Update

Android app configuration policies support new variable values

Week of August 18, 2025 (Service release 2508)

App management
Android app configuration policies support new variable values
Android Enterprise app configuration policies in Intune now support more variable values. The new values include account name, device name, employee ID, MEID, serial number, and the last four digits of the serial number.
Applies to:

  • Android Enterprise

Offline Mode and App access without sign in for Android Enterprise Dedicated Devices on Managed Home Screen
Managed Home Screen (MHS) for Android Enterprise dedicated devices now supports two new features: Offline mode and App access without sign in.

  • Offline mode – Lets users access designated apps when the device is offline or unable to connect to the network. You can configure a grace period before requiring users to sign in once connectivity is restored.
  • App access without sign in – Lets users launch specific apps from the MHS sign-in screen via the MHS top bar, regardless of network status. This is useful for apps that need to be available immediately, such as help desk or emergency tools.

These features are designed for dedicated devices enrolled in Microsoft Entra shared device mode and can be configured via device configuration policy.

Applies to: Android Enterprise dedicated devices

Device configuration
Managed Installer support for user and device groups
We’ve updated our Managed Installer policy to add the capability to target individual groups of users and devices, using one or more individual policies. Until now, a Managed Installer policy was a tenant-wide configuration that applied to all Windows devices. With this update, separate policies can now be assigned to different device groups, providing you more flexibility.

If you previously had a tenant-wide managed installer policy in effect, that policy remains available with a group assignment to all your devices. The converted policy is equivalent to the previous tenant-wide configuration. You can choose to use that converted policy or implement new policies with more granular control.

For more information about configuring and using managed installers, see Get started with managed installers.

Applies to:

  • Windows

New Windows settings in the settings catalog
The Intune settings catalog lists all the settings you can configure, and all in one place. There are new settings in the Windows settings catalog (Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type).

Microsoft Edge Administrative Templates policy updates (v138):
Intune supports ingestion of new Microsoft Edge policies including AI search, TLS 1.3 early data, and external link handling. Several legacy policies are deprecated or marked obsolete. These updates enhance browser control and security for enterprise environments.

OneDrive:

  • Disable a toast and activity center message to encourage a user to sign in OneDrive using an existing credential that is made available to Microsoft applications - This setting allows IT admins to prevent detection of new accounts in OneDrive, helping enforce organizational sync and access controls.

Administrative Templates\Windows Components\Sync your settings:

  • Enable Windows Backup - This setting allows IT admins to manage syncing behavior for Windows Backup features. Specifically, this policy controls whether language preferences are included in backup sync, which helps organizations tailor backup configurations to their needs.

Applies to:

  • Windows

New day zero settings available in the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS
Declarative Device Management (DDM) > Audio Accessory Settings:

  • Temporary Pairing Disabled
  • Temporary Pairing Unpairing Time
  • Unpairing Policy
  • Unpairing Hour

Declarative Device Management (DDM) > Safari Settings:

  • Accept Cookies
  • Allow Disabling Fraud Warning
  • Allow History Clearing
  • Allow JavaScript
  • Allow Private Browsing
  • Allow Popups
  • Allow Summary
  • Page Type
  • Homepage URL
  • Extension Identifier

Restrictions:

  • Allow Safari History Clearing
  • Allow Safari Private Browsing
  • Denied ICCIDs For iMessage And FaceTime
  • Denied ICCIDs For RCS

macOS
Authentication > Extensible Single Sign On Kerberos:

  • Allow Platform SSO Auth Fallback

Declarative Device Management (DDM) > Safari Settings:

  • Allow History Clearing
  • Allow Private Browsing
  • Allow Summary
  • Page Type
  • Homepage URL
  • Extension Identifier

Restrictions:

  • Allow Safari History Clearing
  • Allow Safari Private Browsing

New setting in the Android settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There's a new Hide organization name setting (Devices > Manage devices > Configuration > Create > New policy > Android Enterprise for platform > Settings catalog for profile type). When set to True, the enterprise name isn't shown on the device, such as on the lock screen.

For a list of existing settings you can configure in the settings catalog, see Android Enterprise device settings list in the Intune settings catalog.
Applies to:

  • Android Enterprise corporate-owned devices with a work profile (COPE)
  • Android Enterprise corporate owned fully managed (COBO)

Device enrollment
Intune supports Ubuntu 22.04 and later
Microsoft Intune and the Microsoft Intune app for Linux now support Ubuntu 22.04 LTS and Ubuntu 24.04 LTS, and have ended support for Ubuntu 20.04 LTS. Devices that are currently enrolled on Ubuntu 20.04 LTS remain enrolled even though the version is no longer supported. New devices are unable to enroll if they're running Ubuntu 20.04 LTS. To see what devices or users might be affected, check your Intune reporting. In the admin center, go to Devices > All devices and filter OS by Linux. You can add more columns to help identify who in your organization has devices running Ubuntu 20.04 LTS. Notify your users to upgrade their devices to a supported Ubuntu version.

Device management
Wipe remote action supports multiple administrative approval (MAA)
When you use the multiple administrative approval (MAA) feature, you require a second admin account to approve a change before the change is applied.

The Wipe remote action supports MAA. Use MAA with the Wipe action to help mitigate the risk of unauthorized or compromised remote actions by a single admin account.

Configure Windows Backup for Organizations (public preview)
Intune administrators can configure a new feature in public preview called Windows Backup for Organizations. With this feature, you can back up your organization's Windows 10 or Windows 11 settings and restore them on a Microsoft Entra joined device. Backup settings are configurable in the Microsoft Intune admin center settings catalog, while a tenant-wide setting that lets you restore a device is available in the admin center under Enrollment. The backup setting is available now in public preview, while the restore setting will be available for public preview beginning August 26th.

New resolution button improves compliance remediation experience
We improved the Just in Time (JIT) compliance remediation experience for device users in Microsoft Intune. Intune has collaborated with Microsoft Defender to:

  • Remove user clicks required to view and learn remediation steps.
  • Add a Resolve button to reduce time-to-remediation.

When a user opens a productivity app and sees they are marked noncompliant due to Microsoft Defender, the user can now select Resolve. This action redirects them to Microsoft Defender, where Microsoft Defender takes steps to remediate the user and then redirects the user back to their productivity app.

Even if you aren't using Microsoft Defender, if you have Conditional Access turned on, your users can have an improved experience. With JIT compliance remediation, users go through an embedded flow that shows them their compliance status, noncompliance reasoning, and a list of actions right within a productivity app. This flow eliminates extra steps and the need to switch between apps, and reduces the number of authentications.

As an admin, if you have JIT registration and compliance remediation set up already, you have no action items. If you don't, set it up today to support this new functionality.

Intune apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:

  • Avenza Maps for Intune by Avenza Systems Inc.
  • Datasite for Intune by Datasite (Android)
  • Dialpad by Dialpad, Inc.
  • Dialpad Meetings by Dialpad, Inc.
  • Omega 365 by Omega 365 Core AS
  • Symphony Messaging Intune by Symphony Communication Services, LLC
  • Zoho Projects - Intune by Zoho Corporation (Android)

Monitor and troubleshoot
Declarative software update reports for Apple devices
You can now use several new software update reports for Apple devices that are powered by Apple's built-in declarative reporting infrastructure. The declarative reporting infrastructure provides Intune with a near real-time view of the software update status of managed devices. The following Apple software update reports are now available:

  • A per-device software update report - Per-device software update reports are available in the Intune Admin center by going to Devices and then selecting an applicable device. In the Devices Overview pane for that device, below Monitor, you'll find the report listed as iOS software updates for iOS or iPadOS devices, and as macOS software updates for macOS devices.
    With these per-device reports available, the previously available macOS per-device Software updates report is now deprecated. While the deprecated report remains available in the admin center and can still be used while viewing a device, the report will be removed from Intune with a future update.
  • Apple software update failures - With this operational report, you can view details across your entire managed Apple device fleet. Details include why the update failed to install and the timestamp of the last failure. To find this report, in the admin center go to Devices > Monitor, and then select the report’s name to view the report details.
  • Apple software update report - This is an organizational report that displays details about pending and current software update information across your entire managed Apple device fleet. To find this report, in the admin center go to Reports > Device management > Apple updates, select the Reports tab, and then select the report tile.
  • Apple software update summary report - To view the Apple software update summary report, in the admin center go to Reports > Device management > Apple updates, and then select the Summary tab. Here you’ll see a roll-up of update status from macOS, iOS, and iPadOS devices. This includes the version of the latest update that is available for each platform, and the date that update became available.

The following Apple devices support these new reports:

  • iOS 17 and later
  • iPadOS 17 and later
  • macOS 14 and later

Role-based access control
Multi-administrator approval support for role-based access control
Multi-administrator approval (MAA) now supports role-based access control. When enabled, any changes to roles, including modifications to role permissions, admin groups, or member group assignments, require a second administrator to approve the change before it's applied. This dual authorization process helps protect your organization from unauthorized or accidental role-based access control changes.
