Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune This blog was written to provide guidance to Microsoft Intune admins that need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government’s Department of Home Affairs Protective Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). Guidance provided in this blog uses the DeepSeek – AI Assistant and associated website as an example, but you can use the provided guidance for other apps and websites as well. The information provided in this guidance is supplemental to previously provided guidance which is more exhaustive in the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. iOS/iPadOS devices For ease of reference, the below information is required to block the DeepSeek – AI Assistant app: App name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Link to Apple app store page: DeepSeek – AI Assistant Publisher: 杭州深度求索人工智能基础技术研究有限公司 Corporate devices (Supervised) Hide and prevent the launch of the DeepSeek – AI Assistant app The most effective way to block an app on supervised iOS/iPadOS devices is to block the app from being shown or being launchable. Create a new device configuration profile and select Settings Catalog for the profile type. (Devices > iOS/iPadOS > Configuration profiles). On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs. Select the Restrictionscategory and then select the checkbox next to the Blocked App Bundle IDs setting. Enter the Bundle ID: com.deepseek.chat Assign the policy to either a device or user group. Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can’t use this option. Uninstall the DeepSeek – AI Assistant app If a user has already installed the app via the Apple App Store, even though they will be unable to launch it when the previously described policy is configured, it’ll persist on the device. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it somehow gets installed at any point in the future, while the policy remains assigned. Navigate to Apps > iOS/iPadOS apps. Select + Add and choose iOS store app from the list. Search for DeepSeek – AI Assistant and Select. Accept the default settings, then Next. Modify the Scope tags as required. On the Assignments tab, under the Uninstall section, select + Add group or select + Add all users or + Add all devices, depending on your organization’s needs. Click the Create button on the Review + create tab to complete the setup. Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed. Personal Devices – Bring your own device (BYOD) Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options: Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement). Use a report to identify personal devices with specific apps installed. Takeover the app with the user’s consent. Uninstall the app. This guide will focus on option 1. For further guidance on the other options refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources You can use compliance policies in Intune to mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can now prevent the user from accessing protected company resources when using a non-compliant device. Create an iOS/iPadOS compliance policy, by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy. On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next. Name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next. Assign any Scope tags as required and select Next. Assign the policy to a user or device group and select Next. Review the policy and select Create. Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status, under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as “Not compliant”. When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed. Android devices Android Enterprise corporate owned, fully managed devices Admins can optionally choose to allow only designated apps to be installed on corporate owned fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy. If this setting has been configured as Block or Not configured (the default), no additional configuration is required as users are only able to install apps allowed by the administrator. Uninstall DeepSeek To uninstall the app, and prevent it from being installed via the Google Play Store perform the following steps: Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu. r DeepSeek – AI Assistant in the Search bar, select the app in the results and click Select and then Sync. Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments. Under the Uninstall section, add a user or device group and select Review + save and then Save. After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”: The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, the example error below is displayed on the user’s managed device: Android Enterprise personally owned devices with work profile For Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile. Note: Apps installed outside of the work profile can’t be managed by design. Windows devices You can block users from accessing the DeepSeek website on Windows devices that are enrolled into Microsoft Defender for Endpoint. Blocking users’ access to the website will also prevent them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already enrolled into Microsoft Defender for Endpoint. Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge First, Custom Network Indicators needs to be enabled. Note: After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP Address to be blocked on a device. Access the Microsoft Defender admin center and navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button. Select Save preferences. Next, create a Custom Network Indicator. Navigate to Settings > Endpoints > Indicators and select URLs/Domains and click Add Item. Enter the following, and then click Next: URL/Domain: https://deepseek.com Title: DeepSeek Description: Block network access to DeepSeek Expires on (UTC): Never You can optionally generate an alert when a website is blocked by network protection by configuring the following and click Next: Generate alert: Ticked Severity: Informational Category: Unwanted software Note: Change the above settings according to your organization’s requirements. Select Block execution as the Action and click Next, review the Organizational scope and click Next. Review the summary and click Submit. Note: After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device. Once the Custom Network Indicator becomes active, the user will experience the following when attempting to access the DeepSeek website via Microsoft Edge: Using Defender for Endpoint to block websites in other browsers After configuring the above steps to block access to DeepSeek in Microsoft Edge, admins can leverage Network Protection to block access to DeepSeek in other browsers. Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy and selecting the following then click Create: Platform: Windows 10 and later Profile type: Settings Catalog Enter a name and description and click Next. Click + Add settings and in the search field, type Network Protection and click Search. Select the Defender category and select the checkbox next to Enable Network Protection. Close the settings picker and change the drop-down selection to Enabled (block mode) and click Next. Assign Scope Tags as required and click Next. Assign the policy to a user or device group and click Next. Review the policy and click Create. When users attempt to access the website in other browsers, they will experience an error that the content is blocked by their admin. macOS macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in the guidance. Enable Network Protection Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center: Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create. Enter an appropriate name and description and select Next. Click + Add settings and in the search bar, enter Network Protection and select Search. Select the Microsoft Defender Network protection category and select the checkbox next to Enforcement Level and close the Settings Picker window. In the dropdown menu next to Enforcement Level, select Block and select Next. Add Scope Tags as required and select Next. Assign the policy to a user or devices group and select Next. Review the policy and select Create. The user when attempting to access the website will experience the following: Conclusion This blog serves as a quick guide for admins needing to block and remove specific applications on their Intune managed endpoints in regulated organizations. Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Additional resources For further control and management of user access to unapproved DeepSeek services, consider utilizing the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers valuable information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users. Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.From the frontlines: Frontline worker management with Microsoft Intune
So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management - with experience managing Windows devices, personal mobile devices, or corporate-owned productivity user based mobile devices. Maybe you just completed your migration efforts from another product to Intune for some portion of your device estate. Or this may be your first interaction with Intune. Regardless of where you’re starting from, managing frontline worker devices in Intune is simple, and you can even leverage existing Intune policies you already configured. So, get out that rugged bar code scanner, Android tablet, kiosk device, shared iPad, wearable device, or any other frontline worker device and let’s get started! My name is Dan Andersen, Principal PM Manager at Microsoft. My team partners directly with engineering to assist in product development and our worldwide team has assisted over 1,800 enterprises successfully onboard their device scenarios into Intune. In this post I’m introducing a blog series focused on frontline worker (FLW) device management. Why focus on FLW? This space represents a multitude of devices and use-cases that have enabled frontline workers, and we’ve worked with others like you to craft great FLW solutions. We will use this series to share these solutions and options with you and hopefully make your FLW journey with Intune seamless and exciting. Before getting into the series, if you’re looking for some background on FLW usage examples, check out the Microsoft Intune Blog: Microsoft Intune empowers frontline workers in retail and beyond. Throughout this year we’ll deliver monthly blogs delving into FLW use-cases and how to manage these devices. We’ll dive into key scenarios and explain how to approach them and at times, specifically how to configure them. Instead of rewriting product documentation, we’ll include links to more details when applicable, and keep the posts focused on enabling success. Each blog post will be published here in the Microsoft Intune Customer Success blog and include “From the Frontlines:” in the title for easy searching. For quick reference, we’ll keep this table updated as we publish the series, so stay tuned here or follow us @IntuneSuppTeam on X for more in the coming months! Blog Topics Publish date From the frontlines: Revolutionizing healthcare worker experience February 28, 2025 From the frontlines: Accelerating retail worker shared device experience (Part one) March 25, 2025From the frontlines: Revolutionizing healthcare workers experience
I'm Catarina Rodrigues and recently, I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. In this “From the frontlines” blog, I want to share with you some of my learnings. Technology has revolutionized the healthcare sector, where hospitals are replacing paper with digital systems to ensure patient information is securely stored and easily accessible. Doctors can now check patient files and statuses on the go as they move around the hospital. Nurses can check their patients’ exams digitally and first responders in ambulances get access to essential information that helps save lives. As shared in From the frontlines: Frontline worker management with Microsoft Intune , Intune allows healthcare organizations to secure mobile devices and manage data access, while ensuring a great user experience. Intune supports multiple platforms, making it the ideal solution for unified endpoint management. It allows for the configuration of devices to meet specific needs, whether for individual users, shared devices, or dedicated use. Let's look at an example of how Intune can enhance healthcare operations and patient care: The Nurses station in the Hospital’s ICU Nurses in the Intensive Care Unit (ICU) manage some of the most complex patient cases within the hospital and are typically responsible for multiple patient beds on the same floor. They typically have a short time window to act, need access to patient records and must easily communicate with other departments in the hospital. To modernize workflows and improve patient care, IT admins of a hospital are looking at ways to implement the use of Android tablets in the nurses’ station of the ICU. With this device, they are hoping to provide the nurses access to essential information, such as a live feed of patient rooms, vital signs and recent exam results, allowing them to monitor significant changes in their patient’s health. To build such a reliable and safe solution, IT admins need to consider the following requirements: These Android devices are shared by different people throughout the day, as nurses work in shifts. Users must sign in using their credentials to ensure they are verified and authorized hospital staff. New versions of essential applications need to be tested before moving to production. System and application updates need to happen during a specified maintenance window. This device is used to communicate with other hospital services via message or voice. This device can only connect to approved networks. Considering these requirements, we can set up these devices as Android Enterprise Dedicated with Microsoft Entra Shared Device Mode (Fig. 1) to enable nurses to use them even as shifts change. Fig. 1 – Setting up a Corporate-Owned Android Enterprise Dedicated with Microsoft Entra shared mode enrolment profile. Nurses must sign in and authenticate to access this information, thereby protecting their patients' personal information. With Managed Home Screen, nurses will see a login screen that they can use to authenticate once (Fig. 2). From that point onward, during their shift, they’re signed in to all applications seamlessly and can trigger access using a PIN. IT admins work with the developers of essential applications to enable phased deployments of new application versions using testing tracks in assignments. IT admins can use application configuration policies to manage settings of essential applications. System and applications updates can be scheduled to occur during a maintenance window to avoid disruption in the critical ICU department. Lastly, by utilizing Intune configuration profiles, IT admins can set up Microsoft Teams to function as a walkie-talkie, enabling the voice feature. For security measures, Wi-Fi connectivity is limited to the hospital's network. These profiles can also be used to set up a custom wallpaper with hospital branding or even a widget to display weather conditions. This is just an example of how Intune can assist healthcare organizations in managing their FLW devices. Other examples include doctors being able to check patient files and calendars on their managed corporate iPhones, or hospitals having an admission system at the entrance that allows patients to check-in easily upon arrival for their consultation. This blog is part of a series: “From the frontlines:”. We’ll publish additional blogs on other healthcare scenarios and industries, such as retail and airlines, in the upcoming months. Check out From the frontlines: Frontline worker management with Microsoft Intune to see all other “From the frontlines:” blogs! Stay tuned! Please refer to the documentation here for more guidance: For information on how to set up shared Android devices refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune You can find more information on Managed Home Screen and how it can improve the user experience refer to: Configure the Microsoft Managed Home Screen app If you’d like to learn more about how Microsoft Entra Shared Device Mode can help your users easily sign in and sign out leveraging single sign-on review: Shared Device Mode overview - Microsoft identity platform To learn about how to setup maintenance windows and define application update conditions refer to: Corporate-owned Android Enterprise device restriction settings in Microsoft Intune Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.From the frontlines: Accelerating retail worker shared device experience (Part one)
By: Yusuke Shinoki – Sr Product Manager | Microsoft Intune This is the second article in the "From the frontlines" series. I'm Yusuke Shinoki, I wanted to share the insights I’ve gained from my retail customers who often talk to me be about their frontline worker device scenarios. Technology has revolutionized the retail industry by enhancing operational efficiency and customer experiences. Retail employees now use shared devices to access inventory data, check product availability, and manage orders on the go. Store staff monitor sales and productivity digitally, enabling frontline workers to better serve customers by quickly accessing essential information. In supermarkets and pharmacies operating 24/7, shared devices are rotated among shift workers to perform tasks critical to the business operations. Collaboration and real time access to data is becoming increasingly important for frontline workers. Simultaneously, it’s essential to maintain secure access in line with the Zero Trust security strategy. Let’s discuss how retail associates can benefit from using Intune-managed devices at work while balancing productivity and security. Retail associates device needs Let’s say retail giant ‘Contoso’ wants to provide shared devices to retail associates, so they can help customers and drive sales. They want each associate to be able to pick up a device at the beginning of their shift and allow them to feel like it’s their own for the duration of the shift. Additionally, they want their associates to be able to collaborate with other associates via Microsoft Teams and access their internal employee portal. At the end of their shift, they want associates to log off and return their devices to the central pool, confident that their personal data won’t be seen by the next associate. To support this scenario on shared devices, use Intune’s Android Enterprise dedicate devices enrollment solution with Microsoft Entra shared mode (Fig. 1) and Managed Home Screen. Android Enterprise dedicated devices with Microsoft Entra shared mode and Managed Home Screen allows IT admins to provide consistent shared device user experience. In Contoso’s case, the Contoso IT team needs to provide user experiences for retail associates such as: Easy experience for device sign-in when starting their shift and sign-out at the end of their shift. Setting a temporary session PIN for individual associates during their shifts while using devices. Easy app switching. Associates experience The Contoso IT team must ensure seamless device sign-in to maximize associate productivity during limited shift hours. Intune and Managed Home Screen provide options to reduce shift swapping time by allowing workers to simply enter their Microsoft Entra ID account into the device and sign in. Microsoft Entra ID accounts require entering a User Principal Name such as "user@contoso.com". By configuring the "Domain name" setting in Managed Home Screen, associates will automatically see the domain name options available to them. This allows associates to quickly enter their ID and start using the device efficiently. (Fig. 2) After completing the initial Microsoft Entra ID authentication on the Managed Home Screen, associates set up a temporary session PIN (Fig. 3). This session PIN allows them to securely use shared devices for their tasks throughout their shift. The associates’ credentials are then used to enable a single sign-on experience with supported apps. Usually switching apps in Kiosk mode is cumbersome, but Managed Home Screen leverages the virtual app switcher button to switch between apps quickly, just like they do on their regular Android devices. (Fig. 4) This feature enhances the user experience by allowing seamless transitions between applications, ensuring that workers can maintain productivity without unnecessary delays. Once the associate's shift ends, they can easily log out and return the device to the pool. This ensures that all apps are securely signed out, preventing the next shift's associate from accessing any personal data handled by the previous user (Fig. 5). Even if the previous user forgets to sign out at the end of their shift, it's not a problem. The next user can easily start their session by using the “Switch User” option (Fig. 6). These streamlined user experiences allow retail associates to concentrate on their tasks without delays, improving productivity and user experience. Setting up Managed Home Screen and the new simplified sign-in option Configuring Managed Home Screen can be done through the device configuration profile (Fig. 7) but if you need advanced customization you can use app configuration policies (Fig. 8). This configuration is the same as described previously for the healthcare scenario: From the frontlines: Revolutionizing healthcare workers experience. For step-by-step instructions on setting up Managed Home Screen, refer to the blog: How to setup Microsoft Managed Home Screen in kiosk mode on Dedicated and Fully managed devices. In addition to “Domain name” configuration, we’ve been working on further simplifying the sign-in experience. As of March 2025, we introduced QR code sign-in as a public preview. This new feature aims to streamline the initial sign-in process for frontline workers. For additional details on QR code authentication, refer to the following information: Simplify frontline workers’ sign-in experience with QR code authentication | Microsoft Community Hub How to enable QR code authentication in Microsoft Entra ID (preview) - Microsoft Entra ID | Microsoft Learn. Summary In this post, we explored how retail shop associates can use Android Enterprise dedicated devices with Entra Shared Mode and Managed Home Screen powered by Microsoft Intune throughout their shifts. This same type of configuration can be used in many other Android shared device scenarios such as warehouse operations, factory floor, and more. For more guidance review the Microsoft Learn articles: For information on how to set up shared Android devices refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune You can find more information on Managed Home Screen and how it can improve the user experience refer to: Configure the Microsoft Managed Home Screen app If you’d like to learn more about how Microsoft Entra Shared Device Mode can help your users easily sign in and sign out leveraging single sign-on review: Shared Device Mode overview - Microsoft identity platform To learn about how to setup maintenance windows and define application update conditions refer to: Corporate-owned Android Enterprise device restriction settings in Microsoft Intune For information on enabling new QR code authentication refer to: How to enable QR code authentication in Microsoft Entra ID (preview) - Microsoft Entra ID. If your device usage is similar to that of frontline workforces, consider using this solution and let us know how it works for you by leaving a comment below or reaching out to us on X @IntuneSuppTeam! In our next “From the frontlines”, we’ll dive into scenarios involving dedicated devices tailored for specific tasks that enhance customer service and efficiency in the retail industry. Check out From the frontlines: Frontline worker management with Microsoft Intune to see more “From the frontlines” blogs. Stay tuned!Intune ending support for custom profiles for personally owned work profile devices in April 2025
Years ago, before Microsoft Intune provided the many Android settings available today, Microsoft Intune introduced custom configuration profiles for Android Enterprise personally owned work profile devices. Custom profiles allow admins to configure settings that weren’t built into the Microsoft Intune admin center, leveraging Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings used by device manufacturers. Today, admins can configure all of the settings available in custom policies for personally owned work profile devices through other policy types in the Microsoft Intune admin center. The one exception is configuration of Basic Wi-Fi profiles with a pre-shared key, which will be supported in Wi-Fi configuration profiles in the first quarter of calendar year 2025. Because custom profiles are harder to configure, troubleshoot, and monitor, and offer no additional benefits now that equivalent settings are available in the Microsoft Intune admin center, we’re ending support for custom profiles for Android Enterprise personally owned work profile devices with Intune's April (2504) service release. Note: This change only applies to custom profiles for Android Enterprise personally owned work profile devices and doesn’t impact custom profiles for Android device administrator devices. How does this affect you or your users? After Intune ends support for custom profiles for personally owned work profile devices in April 2025: Admins won’t be able to create new custom profiles for personally owned work profile devices. However, admins can still view and edit previously created custom profiles. Android Enterprise personally-owned work profile devices that currently have a custom profile assigned will not experience any immediate change of functionality. Because these profiles are no longer supported, the functionality set by these profiles may change in the future. Intune technical support will no longer support custom profiles for personally owned work profile devices. How to prepare for this change To prepare for this change, follow these steps to check if you have custom profiles for personally owned work profile devices and learn how to set up alternate policy types: Navigate to the Microsoft Intune admin center. Identify the custom policies in use in your tenant: Select Devices > Android > Configuration. Filter the Platform column by Android Enterprise to get a list of Android Enterprise policies. Sort the Policy type column and look for all the policies with policy type listed as Custom. (If none are found, then no action is needed.) Create policies with equivalent settings. See tables below for settings mapping. Assign the new policies to the same groups that had been assigned the custom profiles. Unassign all groups from the custom profiles. Test and confirm device behavior is unchanged, that the new profile settings fully replace functionality from the old custom profiles. Delete the custom profiles. Replacements for custom settings Below is a mapping from custom settings to the alternate settings that you should use instead. Work profile settings Custom setting Equivalent setting ./Device/Vendor/MSFT/Container/ DisableRedactedNotifications Create a device restrictions policy > Work profile settings > General Settings > set Work profile notifications while device is locked to Block ./Device/Vendor/MSFT/WorkProfile/ CustomGmsWorkProfileDomainAllowList Create a device restrictions policy > Work profile settings > General Settings > Add and remove accounts, set to Allow all accounts types and configure Google domain allow-list ./Device/Vendor/MSFT/WorkProfile/ WorkProfileAllowWidgets Create a device restrictions policy > Work profile settings > General Settings > Allow widgets from work profile apps ./Microsoft/MSFT/WorkProfile/ DisallowCrossProfileCopyPaste Create a device restrictions policy > Work profile settings > General Settings > Copy and paste between work and personal profiles ./Vendor/MSFT/Policy/Config/DeviceLock/ MaxInactivityTimeDeviceLock Create a device restrictions policy > Password > Maximum minutes of inactivity until work profile locks ./Vendor/MSFT/WorkProfile/ DisallowModifyAccounts Create a device restrictions policy > Work profile settings > General Settings > set Add and remove accounts to Block all account types. ./Vendor/MSFT/WorkProfile/Applications/<package>/ PermissionActions Create an app configuration policy for Managed devices > Permissions > Add ./Device/Vendor/MSFT/WorkProfile/ WorkProfileEnableSystemApplications Follow the steps to Manage system apps Wi-Fi settings Custom setting Equivalent setting ./Vendor/MSFT/WiFi/Profile/<SSID>/Settings Create a Wi-Fi policy with your chosen Wi-Fi configurations for personally owned work profile devices. This also allows configuring Wi-Fi with a pre-shared key. ./Vendor/MSFT/WiFi/<SSID>/Settings ./Vendor/MSFT/DefenderATP/Vpn Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure VPN VPN settings Custom setting Equivalent setting ./Vendor/MSFT/VPN/Profile/<vpn name>/PackageList Create VPN profiles with your chosen VPN configuration for personally owned work profile devices ./Vendor/MSFT/VPN/Profile/<vpn name>/Mode ./Vendor/MSFT/DefenderATP/AntiPhishing Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Anti-Phishing. ./Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Hide app details in report and Hide app details in report for personal profile. ./Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Enable TVM Privacy and Enable TVM Privacy for personal profile ./Vendor/MSFT/DefenderATP/Vpn Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure VPN Stay tuned to this blog for updates! If you have any questions or feedback on this change, leave a comment on this post or reach out on X @IntuneSuppteam. Post updates 12/10/24: Minor formatting fixes. 2/26/25: Wi-Fi with a pre-shared key is now configurable in the personally owned work profile. The timeline for this change, previously April 1, has been updated to align with Intune's April release.How to Setup Microsoft Launcher on Android Enterprise Fully Managed Devices with Intune
Read this post for end-to-end steps on how to use the Microsoft Launcher, Android Enterprise Fully Managed Devices, and Intune! Watch the video included at the end of the post so you can see the experience your end user will have.
