Microsoft Intune Blog

What’s new in Microsoft Intune 2305 (May) edition

Ramya_Chitrakar
May 25, 2023

We're excited to announce our new May (2305) service release! This month we're highlighting three admin-requested capabilities that increase security and ease of use. First off, admins can now use filters to gain more options for assigning app protection and app configuration policies. In addition, Conditional Access has been integrated into Remote Help to help admins manage organizational access policies on the Remote Help app. Finally, we're excited to announce the release of LifeGuard Over-the-Air service updates, which will provide an efficient and secure way to update ruggedized Zebra Android devices managed by Intune.

The entire list of What's new will be updated in the next few days as 2305 completes its production release. Earlier this week, Microsoft also announced several Windows features that are managed with Intune, like Organizational messages releasing this month and drivers and firmware updates coming soon. If you'd like to read more, see Expanding IT value in Windows 11 Enterprise and Intune. Let me know what you think of these new developments! Comment on this post or connect with me on LinkedIn.

New MAM app protection and app configuration filter options

Admins now have more flexibility in assigning and fine-tuning Intune app protection and app configuration policies with filters for mobile application management (MAM).

Previously, admins could only set app protection policies (APP) and app configuration policies (ACP) by platform, user group, and application. The new release supports assignment filters for both enrolled and unenrolled devices and allows admins to tailor MAM policy deployments to specific use cases.

When you create a new filter, you'll be able to target APP and ACP based on the following properties:

  • Device management type, including unmanaged devices
  • Device manufacturer
  • Device model
  • OS version
  • Application version
  • MAM client version

A screenshot of the new filter creation page

This capability will help IT pros solve complex workflows. Some of the scenarios requested by customers include the ability to target:

  • One policy to apps on one OS version and a different policy to apps on a later OS version to ensure each device has the latest security updates
  • Different ACP settings for users signing into a corporate shared device vs. when they use personal unmanaged devices
  • Specific device models, such as a unified communications device or a ruggedized device, with a particular APP/ACP policy or exclude those devices from APP/ACP policy

With the new release, your existing policies will stay as-is. However, we recommend moving your policies to filters with MAM to take advantage of the new assignment options. MAM filters will be available in all environments upon release, including our gov clouds—Government Community Cloud High (GCC High) and Department of Defense (DoD).

Remote Help now integrated with Conditional Access

The latest release introduces Conditional Access to Remote Help, providing admins with better access management for specific user groups or devices. Conditional Access enables admins to control access based on categories, including users and groups, workload identities, directory roles, and external guests. The goal is to empower users to be productive wherever and whenever while protecting the organization's assets.

Customers requested this feature to help them set up and enforce organizational policies when using the Remote Help app, such as:

  • Setting up multifactor authentication
  • Installing security updates
  • Locking access to Remote Help to a specific region

In addition, this month we have also added access to Remote Help audit log sessions created in Intune. This enables admins to reference past events for troubleshooting and analyzing log activities. For more information on how to use Remote Help, see Remotely assist users that are authenticated by your organization.

Introducing Intune integration with the Zebra LifeGuard Over-the-Air service

Traditionally, updating ruggedized Android devices manually can be challenging, as IT admins do not always have physical access to the devices. Devices that are not updated remain exposed to known security vulnerabilities and can also cause software compatibility issues for customers.

Intune has been working with Zebra to support firmware over-the-air solutions, and in 2305 we are announcing a public preview of integration with Zebra's LifeGuard Over-the-Air service, providing an efficient and secure way to update ruggedized Zebra Android devices managed by Intune. Admins can now update and manage Zebra devices from the Intune admin center and deploy updates through Wi-Fi or mobile broadband.

You can read more about this new capability in our public preview announcement. Note that this capability in public preview is not available in our gov clouds (GCCH and DoD).

Your feedback helps us get better

We'd love to know what you think of our new capabilities. Please share your thoughts by commenting on this post or connect with me on LinkedIn. We'll have more release news for you next month!

Updated May 23, 2023
Version 1.0
  • WKHO-jpa, thank you for your feedback! Regarding item 1, we've reproduced your experience and have filed a bug with engineering to fix ASAP. For item 2, you'll see this behavior documented in the tool tip. Regarding item 3, we've shared your feedback with the feature PM. Thank you for taking the time to provide such detailed feedback!

  • StBlade (Copper Contributor)

    This update broke the ability to add custom URL indicators to the system. Before the update, I could add URL indicators; now it is just giving a "Failed to update" error at the top of the screen.

  • StephanK (Brass Contributor)

    I tried to create a filter to only target Android Work Profiles, but there doesn't seem to be a filter for this? This used to be possible with an application protection policy to only target work profiles.

  • WKHO-jpa (Copper Contributor)

    jrngsg, app filters are different; you need to create them in addition to what you already have for devices.


    Ramya_Chitrakar, here are the results of my investigation for app filters:


    1. Intune admin center provides the wrong selection for filter rules for iOS. app.deviceManagementType can only have values of "Unmanaged" or "MDM", but what it offers from the dropdown is "Unmanaged" and "Managed". If you go with what is offered for "Managed", you are going to be lost. Manually editing and overruling the GUI to use "MDM" instead does the trick.
    2. Intune admin center is broken to offer selections of "Unmanaged" and "Managed" when editing App Protection Policies. It is greyed out and none can be selected. That makes editing of APP a problem and even more if you follow the suggestion from this article to change to filters instead of using the Device Type restriction of the policy itself (at least, if you hadn't resolved the problem from no.1 just yet). If you had lost the Device Type restriction for whatever reason, the only way to get this back into place is using Microsoft Graph API. That worked fine for us here but is not the level of quality you expect when such new function goes live and is even rolled out in waves (who does the testing, like nobody?).

    I was also hoping to get more properties to filter App Protection Policies for specific groups of managed devices. For example, I need to be able to distinguish between User-Enrolled iOS devices and Supervised iOS devices to assign different App Protection Policies. I still can't do this with the new app filters, making them unimportant for me to use. For managed devices, it should be possible for app filters to also rely on information from the device enrollment (e.g. device.enrollmentProfileName, device.deviceOwnership). I understand that this information is not available for unmanaged devices for obvious reasons, but when a device is known to be managed, this information is available in Intune already.


    Additions about Apple Account Driven User Enrollment (Just-In-Time Enrollment)


    1. When enrolling a device using Apple Account Driven User Enrollment, the enrollment profile name is no longer stored to the device object and left empty.
      That means that existing policies that rely on that data (e.g. when using filters with device.enrollmentProfileName) will not be assigned to the new device. That is very annoying for compliance policies in particular if you want granular control (like not a compliance policy for all Personal devices, but being more selective about how they came into the system).
    2. UX is not as good as with Company Portal, it actually requires 3 logins instead of 2 with Company Portal. The promise of one single sign-in for the UX is not kept yet.
      The initial authentication is okay to receive the initial PRT / login credentials. However, these credentials are not accepted when the Managed Apple ID wants to log in with their federated account, ending up with another login prompt. At least, CA is not happy to fulfill MFA at this point, so it asks again for validation.
      It seems that the PRT that the Setup Assistant / Settings app receives is also not forwarded to the Authenticator app (yet). As a result, after the enrollment, the Authenticator app is empty and the accounts need to be added manually, including authentication.
      Apple's documentation about Account Driven User Enrollment states that the MDM can define one single app to be provisioned right during and/or after the enrollment. I suppose it receives the access token for further processing and that this app shall be the Microsoft Authenticator app. However, by assigning the Microsoft Authenticator app as just any other app in Intune, this requirement from Apple is not fulfilled and will not provide the experience we expect.
      Last, but not least: There is currently no good solution when the Authenticator app switches between personal and business context. That means by unenrolling the device, the Microsoft Authenticator app suddenly gets removed from the device (even though I had configured it differently in the Intune portal, but that setting seems to be overruled internally). This potentially leaves the user with no authentication methods and s/he has to call the Service Desk for assistance with the recovery. Not good!
      In case the user had installed the Authenticator app before (or it wasn't pulled after unenrolling the device, as one would assume), this app is not transferred to the business context during user enrollment. The user is not prompted to confirm the transfer and the Authenticator app just stays in user context. That might be okay but again, I wonder how this would work with what Apple has in their design for the MDM to designate a single broker app during the enrollment process.

    I know this is a Public Preview and it is in Development. Still, kind of sad there was no information about the missing pieces.
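As an added illustration, not code from the post, from Microsoft or from the commenter: a small Python model of the filter rule syntax the new MAM filters use, with a lint that catches the mismatch reported in the comment above between the "Managed" value the dropdown offers and the "MDM" value that actually matches. Only app.deviceManagementType and its two values come from the page; the operator subset and the property name app.osVersion are assumptions.

```python
import re
from typing import Dict, List

# Intune filter rules are parenthesised clauses joined by and/or, e.g.
#   (app.deviceManagementType -eq "MDM") and (app.osVersion -startsWith "16.")
# Only this operator subset is implemented, and matching is case-sensitive here.
CLAUSE = re.compile(r'\(\s*([\w.]+)\s+(-eq|-ne|-startsWith|-contains|-in)\s+(.+?)\s*\)')

# Values app.deviceManagementType can actually take, as the comment above reports:
# the portal dropdown offers "Managed", but only "MDM" ever matches.
ALLOWED = {"app.deviceManagementType": {"Unmanaged", "MDM"}}

def _values(raw: str) -> List[str]:
    """Turn '"MDM"' or '["Unmanaged","MDM"]' into a list of bare strings."""
    return [v.strip().strip('"') for v in raw.strip("[]").split(",")]

def lint_rule(rule: str) -> List[str]:
    """Warn about clauses that compare a property to a value it can never have."""
    warnings = []
    for prop, _op, raw in CLAUSE.findall(rule):
        for v in _values(raw):
            if prop in ALLOWED and v not in ALLOWED[prop]:
                warnings.append(f'{prop}: "{v}" never matches; use one of {sorted(ALLOWED[prop])}')
    return warnings

def _clause(prop: str, op: str, raw: str, props: Dict[str, str]) -> bool:
    actual = props.get(prop, "")
    if op == "-in":
        return actual in _values(raw)
    value = _values(raw)[0]
    return {"-eq": actual == value, "-ne": actual != value,
            "-startsWith": actual.startswith(value), "-contains": value in actual}[op]

def evaluate(rule: str, props: Dict[str, str]) -> bool:
    """Evaluate a rule against the properties an app reports at check-in."""
    expr = CLAUSE.sub(lambda m: str(_clause(*m.groups(), props)), rule)
    # Only True/False/and/or may remain; anything else is an unparsed clause.
    if not set(re.findall(r"\w+", expr)) <= {"True", "False", "and", "or"}:
        raise ValueError(f"unsupported clause in rule: {rule}")
    return bool(eval(expr, {"__builtins__": {}}, {}))  # tokens allow-listed above

# Constructed sample check-in; app.osVersion is an assumed property name.
APP_CHECKIN = {"app.deviceManagementType": "MDM", "app.osVersion": "16.4.1"}
DROPDOWN_RULE = '(app.deviceManagementType -eq "Managed")'  # what the dropdown produces
FIXED_RULE = '(app.deviceManagementType -eq "MDM") and (app.osVersion -startsWith "16.")'
```

Running `lint_rule` on a rule before saving it flags the dropdown value that would silently match nothing, while `evaluate` shows which check-ins a corrected rule actually selects.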

  • jrngsg (Iron Contributor)

    I have a lot of filters created.


    When I tried to use filters in an app protection policy from the deployment assignment, no result was found.