Microsoft Endpoint Manager support for iOS 14, iPadOS 14 and watchOS 7
Published Sep 16 2020 12:00 PM

Microsoft Intune is excited to support Apple in their launch of iOS 14, iPadOS 14, and watchOS 7. We are delighted to deliver new functionality alongside Apple’s launch – ensuring you can be at the cutting edge to support your users wherever they are working or learning this fall.

 

Here are the new Apple scenarios we support and updates we’ve made to provide the best MDM and APP experience:

  • In our September release, we support several new configurations for MDM enrolled iOS and iPadOS 14.0+ devices, including:
    • Disable iOS/iPadOS App Clips
    • 4096-bit SCEP certificate keys
    • Custom maximum transmission unit (MTU) values for IKEv2 VPN connections
    • Per-account VPN routing for the native Mail app
    • Prevent users from disabling automatic VPN
    • Associated domains for per-app VPN connections
    • Excluded domains for per-app VPN connections

  • Apple Business Manager and Apple School Manager have been updated with a new view for all devices and Custom Apps functionality for distributing apps internal to your organization. Last year’s integration with Microsoft Azure Active Directory to enable Federated Authentication for Managed Apple IDs now works alongside SCIM (System for Cross-domain Identity Management) to help keep account data in sync.

  • There have been improvements to the Apple Push Notification service (APNs) to improve communication, which Intune supports.

In upcoming releases, we plan to add even more features to support your Apple management journey, including skipping Restore Completed and Update Completed panes during Automated Device Enrollments on iOS and iPadOS 14.0+.

 

With iOS and iPadOS 14, devices will automatically present a randomized MAC address for enhanced privacy when connecting to networks rather than defaulting to physical MAC addresses. If you rely on static MAC addresses in your environment, which may be used for network access control (NAC), you can disable MAC address randomization on a per-network basis in your Wi-Fi profile configuration for iOS and iPadOS 14 in our September release.

 

If you update an assignment from “Required” to “Available for enrolled devices”, new app installations will be installed as removable. Existing apps that were originally installed as “Required” remain non-removable until the user requests to install the app from Company Portal, which then updates the installed app’s property to removable.

 

Based on customer feedback, iOS 14 apps deployed as “Required” will become removable when the November update of Intune is released. Managed iOS devices need to sync with Microsoft Endpoint Manager to reflect the change in required apps.

 

In iOS 14, users can set their default mail and browser apps. The latest Outlook version (4.55.1) supports this functionality, and Edge supports it as of version 45.8.9.

 

iOS and iPadOS 14 offer the ability for app developers to provide widgets that present key information from apps on users’ home screens. If an app creates a widget, that widget will show up on the user's device. Microsoft Endpoint Manager will not obscure the information displayed in widgets. If a widget from a protected app contains any links, APP protects those links in the same way that links within the app are protected.

 

In iOS and iPadOS 14, there are some updates to how pasteboard works. Here’s what this means for your apps protected with APP:

  • For apps that have not updated to the most recent version of the Intune SDK (12.9.0), managed accounts trigger pasteboard notifications frequently. This is because Intune checks the pasteboard when the app becomes active to ensure data on the pasteboard is being protected correctly. For iOS and iPadOS 14, Intune has changed to applying restrictions on paste/copy rather than on app launch/resume.
  • Because Intune can no longer read the pasteboard content without triggering a pasteboard notification, it cannot hide the paste button (where we would have blocked the paste action) for accounts with a non-zero paste-in exception policy. The paste button appears only until a paste action has been taken, and when selected it pastes "Your personal data cannot be pasted here. Only <admin-defined number> characters are allowed." After the first paste in the managed app, Intune knows the contents and can properly hide the button.

In 2021, Apple will update the format of serial numbers for products to a randomized string of 10 characters. This should not impact your Intune enrollments.

 

We have fixed an issue on iPadOS 14, where Shared iPads could not complete enrollment and continue to show “awaiting final configuration from company”. The fix will be available in the October update of Microsoft Intune enabling you to successfully enroll Shared iPads running iPadOS 14.

 

We’re investigating an issue with iOS and iPadOS 14 and OneDrive where users cannot access OneDrive files through the Files app or FileProvider API when the device is enrolled with the following device restrictions:

  • “Viewing corporate documents in unmanaged apps” is blocked.
  • “Viewing non-corporate documents in corporate apps” is not configured.

We have recently made changes to our iPadOS enrollment service that are live for public cloud tenants already. These changes are rolling out to the government cloud in the next week. In the meantime, if you would like to enroll a device running iPadOS 14 through the Company Portal, you can follow a few simple steps:

  1. Go to iOS Settings > Safari > Request Desktop Websites and turn off “Request Desktop Website on All Websites”
  2. Go to iOS Settings > Safari and select the Clear History and Website Data option
  3. Log into the Company Portal app and enroll your device

Apple posted updated versions of the operating system software license agreements for both Apple Business Manager and Apple School Manager on September 16, 2020. Your organization won’t be able to enroll devices or deploy new apps until an administrator has signed into either Apple Business Manager or Apple School Manager and has accepted the new terms.

 

For more information, see the Apple Support article “If Apple Business Manager or Apple School Manager asks you to approve new terms and conditions”.

 

Known Issues:

MAC address randomization is on by default for both iOS 14 and iPadOS 14, which breaks network access control (NAC) for Wi-Fi where the MAC address is used as the lookup key.

We’re releasing the ability to turn this feature off within the 2009 service release. As this feature will be rolling out gradually over the next few days, there will be a gap where these devices won’t be able to connect to NAC-enabled Wi-Fi until the user turns off MAC address randomization.

As a workaround, impacted users will need to manually turn off "Private Address" for the Wi-Fi Network they are connected to within the Settings app after they upgrade to iOS 14 and iPadOS 14. Note that this is a per-network setting and will need to be applied to each impacted Wi-Fi network on the device.
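To scope the impact on the NAC side, the following added example (not from the original post or from Microsoft) separates rejects caused by randomized addresses from rejects for genuinely unknown hardware, using the fact that a randomized MAC address is a unicast address with the locally administered bit set in its first octet. The log format, its field names (`auth`, `ssid`, `mac`) and the sample lines are constructed assumptions.

```python
import re

# Constructed sample lines in an assumed NAC log format (not from a real product).
SAMPLE_LOG = """\
2020-09-17T08:01:12Z auth=reject reason=unknown-mac ssid=CorpWiFi mac=3A:5F:9C:11:22:33
2020-09-17T08:01:40Z auth=accept ssid=CorpWiFi mac=F0:18:98:AA:BB:CC
2020-09-17T08:02:05Z auth=reject reason=unknown-mac ssid=CorpWiFi mac=d6-0b-7e-44-55-66
2020-09-17T08:03:19Z auth=reject reason=unknown-mac ssid=CorpWiFi mac=F0:18:98:DE:AD:01
2020-09-17T08:04:02Z auth=reject reason=unknown-mac ssid=CorpWiFi mac=3A:5F:9C:11:22:33
"""

MAC_RE = re.compile(r"mac=((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")
SSID_RE = re.compile(r"ssid=(\S+)")


def normalize_mac(mac):
    """Lower-case, colon-separated form so duplicates compare equal."""
    return mac.replace("-", ":").lower()


def is_locally_administered(mac):
    """True for unicast addresses with the locally administered bit set."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    # 0x02 = locally administered bit, 0x01 = multicast (group) bit.
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def triage_rejects(log_text):
    """Group rejected MACs per SSID into 'randomized' and 'hardware' lists."""
    buckets = {}
    for line in log_text.splitlines():
        if "auth=reject" not in line:
            continue
        mac_m, ssid_m = MAC_RE.search(line), SSID_RE.search(line)
        if not mac_m or not ssid_m:
            continue  # skip lines that lack the fields we key on
        mac = normalize_mac(mac_m.group(1))
        kind = "randomized" if is_locally_administered(mac) else "hardware"
        entry = buckets.setdefault(ssid_m.group(1),
                                   {"randomized": set(), "hardware": set()})
        entry[kind].add(mac)
    # Sorted lists make the report stable across runs.
    return {ssid: {k: sorted(v) for k, v in kinds.items()}
            for ssid, kinds in buckets.items()}


if __name__ == "__main__":
    for ssid, kinds in triage_rejects(SAMPLE_LOG).items():
        print(ssid, kinds)
```

SSIDs with many entries under `randomized` are the networks where "Private Address" needs to be turned off, either by the user or through the Wi-Fi profile setting.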

 

What should you do now?

  • If you haven’t been testing with the public beta releases, be sure to test your scenarios now that iOS and iPadOS 14 are releasing.
  • Test out new Endpoint Manager functionality and see how it might apply to scenarios in your organization.
  • Accept Apple’s new versions of operating system software license agreements in Apple Business Manager.

Keep us posted on your favorite new feature and as always let us know if you have any additional questions or feedback. You can comment on this post or reach out to us on Twitter by tagging us at @IntuneSuppTeam.

Thank you for all the feedback you have been providing regarding how you want to use the new app property in iOS and iPadOS 14 to mark an app as non-removable. We are actively investigating how we can best address your feedback. Stay tuned to In development and What’s New in Microsoft Intune to see future updates regarding this.

 

Blog post updates:

9/16/20: Included a known issue section.

9/17/20: With an update to clarify the Known Issue section, and an update to note that both Apple Business Manager and Apple School Manager administrators will need to accept the updated versions of operating system software license agreements to be able to enroll devices or update new apps.

9/24/20: With an update to clarify the “Required” assignment type scenario for apps on iOS and iPadOS 14 devices where apps are marked as non-removable.

10/6/20: With an update to Shared iPads - We have fixed an issue on iPadOS 14, where Shared iPads could not complete enrollment and continue to show “awaiting final configuration from company”. The fix will be available in the October update of Microsoft Intune enabling you to successfully enroll Shared iPads running iPadOS 14.

10/21/20: We previously communicated that when using the “Required” assignment type for apps on iOS 14 devices, apps are marked as non-removable. As communicated in MC224749, based on customer feedback, iOS 14 apps deployed as “Required” will become removable when the November update of Intune is released. Managed iOS devices need to sync with Microsoft Endpoint Manager to reflect the change in required apps. We are currently working on the ability for admins to toggle the setting in the UI and expect that feature to release in December.

Last update: Dec 19 2023 01:24 PM