This month, I want to share three highlights from our Microsoft Endpoint Manager March release. First, we are addressing the frequent requests from customers with large numbers of macOS devices, by expanding Endpoint Manager’s capabilities to manage their critical line of business apps. We are also updating the reporting experience to enhance consistency, accuracy, and data representation. Finally, 2203 will bring additional improvements to the policy settings experience, focusing on security templates for Windows and Windows Server.
I hope you enjoy these behind-the-scenes stories as deployment wraps up for the month, and I look forward to your feedback. Please comment on this post or connect with me on LinkedIn.
Simplifying macOS app management workflows
A recurring theme in our recent monthly release updates is macOS device management improvements. We are excited to announce a major improvement in IT admin workflows for macOS application management. You can now upload PKG installers directly to the admin console, without requiring the Intune app wrapping tool for Mac. The necessary app metadata is automatically extracted and shown to admins for review. This improvement means that IT admins looking to deploy PKG-type installers to managed Macs -- or even IT admins who may not have access to a Mac -- will be able to focus their efforts on more valuable tasks, not app deployment workflow.
A walkthrough of how best to use this new capability is demonstrated through the demo:
We are also continuing to improve the new macOS DMG app workflow that we announced at Ignite, adding the ability to uninstall DMG files from within Endpoint Manager. We have now added the ability for admins to uninstall certain assignments to the macOS app workflow. This way, they can remove apps more easily from managed Macs using Endpoint Manager. With this new capability, IT admins can remove the listed app or a specific version of the listed app in the macOS app profile. Historically, IT admins had to write specific scripts to remove apps. Now, IT admins can remove specific versions of an app that may have vulnerabilities or remove any apps that are not allowed on company-owned Macs. Ultimately, this gives admins greater control over available apps on managed Macs. Note that this capability will be rolling out after the service release, and it’s expected to be fully available by end of March.
Here’s a walkthrough of using this capability:
A more consistent and accurate reporting approach for endpoint security policies
We continue our work on comprehensive reporting infrastructure, focusing on improving consistency, accuracy, and data representation. Customers rely on reports for many things: to monitor deployments, make decisions on configurations, troubleshoot issues, maintain tenant health, understand changes, and present data to management. This month’s reporting update will be particularly valuable to IT admins managing and creating device configuration policies, and to security admins managing and creating endpoint security policies.
In 2203, we’re providing a new reporting experience for device configuration profiles and endpoint security templates. The new experience moves away from the per-policy donut charts to a sleeker overview chart that quickly updates as devices/users check in.
There are three reports of interest in the per-policy view:
Device and user check-in status, which shows the count of devices and users in each state for a policy. This is automatically updated as devices check in.
Device assignment status, which shows status for devices targeted by a policy. This report also surfaces devices in a “pending” state.
Per setting status, which shows the status of device or user check-in at a setting level within the policy. The states include error, conflict, and success.
This is more than just a superficial change. In addition to the updated reports, more drilldowns are available, additional assignment filters are supported, and a further report for certificates has been added.
Early customer feedback for the reporting improvements has been very encouraging. For example, a major oil company commented: “Huge improvements, especially with the ability to drill down and lay out. This is really useful and much needed.” A European financial services company called the reports “significantly improved.” And a major technology company said it was “exactly what we need.”
Screenshots of the new reporting experience highlight the extent of the changes.
Updated view of the policy summary chart within Endpoint Manager admin center
The reports all have the ability to search, filter and export data
The reporting pane shows 1 record per device based on the last active user
Our mantra during this project has been “done with the donuts!” User research helped show us better ways for end users to consume the necessary information; we hope you like the improvements!
Please read the following recent announcements, which provide more context and many more screenshots of our reporting improvements:
Further policy settings improvements in the 2203 release
In this month’s release, we’ve converged multiple policy experiences onto the same infrastructure. No matter where you interact with Endpoint Manager, endpoint security policy settings will now always have a consistent name, tooltip, and available values, even if “not configured”.
New Endpoint Security policy templates will allow for greater agility when adding new settings, improved reporting, and seamless configuration of security management policy. With these changes, new policy capabilities will be available for “Windows 10, Windows 11, and Windows Server”. IT admins will see no change to existing policies previously created in Endpoint Security templates; existing profiles will be changed automatically later.
We are also introducing one seemingly small change that’s generating a lot of excitement -- Google Chrome settings will be included in the Settings Catalog and Administrative Templates (ADMX). This will also remove the need for a custom OMA-URI to install and configure Chrome settings.
Google Chrome is being added to the Settings Catalog
These improvements ultimately mean a simpler experience in the Endpoint Manager admin center. They also mean endpoint security settings can be deployed alongside standard device configuration policy more easily (previously, endpoint security was built as a separate interface, creating more work for IT admins).
Let us know what you think
Please share your comments, questions, and feedback so we can continue to improve the endpoint user experience and simplify IT administration. Simply comment on this post or connect with me on LinkedIn.