This month, we’re releasing new productivity and security capabilities. You can view the complete list of What’s New in the 2105 (May) release for details. Below you’ll find more about my favorite features shipped this month. As usual, I appreciate your feedback. Comment on this post, connect with me on LinkedIn, or tag me @RamyaChitrakar on Twitter.
Protecting data on different device types with filters
Filters let you maximize your current asset investments while protecting data on personal, company-owned, and shared devices. You can use filters to target policy and apps based on specific device attributes. The applications are endless. Out of many customer use cases, these three consistently guide our filters development:
You want to apply a consistent compliance policy setting the minimum OS version on all enrolled Android devices but omit Microsoft Teams Android devices from this policy. Now, you can simply apply one compliance policy across your entire portfolio and filter out the device type where it doesn’t make business sense to apply the policy.
Part of your device environment includes iPadOS devices that run a business-critical app certified by a regulatory agency for use with specific OS versions. Your iPadOS devices cannot update their OS until the app is certified for use with the latest OS. You also have bring-your-own-device (BYOD) iOS devices, which meet your minimum OS policy but can update any time your user wants to take advantage of the latest features and security updates. You can now create one policy for updating all iOS devices but filter specific iPadOS devices out of the policy. That way your BYOD devices stay current and your iPadOS devices remain under your update control.
Your device portfolio includes Autopilot-enrolled Windows 10 devices, BYOD Windows 10 devices, and Windows Virtual Desktops, which several of your developers have for testing. You have an app purchased for business use, but due to licensing restrictions you don’t want BYOD Windows devices or Windows 10 virtual devices to use the app licenses. You can now make the app available on all Windows 10 devices in your portfolio but omit BYOD and virtual devices.
Check out this post for more details on filters and look for additional device attributes and capabilities in the future.
Several customers have asked how to best approach filters. We recommend that you:
Assess all the assignments in your organization. Many customers have a mix of corporate and personal devices.
Review each app assignment and policy.
Evaluate if these assignments and policies are correctly scoped or if there’s a device filter that you can apply to better meet the app or policy needs.
Determine if one filter can be used in multiple scenarios as a reusable entity – this simplifies the management and application of filters.
Test and apply filters.
I am incredibly proud of the engineering work done to build the filters capability. Our rules engine performance for filter evaluation is world class – our scale testing found filter evaluations for 350K device check-ins took less than 1 second! The feature works in conjunction with Azure Active Directory groups and complements your identity management group options to ensure you have flexibility for your business needs.
Supporting Windows 10 Enterprise multi-session (public preview)
You’ve likely used Windows Virtual Desktop. It delivers a Windows 10 desktop experience on any device, anywhere, integrated with Microsoft 365 security features, and often at a reduced cost: you can use existing licenses with a modern, cloud-based virtual desktop infrastructure and pay only for what you use. This preview will enable your frontline workforce to share the same enterprise multi-session virtual machine! You can quickly and easily enroll, provision, and manage the virtual machine with a new, simplified policy authoring experience targeted to shared Windows multi-session devices.
You can see your organization’s multi-session virtual machines in the Microsoft Endpoint Manager admin center.
Customizing and managing policies more easily
The settings catalog makes it easier to customize, set, and manage device and user policy settings. Many customers have shared that managing policy configuration through custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy is cumbersome, difficult to report on, and often unsupportable. Our 2105 service release supports your move from Group Policy Objects (GPO) or custom OMA-URI to cloud-based consolidated policies. We’ve added 5,000 settings to the settings catalog for Edge, Office, and OneDrive, including additional settings for macOS and Windows!
With the settings catalog, we aim to close the gap on available configuration service provider (CSP) settings in Windows, standardize policy settings across the console (such as with a “not configured” policy option), and simplify the policy creation workflow. Try these new settings in a few ways:
Start from an empty policy and simply select what you want from a library of available settings.
Use one of several pre-created templates that will provide the security, user experience, and productivity settings most used by customers.
Compare what you’ve set as your baseline with what’s configurable in the cloud through CSPs. This is a good option if you still have a number of GPO settings. Last month, we released a Group Policy analytics preview tool that makes it possible to compare your GPO settings with Mobile Device Management policy CSPs.
Review your custom OMA-URI policies and compare them to the options in the settings catalog. Reporting and conflict resolution greatly improve when you move off custom OMA-URI policies.
Add policies we’ve introduced this month to your existing, already configured baselines.
Explore more detailed information on the settings catalog.
We keep our customers’ needs top of mind. This month, we introduced several capabilities to improve your daily life. We listen to your feedback and make changes and investments aimed at improving the user experience as well as simplifying IT administration. Questions? Feedback? Comment on this post, connect with me on LinkedIn, or tag me @RamyaChitrakar on Twitter.