Introducing the Resource performance report and other features

Week of August 19, 2024 (Service release 2408)

Microsoft Intune Suite
Easy creation of Endpoint Privilege Management elevation rules from support approval requests and reports

• You can now create Endpoint Privilege Management (EPM) elevation rules directly from a support approved elevation request or from details found in the EPM Elevation report. With this new capability, you won’t need to manually identify specific file detection details for elevation rules. Instead, for files that appear in the Elevation report or a support approved elevation request, you can select that file to open its elevation detail pane, and then select the option to Create a rule with these file details.
• When you use this option, you can then choose to add the new rule to one of your existing elevation policies, or create a new policy with only the new rule.
• Applies to:
• Windows 10
• Windows 11

Introducing the Resource performance report for physical devices in Advanced Analytics

• We're introducing the Resource performance report for Windows physical devices in Intune Advanced Analytics. The report is included as an Intune-add on under Microsoft Intune Suite.
• The resource performance scores and insights for physical devices are aimed to help IT admins make CPU/RAM asset management and purchase decisions that improve the user experience while balancing hardware costs.

App management
Managed Home Screen for Android Enterprise Fully Managed devices

• Managed Home Screen (MHS) is now supported on Android Enterprise Fully Managed devices. This capability offers organizations the ability to leverage MHS in scenarios where a device is associated with a single user.

Updates to the Discovered Apps report

• The Discovered Apps report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we are including it as a column in the Discovered Apps report.

Improvements to Intune Management Extension logs

• We have updated how log activities and events are made for Win32 apps and the Intune Management Extension (IME) logs. A new log file (AppWorkload.log) contains all logging information related to app deployment activities conducted by the IME. These improvements provide better troubleshooting and analysis of app management events on the client.

Device configuration

• New settings available in the Apple settings catalog
• The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see Create a policy using settings catalog.
• There are new settings in the Apple Settings Catalog. To see these settings, in the Microsoft Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type.

iOS/iPadOS
Declarative Device Management (DDM) > Safari Extension Settings:

• Managed Extensions
• Allowed Domains
• Denied Domains
• Private Browsing
• State
  Declarative Device Management (DDM) > Software Update Settings:
• Automatic Actions
• Download
• Install OS Updates
• Deferrals
• Combined Period In Days
• Notifications
• Rapid Security Response
• Enable
• Enable Rollback
• Recommended Cadence

Restrictions:

• Allow ESIM Outgoing Transfers
• Allow Personalized Handwriting Results
• Allow Video Conferencing Remote Control
• Allow Genmoji
• Allow Image Playground
• Allow Image Wand
• Allow iPhone Mirroring
• Allow Writing Tools

macOS
Authentication>Extensible Single Sign On (SSO):

• Platform SSO
• Authentication Grace Period
• FileVault Policy
• Non Platform SSO Accounts
• Offline Grace Period
• Unlock Policy

Authentication>Extensible Single Sign On Kerberos:

• Allow Password
• Allow SmartCard
• Identity Issuer Auto Select Filter
• Start In Smart Card Mode

**Declarative Device Management (DDM) > Disk Management:
**

• External Storage
• Network Storage

Declarative Device Management (DDM) > Safari Extension Settings:

• Managed Extensions
• Allowed Domains
• Denied Domains
• Private Browsing
• State

Declarative Device Management (DDM) > Software Update Settings:

• Allow Standard User OS Updates
• Automatic Actions
• Download
• Install OS Updates
• Install Security Update
• Deferrals
• Major Period In Days
• Minor Period In Days
• System Period In Days
• Notifications
• Rapid Security Response
• Enable
• Enable Rollback

Restrictions:
Allow Genmoji
Allow Image Playground
Allow iPhone Mirroring
Allow Writing Tools
System Policy>System Policy Control:
Enable XProtect Malware Upload

Enhancements to multi administrative approval

• Multi administrative approval adds the ability to limit application access policies to Windows applications or all non-Windows applications or both. We're adding a new access policy to the multiple administrative approval feature to allow approvals for changes to multiple administrative approval.

Device enrollment
Account-driven Apple User Enrollment now generally available for iOS/iPadOS 15+
Intune now supports account-driven Apple User Enrollment, the new, and improved version of Apple User Enrollment, for devices running iOS/iPadOS 15 and later. This new enrollment method utilizes just-in-time registration, removing the Company Portal app for iOS as an enrollment requirement. Device users can initiate enrollment directly in the Settings app, resulting in a shorter and more efficient onboarding experience.
Apple has announced they are ending support for profile-based Apple User Enrollment. As a result, Microsoft Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18. We recommend enrolling devices with account-driven Apple User Enrollment for similar functionality and an improved user experience.

Use corporate Microsoft Entra account to enable Android Enterprise management options in Intune
Managing Intune-enrolled devices with Android Enterprise management options previously required you to connect your Intune tenant to your managed Google Play account using an enterprise Gmail account. Now you can use a corporate Microsoft Entra account to establish the connection. This change is happening in new tenants, and doesn't affect tenants that have already established a connection.

Device management
21 Vianet support for Mobile Threat Defense connectors
Intune operated by 21Vianet now supports Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors are available.

Applies to:

• Android
• iOS/iPadOS

New cpuArchitecture filter device property for app and policy assignments
When you assign an app, compliance policy, or configuration profile, you can filter the assignment using different device properties, such as device manufacturer, operating system SKU, and more.
A new cpuArchitecture device filter property is available for Windows and macOS devices. With this property, you can filter app and policy assignments depending on the processor architecture.

Applies to:

• Windows 10
• Windows 11
• macOS

Device security
Windows platform name change for endpoint security policies
When you create an endpoint security policy in Intune, you can select the Windows platform. For multiple templates in endpoint security, there are now only two options to choose for the Windows platform: Windows and Windows (ConfigMgr).

What you need to know

• This change is only in the user experience (UX) that admins see when they create a new policy. There is no effect on devices.
• The functionally is the same as the previous platform names.
• There are no additional tasks or actions for existing policies.

Applies to:

• Windows

Target Date Time setting for Apple software update enforcement schedules updates using the local time on devices
You can specify the time that OS updates are enforced on devices in their local time zone. For example, configuring an OS update to be enforced at 5pm schedules the update for 5pm in the device's local time zone. Previously, this setting used the time zone of the browser where the policy was configured.

This change only applies to new policies that are created in the August 2408 release and later. The Target Date Time setting is in the settings catalog at Devices > Manage devices > Configuration > Create > New policy > iOS/iPadOS or macOS for platform > Settings catalog for profile type > Declarative Device Management > Software Update.

In a future release, the UTC text will be removed from the Target Date Time setting.

Applies to:

• iOS/iPadOS
• macOS

Intune Apps
Newly available protected apps for Intune
The following protected apps are now available for Microsoft Intune:

• Singletrack for Intune (iOS) by Singletrack
• 365Pay by 365 Retail Markets
• Island Browser for Intune (Android) by Island Technology, Inc.
• Recruitment.Exchange by Spire Innovations, Inc.
• Talent.Exchange by Spire Innovations, Inc.

Tenant administration
Organizational messages now in Microsoft 365 admin center
The organizational message feature has moved out of the Microsoft Intune admin center and into its new home in the Microsoft 365 admin center. All organizational messages you created in Microsoft Intune are now in the Microsoft 365 admin center, where you can continue to view and manage them. The new experience includes highly requested features such as the ability to author custom messages, and deliver messages on Microsoft 365 apps.