Commit bb4265b

Merge pull request #6203 from MicrosoftDocs/main
11/23/2021 AM Publish
2 parents 2d2d5d0 + c795fe9 commit bb4265b

8 files changed

Lines changed: 17 additions & 13 deletions

memdocs/intune/apps/app-protection-framework.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ keywords:
88
author: Erikre
99
ms.author: erikre
1010
manager: dougeby
11-
ms.date: 10/05/2021
11+
ms.date: 11/16/2021
1212
ms.topic: conceptual
1313
ms.service: microsoft-intune
1414
ms.subservice: apps
@@ -218,7 +218,6 @@ The policy settings enforced in level 3 include all the policy settings recommen
218218

219219
| Setting | Setting description | Value / Action | Platform | Notes |
220220
|----------------------------|--------------------------------------|-------------------|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
221-
| Device conditions | Min OS version | *Format: Major.Minor<br> Example: 9.0* / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. See [Android Enterprise Recommended requirements](https://www.android.com/enterprise/recommended/requirements/) for Android's latest recommendations |
222221
| Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android | |
223222
| Device conditions | Max allowed threat level | Secured / Block access | iOS/iPadOS, Android | <p>Unenrolled devices can be inspected for threats using Mobile Threat Defense. For more information, see [Mobile Threat Defense for unenrolled devices](../protect/mtd-enable-unenrolled-devices.md). </p><p> If the device is enrolled, this setting can be skipped in favor of deploying Mobile Threat Defense for enrolled devices. For more information, see [Mobile Threat Defense for enrolled devices](../protect/mtd-device-compliance-policy-create.md).</p> |
224223
| Device conditions | Max OS version | *Format: Major.Minor<br> Example: 11.0* / Block access | Android | Microsoft recommends configuring the maximum Android major version to ensure beta or unsupported versions of the operating system are not used. See [Android Enterprise Recommended requirements](https://www.android.com/enterprise/recommended/requirements/) for Android's latest recommendations |
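Review bot: Removing the Android `Min OS version` row (old line 221) leaves the visible level 3 rows with a `Max OS version` ceiling for Android but no floor. The truncated intro in the hunk header indicates level 3 builds on the settings of an earlier level; if the minimum version is meant to be inherited from there, add a short note under the table saying so, otherwise an admin configuring level 3 from this table alone ends up with no minimum Android version check.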

memdocs/intune/apps/app-protection-policies-monitor.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ There are three different places to monitor app protection policies:
3939
- Detailed view
4040
- Reporting view
4141

42-
The retention period for app protection data is 90 days. Any app instances that have checked in to the Intune service within the past 90 days is included in the app protection status report. An *app instance* is a unique user + app + device.
42+
App protection data is retained for a minimum of 90 days. Any app instances that have checked in to the Intune service within the past 90 days is included in the app protection status report. An *app instance* is a unique user + app + device.
4343

4444
> [!NOTE]
4545
> For more information, see [How to create and assign app protection policies](app-protection-policies.md).
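Review bot: The new line 42 says data is retained for "a minimum of 90 days" while the next sentence still scopes the status report to check-ins "within the past 90 days", so it is unclear whether data kept longer than 90 days can ever appear in the report. State the report window separately from the retention floor, and fix the agreement error carried over from the old text: "Any app instances ... are included".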
@@ -181,4 +181,4 @@ Follow these steps to generate App Protection .csv file or App Configuration .cs
181181
## See also
182182
- [Manage data transfer between iOS/iPadOS apps](data-transfer-between-apps-manage-ios.md)
183183
- [What to expect when your Android app is managed by app protection policies](../fundamentals/end-user-mam-apps-android.md)
184-
- [What to expect when your iOS/iPadOS app is managed by app protection policies](../fundamentals/end-user-mam-apps-ios.md)
184+
- [What to expect when your iOS/iPadOS app is managed by app protection policies](../fundamentals/end-user-mam-apps-ios.md)

memdocs/intune/apps/app-protection-policy-settings-android.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ There are three categories of policy settings: data protection settings, access
5656
| <ul><b><ul><b>**Allow users to open data from selected services** | Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.<br><br>Supported services:<ul><li>OneDrive for Business</li><li>SharePoint Online</li><li>Camera</li></ul>**Note:** Camera does not include Photos or Photo Gallery access.| **All selected** |
5757
| **Restrict cut, copy and paste between other apps** | Specify when cut, copy, and paste actions can be used with this app. Choose from: <ul><li>**Blocked**: Do not allow cut, copy, and paste actions between this app and any other app.</li><li>**Policy managed apps**: Allow cut, copy, and paste actions between this app and other policy-managed apps.</li><li>**Policy managed with paste in**: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.</li><li>**Any app**: No restrictions for cut, copy, and paste to and from this app. | **Any app** |
5858
| <ul><b>**Cut and copy character limit for any app** | Specify the number of characters that may be cut or copied from org data and accounts. This will allow sharing of the specified number of characters when it would be otherwise blocked by the "Restrict cut, copy, and paste with other apps" setting.<p>Default Value = 0<p>**Note**: Requires Intune Company Portal version 5.0.4364.0 or later. | **0** |
59-
| **Screen capture and Google Assistant** | Select **Block** to block screen capture and the **Google Assistant** capabilities of the device when using this app. Choosing **Allow** will also blur the App-switcher preview image when using this app with a work or school account.| **Block** |
59+
| **Screen capture and Google Assistant** | Select **Block** to block screen capture and the **Google Assistant** capabilities of the device when using this app. Choosing **Block** will also blur the App-switcher preview image when using this app with a work or school account.| **Block** |
6060
| **Approved keyboards** | Select *Require* and then specify a list of approved keyboards for this policy. <p>Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or later. | **Not required** |
6161
| <ul><b>**Select keyboards to approve** | This option is available when you select *Require* for the previous option. Choose *Select* to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.<p>To add a keyboard, specify: <ul><li>**Name**: A friendly name that that identifies the keyboard, and is visible to the user. </li><li>**Package ID**: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is `https://play.google.com/store/details?id=com.contoskeyboard.android.prod`, then the Package ID is `com.contosokeyboard.android.prod`. This package ID is presented to the user as a simple link to download the keyboard from Google Play.</li></ul></p> <p>**Note:** A user assigned multiple App Protection Policies will be allowed to use only the approved keyboards common to all policies.</p> | |
6262
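Review bot: While this table is being edited, the context row for **Select keyboards to approve** (line 61) has an example that contradicts itself: the URL carries `id=com.contoskeyboard.android.prod` but the stated Package ID is `com.contosokeyboard.android.prod`. Admins copy this value into an approved-keyboard list, so make the two match; the same row also has a doubled "that that". On the changed line 59, both sentences now describe **Block**, so they can be merged into one and the behaviour under **Allow** stated explicitly.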

memdocs/intune/apps/app-protection-policy-settings-ios.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -113,7 +113,7 @@ The default app Universal Link exemptions are the following:
113113
| `http://maps.apple.com;` `https://maps.apple.com` | Maps App |
114114
| `http://facetime.apple.com;` `https://facetime.apple.com` | FaceTime App |
115115

116-
If you don't want to allow the default Universal Link exemptions, you can delete them. You can also add Universal Links for third party or LOB apps.
116+
If you don't want to allow the default Universal Link exemptions, you can delete them. You can also add Universal Links for third party or LOB apps. The exempted universal links allow for wildcards such as `http://*.sharepoint-df.com/*`.
117117

118118
### Managed Universal Links
119119
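Review bot: The wildcard example added on line 116, `http://*.sharepoint-df.com/*`, uses a plain `http://` scheme and a domain that appears nowhere else in the visible text, and the sentence does not say how the wildcard is matched. An exemption hands the link to an unmanaged app, so the doc should show an `https://` example on a placeholder domain, state whether `*` covers multiple subdomain levels and the full path, and advise keeping exemption patterns as narrow as possible.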

memdocs/intune/apps/apps-company-portal-macos.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ Company Portal for macOS can be downloaded and installed using the [macOS Shell
7676
7777
## Install Company Portal for macOS using the Apple Setup Assistant
7878

79-
For macOS devices running 10.15 and later, when creating an Automated Device Enrollment profile, you can now choose a new authentication method: **Setup Assistant with modern authentication**. The user has to authenticate using Azure AD credentials during the setup assistant screens. This will require an additional Azure AD login post-enrollment in in the Company Portal app to gain access to corporate resources protected by Conditional Access and for Intune to assess device compliance.
79+
For macOS devices running 10.15 and later, when creating an Automated Device Enrollment profile, you can now choose a new authentication method: **Setup Assistant with modern authentication**. The user has to authenticate using Azure AD credentials during the setup assistant screens. This will require an additional Azure AD login post-enrollment in the Company Portal app to gain access to corporate resources protected by Conditional Access and for Intune to assess device compliance. The Company Portal can be installed in any of the three ways documented here for Setup Assistant with modern authentication.
8080

8181
Users must sign into the Company Portal to complete Azure AD authentication and gain access to resources protected by Conditional Access. User affinity is established when users complete the additional Azure AD login into the Company Portal app on the device. If the tenant has multi-factor authentication turned on for these devices or users, the users will be asked to complete multi-factor authentication during enrollment during Setup Assistant. Multi-factor authentication is not required, but it is available for this authentication method within Conditional Access if needed.
8282
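Review bot: In the sentence appended to line 79, "the three ways documented here" does not say which three; name the install methods or link to their section headings so the sentence stays correct if the article gains or loses a method. The context line 81 also reads "during enrollment during Setup Assistant", which could be tightened in the same pass.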

memdocs/intune/apps/manage-microsoft-edge.md

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ keywords:
88
author: Erikre
99
ms.author: erikre
1010
manager: dougeby
11-
ms.date: 07/19/2021
11+
ms.date: 11/17/2021
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: apps
@@ -227,6 +227,14 @@ By default, users have the My Apps bookmark configured within the organization f
227227

228228
Edge for iOS and Android offers organizations several options for managing the app's behavior.
229229

230+
#### Azure AD password single sign-on
231+
232+
The Azure AD Password single sign-on (SSO) functionality offered by Azure Active Directory brings user access management to web applications that don't support identity federation. By default, Edge for iOS and Android does not perform SSO with the Azure AD credentials. For more information, see [Add password-based single sign-on to an application](/azure/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications).
233+
234+
| Key | Value |
235+
|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
236+
| com.microsoft.intune.mam.managedbrowser.PasswordSSO | **true** Azure AD Password SSO is enabled<br>**false** (default) Azure AD Password SSO is disabled |
237+
230238
#### Default protocol handler
231239

232240
By default, Edge for iOS and Android uses the HTTPS protocol handler when the user doesn't specify the protocol in the URL. Generally, this is considered a best practice, but can be disabled.
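Review bot: The second sentence of the new paragraph (line 232), "does not perform SSO with the Azure AD credentials", is ambiguous because the feature is described one sentence earlier as being for applications that do not federate with Azure AD. Say directly that Azure AD Password SSO is disabled by default in Edge for iOS and Android and is turned on with the key below, and add a sentence on what enabling it means for how stored application passwords are handled on the device. Casing also differs between the heading ("password single sign-on") and the body and table ("Password SSO"); pick one.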

memdocs/intune/developer/app-wrapper-prepare-android.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: Erikre
88
ms.author: erikre
99
manager: dougeby
10-
ms.date: 07/26/2021
10+
ms.date: 11/11/2021
1111
ms.topic: reference
1212
ms.service: microsoft-intune
1313
ms.subservice: developer
@@ -49,7 +49,7 @@ Before running the tool, review [Security considerations for running the App Wra
4949

5050
- It cannot be encrypted.
5151
- It must not have previously been wrapped by the Intune App Wrapping Tool.
52-
- It must be written for Android 4.0 or later.
52+
- It must be written for Android 9.0 or later.
5353

5454
> [!NOTE]
5555
> If your input app is an Android App Bundle (.aab), you will need to convert it to an APK before using the Intune App Wrapping Tool. For details, see [Convert Android App Bundle (AAB) to APK](#convert-android-app-bundle-aab-to-apk). As of August 2021, [new private apps can still be published to the Google Play Store as APKs](https://support.google.com/googleplay/work/answer/6145139?hl=en).
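Review bot: "Written for Android 9.0 or later" on the new line 52 does not say which manifest value is checked, and the jump from 4.0 to 9.0 will exclude apps that previously wrapped. State whether this is the minimum or target SDK level, give the corresponding API level, and mention what the tool does when the input APK is below it so developers can tell a requirement failure from another wrapping error.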

memdocs/intune/enrollment/apple-mdm-push-certificate-get.md

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -86,6 +86,3 @@ The certificate is associated with the Apple ID used to create it. Renew the MDM
8686
7. In [Intune](https://go.microsoft.com/fwlink/?linkid=2090973), select the **Apple MDM push certificate** browse icon, select the .pem file downloaded from Apple, and choose **Upload**.
8787

8888
Your Apple MDM push certificate appears **Active** and has 365 days until expiration.
89-
90-
> [!IMPORTANT]
91-
> Please be aware that if you renew an expired APNs certificate outside of the grace period (30 days as of this writing), Apple will issue you a brand new certificate. When this happens, because the certificate is now different, you will be forced to un-enroll and re-enroll all existing, Intune-managed iOS devices.
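Review bot: Deleting the `[!IMPORTANT]` block at old lines 90-91 removes the only visible warning that renewing an expired certificate outside the grace period yields a new certificate and forces re-enrollment of all managed iOS devices. If the statement is no longer accurate, the commit message should say so; if it still holds, keep a shortened warning or link to where it is now covered, since the remaining text ends on "365 days until expiration" with no consequence stated for missing the renewal.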
