Microsoft Intune Blog

What's new in Microsoft Endpoint Manager - 2201 (January) edition

Ramya_Chitrakar
Jan 28, 2022

This month, I want to highlight three exciting new developments from the January release. First, we are pleased to announce simpler mobile security for iOS users as Microsoft Tunnel client functionality is added to the Microsoft Defender for Endpoint iOS app. Second, our filters capability enters general availability enabling IT admins to filter faster and more easily by device type, app, user, or scenario. Third, we are streamlining the process for app installation on macOS devices by enabling .DMG app installation in preview.

As usual, I appreciate your feedback and I hope you enjoy these behind-the-scenes stories of features that are newly released or coming soon. Comment on this post or connect with me on LinkedIn.

Simpler mobile security for iOS users with the unified Microsoft Defender for Endpoint and Microsoft Tunnel

After last year’s announcement of the addition of Microsoft Tunnel client functionality to the Microsoft Defender for Endpoint app, we also saw huge interest and adoption when we released the Defender for Endpoint App for Android.

The iOS client version has been highly anticipated, and we’re excited to say that it’s now available in preview! This means that mobile devices—whether Android or iOS—will take another leap forward in VPN security.

Microsoft Defender for Endpoint with Tunnel is a secure VPN connection for managed devices. Employees who download the Defender for Endpoint app on their iOS device therefore get a more holistic mobile threat defense solution. This solution enables secure and productive remote work and is fully configurable from Endpoint Manager.

To use the new, Tunnel-enabled version of Defender for Endpoint, users can download it directly from the Apple App Store. After installing, you will be able to:

  • Use the same Microsoft Tunnel Gateway server environment—no network infrastructure changes are needed.
  • Deploy VPN profiles for Microsoft Tunnel for the new version of the Defender for Endpoint app.

Steps to migrate from the Microsoft Tunnel client app to the combined Defender for Endpoint client are at https://aka.ms/tunnelmigrate.

Try it out today and share your feedback! Watch the video linked below for a short demo:

Using filters to ensure the right policies are deployed to the right set of devices

I am beyond excited to announce the general availability of filters in Microsoft Endpoint Manager. It’s great to be able to bring filters to a broader audience, especially when our preview customers have said things like "the ability to easily include or exclude devices from policies and configurations based on device properties is extremely useful."

Filters can be used with apps, policies, and other Endpoint Manager workloads to achieve new granular targeting scenarios at lightning speed. They give IT admins more flexibility when managing a diverse fleet of users, devices, and scenarios. Filters also help IT admins protect data within apps, simplify app deployments, and accelerate first-time device setup.

Filters ensure that policies, updates and apps can be selectively deployed to a subset of devices

Here are some of the ways that customers have leveraged filters to accomplish granular targeting:

  • Deploying Settings Catalog profiles to only a subset of Windows devices (e.g., only applying to corporate devices or devices stamped with an "engineering" device category.)
  • Managing Device Firmware Configuration Interface (DFCI) settings for specific Autopilot devices, using naming convention or operating system version.
  • Applying Enrollment Restrictions to users so they block enrollment of Windows 10 Home Edition devices.
  • Customizing the Windows setup experience for users with the Enrollment Status page, targeting a different experience for Windows 11 devices while keeping the existing page for Windows 10.
  • Applying Windows device restriction policy to just corporate devices (not personal devices) for users in a specific department such as Marketing.
  • Deploying an iOS app to only iPads (not iPhones) for users in a single group, such as Finance.
  • Defining a company-wide compliance policy for all Android mobile devices but excluding Android-based meeting room devices which require different compliance settings.
  • Deploying script packages to a subset of Windows devices for proactive remediation, reducing support calls, and improving security.
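To make the targeting model behind these scenarios concrete, here is an added illustration that is not part of the original post or of Endpoint Manager itself: a small Python stand-in that evaluates a filter rule (a list of property/operator/value clauses, with operator names borrowed from Intune's rule syntax) against a constructed device fleet, in either include or exclude mode, for the Marketing, Finance and Android meeting-room scenarios above. The device records, group names and the evaluator are assumptions for the example, not Intune's own engine.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Device:
    name: str
    ownership: str     # "Corporate" or "Personal" (Intune's device.deviceOwnership)
    model: str         # hardware model (device.model)
    category: str      # admin-assigned device category (device.deviceCategory)
    groups: frozenset  # Azure AD groups the device or its user belongs to

# A rule is a list of (property, operator, value) clauses that must all hold;
# operator names mirror Intune's rule syntax, but this evaluator is a stand-in.
def clause_matches(device: Device, prop: str, op: str, value: str) -> bool:
    actual = getattr(device, prop)
    if op == "-eq":
        return actual == value
    if op == "-contains":
        return value in actual
    raise ValueError(f"unsupported operator {op}")

def targeted(devices, group, rule=None, mode="include"):
    """Names of devices that receive an assignment to `group`: an include
    filter keeps only rule matches, an exclude filter drops them."""
    out = []
    for d in devices:
        if group not in d.groups:
            continue
        if rule is not None:
            hit = all(clause_matches(d, p, o, v) for p, o, v in rule)
            if (mode == "include") != hit:
                continue
        out.append(d.name)
    return out

# Constructed fleet; names, models and groups are made up for the example.
FLEET = [
    Device("MKT-LAP-01", "Corporate", "Surface Laptop", "marketing", frozenset({"Marketing"})),
    Device("MKT-HOME-01", "Personal", "HP Pavilion", "", frozenset({"Marketing"})),
    Device("FIN-IPAD-01", "Corporate", "iPad Pro", "finance", frozenset({"Finance"})),
    Device("FIN-IPHONE-01", "Corporate", "iPhone 13", "finance", frozenset({"Finance"})),
    Device("MR-ROOM-A", "Corporate", "Meeting Room Panel", "meeting-room", frozenset({"AllAndroid"})),
    Device("AND-USER-01", "Personal", "Pixel 6", "", frozenset({"AllAndroid"})),
]

# Three scenarios from the post, each as a group assignment plus a filter.
def corporate_only_marketing():
    return targeted(FLEET, "Marketing", [("ownership", "-eq", "Corporate")])
def ipads_only_finance():
    return targeted(FLEET, "Finance", [("model", "-contains", "iPad")])
def android_compliance_excluding_meeting_rooms():
    return targeted(FLEET, "AllAndroid", [("category", "-eq", "meeting-room")], mode="exclude")
```

The exclude case is the one worth noting: the compliance policy still reaches every Android device in the group except those the rule matches, so a personal device never silently inherits the meeting-room settings.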

We continue to improve filters, so keep the feedback coming and we will bring you more amazing ways to target workloads in 2022.

Making it easier to add third-party apps on macOS with .DMG installations

One of the top requested features from customers using Endpoint Manager for macOS devices has been support for installations of .DMG files. At Ignite, we announced our plans to deliver this, and today, I’m pleased to say that this feature is going into public preview.

To provide some context: for PC users, installing new apps is straightforward, using an .EXE installer. Equally, managing third-party installs on PCs has always been easy with Endpoint Manager.

The equivalent on macOS has, up to now, required a painstaking process for IT admins. Endpoint Manager previously only supported the installation of files in .PKG format. Customers needing to install a macOS app shipped as a .DMG first had to convert it to .PKG, sign the package, and then use the wrapping tool to convert it to .INTUNEMAC format.

Customers have shared with us that the conversion process was either time-consuming, or, at smaller firms, costly, as they lacked the capabilities in house. This became a growing issue in recent times as admins have had to manage a broader array of devices (including a greater mix of macOS) as employees worked from home on their personal devices. Enabling .DMG file extension installations for macOS is an important step forward; as one of the top requested customer additions it’s one of several enhancements we look forward to adding for macOS management.

If you are already using Endpoint Manager, this new capability arrives with the 2201 release. You can now simply upload the .DMG app and it will be deployed.

Further operational details are available in this short video:

Let us know what you think

We’ve been rolling up key feature releases through these posts. Please share your feedback on the features so we can continue to improve the user experience and simplify IT administration. You can also share comments, questions, and feedback by commenting on this post or connecting with me on LinkedIn.

  • conectaredes
    Copper Contributor

    The news that we're going to buy time by making deployment faster for macOS apps comes at a great time.

    We are looking forward to putting it to work.


    Best regards.


    José Oliveira

  • Aaron Buckley
    Copper Contributor

    Ohhhh, super pleased with both the availability of filters and macOS .DMG deployment!


    I see the filters being used extensively to help our users with at-home secondary machines, like personal desktops, still access our cloud resources without needing to risk deployment of policies intended for corporate-owned devices.

  • Hi,

    Just gave a quick test with Microsoft Defender for Endpoint and Microsoft Tunnel for iOS, and while it does allow me to access internal sites, I can't access the Defender interface.

    It just says "we couldn't find your account or your license is expired. Please try another account".

    I guess this is due to the fact my user does not own a Defender license. But I expect it not to be required as for Microsoft Defender for Android and Tunnel integration.

    Is there any "Custom Setting", like with Android, to disable all Defender features except Tunnel to make it work, like the Android version "defendertoggle" and "antiphishing"? I can't see any documentation available.

    Thanks.

  • Msevarino1
    Copper Contributor

    Just gave the .dmg install feature a test run and it doesn't appear to work. While I can create the app and assign it in Intune, it doesn't install on the device. I have tried both compressed and uncompressed disk images and both device assignments and user assignments. All app assignments are required.


    Update: Figured it out. I usually have the firewall set to block all incoming connections. This has never been a problem before with push installs with Intune. However, the disk image installs apparently require an incoming connection that can't be paired with a reciprocal outgoing/request connection from the Company Portal or otherwise. tl;dr, turning off "block all incoming connections on firewall" fixed the problem.

  • rhynotheimpaler
    Copper Contributor

    I appreciate the addition of .DMG support in Endpoint Manager, but will there be an option to make the apps 'available' to assignment groups? Looks like right now there is only the option to make a .DMG deployment required.

  • jrngsg
    Iron Contributor

    Custom installation parameters will not work with .dmg installation, and we still have to use shell scripts?