This month, I want to highlight two exciting new features in the December release. First, we are pleased to announce that you can now use filters in enrollment restrictions for more granular control over which devices, such as personal devices, are enrolled into endpoint management. This helps reduce the effort spent managing devices you shouldn't need to manage and can potentially reduce licensing costs from unnecessary app deployments. Second, we're further updating our ADMX (Administrative Template XML-based) ingestion capabilities, supporting all new settings up to Microsoft Edge 97, which will improve the user experience and give you time back by automating the process of keeping settings up to date across all the software that is being managed.
As usual, I appreciate your feedback and I hope you appreciate these behind-the-scenes stories of features newly released or coming soon. Comment on this post or connect with me on LinkedIn.
Making it easier to enroll the devices you need and not the ones you don't: use filters in enrollment restrictions
In response to what we heard from customers using the filters preview over the past 8 months, we are pleased to announce the ability to use filters in device enrollment restrictions in the December release.
As work from home and hybrid work became the dominant scenario, enterprises saw a dramatic increase in personal devices (also known as "Bring Your Own Devices", or "BYOD"). For example, a worker may use a device with the Windows Home OS whereas their company's global default is a Windows Pro or Enterprise operating system. While the tactical solution of BYOD enables workers to bridge the immediate need to work, it also adds to the volume of devices to be managed, increasing potential threat surfaces. To mitigate that threat, devices that try to access company resources are enrolled with app and device protection.
However, workers could find their personal device unintentionally enrolled, and receive default organizational policies, apps, and restrictions. Lack of granular enrollment policy control for administrators causes inconvenience (and sometimes surprise) for the user when their personal device configuration is overridden by the global corporate endpoint management policies. As well, organizations could face a higher management overhead from the thousands of extra devices, an increase in helpdesk calls from surprised users, and the potential of adding licensing costs as personal devices are automatically enrolled in unnecessary global default apps and policies.
When we spoke to customers, we learned that, to address these challenges, they were developing manual workarounds that added complexity to endpoint management. By providing filters in enrollment restrictions, we help simplify IT workloads and keep experiences as straightforward as possible, a key principle in our solution design.
We help achieve this simplification by building filters in enrollment restrictions in a way that is as consistent as possible across many Microsoft scenarios. We leveraged the same filtering approach used across Microsoft Endpoint Manager in addition to Azure Active Directory (AD) Conditional Access. By having a common approach, you can quickly move from the use case here—enrollment filters for Windows Home personal devices—to other scenarios where filters might be helpful, such as restricting a particular iOS app to only iPad users in the Finance group or excluding certain meeting room devices from a global compliance policy for other corporate devices.
Consistency remains important as this month we are also adding support for filters in enrollment status pages and proactive remediation scripts for Windows in the December release. Both of these capabilities use the same approach as enrollment restrictions and offer an improved filter creation experience that allows you to quickly model the impact in a "what-if" manner.
Don't just take our word for it. A few of our customers who tried a private preview of filters in enrollment restrictions shared their enthusiasm. For example, one said: "The Endpoint Manager filters feature has solved the challenges we faced with managing user-targeted settings and apps for users who have access to both a laptop and virtual desktop."
Another explained that "…filters helped us achieve complex assignment models, eliminating the need of manual assignment work."
One last customer told us that "…filters also addressed a specific use case where we had to exclude virtual devices and critical systems from some of our assignments."
So, now that you understand the benefits and are considering turning on and trying out the preview, here's a video that walks you through how this works:
We're excited about the December rollout of filters in enrollment restrictions, especially as it is one step in a bigger story. The use cases for filters are endless, and we're looking forward to sharing more filter-centric solutions early in 2022.
For now, please:
The new experience for creating and assigning enrollment restrictions with filters.
Making it easier to keep settings current in Windows remote computing environments: ADMX ingestion
This month we're also updating our ADMX ingestion capabilities, supporting new settings up to Microsoft Edge build 97 ("Edge 97").
Making sure settings are up to date across all managed software and devices is a time-consuming task. This responsibility has become even more complicated with the dramatic changes to end user computing environments from the forced shift to remote and hybrid work. Previously, you would have to download the latest settings from a Microsoft download site as an Administrative Template XML-based (ADMX) file. You would then install them directly on a domain controller to deploy them to Windows endpoints via a Group Policy Object (GPO), and those endpoints would then need to be connected to the domain to receive the policies.
Now with Microsoft Endpoint Manager, this process will be easier and enable you to quickly expand your reach to remote and hybrid workers. Each month, we’ll ingest all the new settings from Microsoft software (such as Office 365, Microsoft Edge web browser, or OneDrive) so they can be easily accessed and configured in the cloud with Endpoint Manager and applied to your Windows endpoints without the need to connect them to your on-premises infrastructure.
Let us know what you think
We've been rolling up key feature releases through these posts in FY21. Please share your feedback on the features so we can continue to improve the user experience and simplify IT administration. Please share comments, questions, and feedback by commenting on this post or connecting with me on LinkedIn.