Intune_Support_Team
With Apple's recent announcement of iOS/iPadOS 18.0 and macOS 15.0 Sequoia, we’ve been working hard to ensure that Microsoft Intune can provide day zero support for Apple’s latest operating systems so that existing features work as expected.
We’ll continue to upgrade our service and release new features that integrate elements of support for the new operating system (OS) versions.
Apple User Enrollment with Company Portal
With iOS/iPadOS 18, Apple no longer supports profile-based User Enrollment. Due to these changes, Intune will end support for Apple User Enrollment with Company Portal shortly after the release of iOS/iPadOS 18 and you’ll need to use an alternate management method for enrolling devices. We recommend enrolling devices with account-driven User Enrollment for similar functionality and an improved user experience. For those looking for a simpler enrollment experience, try the new web-based device enrollment for iOS/iPadOS.
Please note, device enrollment with Company Portal will remain unaffected by these changes.
Impact to existing devices and profiles:
After Intune ends support for User Enrollment with Company Portal:
- Existing enrolled devices are not impacted and will continue to be enrolled.
- Users won’t be able to enroll new devices if they’re targeted with this enrollment type profile.
- Intune technical support will only be provided for existing devices enrolled with this method. We won’t provide technical support for any new enrollments.
New settings and payloads
We’ve continued to invest in the data-driven infrastructure that powers the settings catalog, enabling us to provide day zero support for new settings as they’re released by Apple. The Apple settings catalog has been updated to support all of the newly released iOS/iPadOS and macOS settings for both declarative device management (DDM) and mobile device management (MDM) so that your team can have your devices ready for day zero. New settings for DDM include:
Disk Management
- External Storage: Control the mount policy for external storage
- Network Storage: Control the mount policy for network storage
Safari Extension Settings
- Allowed Domains: Control the domain and sub-domains that the extension can access
- Denied Domains: Control the domain and sub-domains that the extension cannot access
- Private Browsing: Control whether an extension is allowed in Private Browsing
- State: Control whether an extension is allowed, disallowed, or configurable by the user
Software Update Settings
- Allow Standard User OS Updates: Control whether a standard user can perform Major and Minor software updates
Software Update Settings > Automatic updates
- Allowed: Specifies whether automatic downloads of available updates can be controlled by the user
- Download: Specifies whether automatic downloads of available updates can be controlled by the user
- Install OS Updates: Specifies whether automatic install of available OS updates can be controlled by the user
- Install Security Update: Specifies whether automatic install of available security updates can be controlled by the user
Software Update Settings > Deferrals
- Combined Period In Days: Specifies the number of days to defer a major or minor OS software update on the device
- Major Period In Days: Specifies the number of days to defer a major OS software update on the device
- Minor Period In Days: Specifies the number of days to defer a minor OS software update on the device
- System Period In Days: Specifies the number of days to defer system or non-OS updates. When set, updates only appear after the specified delay, following the release of the update
- Notifications: Configure the behavior of notifications for enforced updates
Software Update Settings > Rapid Security Response
- Enable: Control whether users are offered Rapid Security Responses when available
- Enable Rollback: Control whether users are offered Rapid Security Response rollbacks
- Recommended Cadence: Specifies how the device shows software updates to the user
New settings for MDM include:
Extensible Single Sign On (SSO) > Platform SSO
- Authentication Grace Period: The amount of time after a 'FileVault Policy', 'Login Policy', or 'Unlock Policy' is received or updated that unregistered local accounts can be used
- FileVault Policy: The policy to apply when using Platform SSO at FileVault unlock on Apple Silicon Macs
- Login Policy: The policy to apply when using Platform SSO at the login window
- Non Platform SSO Accounts: The list of local accounts that are not subject to the 'FileVault Policy', 'Login Policy', or 'Unlock Policy'
- Offline Grace Period: The amount of time after the last successful Platform SSO login a local account password can be used offline
- Unlock Policy: The policy to apply when using Platform SSO at screensaver unlock
Extensible Single Sign On Kerberos
- Allow Password: Allow the user to switch the user interface to Password mode
- Allow SmartCard: Allow the user to switch the user interface to SmartCard mode
- Identity Issuer Auto Select Filter: A string with wildcards that can be used to filter the list of available SmartCards by issuer, e.g. "*My CA2*"
- Start In Smart Card Mode: Control if the user interface will start in SmartCard mode
Restrictions
- Allow ESIM Outgoing Transfers
- Allow Personalized Handwriting Results
- Allow Video Conferencing Remote Control
- Allow Genmoji
- Allow Image Playground
- Allow Image Wand
- Allow iPhone Mirroring
- Allow Writing Tools
System Policy Control
- Enable XProtect Malware Upload
With the upcoming Intune September (2409) release, the new DDM settings will be:
Math
- Calculator
- Basic Mode
- Add Square Root
- Scientific Mode - Enabled
- Programmer Mode - Enabled
- Input Modes - Unit Conversion
- System Behavior - Keyboard Suggestions
- System Behavior - Math Notes
New MDM settings for Intune’s 2409 (September) release include:
System Extensions
- Non Removable System Extensions
- Non Removable System Extensions UI
Web Content Filter
- Hide Deny List URLs
More information on configuring these new settings using the settings catalog can be found at Create a policy using settings catalog in Microsoft Intune.
Updates to ADE Setup Assistant screens within enrollment policies
With Intune’s September (2409) release, there’ll be six new Setup Assistant screens that admins can choose to show or hide when creating an Automated Device Enrollment (ADE) policy. These include three iOS/iPadOS and three macOS Skip Keys that will be available for both existing and new enrollment policies.
- Emergency SOS (iOS/iPadOS 16+)
  - The IT admin can choose to show or hide the iOS/iPadOS Safety (Emergency SOS) setup pane that is displayed during Setup Assistant.
- Action button (iOS/iPadOS 17+)
  - The IT admin can choose to show or hide the iOS/iPadOS Action button configuration pane that is displayed during Setup Assistant.
- Intelligence (iOS/iPadOS 18+)
  - The IT admin can choose to show or hide the iOS/iPadOS Intelligence setup pane that is displayed during Setup Assistant.
- Wallpaper (macOS 14+)
  - The IT admin can choose to show or hide the macOS Sonoma wallpaper setup pane that is displayed after an upgrade. If the screen is hidden, the Sonoma wallpaper will be set by default.
- Lockdown mode (macOS 14+)
  - The IT admin can choose to show or hide the macOS Lockdown Mode setup pane that is displayed during Setup Assistant.
- Intelligence (macOS 15+)
  - The IT admin can choose to show or hide the macOS Intelligence setup pane that is displayed during Setup Assistant.
For more information refer to Apple's SkipKeys | Apple Developer Documentation.
Updates to supported vs. allowed versions for user-less devices
We previously introduced a new model for enrolling user-less devices (or devices without a primary user) for supported and allowed OS versions to keep enrolled devices secure and efficient. The support statements have been updated to reflect the changes with the iOS/iPadOS 18 and upcoming macOS 15 releases:
- Support statement for supported versus allowed macOS versions for devices without a primary user.
If you have any questions or feedback, leave a comment on this post or reach out on X @IntuneSuppTeam. Stay tuned to What’s new in Intune for additional settings and capabilities that will soon be available!