Commit d2caece

Angela Fleischmann authored
Merge pull request #7526 from MicrosoftDocs/main
Publish 05/03/2022 3:30 PM PT
2 parents eb84315 + 6fc1124 commit d2caece

25 files changed

Lines changed: 51 additions & 40 deletions

memdocs/analytics/enroll-configmgr.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Quickstart - Enroll Configuration Manager devices
33
titleSuffix: Microsoft Endpoint Manager
44
description: In this quickstart, you enroll Configuration Manager devices into Endpoint analytics.
5-
ms.date: 11/15/2021
5+
ms.date: 05/03/2022
66
ms.prod: configuration-manager
77
ms.technology: configmgr-analytics
88
ms.topic: quickstart
@@ -33,7 +33,7 @@ Before you start this tutorial, make sure you have the following prerequisites:
3333
3434
### Licensing Prerequisites
3535

36-
Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint Manager. For more information, see [Microsoft Intune licensing](../intune/fundamentals/licenses.md) or [Microsoft Endpoint Configuration Manager licensing](../configmgr/core/understand/learn-more-editions.md).
36+
Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint Manager. For more information, see [Microsoft Intune licensing](../intune/fundamentals/licenses.md) or [Microsoft Endpoint Configuration Manager licensing](../configmgr/core/understand/learn-more-editions.md). Proactive remediations has an additional licensing requirement, for more information see, the [Endpoint analytics licensing requirements overview](overview.md#licensing-prerequisites).
3737

3838
## Endpoint analytics permissions
3939
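Review bot: The sentence added at line 36 joins two clauses with a comma and then misplaces a second comma after "see" ("requirement, for more information see, the"). Suggest splitting it: "Proactive remediations has an additional licensing requirement. For more information, see the [Endpoint analytics licensing requirements overview](overview.md#licensing-prerequisites)."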

memdocs/analytics/enroll-intune.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Quickstart - Enroll Intune devices
33
titleSuffix: Microsoft Endpoint Manager
44
description: In this quickstart, you enroll Intune devices into Endpoint analytics.
5-
ms.date: 10/05/2021
5+
ms.date: 05/03/2022
66
ms.prod: configuration-manager
77
ms.technology: configmgr-analytics
88
ms.topic: quickstart
@@ -43,7 +43,7 @@ To enroll devices to Endpoint analytics, they need to send required functional d
4343

4444
### Licensing Prerequisites
4545

46-
Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint Manager. For more information, see [Microsoft Intune licensing](../intune/fundamentals/licenses.md) or [Microsoft Endpoint Configuration Manager licensing](../configmgr/core/understand/learn-more-editions.md).
46+
Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint Manager. For more information, see [Microsoft Intune licensing](../intune/fundamentals/licenses.md) or [Microsoft Endpoint Configuration Manager licensing](../configmgr/core/understand/learn-more-editions.md). Proactive remediations has an additional licensing requirement, for more information see, the [Endpoint analytics licensing requirements overview](overview.md#licensing-prerequisites).
4747

4848
### Endpoint analytics permissions
4949
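Review bot: Line 46 has a comma splice and a misplaced comma in the added sentence ("requirement, for more information see, the"); make it two sentences, "... licensing requirement. For more information, see the ...". The identical sentence is also added to enroll-configmgr.md in this commit, so fix both copies together to keep the two quickstarts in sync.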

memdocs/analytics/proactive-remediations.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -62,11 +62,14 @@ Proactive remediations requires the [licensing for Endpoint analytics](enroll-in
6262
- You can have up to 200 script packages.
6363
- A script package can contain a detection script only or both a detection script and a remediation script.
6464
- Ensure the scripts are encoded in UTF-8.
65+
- If the option **Enforce script signature check** is enabled in the [Settings](#bkmk_prs_deploy) page of creating a script package, then make sure that the scripts are encoded in UTF-8 not UTF-8 BOM.
6566
- The maximum allowed output size limit is 2048 characters.
6667
- If the option **Enforce script signature check** is enabled in the [Settings](#bkmk_prs_deploy) page of creating a script package, the script runs using the device's PowerShell execution policy. The default execution policy for Windows client computers is **Restricted**. The default execution for Windows Server devices is **RemoteSigned**. For more information, see [PowerShell execution policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies#powershell-execution-policies).
6768
- Scripts built into Proactive remediations are signed and the certificate is added to the **Trusted Publishers** certificate store of the device.
6869
- When using third-party scripts that are signed, make sure the certificate is in the **Trusted Publishers** certificate store. As with any certificate, the certificate authority must be trusted by the device.
6970
- Scripts without **Enforce script signature check** use the **Bypass** execution policy.
71+
- Don't put secrets in scripts. Consider using parameters to handle secrets instead. <!--13957089-->
72+
- Don't put reboot commands in detection or remediations scripts. <!--13957089-->
7073

7174
## <a name="bkmk_prs_deploy"></a> Deploy built-in script packages
7275
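Review bot: The new bullet at line 71 tells authors to use parameters for secrets, but nothing in this list says how a script package passes parameters to a detection or remediation script, so the advice is not actionable as written. Link to where that mechanism is documented, or state the supported way to supply a secret at run time, and add a clause on why embedding secrets is a problem so the bullet is not read as optional. Two smaller points: line 65 overlaps the existing "Ensure the scripts are encoded in UTF-8" bullet at line 64 and would read better merged into it, with a comma before "not UTF-8 BOM"; line 72 should read "detection or remediation scripts".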

memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,7 @@ This feature applies to:
8080
8181
### Android Enterprise personally-owned work profiles
8282

83-
Android Enterprise personally-owned work profiles are the core Android Enterprise deployment scenario and the only scenario targeted at BYOD use cases. The Android Enterprise personally-owned work profile is a separate partition created at the Android OS level that can be managed by Intune.
83+
Android Enterprise personally-owned work profiles are the core Android Enterprise deployment scenario. The Android Enterprise personally-owned work profile is a separate partition created at the Android OS level that can be managed by Intune.
8484

8585
An Android Enterprise personally-owned work profile includes the following features:
8686

memdocs/intune/apps/app-configuration-policies-overview.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -143,7 +143,7 @@ You can validate the app configuration policy using the following three methods:
143143
You can validate iOS/iPadOS configuration with the **Intune Diagnostic Log** for settings deployed through the managed app configuration policies. In addition to the below steps, you can access managed app logs using Microsoft Edge. For more information, see [Use Edge for iOS and Android to access managed app logs](manage-microsoft-edge.md#use-edge-for-ios-and-android-to-access-managed-app-logs).
144144

145145
1. If not already installed on the device, download and install the **Microsoft Edge** from the App Store. For more information, see [Microsoft Intune protected apps](apps-supported-intune-apps.md).
146-
2. Launch the **Microsoft Edge** and select **about** > **intunehelp** from the navigation bar.
146+
2. Launch the **Microsoft Edge** and enter **about:intunehelp** in the address box.
147147
3. Click **Get Started**.
148148
4. Click **Share Logs**.
149149
5. Use the mail app of your choice to send the log to yourself so they can be viewed on your PC.
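Review bot: Line 146 keeps the stray article in "Launch the **Microsoft Edge**", while the matching step at line 190 of this file reads "Launch **Microsoft Edge**". Since the line is being rewritten anyway, drop "the" so the two procedures match.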
@@ -187,7 +187,7 @@ Your application configuration details should match the application configuratio
187187
You can validate iOS/iPadOS configuration with the **Intune Diagnostic Log** on managed devices for managed app configuration.
188188

189189
1. If not already installed on the device, download and install the **Microsoft Edge** from the App Store. For more information, see [Microsoft Intune protected apps](apps-supported-intune-apps.md).
190-
2. Launch **Microsoft Edge** and select **about** > **intunehelp** from the navigation bar.
190+
2. Launch **Microsoft Edge** and enter **about:intunehelp** in the address box.
191191
3. Click **Get Started**.
192192
4. Click **Share Logs**.
193193
5. Use the mail app of your choice to send the log to yourself so they can be viewed on your PC.
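Review bot: In line 190, about:intunehelp is text the user types, yet it is bolded in the same way as the UI labels in the following steps (**Get Started**, **Share Logs**). Format it as inline code so it is not read as a control to select; the same applies to line 146.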

memdocs/intune/apps/app-discovered-apps.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,7 @@ The following list provides the app platform type, the apps that are monitored f
6565
| iOS/iPadOS | Only managed apps | All apps installed on the device | Every 7 days from device enrollment |
6666
| macOS | Only managed apps | All apps installed on the device | Every 7 days from device enrollment |
6767
| Android | Only managed apps | All apps installed on the device | Every 7 days from device enrollment |
68-
| Android Enterprise | Only managed apps | Only apps installed in the Android Enterprise fully managed work profile | Every 7 days from device enrollment |
68+
| Android Enterprise | Only managed apps | Only apps installed on the Android Enterprise work profile device | Every 7 days from device enrollment |
6969

7070
> [!NOTE]
7171
> - Windows 10/11 co-managed devices, as shown in the [client apps](../../configmgr/comanage/workloads.md#client-apps) workload in Configuration Manager, do not currently collect app inventory through the Intune Management Extension (IME) as per the above schedule. To mitigate this issue, the [client apps](../../configmgr/comanage/workloads.md#client-apps) workload in Configuration Manager should be switched to Intune for the IME to be installed on the device (IME is required for Win32 inventory and PowerShell deployment). Note that any changes or updates on this behavior are announced in [in development](../fundamentals/in-development.md) and/or [what's new](../fundamentals/whats-new.md).
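Review bot: The replacement text at line 68, "Only apps installed on the Android Enterprise work profile device", no longer says whether inventory is limited to the work profile or covers the whole device. The rows above use "All apps installed on the device" for device-wide scope, so "on the ... device" reads as device-wide here too, even though the cell starts with "Only". If only work-profile apps are collected, keep the word "in" and name the profile, for example "Only apps installed in the work profile of the Android Enterprise device".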

memdocs/intune/apps/app-protection-policies.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,7 +85,7 @@ When you create an app protection policy for iOS/iPadOS and Android apps, you fo
8585
| Device types | Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS/iPadOS APP policies, select from **Unmanaged** and **Managed** devices. For Android APP policies, select from **Unmanaged**, **Android device administrator**, and **Android Enterprise**. |
8686
| Target policy to | In the **Target policy to** dropdown box, choose to target your app protection policy to **All Apps**, **Microsoft Apps**, or **Core Microsoft Apps**.<p>-**All Apps** includes all Microsoft and partner apps that have integrated the Intune SDK.</br>-**Microsoft Apps** includes all Microsoft apps that have integrated the Intune SDK.</br>-**Core Microsoft Apps** includes the following apps: Edge, Excel, Office, OneDrive, OneNote, Outlook, PowerPoint, SharePoint, Teams, To Do, and Word.<p>Next, you can select **View a list of the apps that will be targeted** to view a list of the apps that will be affected by this policy.|
8787
| Public apps | If you do not want to select one of the pre-defined app groups, you can choose to target individual apps by selecting **Selected apps** in the **Target policy to** dropdown box. Click **Select public apps** to select public apps to target. |
88-
| Custom apps | If you do not want to select one of the pre-defined app groups, you can choose to target individual apps by selecting **Selected apps** in the **Target policy to** dropdown box. Click **Select custom apps** to select custom apps to target based on a Bundle ID. |
88+
| Custom apps | If you do not want to select one of the pre-defined app groups, you can choose to target individual apps by selecting **Selected apps** in the **Target policy to** dropdown box. Click **Select custom apps** to select custom apps to target based on a Bundle ID. You cannot choose a custom app when targeting all public apps in the same policy. |
8989

9090
The app(s) you have selected will appear in the public and custom apps list.
9191
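Review bot: The sentence added to the Custom apps row (line 88) refers to "targeting all public apps", but the options named in the rows above are **All Apps**, **Microsoft Apps**, **Core Microsoft Apps** and **Selected apps**; no option called "all public apps" appears. Name the exact dropdown value or control that excludes custom apps so the restriction can be matched to the UI.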

memdocs/intune/apps/app-protection-policy-settings-ios.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -61,6 +61,9 @@ There are three categories of policy settings: *Data relocation*, *Access requir
6161
| **Restrict cut, copy and paste between other apps** | Specify when cut, copy, and paste actions can be used with this app. Select from: <ul><li>**Blocked**: Don't allow cut, copy, and paste actions between this app and any other app.</li><li>**Policy managed apps**: Allow cut, copy, and paste actions between this app and other policy-managed apps.</li><li>**Policy managed with paste in**: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.</li><li>**Any app**: No restrictions for cut, copy, and paste to and from this app.</ul> | **Any app** |
6262
| <ul>**Cut and copy character limit for any app** | Specify the number of characters that may be cut or copied from Org data and accounts. This will allow sharing of the specified number of characters to any application, regardless of the **Restrict cut, copy, and paste with other apps** setting.<p>Default Value = 0<p>**Note**: *Requires app to have Intune SDK version 9.0.14 or later.* | **0** |
6363
| **Third party keyboards** | Choose **Block** to prevent the use of third-party keyboards in managed applications.<p>When this setting is enabled, the user receives a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled. This setting will affect both the organization and personal accounts of multi-identity applications. This setting does not affect the use of third-party keyboards in unmanaged applications.<p>**Note:** This feature requires the app to use Intune SDK version 12.0.16 or later. Apps with SDK versions from 8.0.14 to, and including, 12.0.15, will not have this feature correctly apply for multi-identity apps. For more details, see [Known issue: Third party keyboards are not blocked in iOS/iPadOS for personal accounts](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Updated-Known-issue-Third-party-keyboards-are-not-blocked-in-iOS/ba-p/339486). | **Allow** |
64+
65+
> [!NOTE]
66+
> An app protection policy is required with IntuneMAMUPN for managed devices.
6467
6568
### Encryption
6669
| Setting | How to use | Default value |
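Review bot: The note added at lines 65-66 is ambiguous and unanchored. "An app protection policy is required with IntuneMAMUPN for managed devices" does not say which item is the prerequisite of the other, IntuneMAMUPN is neither explained nor linked, and the note follows the **Third party keyboards** row without saying which setting it qualifies. Reword it to state the dependency in one direction, link to where IntuneMAMUPN is described, and place the note next to the setting it applies to.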

memdocs/intune/apps/apps-add-built-in.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,7 @@ ms.collection: M365-identity-device-management
3131

3232
# Add built-in apps to Microsoft Intune
3333

34-
The *built-in* app type makes it easy for you to assign curated managed apps, such as Microsoft 365 apps, to iOS/iPadOS and Android devices. You can assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and others. After you add an app, the app type is displayed as either *Built-in iOS app* or *Built-in Android app*. By using the built-in app type, you can choose which of these apps to publish to device users.
34+
The *built-in* app type makes it easy for you to assign curated managed apps, such as Microsoft 365 apps and third-party apps, to iOS/iPadOS and Android devices. You can assign specific apps for this app type, such as Excel, OneDrive, Outlook, Skype, and others. After you add an app, the app type is displayed as either *Built-in iOS app* or *Built-in Android app*. By using the built-in app type, you can choose which of these apps to publish to device users.
3535

3636
In earlier versions of the Intune console, Intune provided several default managed Microsoft 365 apps, such as Outlook and OneDrive. The app types for these managed apps were tagged as *Managed iOS Store App* or *Managed Android App*. Instead of using these app types, we recommend that you use the built-in app type. By using the built-in app type, you have the additional flexibility to edit and delete Microsoft 365 apps.
3737
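Review bot: Line 34 now says the built-in type covers "Microsoft 365 apps and third-party apps", but the examples in the next sentence (Excel, OneDrive, Outlook, Skype) are all Microsoft apps, and the paragraph at line 36 still speaks only of Microsoft 365 apps. Add a third-party example or qualify the claim so the section is consistent.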

@@ -43,7 +43,7 @@ In earlier versions of the Intune console, Intune provided several default manag
4343
To add a built-in app to your available apps in Microsoft Intune, do the following:
4444
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
4545
2. Select **Apps** > **All apps** > **Add**.
46-
3. In the **Select app type** pane, under the available **Store app** types, select **Built-In app**.
46+
3. In the **Select app type** pane, under the available **Other** types, select **Built-In app**.
4747
4. Click **Select**. The **Add app** steps are displayed.
4848
5. In the **Select Built-in apps** page, click **Select app** to select the apps that you want to include.
4949
6. Select the built-in apps that you want to include.

memdocs/intune/apps/apps-deploy.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,8 @@ The following table lists the various options for *assigning* apps to users and
6060
> To receive app updates on devices that aren't enrolled with Intune, device users must go to their organization's Company Portal and manually install app updates.
6161
>
6262
> *Available assignments* are only valid for user groups, not device groups.
63+
>
64+
> If Managed Google Play Pre-Production track apps are assigned as required on Android Enterprise personally-owned work profile devices, they will not install on the device. To work around this, create two identical user groups and assign the pre-production track as "available" to one and "required" to the other. The result will be that the pre-production track successfully deploys to the device.
6365
6466
## Assign an app
6567
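Review bot: The paragraph added at line 64 presents a workaround without stating that the failed install is a known limitation, and its wording is inconsistent: "Pre-Production" is capitalized once and lower-cased twice, and "available" and "required" are in quotation marks while line 62 italicizes *Available assignments*. "Two identical user groups" is also ambiguous; say that both groups contain the same users. The last sentence can be tightened to "The app then installs on the device."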
