This month, we’ll highlight new capabilities for IT administrators. These improvements are part of our continued investment in increasing security and IT productivity and in helping companies improve workers’ endpoint experience. Please visit the complete list of What’s New in Endpoint Manager for the 2108 (August) release. As usual, I appreciate your feedback. Comment on this post, connect with me on LinkedIn, or tag me @RamyaChitrakar on Twitter.
New macOS management capabilities
This month, we are introducing several new, customer-requested macOS configurations that ease the manageability of macOS devices. These new capabilities help you manage and troubleshoot line-of-business (LOB) app installs, customize your app delivery channel, and gain additional manageability options on supervised devices. With these improvements and several more on the way, we’re expanding your manageability portfolio for macOS devices.
Review and edit app detection logic
IT admins can now review and edit the logic that Intune uses to detect whether an app is successfully installed on a managed Mac. Before this feature, when an app installed successfully on a device but the app report showed "failed" or "pending", admins had to troubleshoot the error on their own, often with limited success, and then open a support ticket with Microsoft. Often Intune was looking for helper apps that never installed, or was reporting on apps whose app details were incorrect, but because the detection logic was not transparent, troubleshooting was trial and error.
This feature, a major advance for macOS LOB app deployment, makes the app detection process transparent to the admin. With that visibility, admins can review app detection rules before deployment rather than waiting for app reports to come back wrong, and when LOB apps are still incorrectly reported as “failed” or “pending”, they can troubleshoot the cause more effectively.
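To make the failure mode above concrete, here is an added illustration (not Intune's own code) of how a detection check behaves when one rule refers to a helper app that the installer never laid down. It assumes detection works by matching each expected bundle ID and version against the Info.plist of the installed app bundles; the rule list, paths and plist contents are constructed sample data.

```python
import plistlib

# Detection rules an admin would attach to a LOB .pkg: (bundle ID, version) pairs.
# Constructed sample; the helper entry is a component the installer never lays down.
EXPECTED_APPS = [
    ("com.contoso.editor", "4.2.0"),
    ("com.contoso.editor-helper", "4.2.0"),
]

# Info.plist of each app bundle actually present on disk (constructed sample).
INSTALLED_PLISTS = {
    "/Applications/Contoso Editor.app/Contents/Info.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.contoso.editor</string>
  <key>CFBundleShortVersionString</key><string>4.2.0</string>
</dict></plist>""",
}


def installed_apps(plists):
    """Map bundle ID -> version for every Info.plist blob provided."""
    found = {}
    for raw in plists.values():
        info = plistlib.loads(raw)
        found[info["CFBundleIdentifier"]] = info.get("CFBundleShortVersionString", "")
    return found


def detect(expected, installed):
    """Evaluate each detection rule against what is installed on the device."""
    statuses = {}
    for bundle_id, version in expected:
        if bundle_id not in installed:
            statuses[bundle_id] = "missing"
        elif installed[bundle_id] != version:
            statuses[bundle_id] = "version mismatch (found %s)" % installed[bundle_id]
        else:
            statuses[bundle_id] = "installed"
    return statuses


def report_status(expected, plists):
    """The app reports 'installed' only when every rule matches; a single stale
    helper rule turns an otherwise successful install into 'failed'."""
    statuses = detect(expected, installed_apps(plists))
    overall = "installed" if all(s == "installed" for s in statuses.values()) else "failed"
    return overall, statuses
```

Removing the stale helper rule from `EXPECTED_APPS` is what turns the report from "failed" to "installed"; with the detection logic visible, that edit can be made before deployment.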
The app install and troubleshooting experience is best shown in a video, so here’s a short demo of how to use this new capability:
Customize device configuration profiles
When creating a custom configuration profile for macOS devices, you can use the new deployment channel setting to specify whether the profile is sent to the user channel or the device channel. Previously, all profiles deployed using custom configuration were sent to the device channel. This feature gives IT admins greater control over the custom profiles they create and helps prevent failed deployments caused by a profile being sent to the wrong channel. For example, when you use custom configuration to deploy a profile that is only available on the user channel, you can ensure the profile is sent only to the user channel by configuring this setting.
To learn more about using a payload in a device profile or a user profile, see Profile-Specific Payload Keys. See the screen shot below for where the experience is in the Microsoft Endpoint Manager admin center.
Block Game Center on managed macOS devices
Mac devices may be enrolled in Supervised mode, which is often used when the device is deployed in a school, a retail store, or on a manufacturing floor. These devices are typically purpose-driven, IT managed, and enrolled through Apple’s Automated Device Enrollment. In this release, we’ve enabled you to prevent users from adding friends in Game Center, or to block Game Center entirely and remove it from the home screen, with new settings you can configure on devices running macOS 10.13 and newer. In addition, admins can now:
Prevent multiplayer gaming in the Game Center.
Block any changes to wallpaper.
See the screen shot below for where to configure the settings in the Microsoft Endpoint Manager admin center.
Configure Google’s new SafetyNet Attestation API
We have been partnering closely with Google to incorporate customer feedback to build and strengthen Endpoint Manager’s security features. Google recently added the “hardware-backed key” evaluation type for SafetyNet Attestation, which helps to verify the integrity of an Android device. In response to customer requests, we developed the “required evaluation type” setting so security teams and IT admins can configure the evaluation type within Endpoint Manager.
To use SafetyNet in Endpoint Manager:
Review your Compliance policies and App Protection Policies specific to Android.
In the Compliance policy settings, you can now configure the Required SafetyNet evaluation type compliance setting for personally owned work profile devices. This new setting becomes available after you configure SafetyNet device attestation to either Check basic integrity or Check basic integrity & certified devices. You can then select the desired SafetyNet evaluation type. A hardware-backed key type is recommended because it provides stronger assurance of a device’s integrity. Devices that do not support hardware-backed key attestation will be marked as not compliant.
To use the App Protection Policies with Conditional launch, select SafetyNet device attestation in the Conditional launch Android policy setting and select the desired SafetyNet evaluation type. A hardware-backed key type is recommended because it provides stronger assurance of a device’s integrity. Devices that do not support hardware-backed key attestation will be marked as not compliant and blocked by the mobile application management policy.
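To show how the two policy choices above interact with what a device actually returns, here is an added example (not Endpoint Manager's own code) that decodes the claims of a SafetyNet attestation JWS and applies the attestation level and required evaluation type to them. The claim names (`basicIntegrity`, `ctsProfileMatch`, `evaluationType`) are those of Google's SafetyNet Attestation API; the policy constants, helper functions and the three sample tokens are constructed here, and the JWS signature is deliberately not validated, which a real verifier must do first.

```python
import base64
import json

# Policy values as shown in the Endpoint Manager settings described above
# (these string constants are this example's own labels, not Intune identifiers).
ATTEST_BASIC = "Check basic integrity"
ATTEST_CERTIFIED = "Check basic integrity & certified devices"
EVAL_BASIC = "Basic"
EVAL_HW_BACKED = "Hardware-backed key"


def decode_jws_payload(jws):
    """Decode the claims of a compact-form SafetyNet attestation JWS.
    Signature and certificate-chain validation are out of scope here."""
    payload = jws.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate(claims, attestation_level, required_eval):
    """Return (compliant, reason) for one attestation result under a policy."""
    if not claims.get("basicIntegrity", False):
        return False, "basicIntegrity is false"
    if attestation_level == ATTEST_CERTIFIED and not claims.get("ctsProfileMatch", False):
        return False, "ctsProfileMatch is false (device not certified)"
    # evaluationType is comma-separated, e.g. "BASIC" or "BASIC,HARDWARE_BACKED".
    types = {t.strip() for t in claims.get("evaluationType", "").split(",") if t.strip()}
    if required_eval == EVAL_HW_BACKED and "HARDWARE_BACKED" not in types:
        return False, "hardware-backed evaluation required, device offers " + (", ".join(sorted(types)) or "none")
    return True, "ok"


def constructed_jws(claims):
    """Build a JWS-shaped token with a dummy header and signature (constructed test data)."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([b64(b'{"alg":"RS256"}'), b64(json.dumps(claims).encode()), b64(b"not-a-signature")])


# Constructed results: a certified device with hardware-backed evaluation, a certified
# device that only supports basic evaluation, and a device that fails basic integrity.
COMMON = {"nonce": "Y29uc3RydWN0ZWQ=", "timestampMs": 1628000000000}
SAMPLES = {
    "hw_backed": constructed_jws({**COMMON, "basicIntegrity": True, "ctsProfileMatch": True,
                                  "evaluationType": "BASIC,HARDWARE_BACKED"}),
    "basic_only": constructed_jws({**COMMON, "basicIntegrity": True, "ctsProfileMatch": True,
                                   "evaluationType": "BASIC"}),
    "tampered": constructed_jws({**COMMON, "basicIntegrity": False, "ctsProfileMatch": False,
                                 "evaluationType": "BASIC"}),
}


def check(sample, attestation_level, required_eval):
    return evaluate(decode_jws_payload(SAMPLES[sample]), attestation_level, required_eval)
```

The `basic_only` sample is the case the text warns about: it passes every integrity check, yet a policy requiring the hardware-backed evaluation type still marks it not compliant because the device cannot offer that evaluation.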
Device scores in endpoint analytics
IT admins can now get scores, baselines, and insights for specific devices in endpoint analytics. Now in public preview, this feature will help admins identify devices impacting the user experience and fix issues before a user must call the support desk. Prior to device scores, admins were only able to review scores at the tenant level in endpoint analytics.
Explore endpoint analytics scores, baselines, and insights documentation for details. Scores range from 0 to 100, with lower scores indicating room for improvement. Select a device to load a page with additional information. Here’s what the experience looks like in the admin center:
Share your feedback
We keep our customers’ needs top of mind and invest in areas that improve the user experience and simplify IT administration. Questions? Feedback? Comment on this post, connect with me on LinkedIn, or tag me @RamyaChitrakar on Twitter.