In development for Microsoft Intune

08/28/2020


To help in your readiness and planning, this page lists Intune UI updates and features that are in development but not yet released. In addition to the information on this page:

If we anticipate that you'll need to take action before a change, we'll publish a complementary post in Office message center.

When a feature enters production, whether it's a preview or generally available, the feature description will move from this page to What's new.

This page and the What's new page are updated periodically. Check back for additional updates.

Refer to the Microsoft 365 roadmap for strategic deliverables and timelines.

Note: This page reflects our current expectations about Intune capabilities in an upcoming release. Dates and individual features might change. This page doesn't describe all features in development.

RSS feed: Find out when this page is updated by copying and pasting the following URL into your feed reader: https://docs.microsoft.com/api/search/rss?search=%22in+development+-+microsoft+intune%22&locale=en-us

This article was last updated on the date listed under the title above.

App management

We're updating the device icons in the Company Portal and Intune apps on Android devices to create a more modern look and feel and to align with the Microsoft Fluent Design System. For related information, see Update to icons in Company Portal app for iOS/iPadOS and macOS.

iOS Company Portal will support Apple's Automated Device Enrollment without user affinity

iOS Company Portal will be supported on devices enrolled using Apple's Automated Device Enrollment without requiring an assigned user. An end user can sign in to the iOS Company Portal to establish themselves as the primary user on an iOS/iPadOS device enrolled without device affinity. For more information about Automated Device Enrollment, see Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrollment.

Device configuration

Create PKCS certificate profiles for Android Enterprise Fully Managed devices (COBO)

You can create PKCS certificate profiles to deploy certificates to Android Enterprise Device owner and Work profile devices (Devices > Configuration profiles > Create profile > Android Enterprise > Device owner only, or Android Enterprise > Work profile only for platform > PKCS for profile).

Soon you'll be able to create PKCS certificate profiles for Android Enterprise Fully Managed devices. The Intune PFX certificate connector is required. If you don't use SCEP, and only use PKCS, you can remove the NDES connector after you install the new PFX connector. The new PFX connector imports PFX files, and deploys PKCS certificates to all platforms.

For more information on PKCS certificates, see Configure and use PKCS certificates with Intune.

Applies to:

Android Enterprise fully managed (COBO)

Use NetMotion as a VPN connection type for Android Enterprise work profile devices

When you create a VPN profile, NetMotion is available as a VPN connection type (Devices > Device configuration > Create profile > Android Enterprise work profile for platform > VPN for profile > NetMotion for connection type).

For more information on VPN profiles in Intune, see Create VPN profiles to connect to VPN servers.

Applies to:

Android Enterprise work profile

Changes for Password settings in Device restriction profiles for Android device administrator

We’re introducing a few changes to password settings in Device restriction and compliance policies for Android device administrator (Devices > Configuration profiles > Create profile > Device restrictions and Devices > Compliance policies > Create Policy). These changes help Intune accommodate changes in Android version 10 and later, to ensure settings for passwords continue to apply to devices as expected.

Changes include:

Removal of the top-level option for Password.

Settings will be reorganized into sections that are based on which devices they apply to.

The Minimum password length will be disabled for use unless Password type is configured to a value where the password length applies.

Additional updates to labels and example text.

These changes apply to the UI for settings, and won’t affect existing profiles.

Device enrollment

Ending support for iOS 11

After iOS 14 releases, Intune enrollment and the Company Portal app will support iOS versions 12 and later. Older versions won't be supported but will continue to receive policies.

Ending support for macOS 10.12

After macOS 11 releases, Intune enrollment and the Company Portal will support macOS versions 10.13 and later. Older versions won't be supported.

Device management

PowerShell scripts support for BYOD devices

PowerShell scripts will support Azure AD registered devices in Intune. For more information about PowerShell, see Use PowerShell scripts on Windows 10 devices in Intune. This functionality does not support devices running Windows 10 Home edition.

Log Analytics will include device details log

Intune device detail logs will be available in Reports > Log analytics. You can correlate device details to build custom queries and Azure workbooks.

Tenant attach: Run Scripts from the admin center

You'll be able to bring the power of the Configuration Manager on-premises Run Scripts feature to the Microsoft Endpoint Manager admin center. Allow additional personas, like Helpdesk, to run PowerShell scripts from the cloud against an individual Configuration Manager managed device. This gives all the traditional benefits of PowerShell scripts that have already been defined and approved by the Configuration Manager admin to this new environment. For more information, see Configuration Manager technical preview 2005.

You'll be able to deploy Software Updates to groups of macOS devices. This feature includes critical, firmware, configuration file, and other updates. You'll be able to send updates on the next device check-in or select a weekly schedule to deploy updates in or out of time windows that you set. This helps when you want to update devices outside standard work hours or when your help desk is fully staffed. You'll also get a detailed report of all macOS devices with updates deployed. You can drill into the report on a per-device basis to see the statuses of particular updates.

Intune apps

Unified delivery of Azure AD Enterprise and Office Online applications in the Windows Company Portal

In the 2006 release, we announced Unified delivery of Azure AD Enterprise and Office Online applications in the Company Portal. This feature will be supported in the Windows Company Portal. On the Customization pane of Intune, you will be able to select to Hide or Show both Azure AD Enterprise applications and Office Online applications in the Windows Company Portal. Each end-user will see their entire application catalog from the chosen Microsoft service. By default, each additional app source will be set to Hide. In the Microsoft Endpoint Manager admin center, you will select Tenant administration > Customization to find this configuration setting. For related information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Monitor and troubleshoot

Power BI compliance report template V2.0

Admins will be able to update the Power BI compliance report template version from V1.0 to V2.0. V2.0 will include an improved design, as well as changes to the calculations and data that are being surfaced as part of the template. For related information, see Connect to the Data Warehouse with Power BI.

Security

App protection policy support for Symantec Endpoint Security and Check Point Sandblast

In October of 2019, Intune app protection policy added the capability to use data from some of our Microsoft Threat Defense partners (MTD partners). We are adding support for the following partners, to use an app protection policy to block, or selectively wipe the user's corporate data based on the health of a device:

Check Point Sandblast on Android, iOS and iPadOS

Symantec Endpoint Security on Android, iOS and iPadOS

For information about using app protection policy with MTD partners, see Create Mobile Threat Defense app protection policy with Intune.

Microsoft Defender ATP creates Endpoint Manager Security task with vulnerability details

Threat and Vulnerability Management (TVM) in Microsoft Defender ATP discovers misconfigured security settings on devices. Administrators use this information to update vulnerable devices.

Soon, Microsoft Defender ATP can raise an Endpoint Manager Security task (Endpoint Manager > Endpoint Security > Security tasks) with the vulnerability details, and show the affected devices. IT administrators can accept the security task, and deploy the required configuration.

For more information on security tasks, see Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP.

Notices

These notices provide important information that can help you prepare for future Intune changes and features.

Due to a change made by Google, the end-user experience for new Wi-Fi profiles is significantly different starting in the October release of the Company Portal app. Users will need to accept additional permissions, and explicitly accept Wi-Fi configurations when they're deployed. Wi-Fi configurations will not appear in the known Wi-Fi networks list, but will automatically connect when in range. There are no changes in behavior for existing Wi-Fi profiles. There are also no changes to the admin experience in the Endpoint Manager admin center.

Applies to:

Android device administrator, Android 10 and later

Microsoft Intune ends support for Windows Phone 8.1 and Windows 10 Mobile

Microsoft mainstream support for Windows Phone 8.1 ended in July 2017 and extended support ended in June 2019. The Company Portal app for Windows Phone 8.1 has been in sustain mode since October 2017. Additionally, Microsoft Intune ended support for Windows Phone 8.1 on February 20, 2020.

Microsoft mainstream support for Windows 10 Mobile ended in December 2019. As mentioned in the support statement, Windows 10 Mobile users will no longer be eligible to receive new security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft. Based on the all-up Mobile OS support, Microsoft Intune ends support for both the Company Portal for the Windows 10 Mobile app and the Windows 10 Mobile Operating System on August 10, 2020.

As of August 10, enrollments for Windows Phone 8.1 and Windows 10 Mobile devices will fail and Windows Mobile profile types are removed from the Intune UI. Devices already enrolled will no longer check into the Intune service and we will delete device and policy data.

End of support for legacy PC management

Legacy PC management is going out of support on October 15, 2020. Upgrade devices to Windows 10 and reenroll them as Mobile Device Management (MDM) devices to keep them managed by Intune.

Learn more

Move to the Microsoft Endpoint Manager admin center for all your Intune management

In MC208118 posted last March, we introduced a new, simple URL for your Microsoft Endpoint Manager – Intune administration: https://endpoint.microsoft.com. Microsoft Endpoint Manager is a unified platform that includes Microsoft Intune and Configuration Manager. Starting August 1, 2020, we will remove Intune administration at https://portal.azure.com and recommend you instead use https://endpoint.microsoft.com for all your endpoint management.

Decreasing support for Android device administrator

Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then beginning with Android 5, the more modern management framework of Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device administrator management by decreasing its management support in new Android releases.

How does this affect me?

Because of these changes by Google, in October 2020, you will no longer have as extensive management capabilities on impacted device administrator-managed devices.

Note: This date was previously communicated as fourth quarter of 2020, but it has been moved out based on the latest information from Google.

Device types that will be impacted

Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:

Enrolled in device administrator management.

Running Android 10 or later.

All Android manufacturers, except Samsung.

Devices will not be impacted if they are any of the below:

Not enrolled with device administrator management.

Running an Android version below Android 10.

Samsung devices. Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.

Settings that will be impacted

Google's decreased device administrator support prevents configuration of these settings from applying on impacted devices.

Configuration profile device restriction settings

Block Camera

Set Minimum password length

Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but will apply on devices with a password)

Set Password expiration (days)

Set Required password type

Set Prevent use of previous passwords

Block Smart Lock and other trust agents

Compliance policy settings

Set Required password type

Set Minimum password length

Set Number of days until password expires

Set Number of previous passwords to prevent reuse

User experience of impacted settings on impacted devices

Impacted configuration settings:

For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.

For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).

Impacted compliance settings:

For already enrolled devices that already had the settings applied, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page, the device will be out of compliance, and the password requirements will still be enforced in the Settings app.

For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page and the device will be out of compliance, but stricter password requirements will not be enforced in the Settings app.

Additional user experience change for Wi-Fi profiles

Users will need to accept additional permissions, and explicitly accept Wi-Fi configurations when they're deployed. Wi-Fi configurations will not appear in the known Wi-Fi networks list, but will automatically connect when in range. There are no changes in behavior for existing Wi-Fi profiles. There are also no changes to the admin experience in the Endpoint Manager admin center.

Cause of impact

Devices will begin being impacted in October 2020. At that time, there will be a Company Portal app update that will increase the Company Portal API targeting from level 28 to level 29 (as required by Google).

At that point, device administrator-managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:

Updates to Android 10 or later.

Updates the Company Portal app to the version that targets API level 29.

Additional impacts based on Android OS version

Android 10: For all device administrator managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:

Network access control for VPN will no longer work

Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned

The IMEI and serial number will no longer be visible to IT admins in Intune

Android 11: These are the changes that will impact device administrator managed devices when they update to Android 11:

For device administrator devices (excluding Samsung) running Android 11 and later, Google has removed the ability for management agents like Company Portal to enforce blocking Camera, even before the October update to the Company Portal app. Policies blocking camera that are applied to devices before they update to Android 11 will continue to apply.

With Android 11, trusted root certificates can no longer be deployed to devices enrolled with device administrator (except on Samsung devices). Users must manually install the trusted root certificate on the device. With the trusted root certificate manually installed on a device, you can then use SCEP to provision certificates to the device. In this scenario you must still create and deploy a trusted certificate policy to the device, and link that policy to the SCEP certificate profile. If the trusted root certificate is on the device, then the SCEP certificate profile will install successfully. If the trusted certificate cannot be found, the SCEP certificate profile will fail.



What do I need to do to prepare for this change?

To avoid the reduction in functionality coming in October 2020, we recommend the following:

New enrollments: Onboard new devices into Android Enterprise management (where available) and/or app protection policies. Avoid onboarding new devices into device administrator management.

Previously enrolled devices: If a device administrator-managed device is running Android 10 or later or may update to Android 10 or later (especially if it is not a Samsung device), move it off of device administrator management to Android Enterprise management and/or app protection policies. You can leverage the streamlined flow to move Android devices from device administrator to work profile management.

Configure Password Complexity: For impacted devices running Android 10 and later, a future setting called Password Complexity lets you continue enforcing password restrictions and compliance. Password Complexity is a measure of password strength that factors in password type, length, and quality.

What if I have non-Samsung devices that cannot move to Android Enterprise?

Some devices can’t move from device administrator to Android Enterprise management. For example, Google hasn’t made Android Enterprise available in some markets. You can still use Intune to manage non-Samsung devices with device administrator, but the changes to functionality mentioned in this post will apply. For guidance on managing devices when Android Enterprise isn’t available, see How to use Intune in environments without Google Mobile Services.

Additional information

In the July Company Portal release, we’ll be changing the iOS/iPadOS enrollment flow for Apple’s Automated Device Enrollment (formerly known as DEP). The enrollment flow change is only encountered during the “Enroll with User Affinity” flow. Previously, if you set the “Install Company Portal” to “no” as part of your configuration, users could still install the Company Portal app from the store which would then trigger enrollment where the user would add in the appropriate serial number. With this upcoming Company Portal release, we’ll be removing that serial number confirmation screen. Instead, you’ll want to create a corresponding app configuration policy to send down alongside the Company Portal to ensure that users can successfully enroll, or set the “Install Company Portal” to “Yes” as part of your configuration.

See the post here for more info.

See also

For details about recent developments, see What's new in Microsoft Intune.