We’re excited to announce support for new settings and updates that will be in place when iOS 13 releases around September. We’ll update documentation as we make changes on our side but we wanted to consolidate information here for your convenience.

 

Some Unsupervised iOS Device Restrictions Change to Supervised-Only
Eleven iOS device restrictions will change from unsupervised to supervised-only with the iOS 13.0 release: 

App Store, Doc Viewing, Gaming

  • App store (supervised only)
  • Explicit iTunes, music, podcast, or news content (supervised only)
  • Adding Game Center friends (supervised only)
  • Multiplayer gaming (supervised only)

Built-in Apps

  • Camera (supervised only)
  • FaceTime (supervised only)
  • Safari (supervised only)
  • Autofill (supervised only)

Cloud and Storage

  • Backup to iCloud (supervised only)
  • Block iCloud Document sync (supervised only)
  • Block iCloud Keychain sync (supervised only)


If these settings were configured and assigned to unsupervised devices prior to the iOS 13.0 release, the device restrictions will still apply to the unsupervised devices—even after the devices are upgraded to iOS 13.0. However, these device restrictions will be removed from unsupervised devices that are backed up and restored. These restrictions will not be applied to unsupervised devices enrolled after the iOS 13.0 release, even if they are running an OS version earlier than iOS 13.0.

For the complete list of supervised settings, see iOS device settings to allow or restrict features using Intune. 


For more information about supervised mode, see Turn on iOS supervised mode.


New Device Restriction Settings
We’re excited to announce that we are providing support for four new supervised-only iOS 13.0 settings and one new macOS 10.15 setting prior to the software releases. We want you to be able to use these restrictions as soon as Apple releases iOS 13.0 and macOS 10.15, so they are now available with the 1908 Intune release. 

 

Note that these restrictions do not apply to devices that are enrolled through User Enrollment.

 

iOS
Keyboard and Dictionary

  • Quickpath (supervised only)

Built-in Apps

  • Find my iPhone (supervised only)
  • Find My Friends (supervised only)

Wireless

  • Wi-Fi always turned on
    (with the 1910 release, this new setting is replacing the old one)

macOS
Cloud and Storage

  • Handoff


For the complete list of macOS device settings, see macOS device settings to allow or restrict features using Intune. 


New User Enrollment Device Restrictions
Apple has announced the introduction of a new type of enrollment called User Enrollment for iOS 13, iPadOS, and macOS 10.15 Catalina devices. To prepare for the User Enrollment release, we are ensuring that your current Device Configuration policies will apply in a predictable manner to User Enrolled devices.

  • These settings are also available for devices enrolled through Device Enrollment and Automated Device Enrollment (previously known as DEP).
  • All settings supported by Intune that Apple allows on User Enrollment devices will continue to work on these devices using your current policies.
  • Settings that are available for devices enrolled through User Enrollment apply to all enrolled devices. 
  • Settings that are not marked as available for User Enrollment will not be applied to devices enrolled through User Enrollment. For example, if you block AirPrint on an iOS device that was enrolled through User Enrollment, AirPrint will not be blocked because that device restriction requires a supervised iOS device running iOS 11.0+. 


Some iOS/macOS profile types for Device Configuration that work for all enrollment types are listed below:

  • iOS and macOS >>  Wi-Fi, SCEP
  • macOS only >> VPN
  • iOS only  >> Email, PKCS certificate 


Settings Categorized by Enrollment Type
With the addition of User Enrollment alongside Device Enrollment and Automated Device Enrollment, we’re going to make it easier for you to intuitively navigate our settings UI by adding categorization headers to clarify which settings apply based on each of the enrollment types.

In the September Intune update or 1909, we’ll introduce categories that separate iOS and macOS settings by the enrollment type to which they apply. This new categorization pertains to device features and device restrictions for iOS and macOS profile types, along with the extensions profile type for macOS. This will make it easier to see which settings will apply to the devices you want to target based on how they were enrolled.

Note that these UI changes do not affect any existing profiles or Graph.

The new iOS/macOS enrollment headers and descriptions that will be on the blades are as follows: 


macOS

  • All enrollment types: These settings work for all devices enrolled in Intune, regardless of enrollment type.
  • Device enrollment: These settings work for devices that were enrolled in Intune through device enrollment.
  • User approved and automated device enrollment: These settings work for devices that were enrolled in Intune with user approval, and for devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices.
  • Automated device enrollment: These settings work for devices that were enrolled in Intune using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices. 


iOS

  • All enrollment types: These settings work for devices that were enrolled in Intune through device enrollment or user enrollment, and for devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices.
  • Device enrollment and automated device enrollment: These settings work for devices that were enrolled in Intune through device enrollment, and for devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices. 
  • Automated device enrollment: These settings work for supervised devices that were enrolled in Intune using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes devices supervised through Apple Configurator. 


Some additional changes

  • For devices running macOS 10.15 or later, FileVault encryption policies will only be targeted to those devices that are enrolled with user approval. 
  • Be sure to read the important note in the documentation, under the "Settings apply to: Device enrollment, Automated device enrollment (supervised)" section, related to pin: https://docs.microsoft.com/intune/device-restrictions-ios#password
  • allowFilesNetworkDriveAccess, allowFilesUSBDriveAccess, and forceWiFiPowerOn are device restrictions that were released in a later beta of iOS 13.0, and are all going to be available with the October or 1910 release. Once iOS 13.0/iPadOS 13.0 are released by Apple, you can configure these settings right away using Custom Configuration within Device Configuration.
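
A custom configuration profile carrying the three keys named above can be generated as follows. This is an added example, not code from Microsoft or from the original post; it assumes the keys are delivered in Apple's Restrictions payload (`com.apple.applicationaccess`), and the `org_id` identifier, display names and sample policy are constructed placeholders.

```python
import plistlib
import uuid

# Restriction keys named in the post; they belong to Apple's Restrictions
# payload (com.apple.applicationaccess).
IOS13_KEYS = ("allowFilesNetworkDriveAccess", "allowFilesUSBDriveAccess",
              "forceWiFiPowerOn")

def build_profile(settings, org_id="com.example.intune"):  # org_id: placeholder
    """Return .mobileconfig bytes carrying only the iOS 13 restriction keys."""
    unknown = set(settings) - set(IOS13_KEYS)
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    if not all(isinstance(v, bool) for v in settings.values()):
        raise TypeError("restriction values must be booleans")
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{org_id}.restrictions.ios13",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "iOS 13 Files and Wi-Fi restrictions",
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_id}.ios13",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "iOS 13 restrictions (custom profile)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def read_restrictions(data):
    """Parse a profile and return the iOS 13 keys it actually sets."""
    found = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.applicationaccess":
            found.update({k: p[k] for k in IOS13_KEYS if k in p})
    return found

# Constructed policy: block USB and network drives in Files, keep Wi-Fi on.
POLICY = {"allowFilesNetworkDriveAccess": False,
          "allowFilesUSBDriveAccess": False,
          "forceWiFiPowerOn": True}

if __name__ == "__main__":
    blob = build_profile(POLICY)
    print(blob.decode())  # save this output as a .mobileconfig file
    assert read_restrictions(blob) == POLICY
```

`read_restrictions` can also be run over profiles already in use to confirm which of the three keys they set before the built-in settings arrive.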

 

Post Updated

  • Updated 9/26/19 with a few additional clarifications on supervised devices, WiFi, and passcode policy.
  • Updated 10/1/19 to link to docs for pin information, Wi-Fi update.
11 Comments
New Contributor

Great news!

Does this mean Intune now supports `Data Separation for BYOD` and `Modern Authentication for Device Enrolment`  in iOS13?

Hi @Kengo Suzuki, thanks for reaching out, we’re excited too!

We'd also like to clarify both of these features: "Data Separation for BYOD" will be referred to as "User Enrollment", and "Modern Authentication for Device Enrollment" will only be applied to Automated Device Enrollment.

Both are currently In-Development, keep an eye out in our In-Development and What’s New Docs for these features to be released!

New Contributor

@Intune Support Team Great to hear, and sorry for the belated reply.

 

Thanks for the answer. We can't wait to apply it.

Senior Member

Hi @Intune Support Team, in the comment above you clarified that "User Enrollment" is still in development... can you please confirm that it definitely will not be supported day zero?  And if that is true are you able to say that it might be "weeks" away or "months"?  

Regular Contributor

@Robin Griffin User enrollment is rolling out at the moment!
Have a look in your tenant under Device enrollment, Apple enrollment if you see Enrollment Types.

Senior Member

@Peter Klapwijk Thanks for the heads up Peter!  Sadly like many others I see the option but creating a profile fails with a generic error every time.

Regular Contributor

@Robin Griffin Yes same for me. Tried it on different tenants, located in Europe and Asia-pacific. Even now I cannot save a profile.

Senior Member

@Peter Klapwijk I got a reply in another thread that it should be fully rolled out to all tenants by Monday.

Regular Visitor

Am I right in assuming that an iOS device not registered through DEP will still register as a personal device even if Company ownership type is selected during the Microsoft iOS "Company Portal" registration process?

 

I tested this multiple times and the above result is what I got. Intune still doesn't allow easy selection by the end user of whether a device is personal or company owned, if the above is true.

Occasional Visitor

Hello team,

 

We have some issues while accessing links uploaded in one of the application Delmia Apriso.

It's throwing the error "the document format is not supported".

While the same pdf file download link inside the application is working in the enrolled devices having iOS devices lower than 13.

 
 

@Brendan Main, for non DEP devices such as BYOD, Corporate device identifiers can be used to pre-declare devices as corporate-owned. More information can be found in our docs here: Identify devices as corporate-owned.

 

Additionally, to make managing devices easier, you can also use Microsoft Intune device categories to automatically add devices to groups based on categories that you define. After you configure device groups, and users enroll their device, they are presented with a list of the categories you configured. After they choose a category and finish enrollment, their device is added to the Active Directory security group that corresponds with the category they chose.

 

@parthpattnk, are you still experiencing an issue with the error you've described? Would recommend validating the data transfer policy configured for your App Protection policies.

 

Sharing a couple of articles that may help determine what to look for:

Troubleshoot mobile application management

Review client app protection logs

 

If you continue facing an issue where MAM is applied and opening documents is still not working as expected, please open a support case via the Intune Admin console's Help and Support or any of the methods here, as this will help the team capture all the information needed to resolve the issue. Also, please direct message us with your support case number for follow up.

 

Hope this helps!