Merge pull request #8497 from MicrosoftDocs/main

Publish 09/21/2022 3:30 PM PT

Author: Angela Fleischmann

memdocs/intune/enrollment/enrollment-notifications.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 09/20/2022
+ms.date: 09/21/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -36,7 +36,7 @@ ms.collection: M365-identity-device-management
 
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
-Set up enrollment notifications in Microsoft Intune to notify employees of newly-enrolled devices. You can create a custom message for employees and include information in the notification about how to report an unrecognized device. 
+Set up enrollment notifications in Microsoft Intune to notify employees of newly enrolled devices. You can create a custom message for employees and include information in the notification about how to report an unrecognized device. 
 
 Intune delivers enrollment notifications via email or push notification. You can apply your tenant's branding and customization settings to email notifications. 
 
@@ -50,7 +50,7 @@ Enrollment notifications work on devices running:
 This article describes how to create enrollment notifications in the Microsoft Endpoint Manager admin center.  
 
 ## Example  
-The following example image shows what the enrollment notification looks like to the device user.  
+The following example image shows what an enrollment notification looks like to a device user.  
 
 > [!div class="mx-imgBorder"] 
 > ![Example image of an enrollment notification configured in Intune, notifying the recipient that a device named *Nia's iPhone" was enrolled, and includes HTML elements such as bolded font and a hyperlink, device details, contact information, and privacy statement.](./media/enrollment-notifications/enrollment-notification-message.png)  
@@ -117,7 +117,9 @@ Email notifications appear in the user's inbox. Push notifications appear in the
     * **Show Company portal website link**: Flip the switch **On** to show a link to the Company Portal website. The tenant value is automatically populated. 
 8. Select **Next**. 
 9. Optionally, assign a scope tag, like `US-NC IT Team` or `JohnGlenn_ITDepartment`, to limit management of the notification to specific IT groups. Then select **Next**.  
-10. In **Assignments**, select the users or groups that will receive your profile. You can also apply assignment filters, which are available for Windows and Apple devices.   
+10. In **Assignments**, select the users or groups receiving the notification. 
+
+    Optionally, you can apply assignment filters. For more information about using filters on enrollment policies like this one, see [Supported filter properties](../enrollment/create-device-platform-restrictions.md#supported-filter-properties). Assignment filters are available for Windows and Apple enrollments.     
 11. Select **Next**. 
 12. In **Review + create**, review the notification details, and then select **Create**.  
 

memdocs/intune/fundamentals/in-development.md

@@ -8,7 +8,7 @@ keywords:
 author: dougeby 
 ms.author: dougeby
 manager: dougeby
-ms.date: 08/24/2022
+ms.date: 09/21/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -64,20 +64,6 @@ You can use RSS to be notified when this article is updated. For more informatio
 
 <!-- ***********************************************-->
 
-## App management
-
-### New app types for Microsoft Endpoint Manager<!-- 7210233 -->
-As an admin, you will be able to create and assign two new types of Intune apps:
-- **iOS/iPadOS web clip** 
-- **Windows web link**
-
-These new app types work in a similar way to the existing **web link** application type, however they apply only for their specific platform, whereas web link applications apply across all platforms. With these new app types, you can assign to groups and also use assignment filters to limit the scope of assignment. You will find this functionality in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), by selecting **Apps** > **All Apps** > **Add**.
-
-### Ending support for Windows 8.1<!-- 14740233 -->
-Microsoft Intune will be ending support on October 21, 2022 for devices running Windows 8.1. After that date, technical assistance and automatic updates that help protect your devices running Windows 8.1 will no longer be available. Additionally, because the sideloading scenario for line-of-business apps is only applicable to Windows 8.1 devices, Intune will no longer support Windows 8.1 sideloading. Sideloading is installing, and then running or testing an app that isn't certified by the Microsoft Store. In Windows 10/11, "sideloading" is simply setting a device config policy to include "Trusted app installation". For more information, see [Plan for Change: Ending support for Windows 8.1](../fundamentals/whats-new.md#plan-for-change-ending-support-for-windows-81-).
-
-<!-- ***********************************************-->
-
 ## Device management
 
 ###  Support for Locate device on Android Enterprise corporate owned fully managed and Android Enterprise corporate owned work profile devices<!-- 12391424 -->
@@ -91,12 +77,6 @@ Applies to:
 - Android Enterprise corporate owned dedicated devices
 - Android Enterprise corporate owned work profile
 
-### Intune moving to support iOS/iPadOS 14 and higher later this year<!-- 14778947 -->
-Later this year, Apple is expected to release iOS/iPadOS 16. Due to this expected release, Microsoft Intune and the Intune Company Portal will require iOS/iPadOS 14 and higher shortly after the release of iOS/iPad 16. For related information, see [Supported operating systems and browsers in Intune](../fundamentals/supported-devices-browsers.md).
-
-### Intune moving to support macOS 11.6 and higher later this year<!-- 14766663 -->
-With Apple's expected release of macOS 13 Ventura later this year, Microsoft Intune, the Company Portal app, and the Intune MDM agent will be moving to support macOS 11.6 (Big Sur) and later. For related information, see [Supported operating systems and browsers in Intune](../fundamentals/supported-devices-browsers.md).
-
 <!-- ***********************************************-->
 
 ## Device enrollment
@@ -108,55 +88,6 @@ Windows Autopilot diagnostics will automatically capture diagnostics about Windo
 
 ## Device configuration
 
-### New settings available in the iOS/iPadOS and macOS Settings Catalog<!-- 15349701 -->
-The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. There are new settings are available in the Settings Catalog. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), you'll be able to find these settings by selecting **Devices** > **Configuration profiles** > **Create profile** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type.
-
-New settings include:
-
-**Accounts > LDAP**:
-
-- LDAP Account Description
-- LDAP Account Host Name
-- LDAP Account Password
-- LDAP Account Use SSL
-- LDAP Account User Name
-- LDAP Search Settings
-
-Applies to:
-- iOS/iPadOS
-- macOS
-
-The following settings are also in Settings Catalog. Previously, they were only available in Templates:
-
-**Privacy > Privacy Preferences Policy Control**:
-
-- Accessibility
-- Address Book
-- Apple Events
-- Calendar
-- Camera
-- File Provider Presence
-- Listen Event
-- Media Library
-- Microphone
-- Photos
-- Post Event
-- Reminders
-- Screen Capture
-- Speech Recognition
-- System Policy All Files
-- System Policy Desktop Folder
-- System Policy Documents Folder
-- System Policy Downloads Folder
-- System Policy Network Volumes
-- System Policy Removable Volumes
-- System Policy Sys Admin Files
-
-Applies to:
-- macOS
-
-For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
-
 ### Filter app and group policy assignments using Windows 11 SE operating system SKUs<!-- 10588651 -->
 When you assign an app or policy, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.
 
@@ -169,41 +100,6 @@ For more information on filters and the device properties you can currently use,
 Applies to:
 - Windows 11 SE
 
-### New lock screen message when adding custom support information to Android Enterprise devices<!-- 13158348 -->
-On Android Enterprise devices, you can create a device restrictions configuration profile that shows a custom support message on the devices. You'll be able to configure this in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Devices** > **Configuration profiles** > **Create profile** > **Android Enterprise** > **Fully managed, dedicated, and corporate-owned work profile** for platform > **Device restrictions** for profile type > **Custom support information**.
-
-There will be a new setting you can configure:
-- **Lock screen message**: Add a message that's shown on the device lock screen. 
-
-When you configure the **Lock screen message**, you can also use the following device tokens to show device-specific information:
-
-- `{{AADDeviceId}}`: Azure AD device ID
-- `{{AccountId}}`: Intune tenant ID or account ID
-- `{{DeviceId}}`: Intune device ID
-- `{{DeviceName}}`: Intune device name
-- `{{domain}}`: Domain name
-- `{{EASID}}`: Exchange Active Sync ID
-- `{{IMEI}}`: IMEI of the device
-- `{{mail}}`: Email address of the user
-- `{{MEID}}`: MEID of the device
-- `{{partialUPN}}`: UPN prefix before the @ symbol
-- `{{SerialNumber}}`: Device serial number
-- `{{SerialNumberLast4Digits}}`: Last 4 digits of the device serial number
-- `{{UserId}}`: Intune user ID
-- `{{UserName}}`: User name
-- `{{userPrincipalName}}`: UPN of the user
-
-> [!NOTE]
-> Variables aren't validated in the UI and are case sensitive. As a result, you may see profiles saved with incorrect input. For example, if you enter `{{DeviceID}}`, instead of `{{deviceid}}` or `{{DEVICEID}}`, then the literal string is shown instead of the device's unique ID. Be sure to enter the correct information. All lowercase or all uppercase variables are supported, but not a mix.
-
-To see a list of settings you can currently configure, go to [Android Enterprise device settings to allow or restrict features using Intune](../configuration/device-restrictions-android-for-work.md).
-
-Applies to:
-- Android 7.0 and newer
-- Android Enterprise corporate owned fully managed
-- Android Enterprise corporate owned dedicated devices
-- Android Enterprise corporate owned work profile
-
 ### New password complexity requirements for Android Enterprise 12+ personally owned devices with a work profile<!-- 12436068 -->
 On Android Enterprise 11 and older personally owned devices with a work profile, you can set the **Required password type** and a **Minimum password length** in device configuration profiles and compliance policies.
 
@@ -231,30 +127,10 @@ Applies to:
 - Android 12.0 and newer
 - Android Enterprise personally owned devices with a work profile
 
-### Filter on the user scope or device scope in the Settings Catalog for Windows devices<!-- 13949975 -->
-When you create a Settings Catalog policy, you can use **Add settings** > **Add filter** to filter settings based on the Windows OS edition (**Devices** > **Configuration profiles** > **Create profile** > **Windows 10 and later** for platform > **Settings Catalog (preview)** for profile type).
-
-When you **Add filter**, you'll be able to filter on the settings by user scope or device scope.
-
-For more information, go to [Use the settings catalog to configure settings: Device scope vs. user scope settings](../configuration/settings-catalog.md#device-scope-vs-user-scope-settings)
-
-Applies to:
-- Windows 10
-- Windows 11
-
 <!-- ***********************************************-->
 
 ## Device security
 
-### Trend Micro – new Mobile Threat Defense (MTD) partner<!--11017779 -->
-You’ll soon be able to use Trend Micro as an integrated Mobile Threat Defense (MTD) partner with Intune. To connect Trend Micro, you’ll configure the Trend Micro MTD connector in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) at **Tenant administration** > **Connectors and tokens** > **Mobile Threat Defense**.
-
-With Trend Micro as a MTD partner, you’ll be able to control mobile device access to your organization’s resources using conditional access that’s based on risk assessment.
-
-Applies to:  
-- Android Enterprise
-- iOS/iPadOS
-
 ### Reusable groups of settings for Microsoft Defender Firewall Rules<!-- 5653346, 6009541 -->
  You’ll soon be able to add reusable groups of settings to your profiles for Microsoft Defender Firewall Rules. The reusable groups are collections of remote IP addresses and FQDNs that you define one time and can then use with one or more firewall rule profiles. You’ll no longer need to reconfigure the same group of IP addresses in each individual profile that might require them.  
 

memdocs/intune/protect/certificate-connector-overview.md

@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 08/03/2022
+ms.date: 09/21/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -384,6 +384,12 @@ New updates for the connector can take a week or more to become available for ea
 > [!IMPORTANT]  
 > Starting April 2022, certificate connectors earlier than version **6.2101.13.0** will be deprecated and will show a status of *Error*. Starting August 2022, these connector versions **won't** be able to revoke certificates. Starting September 2022, these connector versions **won't** be able to issue certificates. This includes both the [PFX Certificate Connector for Microsoft Intune](../protect/certificate-connectors.md#pfx-certificate-connector-release-history) and  [Microsoft Intune Connector](../protect/certificate-connectors.md#microsoft-intune-connector-release-history), which on July 29, 2021 were replaced by the *Certificate Connector for Microsoft Intune* (as detailed in this article).
 
+### September 21, 2202
+
+Version **6.2206.122.0** - Changes in this release:
+
+- Improved telemetry in addition to bug fixes and performance improvements
+
 ### June 30, 2022
 
 Version **6.2205.201.0** - Changes in this release:
@@ -434,6 +440,7 @@ This update includes:
 - Additional logging for Digicert PKCS requests
 - Enhancement to cryptography operations made during handling of PKCS requests
 
+<!-- archived update details that are over one year old: 
 ### August 16, 2021
 
 Version **6.2108.18.0**. This update includes:
@@ -447,6 +454,7 @@ Version **6.2107.45.0** - The Certificate Connector for Microsoft Intune is rele
 
 This connector is a unified connector in that it includes the capabilities of both the *PFX Certificate Connector for Microsoft Intune* and *Microsoft Intune Connector*, which it replaces.  With this release, the previous connectors remain supported, but are no longer developed nor available for download. Plan to replace existing installations of the individual with installations of this new unified connector.
 
+-->
 
 ## Next steps
 

memdocs/intune/protect/certificates-profile-scep.md

@@ -57,11 +57,26 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio
 
      SCEP certificate profiles for the *Fully Managed, Dedicated, and Corporate-Owned Work Profile* profile have the following limitations:
 
-      1. Under Monitoring, certificate reporting isn't available for Device Owner SCEP certificate profiles.
+     1. Under Monitoring, certificate reporting isn't available for **Device Owner** SCEP certificate profiles.
+     1. You can't use Intune to revoke certificates that were provisioned by SCEP certificate profiles for **Device Owner**. You can manage revocation through an external process or directly with the certification authority.
+     1. For Android Enterprise dedicated devices, SCEP certificate profiles are supported for Wi-Fi network configuration, VPN, and authentication. SCEP certificate profiles on Android Enterprise dedicated devices aren't supported for app authentication.
 
-      2. You can't use Intune to revoke certificates that were provisioned by SCEP certificate profiles for Device Owners. You can manage revocation through an external process or directly with the certification authority.
+     For **Android (AOSP)**, the following limitations apply:
 
-      3. For Android Enterprise dedicated devices, SCEP certificate profiles are supported for Wi-Fi network configuration, VPN, and authentication. SCEP certificate profiles on Android Enterprise dedicated devices aren't supported for app authentication.
+     1. Under Monitoring, certificate reporting isn't available for **Device Owner** SCEP certificate profiles.
+     1. You can't use Intune to revoke certificates that were provisioned by SCEP certificate profiles for **Device Owners**. You can manage revocation through an external process or directly with the certification authority.
+     1. SCEP certificate profiles are supported for Wi-Fi network configuration.  VPN configuration profile support is not available. A future update may include support for VPN configuration profiles.  
+     1. The following 3 variables are not available for use on Android (AOSP) SCEP certificate profiles.  Support for these variables will come in a future update.
+        - onPremisesSamAccountName
+        - OnPrem_Distinguished_Name
+        - Department
+
+     > [!NOTE]
+     > **Device Owner** is equivalent to Corporate Owned devices. The following are considered as Device Owner:
+     > - Android Enterprise - Fully Managed, Dedicated, and Corporate-Owned Work Profile
+     > - Android AOSP
+     >   - User-affinity
+     >   - User-less
 
 4. Select **Create**.
 
@@ -75,7 +90,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio
 
    - **Certificate type**:
 
-     *(Applies to:  Android, Android Enterprise, iOS/iPadOS, macOS, Windows 8.1, and Windows 10/11)*
+     *(Applies to:  Android, Android Enterprise, Android (AOSP), iOS/iPadOS, macOS, Windows 8.1, and Windows 10/11)*
 
      Select a type depending on how you'll use the certificate profile:
 
@@ -259,9 +274,12 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio
 
    - **Hash algorithm**:
 
-     *(Applies to Android, Android enterprise, Windows 8.1, and Windows 10/11)*
+     *(Applies to Android, Android (AOSP), Android enterprise, Windows 8.1, and Windows 10/11)*
 
      Select one of the available hash algorithm types to use with this certificate. Select the strongest level of security that the connecting devices support.
+     
+     NOTE: Android AOSP and Android Enterprise devices will select the strongest algorithm supported - SHA-1 will be ignored, and SHA-2 will be used instead. 
+
 
    - **Root Certificate**: