
Commit ab5af73

Merge branch 'main' into release-intune-2204
2 parents 680d4d3 + bf98b66 commit ab5af73

7 files changed

Lines changed: 60 additions & 51 deletions

memdocs/autopilot/windows-autopilot-hybrid.md

Lines changed: 3 additions & 3 deletions
@@ -155,9 +155,9 @@ If you have a web proxy in your networking environment, ensure that the Intune C
155155

156156
4. If you selected **Dynamic Devices** for the membership type, in the **Group** pane, select **Dynamic device members**.
157157

158-
5. In the **Advanced rule** box, enter one of the following code lines:
158+
5. Select **Edit** in the **Rule syntax** box and enter one of the following code lines:
159159
- To create a group that includes all your Autopilot devices, enter `(device.devicePhysicalIDs -any _ -contains "[ZTDId]")`.
160-
- Intune's Group Tag field maps to the OrderID attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices with a specific Group Tag(OrderID), type: `(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")`
160+
- Intune's Group Tag field maps to the OrderID attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices with a specific Group Tag (OrderID), type: `(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")`.
161161
- To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter `(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")`.
162162

163163
6. Select **Save** > **Create**.
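Review bot: The attribute name is cased two ways within this list: the unchanged line 159 uses `device.devicePhysicalIDs`, while the edited line 160 and line 161 use `device.devicePhysicalIds`. Readers paste these rules verbatim, and the resulting group decides which devices receive the Autopilot profile, so pick one spelling and use it in all three bullets. The example values `179887111881` and `76222342342` would also be clearer as obvious placeholders, so nobody saves a rule that silently matches nothing.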
@@ -250,7 +250,7 @@ It takes about 15 minutes for the device profile status to change from *Not assi
250250
- **Name**: Enter a descriptive name for the new profile.
251251
- **Description**: Enter a description for the profile.
252252
- **Platform**: Select **Windows 10 and later**.
253-
- **Profile type**: Select **Templates**, choose the template name **Domain Join** and select **Create**.
253+
- **Profile type**: Select **Templates**, choose the template name **Domain Join**, and select **Create**.
254254
3. Enter the **Name** and **Description** and select **Next**.
255255
5. Provide a **Computer name prefix** and **Domain name**.
256256
6. (Optional) Provide an **Organizational unit** (OU) in [DN format](/windows/desktop/ad/object-names-and-identities#distinguished-name). Your options include:
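Review bot: The step numbering around the edited line skips a number: line 254 is step 3 and line 255 is step 5, with no step 4 between them. Since this list is already being touched for the comma fix on line 253, renumber the steps so the sequence is continuous.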

memdocs/intune/apps/apps-add.md

Lines changed: 1 addition & 1 deletion
@@ -126,7 +126,7 @@ Intune-managed apps can also enable app protection without requiring enrollment,
126126

127127
### Understanding licensed apps
128128
In addition to understanding web apps, store apps, and LOB apps, you should also be aware of the destination of volume-purchase-program apps and licensed apps, such as:
129-
- **Apple Volume Purchasing Program for Business (iOS)**: The iOS/iPadOS App Store lets you purchase multiple licenses for an app that you want to run in your company. Purchasing multiple copies helps you to efficiently manage apps in your company. For more information, see [Manage iOiOS/iPadOSS volume-purchased apps](vpp-apps-ios.md).
129+
- **Apple Volume Purchasing Program for Business (iOS)**: The iOS/iPadOS App Store lets you purchase multiple licenses for an app that you want to run in your company. Purchasing multiple copies helps you to efficiently manage apps in your company. For more information, see [Manage iOS/iPadOS volume-purchased apps](vpp-apps-ios.md).
130130
- **Android Enterprise fully managed work profile**: How you assign apps to Android Enterprise fully managed work profile devices differs from how you assign them to standard Android devices. All apps you install for Android Enterprise fully managed work profiles come from the Managed Google Play store. You use Intune to browse for the apps you want and approve them. The app then appears in the **Licensed apps** node of the portal, and you can manage assignment of the app as you would any other app.
131131
- **Microsoft Store for Business (Windows 10)**: Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps in the portal. For more information, see [Manage apps from Microsoft Store for Business](windows-store-for-business.md).
132132
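Review bot: The bold label on line 129 still reads "(iOS)" while the sentence and the corrected link text both say iOS/iPadOS. Suggest changing the label to "(iOS/iPadOS)" in the same edit so the bullet is consistent.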

memdocs/intune/developer/app-sdk-ios.md

Lines changed: 8 additions & 0 deletions
@@ -897,6 +897,10 @@ By default, apps are considered single identity. The SDK sets the process identi
897897

898898
The app does not have to call `setUIPolicyIdentity` in response to this call. If the SDK needs the app to switch to an unmanaged user account, the empty string will be passed into the `identitySwitchRequired` call.
899899

900+
* **SDK-initiated identity auto-enroll**:
901+
902+
When the SDK needs to auto-enroll a user in the app to perform an action, apps must implement the `addIdentity:completionHandler:` method in `IntuneMAMPolicyDelegate`. The application must then call the completion handler and pass in IntuneMAMAddIdentityResultSuccess if the app is able to add the identity or IntuneMAMAddIdentityResultFailed otherwise.
903+
900904
* **Selective wipe**:
901905

902906
When the app is selectively wiped, the SDK will call the `wipeDataForAccount` method in `IntuneMAMPolicyDelegate`. The app is responsible for removing the specified user's account and any data associated with it. The SDK is capable of removing all files owned by the user and will do so if the app returns FALSE from the `wipeDataForAccount` call.
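Review bot: On the added line 902, `IntuneMAMAddIdentityResultSuccess` and `IntuneMAMAddIdentityResultFailed` are plain text, while `addIdentity:completionHandler:` and `IntuneMAMPolicyDelegate` on the same line are in code formatting; wrap the two result values in backticks. The paragraph also says the app must call the completion handler but not what the SDK does when Failed is returned or the handler is never called. One sentence on that outcome would help implementers handle the failure path.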
@@ -907,6 +911,10 @@ By default, apps are considered single identity. The SDK sets the process identi
907911

908912
If your app integrates with Siri Intents or makes Siri Intent Donations, please make sure to read the comments for `areSiriIntentsAllowed` in `IntuneMAMPolicy.h` for instructions on supporting this scenario.
909913

914+
## Printing
915+
916+
If your app implements printing and provides a custom print action on a custom menu, be sure to utilize `UIPrintInteractionController.isPrintingAvailable()` to determine if you should add your print action to your custom menu.
917+
910918
## Notifications
911919

912920
If your app receives notifications, please make sure to read the comments for `notificationPolicy` in `IntuneMAMPolicy.h` for instructions on supporting this scenario. It is recommended that apps register for `IntuneMAMPolicyDidChangeNotification` described in `IntuneMAMPolicyManager.h`, and communicate this value to their `UNNotificationServiceExtension` via the keychain.
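Review bot: The new Printing section on line 916 tells the app to check `UIPrintInteractionController.isPrintingAvailable()` but does not say why, unlike the neighboring Siri and Notifications sections, which point to the relevant policy in `IntuneMAMPolicy.h`. Add a sentence stating how this check relates to Intune policy, so developers understand that showing a custom print action unconditionally is what to avoid. The call is also written in Swift syntax while the rest of the page uses Objective-C selectors such as `addIdentity:completionHandler:`, and "use" reads better than "utilize".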

memdocs/intune/protect/conditional-access-assign-jamf.md

Lines changed: 12 additions & 11 deletions
@@ -1,14 +1,14 @@
11
---
22
# required metadata
33

4-
title: Device compliance policy for Jamf devices
4+
title: Use Intune compliance and Azure AD Conditional Access policies with Jamf Pro
55
titleSuffix: Microsoft Intune
6-
description: Use Microsoft Intune compliance policies with Azure Active Directory Conditional Access to help secure Jamf-managed devices.
6+
description: Create Intune compliance policies and Azure AD Conditional Access to help secure Jamf-managed devices.
77
keywords:
88
author: brenduns
99
ms.author: brenduns
1010
manager: dougeby
11-
ms.date: 09/28/2020
11+
ms.date: 04/19/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: protect
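Review bot: The new description on line 6 reads "Create Intune compliance policies and Azure AD Conditional Access to help secure Jamf-managed devices", which drops the noun after "Conditional Access". Suggest "and Azure AD Conditional Access policies", matching the new title on line 4.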
@@ -21,7 +21,7 @@ ms.assetid: c87fd2bd-7f53-4f1b-b985-c34f2d85a7bc
2121
#ROBOTS:
2222
#audience:
2323

24-
ms.reviewer: samyada
24+
ms.reviewer: tycast
2525
ms.suite: ems
2626
search.appverid: MET150
2727
#ms.tgt_pltfrm:
@@ -31,20 +31,21 @@ ms.collection: M365-identity-device-management
3131

3232
# Enforce compliance on Macs managed with Jamf Pro
3333

34-
When you integrate Jamf Pro with Intune, you can use Conditional Access policies to enforce compliance on your Mac devices with your organizational requirements. This article will help you with the following tasks:
34+
After you integrate Jamf Pro with Intune, configure Intune compliance policies and Azure Active Directory (Azure AD) Conditional Access policies to enforce compliance of macOS devices with your organizational requirements.
35+
36+
This article can help you with the following tasks:
3537

3638
- Create Conditional Access policies.
3739
- Configure Jamf Pro to deploy the Intune Company Portal app to devices you manage with Jamf.
3840
- Configure devices to register with Azure AD when the device user signs in to the Company Portal app they start from within the *Jamf Self Service* app. Device registration establishes an identity in Azure AD that allows the device to be evaluated by Conditional Access policies for access to company resources.
3941

40-
Device users first learn about Jamf Pro and Intune integration through either a communication from your IT department about how to register a device, or by discovering the Intune Company Portal app that you deploy through *Jamf Pro Self Service*. After device registration completes, inventory data collected by Jamf Pro for that device is shared with Intune. Information is shared for only those Mac devices that have completed.
41-
42-
The procedures in this article require access to both the Intune and Jamf Pro consoles.
43-
Intune supports two methods to integrate Jamf Pro, which you configure separately from the procedures in this article:
42+
The procedures in this article require access to both the Intune and Jamf Pro consoles. Intune supports two methods to integrate Jamf Pro, which you configure separately from the procedures in this article:
4443

45-
- Recommended: [Use the Jamf Cloud Connector to integrate Jamf Pro with Intune](conditional-access-jamf-cloud-connector.md)
44+
- *Recommended* - [Use the Jamf Cloud Connector to integrate Jamf Pro with Intune](conditional-access-jamf-cloud-connector.md)
4645
- [Manually configure integration of Jamf Pro with Intune](conditional-access-integrate-jamf.md)
4746

47+
After integration is configured, device users learn about Jamf Pro and Intune integration through either a communication from your IT department about how to register a device, or by discovering the Intune Company Portal app that you deploy through *Jamf Pro Self Service*. After device registration completes, inventory data collected by Jamf Pro for that device is shared with Intune. Information is shared for only those Mac devices that have completed.
48+
4849
## Set up device compliance policies in Intune
4950

5051
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
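Review bot: The paragraph moved to line 47 still ends with an incomplete sentence: "Information is shared for only those Mac devices that have completed." It does not say what the devices have completed. This sentence defines which devices have their inventory data shared with Intune, so finish it while the paragraph is being relocated, for example "that have completed registration" if that is the intended meaning.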
@@ -124,7 +125,7 @@ The console displays a message with the success or failure of the connection. Sh
124125

125126
To remove a Jamf-managed device, open the Microsoft Endpoint Manager admin center, and select **Devices** > **All devices**, select the device, and then select **Delete**. Bulk device deletion can be enabled by selecting multiple devices and clicking **Delete**.
126127

127-
Get information on how to [remove a Jamf-managed device in the Jamf Pro docs](https://www.jamf.com/jamf-nation/articles/80/unmanaging-computers-while-preserving-their-inventory-information). You can also file a support ticket with [Jamf support](https://www.jamf.com/support/) for additional help.
128+
Get information on how to [remove a Jamf-managed device in the Jamf Pro docs](https://www.jamf.com/jamf-nation/articles/80/unmanaging-computers-while-preserving-their-inventory-information). You can also file a support ticket with [Jamf support](https://www.jamf.com/support/) for more help.
128129

129130
## Next steps
130131

memdocs/intune/protect/conditional-access-integrate-jamf.md

Lines changed: 15 additions & 15 deletions
@@ -1,14 +1,14 @@
11
---
22
# required metadata
33

4-
title: Integrate Jamf Pro with Microsoft Intune for compliance
4+
title: Manually configure Jamf Pro Integration with Microsoft Intune
55
titleSuffix: Microsoft Intune
6-
description: Use Microsoft Intune compliance policies with Azure Active Directory Conditional Access to help integrate and secure Jamf-managed devices.
6+
description: When you can't use the Jamf Pro Cloud Connector, manually configure integration to support using Intune compliance and Azure AD Conditional Access policies with Jamf-managed devices.
77
keywords:
88
author: brenduns
99
ms.author: brenduns
1010
manager: dougeby
11-
ms.date: 09/24/2020
11+
ms.date: 04/19/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: protect
@@ -21,23 +21,24 @@ ms.assetid: 4b6dcbcc-4661-4463-9a36-698d673502c6
2121
#ROBOTS:
2222
#audience:
2323

24-
ms.reviewer: samyada
24+
ms.reviewer: tycast
2525
ms.suite: ems
2626
search.appverid: MET150
2727
#ms.tgt_pltfrm:
2828
ms.custom: intune-azure
2929
ms.collection: M365-identity-device-management
3030
---
3131

32-
# Integrate Jamf Pro with Intune for compliance
32+
# Manually Integrate Jamf Pro with Intune for compliance
3333

34-
When your organization uses [Jamf Pro](https://www.jamf.com) to manage macOS devices, you can use Microsoft Intune compliance policies with Azure Active Directory (Azure AD) Conditional Access to ensure devices in your organization are compliant before they can access company resources. To integrate Jamf Pro with Intune, you have two options:
34+
Intune supports integrating your Jamf Pro deployment to bring device compliance and Conditional Access policies to your macOS devices. Through integration, you can require that your macOS devices that are managed by Jamf Pro meet your Intune device compliance requirements before those devices are allowed to access your organization's resources. Resource access is controlled by your Azure Active Directory (Azure AD) Conditional Access policies in the same way as for devices managed through Intune.
3535

36-
- **Manually configure integration** - Use the information in this article to manually configure Jamf integration with Intune.
37-
- **Use the Jamf Cloud Connector** (*recommended*) - Use the information in [Use the Jamf Cloud Connector with Microsoft Intune](../protect/conditional-access-jamf-cloud-connector.md) to install the Jamf Cloud Connector to integrate Jamf Pro with Microsoft Intune. The Cloud Connector automates many of the steps that are required when you manually configure integration.
36+
When Jamf Pro integrates with Intune, you can sync the inventory data from macOS devices with Intune, through Azure AD. Intune's compliance engine then analyzes the inventory data to generate a report. Intune's analysis is combined with intelligence about the device user's Azure AD identity to drive enforcement through Conditional Access. Devices that are compliant with the Conditional Access policies can gain access to protected company resources.
3837

38+
This article can help you manually integrate Jamf Pro with Intune.
3939

40-
When Jamf Pro integrates with Intune, you can sync the inventory data from macOS devices with Intune, through Azure AD. Intune's compliance engine then analyzes the inventory data to generate a report. Intune's analysis is combined with intelligence about the device user's Azure AD identity to drive enforcement through Conditional Access. Devices that are compliant with the Conditional Access policies can gain access to protected company resources.
40+
> [!TIP]
41+
> Instead of manually configuring Jamf Pro integration with Intune, we recommend configuring and using the [Jamf Cloud Connector with Microsoft Intune](../protect/conditional-access-jamf-cloud-connector.md). The Cloud Connector automates many of the steps that are required when you manually configure integration.
4142
4243
After you configure integration, you'll then [configure Jamf and Intune to enforce compliance with Conditional Access](conditional-access-assign-jamf.md) on devices managed by Jamf.
4344
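Review bot: Line 36 says "Devices that are compliant with the Conditional Access policies can gain access", which conflicts with the new line 34, where devices must meet Intune device compliance requirements and Conditional Access policies control resource access. Suggest rewording line 36 so that compliance is measured against the compliance policies and Conditional Access is the enforcement step. Separately, the heading on line 32 capitalizes "Integrate" mid-heading; sentence case would match the other headings on the page.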

@@ -56,7 +57,6 @@ You need the following to configure Conditional Access with Jamf Pro:
5657

5758
### Network ports
5859

59-
<!-- source: https://support.microsoft.com/en-us/help/4519171/troubleshoot-problems-when-integrating-jamf-with-microsoft-intune -->
6060
The following ports should be accessible for Jamf and Intune to integrate correctly:
6161

6262
- **Intune**: Port 443
@@ -103,9 +103,9 @@ To connect Intune with Jamf Pro:
103103
104104
6. Select **API permissions** under **Manage**.
105105

106-
7. On the API permissions page, remove all permissions from this app by selecting the **...** icon next to each existing permission. Note that this is required; the integration will not succeed if there are any unexpected extra permissions in this app registration.
106+
7. On the API permissions page, remove all permissions from this app by selecting the **...** icon next to each existing permission. This removal is required; the integration won't succeed if there are any unexpected extra permissions in this app registration.
107107

108-
8. Next, we will add permissions to update device attributes. At the top left of the **API permissions** page, select **Add a permission** to add a new permission.
108+
8. Next, add permissions to update device attributes. At the top left of the **API permissions** page, select **Add a permission** to add a new permission.
109109

110110
9. On the **Request API permissions** page, select **Intune**, and then select **Application permissions**. Select only the check box for **update_device_attributes** and save the new permission.
111111
10. Under **Microsoft Graph**, select **Application permissions**, then select **Application.Read.All**.
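Review bot: Step 7 on line 106 warns that the integration fails with "unexpected extra permissions", but the procedure never states the expected final set. Steps 9 and 10 add `update_device_attributes` and `Application.Read.All`; consider listing the complete expected set after the last permission step, so an admin can verify that the app registration holds exactly those permissions and nothing broader.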
@@ -116,7 +116,7 @@ To connect Intune with Jamf Pro:
116116

117117
13. Select **Add permissions**.
118118

119-
14. Next, grant admin consent for this app by selecting **Grant admin consent for _\<your tenant>_** in the top left of the **API permissions** page. You may need to re-authenticate your account in the new window and grant the application access by following the prompts.
119+
14. Next, grant admin consent for this app by selecting **Grant admin consent for _\<your tenant>_** in the top left of the **API permissions** page. You may need to reauthenticate your account in the new window and grant the application access by following the prompts.
120120

121121
15. Refresh the page by selecting **Refresh** at the top of the page. Confirm that admin consent has been granted for the **update_device_attributes** permission.
122122
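Review bot: Step 15 on line 121 asks the reader to confirm admin consent only for **update_device_attributes**, although step 10 earlier in the procedure also adds **Application.Read.All** under Microsoft Graph. Suggest having step 15 confirm consent for every permission the procedure adds, so a partially consented app registration is caught here rather than when the connection is tested.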

@@ -168,15 +168,15 @@ The app registration process in Azure AD is complete.
168168

169169
4. Select **Save** when you're ready to apply the configuration.
170170

171-
5. To proceed, you will next need to use [Jamf to deploy the Company Portal for Mac](conditional-access-assign-jamf.md#deploy-the-company-portal-app-for-macos-in-jamf-pro) so that users can register their devices to Intune.
171+
5. To proceed, you'll next need to use [Jamf to deploy the Company Portal for Mac](conditional-access-assign-jamf.md#deploy-the-company-portal-app-for-macos-in-jamf-pro) so that users can register their devices to Intune.
172172

173173
## Set up compliance policies and register devices
174174

175175
After you configure integration between Intune and Jamf, you need to [apply compliance policies to Jamf-managed devices](conditional-access-assign-jamf.md).
176176

177177
## Disconnect Jamf Pro and Intune
178178

179-
Should you need to remove integration of Jamf Pro with Intune, use the following steps to remove the connection from within the Jamf Pro console.This information applies to both the a manually configured integration, as well as integration by using the Cloud Connector.
179+
Should you need to remove integration of Jamf Pro with Intune, use the following steps to remove the connection from within the Jamf Pro console. This information applies to both the manually configured integration, and integration by using the Cloud Connector.
180180

181181
1. In Jamf Pro, go to **Global Management** > **Conditional Access**. On the **macOS Intune Integration** tab, select **Edit**.
182182

memdocs/intune/protect/conditional-access-intune-common-ways-use.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ ms.localizationpriority: high
1919
#ROBOTS:
2020
#audience:
2121

22-
#ms.reviewer: tycast
22+
ms.reviewer: tycast
2323
ms.suite: ems
2424
search.appverid: MET150
2525
#ms.tgt_pltfrm:
