What's new in Microsoft Intune

Week of March 30, 2026 (Service release 2603)
App management
Declarative Device Management for Apple line-of-business apps on iOS/iPadOS

Microsoft Intune now supports Apple Declarative Device Management (DDM) for required line-of-business apps on devices running iOS/iPadOS 18 and later. By changing the management type to DDM in App information, you can deploy and configure apps using Apple's policy-based model, which improves delivery efficiency, provides real-time app status, and expands per-app options such as associated domains.

Applies to:

  • iOS/iPadOS

Device configuration
Recovery lock features available for macOS devices
On macOS devices, you can configure a recovery OS password that prevents users from booting company-owned devices into recovery mode, reinstalling macOS, and bypassing remote management. Admins can also rotate this password.

There are two ways to use this feature:

  • Settings catalog policy - In a settings catalog policy, you can use the Recovery Lock settings to:
  1. Turn on the recovery lock feature
  2. Configure a password rotation schedule
  • Remote device action - Use the Recovery Lock device action to manually rotate the recovery lock password for a specific device.

The Recovery Lock password can be viewed in the per-setting status report > Passwords and keys. To view the Recovery Lock password, the signed-in administrator needs the Remote tasks/View macOS recovery lock password permission.

Applies to:

  • macOS

New supported OEMConfig app for Android Enterprise
The following OEMConfig app is available in Intune for Android Enterprise:

  • Inventus | com.inventus.oemconfig.gen

New settings in the Windows settings catalog
There are new settings in the Windows settings catalog. To see and configure these settings in Intune, create a Windows settings catalog profile (Devices > Configuration profiles > Create profile > Windows 10 and later > Settings catalog).

The new policies include:

  • Connectivity > Disable Cross Device Resume: This feature lets Windows suggest continuing an activity users start on a device, like a phone, to a PC. IT admins can use this policy to turn off this feature and prevent users from continuing tasks, like browsing files or continuing to use supported apps that require linking between a phone and PC.

When set to CrossDeviceResume is Disabled, the Windows device doesn't receive any CrossDeviceResume notification. Users won't see any "resume from your phone" prompts. When you select CrossDeviceResume is Enabled, the Windows device does receive notification to resume activity from linked devices. If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned on, which means users see the notification. Changes to this policy take effect on reboot.

This policy:

  • Is available to Windows Insiders.
  • Uses the DisableCrossDeviceResume CSP.

  • Windows AI > Remove Microsoft Copilot App: This policy setting allows you to uninstall the Microsoft Copilot app from devices. It applies to devices and users that meet the following conditions:
  1. The Microsoft 365 Copilot and Microsoft Copilot apps are both installed.
  2. The Microsoft Copilot app was not installed by the user.
  3. The Microsoft Copilot app was not opened in the last 14 days.

If this policy is enabled, the Microsoft Copilot app is uninstalled. Users can still re-install it if they choose to.

Applies to:

  • Windows

New updates to the Apple settings catalog
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.

There are new settings in the Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS
Declarative Device Management (DDM) > External Intelligence Settings:

  • Allow Sign In
  • Allowed Workspace IDs

Declarative Device Management (DDM) > Intelligence Settings:

  • Allow Apple Intelligence Report
  • Allow Genmoji
  • Allow Image Playground
  • Allow Image Wand
  • Allow Personalized Handwriting Results
  • Allow Visual Intelligence Summary
  • Allow Writing Tools
  • Mail > Allow Smart Replies
  • Mail > Allow Summary
  • Notes > Allow Transcription
  • Notes > Allow Transcription Summary
  • Safari > Allow Summary
  • Force On Device Only Dictation
  • Force On Device Only Translation

Declarative Device Management (DDM) > Keyboard Settings:

  • Allow Definition Lookup
  • Allow Auto Correction
  • Allow Dictation
  • Allow Predictive Text
  • Allow Slide To Type
  • Allow Spell Check
  • Allow Text Replacement
  • Allow Math Keyboard Suggestions

Declarative Device Management (DDM) > Siri Settings:

  • Allow User Generated Content
  • Allow While Locked
  • Force Profanity Filter

macOS
Declarative Device Management (DDM) > External Intelligence Settings:

  • Allow Sign In
  • Allowed Workspace IDs

Declarative Device Management (DDM) > Intelligence Settings:

  • Allow Apple Intelligence Report
  • Allow Genmoji
  • Allow Image Playground
  • Allow Writing Tools
  • Mail > Allow Smart Replies
  • Mail > Allow Summary
  • Notes > Allow Transcription
  • Notes > Allow Transcription Summary
  • Safari > Allow Summary
  • Force On Device Only Dictation

Declarative Device Management (DDM) > Keyboard Settings:

  • Allow Definition Lookup
  • Allow Dictation
  • Allow Math Keyboard Suggestions

Declarative Device Management (DDM) > Siri Settings:

  • Force Profanity Filter

System Configuration > File Provider:

  • Management Allows Remote Syncing
  • Management Remote Syncing Allow List
  • Management Allows External Volume Syncing
  • Management External Volume Syncing Allow List
  • Management Domain Auto Enablement List

Restrictions:

  • Allow Rosetta Usage Awareness

Applies to:

  • iOS/iPadOS
  • macOS

Device management
Remote Help connectivity update for Windows devices
We've improved connectivity when using the Launch Remote Help capability in the Intune admin center for Windows devices. For the best experience, we recommend updating firewall rules to include this new endpoint:

  • *.trouter.communications.svc.cloud.microsoft

For the current list of required network endpoints, see Network requirements for PowerShell scripts and Win32 apps and Remote Help in the Intune endpoints documentation.

With this endpoint addition, we've also added a new Intune Management Extension log, NotificationInfra.log, which tracks notifications sent through the Microsoft real-time communication channel.

Applies to:

  • Windows

Support for Red Hat Enterprise Linux 9 and later
Microsoft Intune supports Red Hat Enterprise Linux (RHEL) 9 LTS and RHEL 10 LTS. Support for RHEL 8 LTS will end in July 2026. Devices already enrolled on RHEL 8 will remain enrolled. You can identify devices running RHEL 8 in the Intune admin center by going to Devices > All devices, filtering OS by Linux, and adding OS version columns. Notify users to upgrade their devices to a supported RHEL version. For more information about enrolling Linux devices, see Enrollment guide: Enroll Linux desktop devices in Microsoft Intune.

Microsoft Intune app for Linux now supports the Microsoft Identity Broker
The Microsoft Intune app for Linux now uses the Microsoft Identity Broker on supported Ubuntu and Red Hat Enterprise Linux (RHEL) distributions. Broker version 2.0.2 and later introduces a major architectural change from the previous Java-based broker. This update enables new single sign-on (SSO) experiences using phish-resistant MFA, smart card authentication, and certificate-based authentication with Microsoft Entra ID. For more information, see Enabling Phish-Resistant MFA (PRMFA) on Linux devices.

Device security
Hotpatching default enablement in Windows Autopatch
Starting with the May 2026 Windows security update, hotpatch updates are enabled by default for all eligible devices managed through Windows Autopatch. Hotpatch updates install faster and require fewer restarts, helping devices get secure sooner.

If your organization isn't ready for this change, you can opt out using either of the following options:

  • Tenant-level setting: Opt out of hotpatch updates across all eligible devices in your tenant. This option becomes available April 1, 2026 in the Intune admin center.
  • Quality update policy: Control hotpatch behavior for a specific group of devices. Hotpatch settings configured in a quality update policy override the tenant-level setting for devices assigned to that policy.

Key dates:

  • April 1, 2026: Tenant-level opt-out setting available in the Intune admin center.
  • May 2026 security update: Hotpatch updates enabled by default.

Intune apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:

  • PerfectServe Clinical Collab by PerfectServe
  • Synigo Pulse by Synigo B.V.
  • DeepL for Intune by DeepL SE
  • Foxit PDF Editor by Foxit Software Inc.
  • EasyPlant QC Inspections by Technip Energies (Android)

Monitor and troubleshooting
Support for system proxy settings in endpoint analytics and Advanced Analytics
Devices configured with system-level (WinHTTP) proxy settings can now send telemetry to endpoint analytics and Advanced Analytics, enabling more comprehensive reporting. Endpoint Privilege Management (EPM) will also include elevation usage data from these devices.

No admin action is required. If endpoint analytics or EPM is enabled for a device, telemetry and events automatically appear in the User Experience (Device blade), Endpoint analytics reports, and EPM.

For more details about displaying advanced proxy settings, see Netsh.exe commands.

Applies to:

  • Windows

Improvements to device query for multiple devices
Device query for multiple devices now includes new capabilities to help you work with query results more efficiently.

You can use a search text box to search across all resulting rows of a query, use column headers to add filters for specific values, and create Microsoft Entra security groups directly from a query's device results.

Role-based access control
Scoped permissions for Role-based access control (public preview)
Intune now includes an opt-in public preview to enable Scoped permissions, making your role-based access control (RBAC) configuration more precise. Enabling Scoped permissions is a one-time choice that can't be undone. In the future, this will become the default behavior for all tenants.

Previously, when an admin had multiple role assignments using different scope tags for the same permission category, Intune merged permissions across those assignments, which could unintentionally grant broader access than intended. With Scoped permissions enabled, each role assignment's permissions apply only within its own scope tag context, so each admin receives exactly the access you intended.

To help you prepare before enabling this change, Intune includes a new Permissions Assessment Report. The report details your tenant's current permissions and shows how they will change after enabling Scoped permissions. You can rerun the report as often as needed, adjust role assignments, and communicate any changes to affected admins before opting in.
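The following is an added illustration, not Intune's own evaluation logic: a simplified model of how effective permissions differ between the merged behavior and Scoped permissions, plus a small assessment step in the spirit of the Permissions Assessment Report. Role names, permission strings, and scope tags are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    """One Intune role assignment: a set of permissions tied to scope tags."""
    role: str
    permissions: frozenset  # e.g. {"Managed devices/Read"} (sample labels)
    scope_tags: frozenset   # scope tags the assignment is limited to


def effective_merged(assignments, device_scope_tag):
    """Legacy behavior (simplified): permissions and scope tags from all of an
    admin's assignments are pooled, so any permission applies to any device
    carrying any of the admin's scope tags."""
    all_perms = set().union(*(a.permissions for a in assignments))
    all_tags = set().union(*(a.scope_tags for a in assignments))
    return all_perms if device_scope_tag in all_tags else set()


def effective_scoped(assignments, device_scope_tag):
    """Scoped permissions: an assignment's permissions count only on devices
    that carry one of that assignment's own scope tags."""
    perms = set()
    for a in assignments:
        if device_scope_tag in a.scope_tags:
            perms |= a.permissions
    return perms


def assess_change(assignments, scope_tags):
    """Per scope tag, list the permissions an admin would lose after opting in.
    Anything listed here was only ever reachable through cross-scope merging."""
    return {
        tag: effective_merged(assignments, tag) - effective_scoped(assignments, tag)
        for tag in scope_tags
    }


# Constructed sample: a Paris help-desk admin who also holds a device-admin
# role limited to London. Merging lets the London-only wipe right reach Paris.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("Help Desk", frozenset({"Managed devices/Read"}), frozenset({"Paris"})),
    RoleAssignment("Device Admin",
                   frozenset({"Managed devices/Read", "Remote tasks/Wipe"}),
                   frozenset({"London"})),
]

if __name__ == "__main__":
    for tag, lost in assess_change(SAMPLE_ASSIGNMENTS, ["Paris", "London"]).items():
        print(f"{tag}: permissions removed by Scoped permissions -> {sorted(lost)}")
```

Running the assessment before opting in tells you which admins relied on merged access, so you can add an explicit assignment for any permission they genuinely need rather than discovering the gap after the irreversible switch.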
