diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 43dd76a00..f70854873 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,35 @@
 {
 "redirections": [
+ {
+ "source_path": "surface-duo/surface-duo-2-manage-oemconfig.md",
+ "redirect_url": "/previous-versions/surface-duo/surface-duo-2-manage-oemconfig",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "surface-duo/surface-duo-config-work-profile.md",
+ "redirect_url": "/previous-versions/surface-duo/surface-duo-config-work-profile",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "surface-duo/surface-duo-launcher-config.md",
+ "redirect_url": "/previous-versions/surface-duo/surface-duo-launcher-config",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "surface-duo/surface-duo-manage.md",
+ "redirect_url": "/previous-versions/surface-duo/surface-duo-manage",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "surface-duo/surface-duo-secure.md",
+ "redirect_url": "/previous-versions/surface-duo/surface-duo-secure",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "surface-duo/surface-lifecycle-android-devices.md",
+ "redirect_url": "/previous-versions/surface-duo/surface-lifecycle-android-devices",
+ "redirect_document_id": false
+ },
 {
 "source_path": "surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
 "redirect_url": "/surface-hub/finishing-your-surface-hub-meeting",
diff --git a/surface-duo/TOC.yml b/surface-duo/TOC.yml
index 010314262..bb3c0b62d 100644
--- a/surface-duo/TOC.yml
+++ b/surface-duo/TOC.yml
@@ -1,32 +1,15 @@
 - name: Surface Duo
 href: index.yml
- items:
- - name: Overview
- items:
- - name: Surface Duo management overview
- href: surface-duo-manage.md
- - name: Surface Duo security overview
- href: surface-duo-secure.md
-
- - name: Secure
- items:
- - name: Android Enterprise security configuration framework
- href: /mem/intune/enrollment/android-configuration-framework
-
- - name: Manage
- items:
- - name: Manage OEMConfig on Surface Duo 2
- href: surface-duo-2-manage-oemconfig.md
- - name: Configure work profile for Surface Duo
- href: surface-duo-config-work-profile.md
- - name: Configure Microsoft Launcher for Surface Duo
- href: surface-duo-launcher-config.md
-
- - name: Support
- items:
- - name: Contact Surface Duo Support
- href: /surface/contact-surface-business-education-support
- - name: Warranty service offerings
- href: https://www.microsoft.com/surface/business/warranty-protection-plans-and-support
- - name: Surface Lifecycle for Android-based devices
- href: surface-lifecycle-android-devices.md
\ No newline at end of file
+ items:
+ - name: Overview
+ - name: Secure
+ items:
+ - name: Android Enterprise security configuration framework
+ href: /mem/intune/enrollment/android-configuration-framework
+ - name: Manage
+ - name: Support
+ items:
+ - name: Contact Surface Duo Support
+ href: /surface/contact-surface-business-education-support
+ - name: Warranty service offerings
+ href: https://www.microsoft.com/surface/business/warranty-protection-plans-and-support
diff --git a/surface-duo/images/duo-wp-1.png b/surface-duo/images/duo-wp-1.png
deleted file mode 100644
index bccdc8331..000000000
Binary files a/surface-duo/images/duo-wp-1.png and /dev/null differ
diff --git a/surface-duo/images/duo-wp-2.png b/surface-duo/images/duo-wp-2.png
deleted file mode 100644
index ca7c10640..000000000
Binary files a/surface-duo/images/duo-wp-2.png and /dev/null differ
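Review bot: On the new side, `- name: Overview` and `- name: Manage` are left with neither `href` nor `items`, because every article that sat under them is removed in this hunk. That leaves two dead entries in the navigation, and the device-specific security and management overviews are no longer reachable from the TOC at all, only through the redirects. Either delete the two empty nodes, or give each an `href` to its archived page, for example `href: /previous-versions/surface-duo/surface-duo-manage` under Overview. `index.yml` is still referenced here but is not part of this diff, so it should also be checked for links to the deleted files.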
diff --git a/surface-duo/images/duo-wp-3.png b/surface-duo/images/duo-wp-3.png
deleted file mode 100644
index 5ec486d9d..000000000
Binary files a/surface-duo/images/duo-wp-3.png and /dev/null differ
diff --git a/surface-duo/images/duo-wp-4.png b/surface-duo/images/duo-wp-4.png
deleted file mode 100644
index ac6d1f508..000000000
Binary files a/surface-duo/images/duo-wp-4.png and /dev/null differ
diff --git a/surface-duo/images/duo-wp-5.png b/surface-duo/images/duo-wp-5.png
deleted file mode 100644
index 7f03bf03a..000000000
Binary files a/surface-duo/images/duo-wp-5.png and /dev/null differ
diff --git a/surface-duo/images/duo-wp-6.png b/surface-duo/images/duo-wp-6.png
deleted file mode 100644
index 5c53dd3ea..000000000
Binary files a/surface-duo/images/duo-wp-6.png and /dev/null differ
diff --git a/surface-duo/images/duo-wp-7.png b/surface-duo/images/duo-wp-7.png
deleted file mode 100644
index 0322efcf0..000000000
Binary files a/surface-duo/images/duo-wp-7.png and /dev/null differ
diff --git a/surface-duo/images/duo-wp-8.png b/surface-duo/images/duo-wp-8.png
deleted file mode 100644
index 6deb1c526..000000000
Binary files a/surface-duo/images/duo-wp-8.png and /dev/null differ
diff --git a/surface-duo/images/duo-wp-9.png b/surface-duo/images/duo-wp-9.png
deleted file mode 100644
index 8ab505f4a..000000000
Binary files a/surface-duo/images/duo-wp-9.png and /dev/null differ
diff --git a/surface-duo/images/enroll-start.png b/surface-duo/images/enroll-start.png
deleted file mode 100644
index 83a2f8905..000000000
Binary files a/surface-duo/images/enroll-start.png and /dev/null differ
diff --git a/surface-duo/images/surface-oem-config.png b/surface-duo/images/surface-oem-config.png
deleted file mode 100644
index d604a3c6d..000000000
Binary files a/surface-duo/images/surface-oem-config.png and /dev/null differ
diff --git a/surface-duo/surface-duo-2-manage-oemconfig.md b/surface-duo/surface-duo-2-manage-oemconfig.md
deleted file mode 100644
index cc56e6e53..000000000
--- a/surface-duo/surface-duo-2-manage-oemconfig.md
+++ /dev/null
@@ -1,87 +0,0 @@ ---- -title: Manage OEMConfig on Surface Duo 2 -description: This article explains how to manage hardware components on Surface Duo 2 using Android OEMConfig via an MDM provider such as Microsoft Intune. -author: coveminer -ms.service: surface -ms.author: karand -ms.topic: how-to -ms.date: 6/08/2022 -ms.reviewer: karand -manager: frankbu -ms.localizationpriority: medium -appliesto: -- Surface Duo 2 ---- - -# Manage OEMConfig on Surface Duo 2 - -With Surface Duo 2, admins can remotely configure specific hardware components via a mobile device management (MDM) provider such as Microsoft Intune. Specifically, you can turn on or off the following components: - -- Camera -- Microphone -- Near Field Communication (NFC) -- Wireless LAN (aka Wi-Fi) -- Bluetooth - -This capability is similar to Device Firmware Configuration Interface profiles that admins use to remotely manage firmware on Surface Pro 8 and other Surface devices. - -OEMConfig policies are a distinct type of device configuration policy similar to app configuration policy. OEMConfig is a standard defined by Google that uses app configuration in Android to send device settings to apps written by OEMs (original equipment manufacturers). This standard allows OEMs and enterprise mobility management (EMM) solutions to build and support OEM-specific features in a standardized way. To learn more, see [OEMConfig supports enterprise device features](https://blog.google/products/android-enterprise/oemconfig-supports-enterprise-device-features/) at Google’s Android Enterprise blog. - -## Prerequisites - -- Surface Duo 2 -- Devices configured for Full Device Management or Dedicated Device Management - -## Get started - -:::image type="content" source="images/surface-oem-config.png" alt-text="Microsoft Surface OEM Config app" ::: - -First, add the Microsoft Surface OEMConfig application to your environment using the Managed Google Play iframe in your EMM. 
- -First, assign the Surface OEMConfig app to the groups or users you want to target. Then create an Android Configuration profile to apply your settings to target devices. - -> [!NOTE] -> This guide shows how to use OEMConfig with Microsoft Intune, which functions as an MDM and EMM solution. However, the feature can be used with [any EMM that supports Full Device Management or Dedicated Device Management](https://androidenterprisepartners.withgoogle.com/emm/). - -## Assign Surface OEMConfig to groups or users - -> [!TIP] -> Before beginning, review Intune documentation: [Managed Google Play app deployment to unmanaged devices](/mem/intune/apps/apps-deploy#managed-google-play-app-deployment-to-unmanaged-devices) - -1. Sign in to the Intune portal at [Microsoft Intune admin center](https://intune.microsoft.com/). -2. Go to **Apps** > **Android** > and select **Add**. -3. Under **App** type, select **Managed Google Play**. -4. On the **Managed Google Play** page, search for Microsoft Surface OEMConfig. -5. On the Surface OEMConfig page, select **Properties**. Under Assignments, select **Edit**. -6. Assign to groups or users as appropriate. -7. Select **Review** + save. - -## Manage firmware on Surface Duo 2 - -1. Select **Devices** > **Android Configuration profiles** > **Create profile**. -2. Under Platform, select **Android enterprise**. Under **Profile** type, choose **OEMConfig** and then select **Create**. -3. Enter a name and an optional description. -4. Choose **Select an OEMConfig app** and select **Surface OEMConfig**. Select **Next**. -5. Select **Next**. On the configuration settings page, you can manage the following: Camera, Microphone, Near Field Communication (NFC), Wireless LAN (aka Wi-Fi), and Bluetooth. These components are enabled by default. To turn any of them off, select **false** and click **Next**. -6. Enter scope tags as appropriate and select **Next**. -7. 
Under Assignments, add a group containing the Surface Duo 2 devices you wish to target. Or you can add All users or All devices, as appropriate. Select **Next**. -8. Review the profile and select **Create**. - -## Security - -To enhance the security of your deployment, consider deploying additional Android Enterprise policies designed to prevent accidental misuse of devices: - -- Disable developer mode. -- Use Enterprise Factory Reset Protection to control who can perform a factory reset on your devices. - -To learn more, see [Android Enterprise device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-android-for-work). - -## Reporting - -[Microsoft Intune reports](/mem/intune/fundamentals/reports) allow you to monitor the health and activity of Surface Duo 2 devices across your organization and provide other reporting data across Intune. To learn more, see [Microsoft Intune reports](/mem/intune/fundamentals/reports) - -## Related links - -- [Android Enterprise device settings to allow or restrict features using Intune](/mem/intune/configuration/device-restrictions-android-for-work). -- [Microsoft Intune reports](/mem/intune/fundamentals/reports) -- [Android Enterprise EMM directory](https://androidenterprisepartners.withgoogle.com/emm/) diff --git a/surface-duo/surface-duo-config-work-profile.md b/surface-duo/surface-duo-config-work-profile.md deleted file mode 100644 index d71a715cc..000000000 --- a/surface-duo/surface-duo-config-work-profile.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Configure Android Enterprise Work Profile for Surface Duo -description: This article explains how to set up work profile on Surface Duo. -ms.service: surface -author: coveminer -ms.author: chauncel -ms.topic: how-to -ms.date: 9/25/2020 -ms.reviewer: karand -manager: frankbu -ms.localizationpriority: medium -appliesto: -- Surface Duo ---- - -# Configure Android Enterprise Work Profile for Surface Duo - -Targeted at BYOD deployments, work profiles provide a separate space on Duo for work apps and data, giving organizations full control of their data, apps, and security policies without preventing employees from using their device for personal apps and data. - -### Set up Android Enterprise Work Profile - -Use work profiles to manage corporate data and apps on user-owned Android devices. By default, enrollment of personally owned work profile devices is enabled and requires no further admin configuration. - -**To enable Enterprise Work Profile:** - -- In Microsoft Intune, select **Devices** > **Android** > **Android enrollment** and then select **Personal devices with work profile**. -

- ![Enable Enterprise Work Profile.](images/enroll-start.png) - - -**Sign into Surface Duo with Android Enterprise Work Profile** - -1. Install the Company Portal app from Google Play Store and sign in with your Microsoft work or school account.

-![Sign into Surface Duo.](images/duo-wp-1.png) - -2. On the Access Setup page, select **Begin**.

-![Begin.](images/duo-wp-2.png) - -3. Review the information on the privacy page and select **Continue**.

- ![Continue.](images/duo-wp-3.png) -

- ![Select continue.](images/duo-wp-4.png) - -4. When the work profile setup completes, select **Continue** to activate and register the device.

- ![Select continue to activate and register the device.](images/duo-wp-5.png) - -5. Select **Continue**.

- ![Select continue again.](images/duo-wp-6.png) - -6. When you have activated the work profile, select **Continue** to update device settings. In this example, the work profile applies an MDM setting to require a stronger 6-digit alphanumeric password.

- - ![Example alphanumeric password.](images/duo-wp-7.png)

-7. Select **Resolve** to enter the required authentication and then select **Continue** to complete Work Profile setup.

- ![Select continue to complete setup.](images/duo-wp-8.png)

- ![complete setup.](images/duo-wp-9.png)

- -## Learn more - -- [Set up enrollment of Android Enterprise work profile devices](/mem/intune/enrollment/android-work-profile-enroll) diff --git a/surface-duo/surface-duo-launcher-config.md b/surface-duo/surface-duo-launcher-config.md deleted file mode 100644 index 822483c9b..000000000 --- a/surface-duo/surface-duo-launcher-config.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Configure Microsoft Launcher for Surface Duo -description: This article summarizes how to configure Microsoft Launcher for managed devices in commercial environments. -ms.service: surface -author: coveminer -ms.author: chauncel -ms.topic: how-to -ms.date: 8/12/2020 -ms.reviewer: karand -manager: frankbu -ms.localizationpriority: medium -appliesto: -- Surface Duo ---- - -# Configure Microsoft Launcher for Surface Duo - -Surface Duo supports Microsoft Launcher for enterprise, an Android application that lets users personalize their phone, stay organized on the go, and seamlessly sync their Calendar, Task, Notes and more between mobile devices and their PCs. In fact, the Surface Duo launcher is a two-screen customized version of Microsoft Launcher that you can adjust to define the preferred experiences on the fully managed devices for your organization as well as allow users some options to personalize their experiences on these corporate devices. For example, you can select which apps you want pinned to the home screen, deploy a branded wallpaper, or hide a search bar while allowing users to enable the Search bar if desired. - -## Microsoft Launcher settings - -Microsoft Launcher includes the following settings to customize the end user experience: - - -- Home Screen App Order User Change Allowed -- Set Grid Size -- Set Device Wallpaper -- Set Device Wallpaper User Change Allowed -- Feed Enable -- Feed Enable User Change Allowed -- Search Bar Placement -- Search Bar Placement User Change Allowed -- Dock Mode -- Dock Mode User Change Allowed - -For full details of each setting, refer to [Configure Microsoft Launcher for Android Enterprise with Intune](/mem/intune/apps/configure-microsoft-launcher). 
- -For step by step deployment instructions, refer to [How to Setup Microsoft Launcher on Android Enterprise Fully Managed Devices with Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-setup-microsoft-launcher-on-android-enterprise-fully/ba-p/1482134). diff --git a/surface-duo/surface-duo-manage.md b/surface-duo/surface-duo-manage.md deleted file mode 100644 index 3ba14d05a..000000000 --- a/surface-duo/surface-duo-manage.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -title: Surface Duo management overview -description: Manage Surface Duo with Intune or any EMM solution for secure, efficient management of personal & company-owned devices in enterprise settings -ms.service: surface -author: coveminer -ms.author: chauncel -ms.topic: how-to -ms.date: 9/23/2020 -ms.reviewer: karand -manager: frankbu -ms.localizationpriority: medium -appliesto: -- Surface Duo ---- - -# Surface Duo management overview - -Commercial customers can manage Surface Duo using any of various Enterprise mobility management (EMM) solutions that each provide a consistent set of cloud-based, device management capabilities whether managing employee- or company-owned devices. - -You can manage Duo manage Duo via the [Microsoft EMM](https://androidenterprisepartners.withgoogle.com/provider/#!/75) that uses a unified console -- Microsoft Intune admin center – and extensible components like Microsoft Intune. Alternatively, you can use any EMM provider in Google’s Android ecosystem. In some cases, third-party EMM solutions provide additional support to meet specific scenarios that may be useful depending on your environment. - -To compare EMM solutions, refer to the [Android Enterprise Solutions Directory](https://androidenterprisepartners.withgoogle.com/emm/). - -Microsoft Intune lets you manage Duo with the latest mobile device management policies as well as earlier technologies such as Exchange ActiveSync. If you already use Exchange ActiveSync settings to manage mobile devices, you can apply those settings to Duo devices with Intune using an Email device-configuration profile. For more information, see [Add email settings to devices using Intune](/mem/intune/configuration/email-settings-configure). - -The primary means of managing devices in Intune, profiles provide default settings that you can customize to meet the needs of your organization. 
- -## Managing personally owned Surface Duo devices - -| Solution | Features | Learn more | -| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| App Protection Policies without device enrollment | Allows you to manage and protect your organization's data within an application.
Deploy app protection policies, a lightweight management solution without requiring device enrollment.
A growing number of apps can now be managed with app protection policies including Microsoft Office and third-party apps like Adobe Acrobat, Service Now, and Zoom. For a complete list, refer to [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps). | - [App protection policies overview](/mem/intune/apps/app-protection-policy-settings-android)
- [Android app protection policy settings in Microsoft Intune](/mem/intune/apps/app-protection-policy-settings-android).
- [Prepare Android apps for app protection policies with the Intune App Wrapping Tool](/mem/intune/developer/app-wrapper-prepare-android). | -| Android Enterprise work profile | Targeted at BYOD deployments, work profiles provide a separate space on Duo for work apps and data, giving organizations full control of their data, apps, and security policies without restricting users from using their device for personal apps and data. | - [Configure Android Enterprise Work Profile for Surface Duo](surface-duo-config-work-profile.md). | - -## Managing corporate-owned Surface Duo devices - -| Solution | Description | Learn more | -| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Corporate-owned devices with work profile | Targeted at organizations that wish to enable personal use on corporate-owned single-user devices that they have provided for work. 
It’s designed to give organizations more granular control than managing with a work profile but don’t wish to completely lock down devices using Full device management or dedicated device management.
Work and personal profile app data isolated by Android OS but differs from Android Enterprise work profile by providing admins more device-level control.
IT admins can see, control, and configure the work accounts, applications, and data in the work profile, while end users are guaranteed that admins will have no visibility into the data and applications in the personal profile. | - [Intune announcing public preview for Android Enterprise corporate-owned devices with a work profile](https://techcommunity.microsoft.com/t5/intune-customer-success/intune-announcing-public-preview-for-android-enterprise/ba-p/1524325) | -| Android Enterprise Fully Managed | Provides comprehensive device and app management capabilities for company-owned devices associated with a single user and leveraged exclusively for work and not personal use.

Full device management provides IT with full control over device data and security, as well as access to Android's full suite of app management features. For example:

- You can set the minimum password requirements on a device
- Remotely wipe and lock a device
- Set default responses to app permission requests.
- Customize end user experience with Microsoft Launcher

You also have full control over the apps on a device, including the ability to remotely install and remove apps. | - [Set up Intune enrollment of Android Enterprise fully managed devices](/mem/intune/enrollment/android-fully-managed-enroll). | -| Dedicated device management | This enterprise deployment scenario is targeted for devices deployed into specific use cases like logistics, transportation and factory floors. Use it for locked down experiences where you need to restrict usage to one or two apps and prohibit users from altering any settings. | - [Set up Intune enrollment of Android Enterprise dedicated devices](/mem/intune/enrollment/android-kiosk-enroll) | - -## Learn more - -- [Ignite Session: Deploy, Manage, and Enable Productivity with Surface Duo in the Enterprise](https://youtu.be/DOsBMNFmdfw) -- [Manage devices with Microsoft Intune](/mem/intune/remote-actions/device-management) -- [Intune deployment planning, design, and implementation guide](/mem/intune/fundamentals/planning-guide) -- [Enroll Android devices with Intune](/mem/intune/enrollment/android-enroll) \ No newline at end of file diff --git a/surface-duo/surface-duo-secure.md b/surface-duo/surface-duo-secure.md deleted file mode 100644 index e1b9751d0..000000000 --- a/surface-duo/surface-duo-secure.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -title: Surface Duo security overview -description: This article highlights how Surface Duo delivers enterprise-grade security on a mobile device via the Android OS and Microsoft engineered UEFI. -ms.service: surface -author: coveminer -ms.author: chauncel -ms.topic: how-to -ms.date: 8/12/2020 -ms.reviewer: karand -manager: frankbu -ms.localizationpriority: medium -appliesto: -- Surface Duo ---- - -# Surface Duo security overview - -Surface Duo has built-in protection at every layer with deeply integrated hardware, firmware, and software to secure your devices, identities, and data. As an Android 10 device, Surface Duo utilizes Android security features at the OS level and the Google services layer. The Android OS leverages traditional OS security controls to protect user data and system resources, protects device integrity against malware, and provides application isolation. Additionally, Google provides various services layered on top of the OS that, when combined with Android OS security, help continuously protect the Android user. - -- **Custom engineered UEFI.** Unique to Surface Duo, among Android devices, is Microsoft's custom engineered Unified Extensible Firmware Interface (UEFI), which enables complete control over firmware components. Microsoft delivers Enterprise-grade security to Surface Duo by writing or reviewing every line of firmware code in-house, allowing Microsoft to respond directly and agilely to potential firmware threats and mitigate supply chain security risks. -- **Verified Boot.** Starting at the hardware level upon sign-in, Verified Boot strives to ensure executed code only comes from a trusted source. It establishes a full chain of trust -- from the hardware-protected root of trust to the bootloader, boot partition and other verified partitions. When Surface Duo boots up, each stage verifies the integrity and authenticity of the next stage before handing over execution. 
-- **App separation.** Application sandboxing isolates and guards Android apps, preventing malicious apps from accessing private information. Mandatory, always-on encryption and key handling help protect data in transit and at rest -- even if devices fall into the wrong hands. Encryption is protected with Keystore keys, which store cryptographic keys in a container, making it more difficult to extract from a device. -- **Google Play Protect.** At the software layer, Surface Duo uses Google Play Protect threat detection, which scans all applications including public apps from Google Play, system apps updated by Microsoft and carriers, and sideloaded apps. -- **Microsoft Defender ATP.** The enterprise-grade antivirus and malware protection software for Window 10 is now available for Android devices managed from Intune. To learn more, see [Microsoft defender ATP for Android](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android). - -## Mobile device management security - -Surface Duo is secured in a corporate environment using an Enterprise Mobility Management (EMM) solution that provides a consistent set of protection tools, technologies, and best practices that you can tailor to meet your organizational and compliance requirements. A broad range of management APIs gives IT departments the tools to help prevent data leakage and enforce compliance in various scenarios. Multi-profile support and device-management options enable the separation of work and personal data, helping keep company data secure. - -MDM security is built on an expanding set of configuration technologies to enable users to be productive on the go while also protecting critical corporate intellectual property. 
This includes app protection policies, device restriction policies, and related technologies designed to enable you to meet specific goals depending on your environment -- whether your business consists of delivering restaurant takeout orders, managing IT services for dental offices, or handling sensitive national security information. - -For example, you may wish to strengthen device authentication by requiring users to enter a 6-digit alphanumeric pin along with 2-factor authentication. You may want to restrict the devices users can enroll in to help you stay compliant with licensing limits or avoid granting access to "jailbroken" phones or other unsupported device types. Intune and other EMMs allow organizations to manage devices according to their needs. - -## App protection policies - -App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it and can be managed by Intune. - -App protection policies allow you to manage and protect your organization's data within an application. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps) available for public use. - -## Security considerations for managing Surface Duo - -The growing number of policy settings available in mobile device management solutions enable organizations to adjust protection levels to meet their specific needs. 
To help organizations prioritize security settings for Surface Duo (or any other Android device), Intune has introduced its [Android Enterprise security configuration framework](/mem/intune/enrollment/android-configuration-framework) organized into several distinct configuration scenarios, providing guidance for work profile and fully managed scenarios. - -| Security level | Targeted to | Summary | Settings info | -| -------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Work profile basic security - Level 1 | Personal devices with access to work or school data. | Introduces password requirements, separates work and personal data, and validates Android device attestation. | [Work profile level 1 settings](/mem/intune/enrollment/android-work-profile-security-settings) | -| Work profile high security - Level 3
(Due to framework conventions, this is the next level above Level 1.)
| Devices used by users or groups who are uniquely high risk. For example, users handling highly sensitive data where unauthorized disclosure causes considerable material loss. | Introduces mobile threat defense or Microsoft Defender ATP, sets the minimum Android version to 8.0, enacts stronger password policies, and further restricts work and personal separation. | [Work profile level 3 settings](/mem/intune/enrollment/android-work-profile-security-settings#work-profile-high-security) | -| Fully managed basic security -Level 1 | Minimum-security configuration for an enterprise device, applicable to most mobile users accessing work or school data. | Introduces password requirements, sets the minimum Android version to 8.0, and enacts certain device restrictions. | [Fully managed Level 1 settings](/mem/intune/fundamentals/protection-configuration-levels#level-1---minimum-protection-and-configuration) | -| Fully managed enhanced security Level 2 | Devices where users access sensitive or confidential information. | Enacts stronger password policies and disables user/account capabilities. | [Fully managed Level 2 settngs](/mem/intune/fundamentals/protection-configuration-levels#level-2---enhanced-protection-and-configuration) | -| Fully managed high security Level 3 | Devices used by users or groups who are uniquely high risk. For example, users handling highly sensitive data where unauthorized disclosure causes considerable material loss. | Increases the minimum Android version to 10.0, introduces mobile threat defense or Microsoft Defender ATP, and enforces additional device restrictions. | [Fully managed Level 3 settings](/mem/intune/fundamentals/protection-configuration-levels#level-3---high-protection-and-configuration) | - - As with any framework, settings within a corresponding level may need to be adjusted based on the organization's needs as security must evaluate the threat environment, risk appetite, and impact on usability. 
- -## Learn more - -- [Android Enterprise security configuration framework](/mem/intune/enrollment/android-configuration-framework) -- [App protection policies overview](/mem/intune/apps/app-protection-policy) -- [Android app protection policy settings in Microsoft Intune](/mem/intune/apps/app-protection-policy-settings-android) -- [Set enrollment restrictions](/mem/intune/enrollment/enrollment-restrictions-set) -- [Android Enterprise Security white paper](https://static.googleusercontent.com/media/www.android.com/en//static/2016/pdfs/enterprise/Android_Enterprise_Security_White_Paper_2019.pdf) diff --git a/surface-duo/surface-lifecycle-android-devices.md b/surface-duo/surface-lifecycle-android-devices.md deleted file mode 100644 index 0f7af4baa..000000000 --- a/surface-duo/surface-lifecycle-android-devices.md +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -title: Surface Lifecycle for Android-based devices -description: This article explains how Surface Duo will receive Android version and security updates for at least 3 years from its release date. -ms.service: surface -author: coveminer -ms.author: chauncel -ms.topic: how-to -ms.date: 01/03/2022 -ms.reviewer: jerbos -manager: frankbu -ms.localizationpriority: medium -appliesto: -- Surface Duo ---- - -# Surface Lifecycle for Android-based devices - -The Surface Lifecycle for Android-based devices covers Android version and security updates for Surface Duo. The lifecycle begins when a device is first released and concludes when Surface ceases publication of updates. - -## Surface Android device support - -Surface Android devices will receive Android version and security updates for at least 3 years from its release date (September 10, 2020). In cases where the support duration is longer than 3 years, an updated end of servicing date will be published 18 months before expiration of the last planned servicing date. - -The following table outlines support information for Surface Duo: - -| Device | Supported OS at device release | Release date | Last planned Android version update | Last planned security update | -| ----------- | ------------------------------------------ | ------------------ | --------------------------------------- | -------------------------------- | -| Surface Duo | Android 10 | September 10, 2020 | September 10, 2023 | September 10, 2023 | -| Surface Duo 2| Android 11 | October 21, 2021 | October 21, 2024 | October 21, 2024 |