Merge pull request #16896 from MicrosoftDocs/main
Publish main to live, 12/09/24, 3:30 PM PT
Ruchika-mittal01 authored Dec 9, 2024
2 parents 9be6c75 + 2a12f7c commit c7da95e
Showing 17 changed files with 62 additions and 18 deletions.
8 changes: 4 additions & 4 deletions memdocs/intune/apps/app-protection-framework.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
ms.date: 01/12/2024
ms.date: 12/09/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: apps
Expand All @@ -34,7 +34,7 @@ ms.collection:

As more organizations implement mobile device strategies for accessing work or school data, protecting against data leakage becomes paramount. Intune's mobile application management solution for protecting against data leakage is App Protection Policies (APP). APP are rules that ensure an organization's data remains safe or contained in a managed app, regardless of whether the device is enrolled. For more information, see [App protection policies overview](app-protection-policy.md).

When configuring App Protection Policies, the number of various settings and options enable organizations to tailor the protection to their specific needs. Due to this flexibility, it may not be obvious which permutation of policy settings are required to implement a complete scenario. To help organizations prioritize client endpoint hardening endeavors, Microsoft has introduced a new taxonomy for [security configurations in Windows 10](https://aka.ms/secconframework), and Intune is leveraging a similar taxonomy for its APP data protection framework for mobile app management.
When you configure App Protection Policies, the number of various settings and options enable organizations to tailor the protection to their specific needs. Due to this flexibility, it may not be obvious which permutation of policy settings are required to implement a complete scenario. To help organizations prioritize client endpoint hardening endeavors, Microsoft has introduced a new taxonomy for [security configurations in Windows 10](https://aka.ms/secconframework), and Intune is leveraging a similar taxonomy for its APP data protection framework for mobile app management.

The APP data protection configuration framework is organized into three distinct configuration scenarios:

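Review bot: The rewritten "When you configure App Protection Policies" sentence still carries two agreement errors that this edit could have fixed in the same pass: "the number of various settings and options enable" and "which permutation of policy settings are required". Suggest "the number of settings and options enables organizations to tailor the protection" and "which permutation of policy settings is required".
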
Expand All @@ -46,7 +46,7 @@ The APP data protection configuration framework is organized into three distinct

## APP Data Protection Framework deployment methodology

As with any deployment of new software, features or settings, Microsoft recommends investing in a ring methodology for testing validation prior to deploying the APP data protection framework. Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct.
As with any deployment of new software, features, or settings, Microsoft recommends investing in a ring methodology for testing validation prior to deploying the APP data protection framework. Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct.

Microsoft recommends the following deployment ring approach for the APP data protection framework:

Expand Down Expand Up @@ -75,7 +75,7 @@ Administrators can incorporate the below configuration levels within their ring
### Conditional Access Policies

To ensure that only apps supporting App Protection Poliies access work or school account data, Microsoft Entra Conditional Access policies are required. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection).
To ensure that only apps supporting App Protection Policies access work or school account data, Microsoft Entra Conditional Access policies are required. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection).

See **Require approved client apps or app protection policy with mobile devices** in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection) for steps to implement the specific policies. Finally, implement the steps in [Block legacy authentication](/azure/active-directory/conditional-access/block-legacy-authentication) to block legacy authentication capable iOS and Android apps.

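Review bot: The corrected sentence says Microsoft Entra Conditional Access, yet all three links in this hunk still use /azure/active-directory/conditional-access/ paths, while the OneDrive page changed in this same commit links to /entra/fundamentals/how-to-find-tenant. Since the line is being edited anyway, confirm the link targets are current rather than leaning on redirects. In the unchanged paragraph below it, "legacy authentication capable iOS and Android apps" would read better as "legacy-authentication-capable".
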
Expand Down
2 changes: 1 addition & 1 deletion memdocs/intune/apps/manage-microsoft-edge.md
Original file line number Diff line number Diff line change
Expand Up @@ -282,7 +282,7 @@ Edge for iOS and Android allows organizations to disable certain features that a

|Key |Value |
|:-----------|:-------------|
|com.microsoft.intune.mam.managedbrowser.disabledFeatures|**password** disables prompts that offer to save passwords for the end user <br>**inprivate** disables InPrivate browsing <br>**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information <br>**translator** disables translator <br> **readaloud** disables read aloud <br> **drop** disables drop <br>**coupons** disables coupons <br>**extensions** disables extensions (Edge for Android only) <br>**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only) <br>**UIRAlert** suppress re-verify account popups in new tab page screen <br> **share** disables Share under menu <br> **sendtodevices** disables Send to devices under menu <br> **weather** disables weather in NTP (New Tab Page) <br><br>To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. |
|com.microsoft.intune.mam.managedbrowser.disabledFeatures|**password** disables prompts that offer to save passwords for the end user <br>**inprivate** disables InPrivate browsing <br>**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information <br>**translator** disables translator <br> **readaloud** disables read aloud <br> **drop** disables drop <br>**coupons** disables coupons <br>**extensions** disables extensions (Edge for Android only) <br>**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only) <br>**UIRAlert** suppress re-verify account popups in new tab page screen <br> **share** disables Share under menu <br> **sendtodevices** disables Send to devices under menu <br> **weather** disables weather in NTP (New Tab Page) <br> **webinspector** disables Web Inspector setting (Edge for iOS only) <br><br>To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. |

#### Disable import passwords feature

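Review bot: The new **webinspector** value is marked Edge for iOS only and **developertools** is marked Edge for Android only, but the closing example in the cell still shows only `inprivate|password`, so an admin who wants both Developer options and Web Inspector closed across a mixed fleet has to infer that two values are needed. Suggest adding a sentence after the list that says so, with `developertools|webinspector` as the example, and stating what a platform-specific value does when it reaches the other platform. This file changes a single line without an ms.date bump, unlike app-protection-framework.md and whats-new.md in this commit, and "**UIRAlert** suppress" in the same cell should read "suppresses".
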
Expand Down
14 changes: 13 additions & 1 deletion memdocs/intune/fundamentals/whats-new.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
ms.date: 12/06/2024
ms.date: 12/09/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
Expand Down Expand Up @@ -77,6 +77,16 @@ You can use RSS to be notified when this page is updated. For more information,
-->
## Week of December 2, 2024

### Device enrollment

#### Change to enrollment behavior for iOS enrollment profile type<!-- 29068674 -->

At Apple WWDC 2024, Apple ended support for profile-based Apple user enrollment. For more information, see [Support has ended for profile-based user enrollment with Company Portal](#support-has-ended-for-apple-profile-based-user-enrollment-with-company-portal). As a result of this change, we updated the behavior that occurs when you select **Determine based on user choice** as the enrollment profile type for bring-your-own-device (BYOD) enrollments.

Now when users select **I own this device** during a BYOD enrollment, Microsoft Intune enrolls them via account-driven user enrollment, rather than profile-based user enrollment, and then secures only work-related apps. Less than one percent of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices. There is no change for iOS users who select **My company owns this device** during a BYOD enrollment. Intune enrolls them via device enrollment with Intune Company Portal, and then secures their entire device.

If you currently allow users in BYOD scenarios to determine their enrollment profile type, you must take action to ensure account-driven user enrollment works by completing all prerequisites. For more information, see [Set up account driven Apple user enrollment](../enrollment/apple-account-driven-user-enrollment.md). If you don't give users the option to choose their enrollment profile type, there are no action items.

### Device management

#### Device Inventory for Windows<!-- 24853010 -->
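
Review bot: In the first paragraph of the new "Change to enrollment behavior" entry, the link text "Support has ended for profile-based user enrollment with Company Portal" does not match its anchor, #support-has-ended-for-apple-profile-based-user-enrollment-with-company-portal, which includes "apple"; use the target heading's exact wording. The third paragraph's link text "Set up account driven Apple user enrollment" also drops the hyphen that the body uses in "account-driven user enrollment". The required admin action ("you must take action ... by completing all prerequisites") sits in the last paragraph; consider moving it up so tenants that allow **Determine based on user choice** see it first.
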
Expand All @@ -94,6 +104,8 @@ Applies to:

- Windows 10 and later (Corporate owned devices managed by Intune)



## Week of November 18, 2024 (Service release 2411)

### App management
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Apple Intelligence
Expand Down Expand Up @@ -38,7 +40,7 @@ To learn more, see:

[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]

This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Appple Intelligence**.
This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Apple Intelligence**.

```msgraph-interactive
POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
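
Review bot: Only the sentence above the request is corrected from "Appple" to "Apple" in this hunk; the request body that follows the POST line is outside the visible context. If the body's policy name carried the same misspelling, it needs the same fix in this change, otherwise the policy created in the tenant will not match the name the text tells the reader to look for.
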
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Common Education iPad device restrictions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# iPads with no user affinity
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Apple]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Optional restrictions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ author: yegor-a
ms.author: egorabr
ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot, Edge, Apple]
ms.service: microsoft-intune
ms.subservice: education
---

# Common Education configuration overview
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Delivery Optimization
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Common Education device restrictions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot, Edge]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Microsoft Edge
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# OneDrive Known Folder Move
Expand All @@ -31,7 +33,7 @@ To learn more, see:
| **Category** | **Name** | **Value** | **Notes** | **CSP** |
|---|---|---|---|---|
| OneDrive |**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) |
| OneDrive |**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations > Tenant ID: (Device)":::** | _tenant ID_ | **Important!** This is a tenant-specific value. [How to find your Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant)| [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) |
| OneDrive |**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations > Tenant ID: (Device)":::** | _tenant ID_ | **!Important**: This is a tenant-specific value. [How to find your Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant)| [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) |
| OneDrive |**:::no-loc text="Block file downloads when users are low on disk space":::** | Enabled | | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) |
| OneDrive |**:::no-loc text="Block file downloads when users are low on disk space > Minimum available disk space: (Device)":::** | 1024 | Only enables the setting configuration. | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) |
| OneDrive |**:::no-loc text="Convert synced team site files to online-only files":::** | Enabled | Files in currently syncing team sites are changed to online-only files, by default. Files later added or updated in the team site are also downloaded as online-only files. | [:::no-loc text="DehydrateSyncedTeamSites":::](/sharepoint/use-group-policy#convert-synced-team-site-files-to-online-only-files) |
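
Review bot: In the Tenant ID row, "**Important!**" becomes "**!Important**:", which is neither plain emphasis nor the docs alert syntax (`> [!IMPORTANT]`), and an alert block would not render inside a table cell anyway. Suggest plain "**Important**:" here. The point matters for this row because the tenant ID is the value that restricts OneDrive sync to the organization's own tenant, so the callout should read cleanly.
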
Expand All @@ -41,7 +43,7 @@ To learn more, see:
| OneDrive |**:::no-loc text="Prevent users from syncing personal OneDrive accounts (User)":::** | Enabled | | [:::no-loc text="DisablePersonalSync":::](/sharepoint/use-group-policy#prevent-users-from-syncing-personal-onedrive-accounts) |
| OneDrive |**:::no-loc text="Set the sync app update ring":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="GPOSetUpdateRing":::](/sharepoint/use-group-policy#set-the-sync-app-update-ring) |
| OneDrive |**:::no-loc text="Set the sync app update ring > Update ring: (Device)":::** | Production | Users get the latest features as they become available. | [:::no-loc text="GPOSetUpdateRing":::](/sharepoint/use-group-policy#set-the-sync-app-update-ring) |
| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive":::** | Enabled | **Important!** Make sure to pick the setting with 5 sub-settings listed below.Redirect and move your users' Documents, Pictures, and/or Desktop folders to OneDrive without any user interaction. | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive":::** | Enabled | **!Important**: Make sure to pick the setting with 5 sub-settings listed below. Redirect and move your users' Documents, Pictures, and/or Desktop folders to OneDrive without any user interaction. | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Desktop (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Documents (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
| OneDrive |**:::no-loc text="Silently move Windows known folders to OneDrive > Pictures (Device)":::** | True | | [:::no-loc text="KFMSilentOptIn":::](/sharepoint/use-group-policy#silently-move-windows-known-folders-to-onedrive) |
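
Review bot: In the "Silently move Windows known folders to OneDrive" row, the Notes cell runs a selection hint ("Make sure to pick the setting with 5 sub-settings listed below.") straight into the setting's description ("Redirect and move your users' Documents, Pictures, and/or Desktop folders ..."), and "below" is ambiguous inside a table. Suggest putting the description first and identifying the sub-settings by their row labels (Desktop, Documents, Pictures and the rest) so the hint still holds if rows are reordered.
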
Expand All @@ -50,7 +52,7 @@ To learn more, see:
| OneDrive |**:::no-loc text="Silently sign in users to the OneDrive sync app with their Windows credentials":::** | Enabled | Users who are signed in on a PC that's joined to Microsoft Entra ID can set up the sync app without entering their account credentials. | [:::no-loc text="SilentAccountConfig":::](/sharepoint/use-group-policy#silently-sign-in-users-to-the-onedrive-sync-app-with-their-windows-credentials) |
| OneDrive |**:::no-loc text="Use OneDrive Files On-Demand":::** | Enabled | New users who set up the sync app see online-only files in File Explorer, by default. | [:::no-loc text="FilesOnDemandEnabled":::](/sharepoint/use-group-policy#use-onedrive-files-on-demand) |
| OneDrive |**:::no-loc text="Warn users who are low on disk space":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="WarningMinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#warn-users-who-are-low-on-disk-space) |
| OneDrive |**:::no-loc text="Warn users who are low on disk space > Minimum available disk space: (Device)":::** | 2048 | Specify a miminimum amount of available disk space in MB, and warn users when the OneDrive sync app (OneDrive.exe) downloads a file that causes them to have less than this amount. | [:::no-loc text="WarningMinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#warn-users-who-are-low-on-disk-space) |
| OneDrive |**:::no-loc text="Warn users who are low on disk space > Minimum available disk space: (Device)":::** | 2048 | Specify a minimum amount of available disk space in MB, and warn users when the OneDrive sync app (OneDrive.exe) downloads a file that causes them to have less than this amount. | [:::no-loc text="WarningMinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#warn-users-who-are-low-on-disk-space) |

## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Start menu customization
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Windows privacy
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ ms.manager: dougeby
no-loc: [Microsoft, Windows, Autopatch, Autopilot]
ms.collection:
- graph-interactive
ms.service: microsoft-intune
ms.subservice: education
---

# Windows Update
Expand Down
21 changes: 14 additions & 7 deletions memdocs/intune/user-help/microsoft-intune-app-linux.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,21 +52,28 @@ Run the following commands in a command line to manually install the Microsoft I

2. Install the Microsoft package signing key.

For Ubuntu 20.04:
For Ubuntu 24.04:

```bash
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main" > /etc/apt/sources.list.d/microsoft-ubuntu-noble-prod.list'
sudo rm microsoft.gpg
```
For Ubuntu 22.04:

```bash
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/microsoft-ubuntu-focal-prod.list'
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" > /etc/apt/sources.list.d/microsoft-ubuntu-jammy-prod.list'
sudo rm microsoft.gpg
```

For Ubuntu 22.04:
For Ubuntu 20.04:

```bash
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" > /etc/apt/sources.list.d/microsoft-ubuntu-jammy-prod.list'
sudo install -o root -g root -m 644 microsoft.gpg /usr/share/keyrings/
sudo sh -c 'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/microsoft-ubuntu-focal-prod.list'
sudo rm microsoft.gpg
```

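Review bot: In all three Ubuntu blocks, `curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg` runs curl without failure flags, so an HTTP error or empty response is piped into gpg and the resulting file can still be installed into /usr/share/keyrings/ by the next line. Suggest `curl -fsSL` so a failed download stops the step, and adding a line that has the reader inspect the key before installing it, for example `gpg --show-keys microsoft.gpg`, since this keyring is what `signed-by=` trusts for every package from the repo. Formatting: the closing fence of the new 24.04 block is followed directly by "For Ubuntu 22.04:" with no blank line, unlike the gap before "For Ubuntu 20.04:".
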
Expand Down