuration/telecom-expenses-monitor.md
@@ -6,7 +6,7 @@ keywords: Saaswedo
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 06/08/2020
+ms.date: 09/06/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -34,10 +34,12 @@ Using Intune, you can manage telecom expenses from data usage on organization-ow
 
 The integration with Datalert can set, monitor, and enforce roaming and domestic data usage limits. When the limits exceed your thresholds, alerts are automatically triggered. You can also configure the service to apply different actions to users or groups, such as disable roaming or exceed the threshold. The Datalert management console includes reports that show data usage and monitoring information.
 
+> [!IMPORTANT]
+> When you enable integration with Datalert, Intune is allowed to send the Subscriber Number, such as the device's phone number, and Azure AD `DeviceID` to an external third party.  
+
 The following image shows how Intune integrates with Datalert:
 
-> [!div class="mx-imgBorder"]
-> ![Diagram of Intune and Datalert integration](./media/telecom-expenses-monitor/tem-datalert-intune-solution-diagram.png)
+:::image type="content" source="./media/telecom-expenses-monitor/tem-datalert-intune-solution-diagram.png" alt-text="A screenshot that shows the Microsoft Intune and Datalert integration, including blocking and unnblocking data." lightbox="./media/telecom-expenses-monitor/tem-datalert-intune-solution-diagram.png":::
 
 To use the Datalert service with Intune, there are some configuration settings in Datalert and Intune. This article shows you how to:
 
@@ -85,17 +87,15 @@ Intune integrates with the following telecom expense management provider:
 
     The following image shows the green check marks when the connection succeeds:
 
-      > [!div class="mx-imgBorder"]
-      > ![Datalert page showing Intune / Datalert on successful connection.](./media/telecom-expenses-monitor/tem-datalert-connection.png)
+    :::image type="content" source="./media/telecom-expenses-monitor/tem-datalert-connection.png" alt-text="[A screenshot that shows the Datalert page with the Microsoft Intune / Datalert Connection with a successfull status.":::
 
 7. In **Datalert App / ADAL Consent**, set the switch to **On**. On the Microsoft authentication page, select **Accept**.
 
     You're redirected to a Datalert **thank you** page that closes after a few moments. Datalert validates the connection, and shows green check marks next to the items that validated. If validation fails, you see a message in red. Contact Datalert support for help.
 
     The following image shows the green check marks when the connection succeeds:
 
-      > [!div class="mx-imgBorder"]
-      > ![Datalert page showing Datalert App / ADAL Consent on successful connection.](./media/telecom-expenses-monitor/tem-datalert-adal-consent.png)
+    :::image type="content" source="./media/telecom-expenses-monitor/tem-datalert-adal-consent.png" alt-text="[A screenshot that shows the Datalert page with the Datalert App / ADAL Consent status that's successfull." lightbox="./media/telecom-expenses-monitor/tem-datalert-adal-consent.png":::
 
 8. In **MDM Profiles management (optional)**, set the switch to **On**. This setting allows Datalert to read the available profiles in Intune to help you set up policies. 
 
@@ -105,8 +105,7 @@ Intune integrates with the following telecom expense management provider:
 
     The following image shows the green check marks when the connection succeeds:
 
-    > [!div class="mx-imgBorder"]
-    > ![Datalert page showing M D M Profiles management on successful connection.](./media/telecom-expenses-monitor/tem-datalert-mdm-profiles.png)
+    :::image type="content" source="./media/telecom-expenses-monitor/tem-datalert-mdm-profiles.png" alt-text="[A screenshot that shows the Datalert page with the MDM Profiles management status with a successfull connection." lightbox="./media/telecom-expenses-monitor/tem-datalert-mdm-profiles.png":::
 
 ### Step 2: Confirm telecom expense management is active in Intune
 
@@ -116,8 +115,7 @@ After you complete Step 1, your connection is automatically enabled. In Intune,
 
 2. Select **Tenant administration** > **Connectors and tokens** > **Telecom Expense Management**. Look for the **Active** connection status:
 
-    > [!div class="mx-imgBorder"]
-    > ![Intune page showing datalert connection status Active](./media/telecom-expenses-monitor/tem-azure-portal-enable-service.png)
+    :::image type="content" source="./media/telecom-expenses-monitor/tem-azure-portal-enable-service.png" alt-text="[A screenshot that shows Microsoft Intune with a successful and active connection status with Datalert in the Endpoint Manager admin center." lightbox="./media/telecom-expenses-monitor/tem-azure-portal-enable-service.png":::
 
 ### Step 3: Deploy the Datalert app to devices
 
@@ -136,8 +134,7 @@ To create device categories in Intune, see [map devices to groups](../enrollment
 
 These categories are shown to users during enrollment ([enroll Android devices](../enrollment/android-enroll.md)). Depending on the category users choose, the enrolled device is moved to the corresponding device group.
 
-> [!div class="mx-imgBorder"]
-> ![Screenshot of the Corporate device group Dynamic membership rules page.](./media/telecom-expenses-monitor/tem-dynamic-membership-rules.png)
+:::image type="content" source="./media/telecom-expenses-monitor/tem-dynamic-membership-rules.png" alt-text="[A screenshot that shows the Corporate device group Dynamic membership rules page in Microsoft Intune." lightbox="./media/telecom-expenses-monitor/tem-dynamic-membership-rules.png":::
 
 #### Add the Datalert app to Intune
 
@@ -151,13 +148,11 @@ The following steps add the Datalert app. As an example, iOS/iPadOS is used. [Ad
 
 4. Choose the **Datalert** app > **Select**:
 
-    > [!div class="mx-imgBorder"]
-    > ![Add the datalert app from the app store to Intune client apps](./media/telecom-expenses-monitor/tem-select-app-from-apple-app-store.png)
+    :::image type="content" source="./media/telecom-expenses-monitor/tem-select-app-from-apple-app-store.png" alt-text="[A screenshot that shows how to add the Datalert app in Microsoft Intune.":::
 
 5. Enter any additional properties, such as app information and scope tags:
 
-    > [!div class="mx-imgBorder"]
-    > ![Enter the app properties, including the name, description, choose the OS, and more settings to the app in Intune](./media/telecom-expenses-monitor/tem-steps-to-create-the-app.png)
+    :::image type="content" source="./media/telecom-expenses-monitor/tem-steps-to-create-the-app.png" alt-text="[A screenshot that shows how to enter the app properties, including the name, description, choose the OS, and more settings to the app in Microsoft Intune." lightbox="./media/telecom-expenses-monitor/tem-steps-to-create-the-app.png":::
 
 6. Select **OK** > **Add** to save your changes. The Datalert app is shown in the list.
 
@@ -169,17 +164,15 @@ The following steps add the Datalert app. As an example, iOS/iPadOS is used. [Ad
 
     In these steps, you'll choose to make the app installation required or optional for the group. The following example shows the installation as required. When required, users must install the Datalert app after enrolling their device.
 
-    > [!div class="mx-imgBorder"]
-    > ![Screenshot of the Add a policy pane](./media/telecom-expenses-monitor/tem-assign-datalert-app-to-device-group.png)
+    :::image type="content" source="./media/telecom-expenses-monitor/tem-assign-datalert-app-to-device-group.png" alt-text="[A screenshot that shows how to add an app policy in Microsoft Intune." lightbox="./media/telecom-expenses-monitor/tem-assign-datalert-app-to-device-group.png":::
 
 ### Step 4: Add organization phone lines to the Datalert console
 
 Intune and Datalert services are now configured to communicate with each other. Next, add your organization paid phone lines to the Datalert console. Enter thresholds and actions for any cellular or roaming usage violations. You can manually add corporate paid phone lines to the Datalert console, or automatically add them after the device is enrolled in Intune.
 
 To set these items, go to the [Datalert setup for Microsoft Intune](http://www.datalert.fr/microsoft-intune/intune-setup) (opens Datalert's web site). Under the **Settings** tab, follow the steps in the setup wizard.
 
-> [!div class="mx-imgBorder"]
-> ![Screenshot of the wizard for Datalert setup.](./media/telecom-expenses-monitor/tem-add-phone-lines-to-datalert-console.png)
+:::image type="content" source="./media/telecom-expenses-monitor/tem-add-phone-lines-to-datalert-console.png" alt-text="[A screenshot that shows the Datalert website when the Microsoft Intune setup completes." lightbox="./media/telecom-expenses-monitor/tem-add-phone-lines-to-datalert-console.png":::
 
 The Datalert service is now active. It starts monitoring data usage, and disabling cellular and roaming data on devices that exceed the configured usage limits.
 
@@ -205,4 +198,4 @@ For the end-user experience, the following articles may help:
 
 ## Next steps
 
-Data usage reporting is available in Saaswedo's Datalert management console.
+Data usage reporting is available in Saaswedo's Datalert management console.
diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 04/15/2022
+ms.date: 08/24/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -33,9 +33,6 @@ ms.collection:
 
 # Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment
 
-> [!IMPORTANT]
-> Apple recently changed from using the Apple Device Enrollment Program (DEP) to using Apple Automated Device Enrollment (ADE). The Microsoft Intune user interface doesn't currently reflect that change. Currently, you'll still see *Device Enrollment Program* in the Intune portal. Wherever you see references to DEP, Intune now uses Automated Device Enrollment.
-
 You can set up Intune to enroll iOS/iPadOS devices purchased through Apple's [Automated Device Enrollment (ADE)](https://deploy.apple.com). Automated Device Enrollment lets you enroll large numbers of devices without ever touching them. Devices like iPhones, iPads, and MacBooks can be shipped directly to users. When a user turns on the device, Setup Assistant, which includes the typical out-of-box-experience for Apple products, runs with preconfigured settings and the device enrolls into management.
 
 To enable ADE, you use the Intune portal and either the [Apple Business Manager (ABM)](https://business.apple.com/) portal or the [Apple School Manager (ASM)](https://school.apple.com/) portal. In either Apple portal, you need a list of serial numbers or a purchase order so you can assign devices to Intune for management. You create ADE enrollment profiles in Intune. These profiles contain settings that are applied to devices during enrollment. ADE can't be used with a [Device Enrollment Manager](device-enrollment-manager-enroll.md) account.
@@ -45,18 +42,24 @@ To enable ADE, you use the Intune portal and either the [Apple Business Manager
 
 If you experience sync problems during the enrollment process, you can look for solutions at [Troubleshoot iOS/iPadOS device enrollment problems](/troubleshoot/mem/intune/troubleshoot-ios-enrollment-errors#error-messages).
 
-## Automated Device Enrollment and Company Portal
+## Deploy Company Portal app  
+
+> [!IMPORTANT]
+> We don't recommend using the App Store version of the Company Portal app because it isn't compatible with automated device enrollment and doesn't provide the automatic updates and availability like deployment does. 
 
-ADE enrollments aren't compatible with the App Store version of the Company Portal app. You can give users access to the Company Portal app on an ADE device. You might want to provide this access for one of the following reasons:
-- To let users choose which corporate apps they want to use on their devices 
-- To use modern authentication to complete the enrollment process
-- To provide a staged enrollment in which the device is enrolled and receives device policies before users authenticate in Company Portal
+Deploying the Intune Company Portal app through Intune is the best way to provide the app to users and the only way to: 
 
-To enable modern authentication during enrollment, push the app to the device by using **Install Company Portal with VPP** (Volume Purchase Program) in the ADE profile. For more information, see [Automatically enroll iOS/iPadOS devices with Apple's ADE](device-enrollment-program-enroll-ios.md#create-an-apple-enrollment-profile).
+* Enable automatic app updates for Company Portal on ADE devices  
+* Ensure all ADE devices, including already-enrolled ones, receive the app 
 
-To enable the Company Portal to update automatically and provide the Company Portal app on devices already enrolled with ADE, deploy the Company Portal app through Intune as a required VPP app with an [application configuration policy](../apps/app-configuration-policies-use-ios.md#configure-the-company-portal-app-to-support-ios-and-ipados-devices-enrolled-with-automated-device-enrollment) applied. Deploy the Company Portal app in this way to enable Device Staging for devices only without user affinity. With Device Staging, a device is fully enrolled and receives device policies before the addition of a user affinity. Device Staging can also be used to transition a device without user affinity, to a device with user affinity.
+Deploy the app as a required, VPP app [with device licensing](../apps/vpp-apps-ios.md#how-are-purchased-apps-licensed). For information about how to sync, assign, and manage a VPP app, see [assign a volume-purchased app](../apps/vpp-apps-ios.md#assign-a-volume-purchased-app). 
 
-Specifically for the authentication method Setup Assistant with modern authentication, do not separately deploy the Company Portal app as a client app, with or without an app config targeted to it. ADE devices enrolling with Setup Assistant with modern authentication should be excluded from any separate Company Portal targeting in the tenant. The Company Portal is sent as a required app automatically when Setup Assistant with modern authentication is chosen as the authentication method in the assigned enrollment profile. 
+To enable automatic app updates for Company Portal, go to your app token settings in the admin center and change **Automatic app updates** to **Yes**. See [Upload an Apple VPP or Apple Business Manager location token](../apps/vpp-apps-ios.md#upload-an-apple-vpp-or-apple-business-manager-location-token) for the steps to access your token settings. If you don't enable automatic updates, the device user will need to manually check for them on their own.  
+
+*Device staging* is used to transition a device without user affinity, to a device with user affinity. To stage a device, set up VPP deployment as described earlier in this section. Then configure and deploy an [app configuration policy](../apps/app-configuration-policies-use-ios.md#configure-the-company-portal-app-to-support-ios-and-ipados-devices-enrolled-with-automated-device-enrollment). Make sure the policy only targets those ADE devices without user affinity.  
+
+> [!IMPORTANT]
+> During initial enrollment, Intune automatically pushes the app configuration policy settings under [Use the Company Portal on an Automated Device Enrollment (ADE) device enrolled with user affinity](../apps/app-configuration-policies-use-ios.md#configure-the-company-portal-app-to-support-ios-and-ipados-devices-enrolled-with-automated-device-enrollment) when the enrollment profile setting **"Install Company Portal"** is set to yes.  This configuration should not be deployed manually to users because it will cause a conflict with the configuration sent during the initial enrollment. If both are deployed, Intune will incorrectly prompt device users to sign in to Company Portal and download a management profile they've already installed. 
 
 ## What is supervised mode?
 
