Microsoft Intune is excited to support Apple in their launch of iOS 13 and iPadOS. As we shared in August, our public beta testing shows all mobile device management (MDM) and App protection policies (APP) scenarios work as expected. Our post below focuses predominantly on today’s release. Apple has stated that iOS 13.1 and iPadOS will be generally available on September 24th; both are currently in beta and available for testing today. Look for an additional post from Intune when iOS 13.1 and iPadOS are made available.
Here are the new iOS 13 and iPadOS scenarios we support and the engineering updates we’ve made to provide the best MDM and APP experience:
We support several new restrictions, including:
iOS and iPadOS keyboard and dictionary - Quickpath (supervised only)
iOS and iPadOS built-in apps - Find My iPhone (supervised only) and Find My Friends (supervised only)
iOS and iPadOS wireless - modification of Wi-Fi state (supervised only)
macOS 10.15 cloud and storage - Handoff
We’ve reorganized settings to clarify which ones apply to the various bring your own device (BYOD) and corporate device scenarios, and to get ready for the upcoming User Enrollment feature. You’ll hear more about this new feature towards the end of September, although we did provide a few supportability highlights in this blog post.
For Automated Device Enrollment (formerly Device Enrollment Program or DEP) for iOS and iPadOS, you can now use and customize the new screens introduced in iOS 13 and iPadOS. Note that the Intune September service release is finishing up today/tomorrow, so the UI update for you to see this feature is dependent on the service release completing.
Voice control is here for kiosk mode applications! Voice control allows users to control their device without touch. Docs are being updated here as part of the broader Intune service release. There are three customization options:
You can configure this setting as required for apps that have been optimized for voice control.
Likewise, you can also disable voice control if the app isn’t optimized or doesn’t work well for voice.
Since end users often like to control their own app UI experience, you can configure this setting so they can modify as needed.
Finally – and we almost led with this one as we know many of you will be very happy – we support dark mode for the PIN screen in applications with APP applied. Office apps are already supporting dark mode so now you’ll have a seamless experience with APP.
Now, there are a few items that Apple has shared it is moving out of support, and Intune will follow suit, including:
There are a number of settings moving to supervised only. We provided settings details in this post.
DEP-enrolled (Automated Device Enrollment) iOS devices running iOS 13 or above will automatically be supervised upon enrollment with no indication to the end user, providing you with all supervised mode capabilities including actions and restrictions on the device. However, if you have unsupervised DEP devices, your currently enrolled devices will not be impacted.
What should you do now?
If you haven’t been testing with the public beta releases, be sure to test your scenarios now that iOS 13 and iOS 13.1/iPadOS are releasing.
For supervised devices, if you are concerned about the unsupervised-supervised change, or if you haven’t completed your LOB app or scenario testing, you can use a device configuration policy to delay updates up to 90 days.
As already shared, Apple introduced desktop-class browsing for iPadOS. Azure AD has changed how it recognizes the browsers, so Conditional Access will now work as expected when you create an iPad Conditional Access policy and browse with the modern desktop-class browsing experience on iPadOS. The Identity team has updated the support statement here. MC190414 has been swapped out with MC196472 in the M365 message center.
One note - if you applied the workaround and are seeing that the iOS policies are being applied to requests made from Safari and not from Apple Native Mail, then ask your users to sign out and sign back in to Apple Native Mail. One way to do this is to set a temporary Conditional Access policy using session control for macOS with a sign-in frequency of 24 hours. This will force the users to sign in after 24 hours. You will want to remove this policy later, though, since it will require your end users on a Mac to sign in every day.
Also note, if you have end user enrollment or Company Portal end user guidance, Intune has added a check in the workflow to validate the type of device – iPad or Mac – so take note of that additional screen.
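The temporary sign-in frequency policy described above can be created and later removed with the Microsoft Graph PowerShell SDK. This is an added example, not from the original post: the function names, display name and pilot group ID are hypothetical placeholders, and scoping the policy to one group and to all cloud apps is an assumption the post does not specify.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK.
# Function names, display name and group ID below are placeholders.
$TempPolicyName = 'TEMP - macOS sign-in frequency 24h'
$PilotGroupId   = '00000000-0000-0000-0000-000000000000'   # placeholder group object ID

function New-TempMacSignInFrequencyPolicy {
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

    $body = @{
        displayName = $TempPolicyName
        state       = 'enabled'
        conditions  = @{
            # Assumption: limit the blast radius to one group rather than all users.
            users          = @{ includeGroups = @($PilotGroupId) }
            applications   = @{ includeApplications = @('All') }
            # Device platform condition: the policy applies to macOS sign-ins only.
            platforms      = @{ includePlatforms = @('macOS') }
            clientAppTypes = @('all')
        }
        # Session control only: no grant control, just periodic re-authentication.
        sessionControls = @{
            signInFrequency = @{
                isEnabled = $true
                type      = 'hours'
                value     = 24
            }
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body |
        Select-Object Id, DisplayName, State
}

function Remove-TempMacSignInFrequencyPolicy {
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

    # Match on the exact display name so no other policy is touched.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.DisplayName -eq $TempPolicyName } |
        ForEach-Object {
            Remove-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id
        }
}
```

Run `New-TempMacSignInFrequencyPolicy` once, then `Remove-TempMacSignInFrequencyPolicy` after users have signed back in, so Mac users are not left with a daily sign-in prompt.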
Keep us posted on your favorite new feature (ours is dark mode for the PIN screen!) and as always let us know if you have any additional questions or feedback. You can comment on this post or reach out to us on Twitter by tagging us at @intunesuppteam.
Updated on 11/18/19 with updated information on Conditional Access, which can now differentiate between the macOS and iPadOS browsers.
Updated on 11/25/19 with the new message center post number.