Merge pull request #6138 from MicrosoftDocs/release-intune-2111

Author: dougeby

memdocs/intune/apps/apps-add-android-for-work.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 09/16/2021
+ms.date: 11/08/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -216,6 +216,32 @@ By default, an Android Enterprise fully managed device will not allow employees
 > [!NOTE]
 > The Microsoft Intune app, the Microsoft Authenticator app, and the Company Portal app will be installed as required apps onto all fully managed devices during onboarding. Having these apps automatically installed provides Conditional Access support, and Microsoft Intune app users can see and resolve compliance issues. 
 
+## Update a Managed Google Play app
+By default, Managed Google Play apps will not update unless the following conditions are met:
+
+- The device is connected to wi-fi
+- The device is charging
+- The device is not actively being used 
+- The app to be updated is not running on the foreground
+
+For more information, see the [Manage App Updates](https://support.google.com/googleplay/work/answer/9350374?hl=en) documentation from Google. 
+
+You can choose to configure the wi-fi requirement for dedicated, fully managed, and corporate-owned work profile devices by configuring app auto-updates in [device configurations policies](../configuration/device-restrictions-android-for-work.md).
+
+For dedicated, fully managed, and corporate-owned work profile devices, you can choose an app update mode when an app is assigned to groups. The update modes available are:
+
+- **Default**: The app's updates are subject to default conditions (described above). 
+- **High Priority**: The app will update as soon as possible from when a new update is released, disregarding all of the default conditions. This may be disruptive for some users since the update can occur while the device is being used.
+
+To edit the app update mode:
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Apps** > **All apps**.
+3. Select the app from the apps list.
+4. Select **Properties**.
+5. Select **Edit** by the **Assignments** section.
+6. Find the group you'd like to edit the app update mode for by clicking the corresponding group mode for that group.
+7. Under **app settings**, select the desired update mode.
+
 ## Manage Android Enterprise app permissions
 Android Enterprise requires you to approve apps in the Managed Google Play web console before you sync them with Intune and assign them to your users. Because Android Enterprise allows you to silently and automatically push the apps to users' devices, you must accept the app permissions on behalf of all your users. Users don't see any app permissions when they install the apps, so it's important that you understand the permissions.
 

memdocs/intune/apps/apps-supported-intune-apps.md

@@ -6,7 +6,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 10/15/2021
+ms.date: 11/04/2021
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -173,6 +173,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
 | **Notate for Intune**<p><img alt="Partner app - Notate for Microsoft Intune icon" src="./media/apps-supported-intune-apps/icon-p-notate.png" width="100"> | Notate is the ultimate Exchange Information Manager. Go paperless and improve collaboration. Let Notate advance your digital transformation. | [App Store link (iOS)](https://apps.apple.com/app/notate-for-microsoft-intune/id1511979523) | 
 | **Now<sup>&#174;</sup> Mobile - Intune**<p><img alt="Partner app - Now Mobile for Intune icon" src="./media/apps-supported-intune-apps/icon-p-now-mobile.png" width="100"> | Now employees can find answers and get work done across IT, HR, Facilities, Finance, Legal and other departments, all from a modern mobile app powered by the Now Platform<sup>&#174;</sup>.<p>The Now Platform<sup>&#174;</sup> delivers employee experiences and productivity through digital workflows across departments, systems and people.<p>Examples of things you can do in the app:<ul><li>IT: Request a laptop or a reset password</li><li>Facilities: Find and book a conference room</li><li>Finance: Request a corporate credit card</li><li>Legal: Have a new vendor sign a non-disclosure agreement (NDA)</li><li>HR: Find the next company holiday and check the vacation policy</li></ul><p>Now<sup>&#174;</sup> Mobile powered by the Now Platform<sup>&#174;</sup> - finally work life can be as great as real life | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.servicenow.requestor.mam.intune),<br>[App Store link (iOS)](https://apps.apple.com/app/now-mobile-intune/id1494183300) | 
 | **Omnipresence Go**<p><img alt="Partner app - Omnipresence Go icon" src="./media/apps-supported-intune-apps/icon-p-omnipresence.png" width="100"> | Omnipresence is a Customer Experience Management platform for Life Sciences companies. You can use Omnipresence CXM to engage with customers and patients of Life Sciences companies. <p>Omnipresence is built by life sciences experts who understand pharma, biotech, and med-device business needs and compliance requirements. As a unified platform, functional teams can work together using a shared view of their customers and plans across devices, online and offline, in harmony with their Microsoft applications. By using Omnipresence, you can focus on enabling great customer experiences based on advanced analytics and AI that deliver insights to enrich every stage of the customer journey.| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.omnipresence.live),<br>[App Store link (iOS)](https://apps.apple.com/in/app/omnipresence-technologies/id1504126395#?platform=iphone) | 
+| **PenPoint**<p><img alt="Partner app - PenPoint icon" src="./media/apps-supported-intune-apps/icon-p-penpoint.png" width="100"> | PenPoint works with PenLink’s on-premise software, PLX, to conduct lawful communications surveillance operations in the support of law enforcement investigations. PenPoint for Intune provides secure mobile access to communications surveillance data collected and stored by a PLX system. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.penlink.PenPoint),<br>[App Store link (iOS)](https://itunes.apple.com/app/penpoint/id1451352658?mt=8) | 
 | **PrinterOn for Microsoft**<p><img alt="Partner app - PrinterOn for Microsoft icon" src="./media/apps-supported-intune-apps/icon-p-printeron.png" width="100"> | PrinterOn's wireless mobile printing solutions enable users to remotely print from anywhere at any time over a secure network.| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.printeron.droid.phone),<br>[App Store link (iOS)](https://apps.apple.com/us/app/printeron-for-microsoft/id1258715414?mt=8) | 
 | **Qlik Sense Mobile**<p><img alt="Partner app - Qlik Sense Mobile icon" src="./media/apps-supported-intune-apps/icon-p-qlik.png" width="100"> | Qlik Sense is a market leading, next generation application for self-service oriented analytics. Qlik's patented associative technology allows people to easily combine data from many different sources and explore it freely, without the limitations of query-based tools. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.qlik.qliksense.mobile),<br>[App Store link (iOS)](https://apps.apple.com/app/qlik-sense-mobile/id1217049362) | 
 | **SAP Fiori**<p><img alt="Partner app - SAP Fiori icon" src="./media/apps-supported-intune-apps/icon-p-sap-fiori.png" width="100"> | Increase your daily productivity by tackling your most common business tasks anywhere and anytime with the SAP Fiori Client mobile app for iPhone and iPad. Deliver a next-level mobile experience with enhanced attachment handling and full-screen operations using this enhanced mobile runtime for the Web version of over 750 SAP Fiori app. Plus, access custom SAP Fiori mobile apps—built by customers using SAP Fiori mobile service—that are ready to support Intune mobile app management. | [App Store link (iOS)](https://apps.apple.com/us/app/sap-fiori-client/id824997258?mt=8) |  

memdocs/intune/apps/apps-win32-supersedence.md

@@ -6,7 +6,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 07/19/2021
+ms.date: 11/04/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -39,6 +39,12 @@ Supersedence relationships can be created when adding or modifying a Win32 app w
 
 App supersedence can only be applied to Win32 apps. For more information, see [Add a Win32 app](apps-win32-add.md) to Intune.
 
+A Microsoft Endpoint Manager permission will be required to create and edit Win32 app supersedence and dependency relationships with other apps. The permission is available under the **Mobile apps** category by selecting **Relate**. Starting in the **2202** service release, MEM admins will need this permission to add supersedence and dependency apps when creating or editing a Win32 app in Microsoft Endpoint Manager admin center. To find this permission in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Roles** > **All roles** > **Create**.
+
+This Win32 app supersedence permission has been added to the following built-in roles:
+- Application Manager
+- School administrator
+
 ## Create a Supersedence relationship in Intune
 
 The following steps help you create a supersedence relationship between apps:

memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-penpoint.png

@@ -4,7 +4,7 @@ description: Add or create settings using ADMX administrative templates to confi
 ms.author: mandia
 author: MandiOhlinger
 manager: dougeby
-ms.date: 02/26/2021
+ms.date: 11/04/2021
 audience: ITPro
 ms.topic: how-to
 ms.service: microsoft-intune
@@ -34,6 +34,9 @@ This article applies to:
 
   For Microsoft Edge version 45 and earlier, see [Microsoft Edge Browser device restrictions](device-restrictions-windows-10.md#microsoft-edge-legacy-version-45-and-older).
 
+> [!NOTE]
+> Additional ADMX settings for Edge 95 and Edge updater have been added to Administrative Templates. This includes support for "Target Channel override" which allows customers to opt into the **[Extended Stable](https://blogs.windows.com/msedgedev/2021/07/15/opt-in-extended-stable-release-cycle/)** release cycle option at any point using Group Policy or through Intune.
+
 When you use Intune to manage and enforce policies, it's similar to using Active Directory group policy, or configuring local Group Policy Object (GPO) settings on user devices. But, Intune is 100% cloud.
 
 This article shows you how to configure Microsoft Edge policy settings using administrative templates in Microsoft Intune.

memdocs/intune/configuration/administrative-templates-configure-edge.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 10/19/2021
+ms.date: 11/15/2021
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -446,6 +446,8 @@ End of comment -->
 
 ### Applications
 
+#### Fully managed, dedicated, and corporate-owned work profile devices
+
 - **Allow installation from unknown sources**: **Allow** lets users turn on **Unknown sources**. This setting allows apps to install from unknown sources, including sources other than the Google Play Store. It allows users to side-load apps on the device using means other than the Google Play Store. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on **Unknown sources**.
 
 - **App auto-updates (work profile-level)**: Devices check for app updates daily. Choose when automatic updates are installed. Your options:
@@ -464,6 +466,17 @@ End of comment -->
 
 If you want to enable side-loading, set the **Allow installation from unknown sources** and **Allow access to all apps in Google Play store** settings to **Allow**.
 
+#### Dedicated devices
+
+- **Clear local data in apps not optimized for Shared device mode (Public Preview)**: Add any app not optimized for shared device mode to the list. The app's local data will be cleared whenever a user signs out of an app that's optimized for shared device mode. Available for dedicated devices enrolled with Shared mode running Android 9 and later. 
+
+  When you use this setting, users cannot initiate sign out from non-optimized apps and get single sign-out. 
+  - Users will need to sign out of an app that has been optimized for Shared Device mode. Microsoft apps that are optimized for Shared device mode on Android include Teams and Intune’s Managed Home Screen. 
+  - For apps that have not been optimized for Shared Device mode, deleting application data extends to local app storage only. Data may be left in other areas of the device. User identifying artifacts such as email address and username may be left behind on the app and visible by others. 
+  - Non-optimized apps that provide support for multiple accounts could exhibit indeterminate behavior and are therefore not recommended. 
+  
+  All non-optimized apps should be thoroughly tested before being used in multi-user scenarios on shared devices to ensure they work as expected. For example, validate your core scenarios in each app, verify that the app signs out properly, and that all data is sufficiently cleared for your organization’s needs.
+
 ### Connectivity
 
 #### Fully managed, dedicated, and corporate-owned work profile devices

memdocs/intune/configuration/device-restrictions-android-for-work.md

@@ -70,7 +70,11 @@ Be sure the file is less than 4 MB and has a proper unicode encoding. If the exp
 
     - **Group Policy name**: The name is automatically generated using information in the GPO.
     - **Active Directory Target**: The target is automatically generated using the organizational unit (OU) target information in the GPO.
-    - **MDM Support**: Shows the percentage of group policy settings in the GPO that have the same setting in Intune.
+    - **MDM Support**: Shows the percentage of group policy settings in the GPO that have the same setting in Intune.  
+
+        > [!NOTE]
+        > Whenever the Microsoft Intune product team makes changes to the mapping in Intune, the percentage under MDM Support automatically updates to reflect those changes.   
+
     - **Unknown Settings**: Shows GPO settings that fall outside of the list of the Configuration Service Providers (CSPs) that this tool can parse.
     - **Targeted in AD**: **Yes** means the GPO is linked to an OU in on-premises group policy. **No** means the GPO isn't linked to an on-premises OU.
     - **Last imported**: Shows the date of the last import.
@@ -79,7 +83,7 @@ Be sure the file is less than 4 MB and has a proper unicode encoding. If the exp
 
     :::image type="content" source="./media/group-policy-analytics/import-refresh-filter-options.png" alt-text="Import, refresh, filter, or export a group policy object (GPO) to a CSV file in Microsoft Intune and Endpoint Manager admin center.":::
 
-4. Select the **MDM Support** percentage for a listed GPO. More detailed information about the GPO is shown:
+4. Select the **MDM Support** percentage for a listed GPO. More detailed information about the GPO is shown:  
 
     - **Setting Name**: The name is automatically generated using information in the GPO setting.
     - **Group Policy Setting Category**: Shows the setting category for ADMX settings, such as Internet Explorer and Microsoft Edge. Not all settings have a setting category.

memdocs/intune/configuration/group-policy-analytics.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 10/19/2021
+ms.date: 11/16/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -130,6 +130,17 @@ There are thousands of settings available in the settings catalog. To make it ea
 
   :::image type="content" source="./media/settings-catalog/settings-picker-filter-edition.png" alt-text="In Settings Catalog, filter the settings list by Windows edition in Microsoft Intune and Endpoint Manager admin center.":::
 
+## Duplicate a profile  
+
+ Select **Duplicate** to create a copy of an existing profile. Duplicating is useful when you need a profile that's similar yet distinct from the original one. The copy contains the same setting configurations and scope tags as the original profile, but doesn't have assignments attached to it. After you give the new profile a name, you can edit it to adjust the settings and add assignments.      
+ 
+1. Go to **Devices** > **Configuration profiles**.
+2. Locate the profile that you want to copy in the table. Right-click the profile or select the ellipses context menu (**…**) that's in the same row.    
+3. Select **Duplicate**.  
+4. Enter a new name for the policy, and optionally, a description. 
+5. Select **Save**.  
+
+
 ## Reporting and conflicts
 
 You create the policy, and assign it to your groups. In the Endpoint Manager admin center, you can check the status of your policy. The data refreshes automatically, and operates in near real time.