From 63479245e47032c62565ac356a5270fb321d73c8 Mon Sep 17 00:00:00 2001 From: Michel Bulgado <52046383+mibulgad@users.noreply.github.com> Date: Fri, 20 Sep 2024 14:23:43 -0400 Subject: [PATCH 01/12] Update corporate-identifiers-add.md Adding the supported OS builds under Limitation section. --- memdocs/intune/enrollment/corporate-identifiers-add.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index dbbce515741..03465b28bd0 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md @@ -247,7 +247,7 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations -- Windows corporate device identifiers are only supported for devices running Windows 10 version 22H2 and later and Windows 11 version 22H2 and later. Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows. +- Windows corporate device identifiers are only supported for devices running Windows 10 version 22H2 (19045.4598) and later and Windows 11 version 22H2 (22621.3374) and 23H2 (22631.3374) or later. Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows. - You can upload up to 10 CSV files for Windows corporate identifiers in the admin center. If you need to upload more data, we recommend using PowerShell or the Microsoft Intune Graph API to add corporate identifiers. From 8440ef9dc6ef51232c2a03d290b2c3817a63cac2 Mon Sep 17 00:00:00 2001 
From: Anya Novicheva Date: Wed, 25 Sep 2024 12:42:59 -0400 Subject: [PATCH 02/12] Update device-enrollment-program-enroll-ios.md Adding doc updates for ADE support for ACME cert instead of SCEP cert in the management profile. --- .../enrollment/device-enrollment-program-enroll-ios.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md index 2ce70c822c5..5a8f0058520 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md @@ -41,6 +41,15 @@ This article describes how to prepare and set up automated device enrollment in ## Overview of features The following table shows the features and scenarios supported with automated device enrollment. +## Certificates +This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. + +Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune. ACME is supported on devices running: + +- iOS 16.0 or later + +- iPadOS 16.1 or later + | Feature | Use this enrollment option when | | --- | --- | | You want supervised mode. | ✔️

Supervised mode deploys software updates, restricts features, allows and blocks apps, and more.| From cd412eaf811efebc874a261abd0f955850679069 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 25 Sep 2024 12:43:18 -0400 Subject: [PATCH 03/12] Update corporate-identifiers-add.md Formatting, style --- memdocs/intune/enrollment/corporate-identifiers-add.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index 03465b28bd0..140f96c7280 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md @@ -247,7 +247,12 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations -- Windows corporate device identifiers are only supported for devices running Windows 10 version 22H2 (19045.4598) and later and Windows 11 version 22H2 (22621.3374) and 23H2 (22631.3374) or later. Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows. +- Windows corporate device identifiers are only supported for devices running: + - Windows 10 version 22H2 (OS build 19045.4598) or later. + - Windows 11 version 22H2 (OS build 22621.3374) or later. + - Windows 11 version 23H2 (OS build 22621.3374) or later. + + Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows. - You can upload up to 10 CSV files for Windows corporate identifiers in the admin center. If you need to upload more data, we recommend using PowerShell or the Microsoft Intune Graph API to add corporate identifiers. 
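Review bot: the new 23H2 item in PATCH 03/12 reads "Windows 11 version 23H2 (OS build 22621.3374) or later", but the line this hunk removes gives 23H2 as 22631.3374, and 22621.3374 is already the 22H2 build on the item above. The commit is described as formatting and style only, so the build number should not change; restore 22631.3374. The "identifer" typo is carried into the re-added paragraph and can be corrected to "identifier" in the same edit.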
From 732c3f6a202b8b16b45713462504be4f69446586 Mon Sep 17 00:00:00 2001 From: Anya Novicheva Date: Wed, 25 Sep 2024 12:44:06 -0400 Subject: [PATCH 04/12] Update device-enrollment-program-enroll-macos.md Adding doc updates for ADE support for ACME cert instead of SCEP cert in the management profile --- .../enrollment/device-enrollment-program-enroll-macos.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md index 11903aba1a4..99af4ca01be 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md @@ -33,6 +33,13 @@ Set up automated device enrollment in Intune for new or wiped Macs purchased thr This article describes how to set up an automated device enrollment profile for corporate-owned Macs. +## Certificates +This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. + +Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune. ACME is supported on devices running: + +- macOS 13.1+ + >[!NOTE] > The steps in this article are the same whether you're using Apple Business Manager or Apple School Manager. For brevity, we refer to *Apple Business Manager* only throughout the steps in this article, except where clarification is necessary. From 9e685ed1dd418272adec78cfb3f95df39ee54a81 Mon Sep 17 00:00:00 2001 
From: Laura Newsad Date: Wed, 25 Sep 2024 12:45:45 -0400 Subject: [PATCH 05/12] Update corporate-identifiers-add.md Typo line 252, 253 --- memdocs/intune/enrollment/corporate-identifiers-add.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index 140f96c7280..50f7896c938 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md @@ -250,7 +250,7 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen - Windows corporate device identifiers are only supported for devices running: - Windows 10 version 22H2 (OS build 19045.4598) or later. - Windows 11 version 22H2 (OS build 22621.3374) or later. - - Windows 11 version 23H2 (OS build 22621.3374) or later. + - Windows 11 version 23H2 (OS build 22631.3374) or later. Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows. From a42f140fb2bf5e9a8a2a6977d62785f2779d1a4f Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 25 Sep 2024 13:00:57 -0400 Subject: [PATCH 06/12] Update device-enrollment-program-enroll-ios.md Moved section to line 57 --- .../device-enrollment-program-enroll-ios.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md index 5a8f0058520..10b8496bcc4 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md 
@@ -41,15 +41,6 @@ This article describes how to prepare and set up automated device enrollment in ## Overview of features The following table shows the features and scenarios supported with automated device enrollment. -## Certificates -This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. - -Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune. ACME is supported on devices running: - -- iOS 16.0 or later - -- iPadOS 16.1 or later - | Feature | Use this enrollment option when | | --- | --- | | You want supervised mode. | ✔️

Supervised mode deploys software updates, restricts features, allows and blocks apps, and more.| @@ -63,6 +54,15 @@ Devices that are already enrolled do not get an ACME certificate on unless they | Devices are managed by another MDM provider. | ❌

If you want to fully manage a device in Intune, users must unenroll from the current MDM provider, and then enroll in Intune. Or, you can use MAM to manage specifics apps on the device. Since these devices are owned by the organization, we recommend enrolling them in Intune. | | You use the device enrollment manager (DEM) account. | ❌

The DEM account isn't supported. | +## Certificates +This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. + +Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune. ACME is supported on devices running: + +- iOS 16.0 or later + +- iPadOS 16.1 or later + ## Prerequisites Before you create the enrollment profile, you must have: From 0f4f69a32a64f2d22bd994cff935f57892ab9c87 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 25 Sep 2024 14:31:41 -0400 Subject: [PATCH 07/12] Update corporate-identifiers-add.md Updated known issues and limitations per PM --- memdocs/intune/enrollment/corporate-identifiers-add.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index 50f7896c938..1f0da1926f6 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md 
@@ -248,11 +248,12 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations - Windows corporate device identifiers are only supported for devices running: + - Windows 10 version 22H2 (OS build 19045.4598) or later. - Windows 11 version 22H2 (OS build 22621.3374) or later. - Windows 11 version 23H2 (OS build 22631.3374) or later. - Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows. + Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. - You can upload up to 10 CSV files for Windows corporate identifiers in the admin center. If you need to upload more data, we recommend using PowerShell or the Microsoft Intune Graph API to add corporate identifiers. From e2c3afaa197112a38fc8a12169ada073b5abc6b0 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 25 Sep 2024 14:33:28 -0400 Subject: [PATCH 08/12] Update device-enrollment-program-enroll-macos.md Moved section --- .../device-enrollment-program-enroll-macos.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md index 99af4ca01be..53e3bcbcc00 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md 
@@ -33,13 +33,6 @@ Set up automated device enrollment in Intune for new or wiped Macs purchased thr This article describes how to set up an automated device enrollment profile for corporate-owned Macs. -## Certificates -This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. - -Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune. ACME is supported on devices running: - -- macOS 13.1+ - >[!NOTE] > The steps in this article are the same whether you're using Apple Business Manager or Apple School Manager. For brevity, we refer to *Apple Business Manager* only throughout the steps in this article, except where clarification is necessary. 
@@ -51,8 +44,14 @@ Devices that are already enrolled do not get an ACME certificate on unless they 4. [Assign DEP profile to devices](#assign-an-enrollment-profile-to-devices) 5. [Distribute devices to users](#end-user-experience-with-managed-devices) --> +## Certificates + +This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. + +Devices that are already enrolled do not get an ACME certificate unless they re-enroll into Microsoft Intune. ACME is supported on devices running macOS 13.1 and later. ## Limitations + Automated device enrollment via Apple Business Manager and Apple School Manager isn't supported with [device enrollment manager accounts](device-enrollment-manager-enroll.md). ## Prerequisites From 84b38e8d13dba3e8d251e5f231100924e76f1352 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 25 Sep 2024 14:34:57 -0400 Subject: [PATCH 09/12] Update corporate-identifiers-add.md Fixed list formatting --- memdocs/intune/enrollment/corporate-identifiers-add.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index 1f0da1926f6..8de4cc4aa20 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md 
@@ -247,10 +247,12 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations -- Windows corporate device identifiers are only supported for devices running: +- Windows corporate device identifiers are only supported for devices running: - - Windows 10 version 22H2 (OS build 19045.4598) or later. - - Windows 11 version 22H2 (OS build 22621.3374) or later. + - Windows 10 version 22H2 (OS build 19045.4598) or later. + + - Windows 11 version 22H2 (OS build 22621.3374) or later. + - Windows 11 version 23H2 (OS build 22631.3374) or later. Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. From e7ec11f14419187ee828119b021cc6a2453b6066 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 25 Sep 2024 14:38:01 -0400 Subject: [PATCH 10/12] Update device-enrollment-program-enroll-ios.md Removed extra word line 58 --- .../intune/enrollment/device-enrollment-program-enroll-ios.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md index 10b8496bcc4..97e38d865e2 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md 
@@ -57,7 +57,7 @@ The following table shows the features and scenarios supported with automated de ## Certificates This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. -Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune. ACME is supported on devices running: +Devices that are already enrolled do not get an ACME certificate unless they re-enroll into Microsoft Intune. ACME is supported on devices running: - iOS 16.0 or later From 4c9be13e4b2b6cbb22e8690b95727940fad20ef2 Mon Sep 17 00:00:00 2001 From: abigail-stein <123512958+abigail-stein@users.noreply.github.com> Date: Wed, 25 Sep 2024 15:41:58 -0400 Subject: [PATCH 11/12] Update oemconfig-managed-home-screen-permissions-android.md --- .../oemconfig-managed-home-screen-permissions-android.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md b/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md index f8dbf6f4974..ec567ffe455 100644 --- a/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md +++ b/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md 
@@ -170,7 +170,7 @@ When you use the schema settings in the **Knox Service Plugin** app, the Intune For guidance on configuring the OEM app schema, use the following links: - [Blog - Frontline workers get a better experience from Microsoft and Samsung](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/frontline-workers-get-a-better-experience-from-microsoft-and/ba-p/4078801) - - [Knox Service Plugin - Overview](https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/welcome/) (opens Samsung's web site) + - [Knox Service Plugin - Grant special permissions for an app](https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/kbas/kba-1261-grant-special-permissions-for-an-app/) (opens Samsung's web site) When you create the Intune policy, you enter the following info: From 2d10a4039dd750e3f1170b56b031f1e237029f7c Mon Sep 17 00:00:00 2001 From: LuNeicia Williams Date: Wed, 25 Sep 2024 17:01:52 -0500 Subject: [PATCH 12/12] Update apps-inc-exl-assignments.md should this line read -- If you want to select a group that currently isn't available, first remove the *group from the app's assigned list. instead of If you want to select a group that currently isn't available, first remove the *app from the app's assigned list. --- memdocs/intune/apps/apps-inc-exl-assignments.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/apps/apps-inc-exl-assignments.md b/memdocs/intune/apps/apps-inc-exl-assignments.md index 2c0b7af8c95..af4796d552a 100644 --- a/memdocs/intune/apps/apps-inc-exl-assignments.md +++ b/memdocs/intune/apps/apps-inc-exl-assignments.md 
@@ -85,7 +85,7 @@ To assign an app to groups by using the include and exclude assignment: > [!NOTE] > When you add a group, if any other group has already been included for a specific assignment type, the app is preselected and can't be modified for other include assignment types. The group that has been used can't be used as an included group. -When you make group assignments, groups that have already been assigned aren't available to be modified. If you want to select a group that currently isn't available, first remove the app from the app's assigned list. +When you make group assignments, groups that have already been assigned aren't available to be modified. If you want to select a group that currently isn't available, first remove the group from the app's assigned list. To edit assignments, in the app **Assignments** pane, select the row that contains the specific assignment that you want to change. You can also remove an assignment by selecting the ellipse (**…**) at the end of a row, and then selecting **Remove**.
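Review bot: in PATCH 01/12 (corporate-identifiers-add.md), the added bullet mixes "and later" and "or later" in one sentence ("22H2 (19045.4598) and later and Windows 11 version 22H2 (22621.3374) and 23H2 (22631.3374) or later") and gives the numbers in parentheses without saying they are OS builds. Suggest one item per release with "OS build" spelled out, and correct "identifer" to "identifier" while the line is being touched.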
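Review bot: in PATCH 02/12 (device-enrollment-program-enroll-ios.md), the new "## Certificates" section is inserted between the sentence "The following table shows the features and scenarios supported with automated device enrollment." and the table it introduces, so the table ends up under the Certificates heading. Move the section below the table. The added sentence "do not get an ACME certificate on unless they re-enroll" also has a stray "on".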
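Review bot: in PATCH 04/12 (device-enrollment-program-enroll-macos.md), the added sentence "Devices that are already enrolled do not get an ACME certificate on unless they re-enroll into Microsoft Intune" has a stray "on". The supported-version list has a single item, "- macOS 13.1+", which reads better folded into the sentence, using the "or later" wording of the iOS/iPadOS article. The section is also placed above the [!NOTE] about Apple Business Manager naming that opens the article; consider putting it after that note.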
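Review bot: in PATCH 06/12, the relocated Certificates block is re-added verbatim, so "do not get an ACME certificate on unless" keeps its stray "on", and "## Certificates" is still followed directly by the paragraph with no blank line. Every line of the section is being re-added anyway, so fix both in this change rather than in a follow-up.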
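Review bot: PATCH 08/12 is described as "Moved section", but the text added in the second hunk is not the text removed in the first: the stray "on" is dropped and the "- macOS 13.1+" list becomes "macOS 13.1 and later" inside the sentence. The edits are fine; mention them in the commit message so the move does not hide a content change. The iOS article says "or later" where this one now says "and later"; pick one wording for both.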
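Review bot: in PATCH 09/12, the "Windows 10 version 22H2" and "Windows 11 version 22H2" items are rewritten and separated by blank lines, while "Windows 11 version 23H2 (OS build 22631.3374) or later." stays an unchanged context line. If the fix is to the indentation of the nested list, check that the third item has the same indentation as the two rewritten ones, otherwise it can render at a different list level.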
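Review bot: the commit message of PATCH 12/12 asks whether the sentence should say "group" instead of stating that it should. The change matches the sentence before it, which is about groups that "aren't available to be modified", so "first remove the group from the app's assigned list" reads correctly; get the wording confirmed and replace the question in the message with a statement of the fix. In the trailing context line, "selecting the ellipse (**…**)" should read "ellipsis".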