Merge pull request #16869 from MicrosoftDocs/main
Publish main to live, 12/05/24, 3:30 PM PT
Ruchika-mittal01 authored Dec 5, 2024
2 parents 66fd2d6 + c4651e1 commit 21eaf71
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions memdocs/intune/apps/app-protection-policy-settings-ios.md
Expand Up @@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
ms.date: 09/23/2024
ms.date: 12/05/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: apps
Expand Down Expand Up @@ -44,7 +44,7 @@ There are three categories of policy settings: *Data relocation*, *Access requir
## Data protection

> [!IMPORTANT]
> For apps that have updated to v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16 of the SDK, screen capture block will be applied if you have configured Send Org data to other apps setting to a value other than All apps. You can configure app configuration policy setting com.microsoft.intune.mam.screencapturecontrol = Disabledif you wish to allow screen capture for your iOS devices.
> For apps that have updated to v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16 of the SDK, screen capture block will be applied if you have configured **Send Org data to other apps** setting to a value other than "All apps". You can configure app configuration policy setting `com.microsoft.intune.mam.screencapturecontrol` = `Disabled` (**Apps** > **App configuration policies** > **Create** > **Managed apps** > under the **Settings** step, select **General configuration settings**) if you need to allow screen capture for your iOS devices.
### Data Transfer
| Setting | How to use | Default value |
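Review bot: In the added [!IMPORTANT] line, the instruction to set `com.microsoft.intune.mam.screencapturecontrol` = `Disabled` gives the portal path but not the scope or the consequence: the screen capture block is applied because **Send Org data to other apps** is restricted, and the note does not say that disabling it allows screen capture of org data in every app the configuration policy targets. Suggest adding a clause that tells the admin to assign the app configuration policy only to the apps that need screen capture. Two wording points in the same line: "if you have configured **Send Org data to other apps** setting" is missing "the", and the value "All apps" is in plain quotes while the setting name is bold, so pick one convention for setting names and values.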
Expand Down Expand Up @@ -187,7 +187,7 @@ By default, several settings are provided with pre-configured values and actions
| **Min SDK version** | Specify a minimum value for the Intune SDK version.<p>*Actions* include: <br><ul><li>**Block access** - The user is blocked from access if the app's Intune app protection policy SDK version doesn't meet the requirement.<br></li><li>**Wipe data** - The user account that is associated with the application is wiped from the device.<br></li><li>**Warn** - The user will see a notification if the iOS/iPadOS SDK version for the app doesn't meet the minimum SDK requirement. The user will be instructed to upgrade to the latest version of the app. This notification can be dismissed.</li></ul>To learn more about the Intune app protection policy SDK, see [Intune App SDK overview](../developer/app-sdk.md). As apps often have distinct Intune SDK version between them, create a policy with one min Intune SDK version targeting one app (for example, *Intune SDK version policy for Outlook*). <br><br> This entry can appear multiple times, with each instance supporting a different action.|
| **Device model(s)** | Specify a semi-colon separated list of model identifier(s). These values aren't case sensitive.<p>*Actions* include: <br><ul><li>**Allow specified (Block non-specified)** - Only devices that match the specified device model can use the app. All other device models are blocked. </li><li>**Allow specified (Wipe non-specified)** - The user account that is associated with the application is wiped from the device.</li></ul> For more information on using this setting, see [Conditional Launch actions](app-protection-policies-access-actions.md#ios-policy-settings). |
| **Max allowed device threat level** | App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either *Secured*, *Low*, *Medium*, or *High*. *Secured* requires no threats on the device and is the most restrictive configurable value, while *High* essentially requires an active Intune-to-MTD connection.<p>*Actions* include: <br><ul><li>**Block access** - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.</li><li>**Wipe data** - The user account that is associated with the application is wiped from the device.</li></ul>**Note:** *Requires app to have Intune SDK version 12.0.15 or above.* <br><br> For more information on using this setting, see [Enable MTD for unenrolled devices](../protect/mtd-enable-unenrolled-devices.md). |
|**Primary MTD service** |If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.<p><p>**Values** include:<br><ul><li>**Microsoft Defender for Endpoint** - if the MTD connector is configured, specify Microsoft Defender for Endpoint will provide the device threat level information.</li><li>**Mobile Threat Defense (Non-Microsoft)** - if the MTD connector is configured, specify the non-Microsoft MTD will provide the device threat level information.</li></ul><p>You must configure the setting Max allowed device threat level to use this setting. <p> There are no **Actions** for this setting.|
|**Primary MTD service** |If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.<p><p>**Values** include:<br><ul><li>**Microsoft Defender for Endpoint** - if the MTD connector is configured, specify Microsoft Defender for Endpoint will provide the device threat level information.</li><li>**Mobile Threat Defense (Non-Microsoft)** - if the MTD connector is configured, specify the non-Microsoft MTD will provide the device threat level information.</li></ul><p>You must configure the setting "Max allowed device threat level" to use this setting. <p> There are no **Actions** for this setting.|
|**Non-working time** |There is no value to set for this setting.<p>*Actions* include: <br><ul><li>**Block access** - The user is blocked from access because the user account that is associated with the application is in non-working time.</li><li>**Warn** - The user sees a notification if the user account that is associated with the application is in non-working time. The notification can be dismissed.</li></ul>**Note**: This setting must only be configured if the tenant has been integrated with the **Working Time API**. For more information about integrating this setting with the **Working Time API**, see [Limit access to Microsoft Teams when frontline workers are off shift](/microsoft-365/frontline/flw-working-time). Configuring this setting without integrating with the Working Time API could result in accounts getting blocked due to missing working time status for the managed account associated with the application.<p>The following apps support this feature:<ul><li>Teams for iOS v6.9.2 or later</li><li>Edge for iOS v126.2592.56 or later</li></ul> |
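Review bot: In the changed **Primary MTD service** row, "Max allowed device threat level" is set off with plain quotes, while the same setting name is bold in the first column of the row directly above; suggest `**Max allowed device threat level**` so the cross-reference matches the table. While this line is being touched, the doubled `<p><p>` after "end user device." and the phrasing "specify Microsoft Defender for Endpoint will provide" (missing "that") could be cleaned up. Both values are qualified with "if the MTD connector is configured", so the row should also state what happens to the threat level check when the selected connector is not configured.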

