memdocs/intune/apps/app-protection-policy-settings-ios.md
Lines changed: 1 addition & 1 deletion
@@ -74,7 +74,7 @@ There are three categories of policy settings: *Data relocation*, *Access requir
74
74
### Functionality
75
75
| Setting | How to use | Default value |
76
76
|------|----------|-------|
77
-
|**Sync policy managed app data with native apps**| Choose **Block** to prevent the policy managed apps from saving data to the native Contacts app on the device. If you choose **Allow**, the app can save data to the native Contacts app on the device, when those features are enabled within the policy managed app.<br><br>When you perform a selective wipe to remove work, or school data from the app, contacts data synced directly from the app to the native Contacts app are removed. Any contacts data synced from the native Contacts app to another external source can't be wiped. Currently, this applies only to Outlook for iOS app; for more information, see [Deploying Outlook for iOS and Android app configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune). |**Allow**|
77
+
|**Sync policy managed app data with native apps or add-ins**| Choose Block to prevent policy managed apps from saving data to the device's native apps (like Contacts, Calendar and widgets), or to prevent the use of add-ins within the policy managed apps. If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.<br><br>When you perform a selective wipe to remove work, or school data from the app, contacts data synced directly from the app to the native Contacts app are removed. Any contacts data synced from the native Contacts app to another external source can't be wiped. Currently, this applies only to Outlook for iOS app; for more information, see [Deploying Outlook for iOS and Android app configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune). |**Allow**|
78
78
|**Printing Org data**| Select **Block** to prevent the app from printing work or school data. If you leave this setting to **Allow**, the default value, users will be able to export and print all Org data. |**Allow**|
79
79
| **Restrict web content transfer with other apps** | Specify how web content (http/https links) is opened from policy-managed applications. Choose from: <ul><li>**Any app**: Allow web links in any app.</li><li>**Intune Managed Browser**: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.</li><li>**Microsoft Edge**: Allow web content to open only in the Microsoft Edge. This browser is a policy-managed browser.</li><li>**Unmanaged browser**: Allow web content to open only in the unmanaged browser defined by **Unmanaged browser protocol** setting. The web content will be unmanaged in the target browser.<br>**Note**: Requires app to have Intune SDK version 11.0.9 or later.</li></ul> If you're using Intune to manage your devices, see [Manage Internet access using managed browser policies with Microsoft Intune](manage-microsoft-edge.md).<br><br>If a policy-managed browser is required but not installed, your end users will be prompted to install the Microsoft Edge.<p>If a policy-managed browser is required, iOS/iPadOS Universal Links are managed by the **Allow app to transfer data to other apps** policy setting. <p>**Intune device enrollment**<br>If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune. <p>**Policy-managed Microsoft Edge**<br>The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Microsoft Edge browser application will be protected by Intune. 
The Microsoft Edge browser integrates the Intune SDK and supports all of its data protection policies, with the exception of preventing:<br><ul><li>**Save-as**: The Microsoft Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).</li><li>**Contact sync**: The Microsoft Edge browser does not save to native contact lists.</li></ul><br>**Note**: *The Intune SDK cannot determine if a target app is a browser. On iOS/iPadOS devices, no other managed browser apps are allowed.* | **Not configured** |
80
80
|<ul>**Unmanaged Browser Protocol**| Enter the protocol for a *single* unmanaged browser. Web content (http/https links) from policy managed applications will open in any app that supports this protocol. The web content will be unmanaged in the target browser. <br><br>This feature should only be used if you want to share protected content with a specific browser that is not enabled using Intune app protection policies. You must contact your browser vendor to determine the protocol supported by your desired browser.<br><br>**Note**: *Include only the protocol prefix. If your browser requires links of the form `mybrowser://www.microsoft.com`, enter `mybrowser`.*<br>Links will be translated as:<br><ul><li>`http://www.microsoft.com` > `mybrowser://www.microsoft.com`</li><li>`https://www.microsoft.com` > `mybrowsers://www.microsoft.com`</li></ul> |**Blank**|
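Review bot: The rewritten row for **Sync policy managed app data with native apps or add-ins** drops the bold on the option values ("Choose Block", "If you choose Allow"), while the removed line and the neighbouring **Printing Org data** row bold them; restore **Block** and **Allow**. The first paragraph now covers Contacts, Calendar, widgets and add-ins, but the second paragraph is unchanged: it still describes selective wipe for contacts data only and says the setting applies only to Outlook for iOS. State what a selective wipe does with data saved to Calendar and widgets, and whether the Outlook-only limitation also holds for add-ins, since admins use this row to judge where work data can end up on the device.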
memdocs/intune/apps/apps-deploy.md
Lines changed: 3 additions & 0 deletions
@@ -133,6 +133,9 @@ The information in the following table can help you understand the resulting int
133
133
> iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent will be enforced on the device at the time of the device check-in and will also show in the Company Portal app.<br><br>
134
134
> When conflicts occur in **Uninstall on device removal** setting, the app is not removed from the device when the device is no longer managed.
135
135
136
+
> [!NOTE]
137
+
> Apps deployed as Required to corporate-owned work profile devices cannot be uninstalled manually by the user.
138
+
136
139
## Managed Google Play app deployment to unmanaged devices
137
140
138
141
For unenrolled Android devices, you can use Managed Google Play to deploy store apps and line-of-business (LOB) apps to users. Once deployed, you can use [Mobile Application Management (MAM)](../apps/android-deployment-scenarios-app-protection-work-profiles.md#mam) to manage the applications. Managed Google Play apps targeted as **Available with or without enrollment** will appear in the Play Store app on the end user's device, and not in the Company Portal app. End user will browse and install apps deployed in this manner from the Play app. Because the apps are being installed from managed Google Play, the end user will not need to alter their device settings to allow app installation from unknown sources, which means the devices will be more secure. If the app developer publishes a new version of an app to Play that was installed on a user's device, the app will be automatically updated by Play.
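Review bot: The added note does not name the platform, while the note just above it opens with "iOS Store apps"; say which platform's corporate-owned work profile devices this applies to so the two notes cannot be read as describing the same devices. It would also help to say whether the user can still uninstall the app when it is assigned as Available rather than Required, because the note only covers the Required case.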
memdocs/intune/apps/lob-apps-macos-dmg.md
Lines changed: 1 addition & 1 deletion
@@ -155,7 +155,7 @@ The app you have created appears in the apps list where you can assign it to the
155
155
-**"Available for enrolled devices" assignment type is not available**: Only **Required** and **Uninstall** assignment types are currently supported.
156
156
-**"Collect logs" action is unavailable during preview**: Log collection feature on macOS apps (DMG) is unavailable during preview.
157
157
-**Errors might not show details during preview**: Some errors you encounter may only show "Failed" status with an error code and not provide additional details.
158
-
-**App upgrade fails to install**: Updating an app that has the same bundle ID as an existing app in Applications folder fails to install.
158
+
-**App upgrade fails to install**: Updating an app that has the same bundle ID or same name as an existing app in Applications folder fails to install.
159
159
-**DMG apps report once after deployment**: Assigned DMG apps report back on initial deployment only. These apps will not report back again during preview.
160
160
-**Some DMG apps may display a warning to end-users on launch**: Apps downloaded from the internet and deployed using Intune may show a warning to end-users when launched. End-users can click "Open" on the dialog to continue opening the app.
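Review bot: In the changed "App upgrade fails to install" item, "same name" is ambiguous: it could mean the file name of the app in the Applications folder or the app name entered in Intune. Say which name is compared, and add the missing article ("in the Applications folder"). If a workaround exists, this item is where readers will look for it.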
memdocs/intune/configuration/device-profile-assign.md
Lines changed: 9 additions & 1 deletion
@@ -7,7 +7,7 @@ keywords:
7
7
author: MandiOhlinger
8
8
ms.author: mandia
9
9
manager: dougeby
10
-
ms.date: 07/21/2022
10
+
ms.date: 07/26/2022
11
11
ms.topic: how-to
12
12
ms.service: microsoft-intune
13
13
ms.subservice: configuration
@@ -108,6 +108,14 @@ For example:
108
108
109
109
To summarize, use user groups when you want your settings and rules to always go with the user, whatever device they use.
110
110
111
+
### Windows CSPs
112
+
113
+
The policy settings for Windows devices are based on the [configuration service providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference). These settings map to registry keys or files on the devices.
114
+
115
+
Endpoint Manager exposes these CSPs so you can configure these settings and assign them to your Windows devices. These settings are configurable using the built-in templates and using the [settings catalog](settings-catalog.md). In the settings catalog, you'll see that some settings apply to the user scope and some settings apply to the device scope.
116
+
117
+
For information on how user scoped and device scoped settings are applied to Windows devices, go to [Settings catalog: Device scope vs. user scope settings](settings-catalog.md#device-scope-vs-user-scope-settings).
118
+
111
119
## Exclude groups from a profile assignment
112
120
113
121
Intune device configuration profiles let you include and exclude groups from profile assignment.
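Review bot: The new "Windows CSPs" section is a level 3 heading placed directly after the "To summarize, use user groups..." sentence, so it reads as part of the user groups versus device groups discussion, yet it never says how user scope and device scope interact with the kind of group a profile is assigned to; the reader has to follow the last link to find out. Add one sentence stating the outcome, and merge the second and third paragraphs, which both link to settings-catalog.md. The sentence pair "Endpoint Manager exposes these CSPs so you can configure these settings ... These settings are configurable" repeats "these settings" and can be tightened.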
memdocs/intune/configuration/settings-catalog.md
Lines changed: 3 additions & 2 deletions
@@ -7,7 +7,7 @@ keywords:
7
7
author: MandiOhlinger
8
8
ms.author: mandia
9
9
manager: dougeby
10
-
ms.date: 06/21/2022
10
+
ms.date: 07/26/2022
11
11
ms.topic: how-to
12
12
ms.service: microsoft-intune
13
13
ms.subservice: configuration
@@ -212,9 +212,10 @@ When a device checks in to Intune, the device always presents a `deviceID`. The
212
212
The following list includes some possible combinations of scope, assignment, and the expected behavior:
213
213
214
214
- If a device scope policy is assigned to a device, then all users on that device have that setting applied.
215
+
- If a device scoped policy is assigned to a user, once that user signs in and an Intune sync occurs, then the device scope settings apply to all users on the device.
215
216
- If a user scope policy is assigned to a device, then all users on that device have that setting applied. This behavior is like a [loopback set to merge](/troubleshoot/windows-server/group-policy/loopback-processing-of-group-policy).
216
217
- If a user scoped policy is assigned to a user, then only that user has that setting applied.
217
-
-If a device scoped policy is assigned to a user, once that user signs in and an Intune sync occurs, then the device scope settings apply to all users on the device.
218
+
-There are some settings that are available in the user scope and the device scope. If one of these settings is assigned to both user and device scope, then user scope takes precedence over device scope.
218
219
219
220
If there isn't a [user hive](/windows/win32/sysinfo/registry-hives) during initial check-ins, then you may see some user scope settings marked as not applicable. This behavior happens in the early moments of a device before a user is present.
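Review bot: The added precedence bullet at the end of the list says a setting is "assigned to both user and device scope", but in every other bullet policies are assigned to users or devices and scope is a property of the setting; reword it along the lines of "configured in both the user scope and the device scope". It also states a rule rather than a combination of scope and assignment, so it fits better as a sentence after the list than as a bullet in it. While moving the "device scoped policy is assigned to a user" bullet, align its wording with the bullet above it, which says "device scope policy".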
memdocs/intune/enrollment/backup-restore-ios.md
Lines changed: 10 additions & 5 deletions
@@ -8,7 +8,7 @@ keywords:
8
8
author: Lenewsad
9
9
ms.author: lanewsad
10
10
manager: dougeby
11
-
ms.date: 01/14/2021
11
+
ms.date: 07/25/2022
12
12
ms.topic: how-to
13
13
ms.service: microsoft-intune
14
14
ms.subservice: enrollment
@@ -40,13 +40,16 @@ To back up and restore an iOS/iPadOS device, you must follow the Apple instructi
40
40
- To back up your device, see [How to back up your iPhone, iPad, and iPod touch](https://support.apple.com/HT203977).
41
41
- To restore your device, see [Restore your iPhone, iPad, or iPod touch from a backup](https://support.apple.com/HT204184).
42
42
- To transfer data to a new device, see the following Apple support article:
43
-
-[Use iCloud to transfer data from your previous iOS device to your new iPhone, iPad, or iPod touch](https://support.apple.com/HT210217)
43
+
-[Use iCloud to transfer data from your previous iOS device to your new iPhone, iPad, or iPod touch](https://support.apple.com/HT210217)
44
+
45
+
For more information about restoring Apple devices from backup, see [Get started using Apple Business Manager or Apple School Manager with Mobile Device Management](https://support.apple.com/HT207516).
44
46
45
47
> [!NOTE]
46
48
> Device-to-Device migration as offered on the Quick Start screen after resetting an iOS device isn't supported with Apple Business Manager (ABM). For details refer to the following [Apple support document.](https://support.apple.com/HT210216)
47
-
> Since this screen appears on the device before a wi-fi connection has been established and before the ABM profile has been downloaded, this quick start screen cannot be hidden via ABM.
49
+
> Since this screen appears on the device before a wi-fi connection has been established and before the ABM profile has been downloaded, this quick start screen cannot be hidden via ABM.
48
50
49
-
For more information about restoring Apple devices from backup, see [Get started using Apple Business Manager or Apple School Manager with Mobile Device Management](https://support.apple.com/HT207516).
51
+
## Back up Microsoft Authenticator
52
+
If you're using the Microsoft Authenticator app, it's also important to back up your credentials and accounts. For more information, visit [Back up and recover account credentials in the Authenticator app](https://support.microsoft.com/account-billing/back-up-and-recover-account-credentials-in-the-authenticator-app-bb939936-7a8d-4e88-bc43-49bc1a700a40#:~:text=The%20Microsoft%20Entra%20Authenticator%20app,or%20having%20to%20recreate%20accounts.).
50
53
51
54
## Restoring a backup to an iOS/iPadOS device
52
55
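Review bot: The link in the new "Back up Microsoft Authenticator" section ends in a scroll-to-text fragment (the part starting at `#:~:text=`), which looks pasted from a search result and stops matching as soon as the target page's wording changes; link to the article URL without the fragment. The new heading is also followed directly by its paragraph, whereas "## Restoring a backup to an iOS/iPadOS device" just below has a blank line after it.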
@@ -82,7 +85,9 @@ There is an additional migration scenario to consider, which should not be impac
82
85
- These devices will enroll into MEM/Intune as ‘personal’ devices, rather than ‘corporate’ devices. This condition will have an impact on the app inventory gathered from the device, the displayed phone number, etc., as described [here](../user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune.md).
83
86
- If you want to designate these migrated devices as corporate devices, following either of these steps:
84
87
- Add Corporate device identifiers as described [here](./device-enrollment-program-enroll-ios.md). Provided you can obtain a list of serial numbers from your current EMM vendor and this list is imported prior to enrolling the devices in Intune, this is the simplest option and avoids scripting.
85
-
- Use a script to modify the OwnershipType from Personal to Corporate. A sample script, which uses an exported list (.csv) of device serial numbers (taken from your current EMM vendor) as input, is located [here](https://github.com/scottbreenmsft/scripts/tree/master/Intune/Devices/SetOwnership).
88
+
- Use a script to modify the OwnershipType from Personal to Corporate. A sample script, which uses an exported list (.csv) of device serial numbers (taken from your current EMM vendor) as input, is located [here](https://github.com/scottbreenmsft/scripts/tree/master/Intune/Devices/SetOwnership).
89
+
90
+
86
91
87
92
> [!NOTE]
88
93
> If you use enrollment restrictions to prevent (block) personally owned devices from enrolling, you will need to add the devices using corporate device identifiers, prior to enrollment.
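Review bot: The two lines added after the "Use a script to modify the OwnershipType" item are empty and come on top of the blank line already there, leaving three blank lines before the `> [!NOTE]`; one is enough. The only other change in this hunk is whitespace on the script item, so if the intent was to fix list nesting, check that both sub-items under "following either of these steps" are indented the same. That parent line should also read "follow either of these steps".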
|Supervised|If **Yes**, administrators have enhanced control over the device.|iOS/iPadOS|
118
118
|Encrypted|If **Yes**, the data stored on the device is encrypted.|Windows, iOS/iPadOS, Android|
119
+
|Product Name|The product name of the device, such as iPad8,12.|iOS/iPadOS, macOS|
119
120
120
121
> [!Note]
121
122
> For Windows 10 devices that are registered with [Windows Autopilot service](../../autopilot/add-devices.md), Enrolled date might display the time when devices were registered with Autopilot instead of the time when they were enrolled.
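Review bot: The example in the added "Product Name" row, iPad8,12, is a hardware model identifier rather than a name a user would recognise, so "The product name of the device" undersells what the column holds; describe it as the device's model identifier so admins know what to expect when filtering or exporting on it.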