Over the last few weeks I’ve been talking to quite a few people who have started using the Intune preview in the Azure Portal for more of their day to day management tasks, and it’s always interesting to hear the things that most people are excited about. For a while the typical response was “No more Silverlight”, but over time this has changed as people are seeing more functionality light up, as well as new functionality that is being rolled in. Some of the more exciting ones for me are the Windows 10 ones that are opening up scenarios that target education, which is obviously setting the stage for Intune for Education when that becomes available. That’s not to say the Android and iOS updates aren’t welcome, because they certainly are, it’s just that for the next few months that’s the segment I’ll be heavily focused on.

Below is the full list of updates from docs, and as you can see it’s a pretty big list this month, with plenty of links for further information.

April 2017

Support for managed configuration options for Android apps

Android apps in the Play store that support managed configuration options can now be configure by Intune. This feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to allow them to configure those values.+

Remote assistance for Android devices

Intune now uses the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Android devices. For more information see Remote control Android devices using TeamViewer.+

New Android policy for complex PINs

You can now set a required password type of Numeric complex in an Android device profile for devices that run Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating, or consecutive numbers, like 1111, or 1234.+

Additional support for Android for Work devices

    • Manage password and work profile settings

      This new Android for Work device restriction policy now lets you manage password and work profile settings on Android for Work devices you manage.

    • Allow data sharing between work and personal profiles


This Android for Work device restriction profile now has new options to help you configure data sharing between work and personal profiles.+

    • Restrict copy and paste between work and personal profiles

      A new custom device profile for Android for Work devices now lets you restrict whether copy and paste actions between work and personal apps are allowed.


For more information, see Device restrictions for Android for Work.+

Assign LOB apps to iOS and Android devices

You can now assign line of business (LOB) apps for iOS (.ipa files) and Android (.apk files) to users or devices.+

New device policies for iOS

    • Apps on Home screen – Controls which apps users see on the Home screen of their iOS device. This policy changes the layout of the Home screen, but does not deploy any apps you specified that are not installed.
    • Connections to AirPrint devices – Controls which AirPrint devices (network printers) that end users of iOS device can connect to.
    • Connections to AirPlay devices – Controls which AirPlay devices (like Apple TV) that end users of iOS device can connect to.
    • Custom lock screen message – Configures a custom message that users will see on the lock screen of their iOS device, that replaces the default lock screen message. For more information, see Available device actions


Restrict push notifications for iOS apps

In an Intune device restriction profile, you can now configure the following notification settings for iOS devices:+

    • Fully turn on or off notification for a specified app.
    • Turn on or off, the notification in the notification center for a specified app.
    • Specify the alert type, either None, Banner, or Modal Alert.
    • Specify whether badges are allowed for this app.
    • Specify whether notification sounds are allowed.


Configure iOS apps to run in single app mode autonomously

You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app mode. When this mode is configured, and the app is run, the device is locked so that it can only run that app. An example of this is when you configure an app that lets users take a test on the device. When the app’s actions are complete, or you remove this policy, the device returns to its normal state.+

Configure trusted domains for email and web browsing on iOS devices

From an iOS device restriction profile, you can now configure the following domain settings:+

    • Unmarked email domains – Emails that the user sends or receives which don’t match the domains you specify here will be marked as untrusted.
    • Managed web domains – Documents downloaded from the URLs you specify here will be considered managed (Safari only).
    • Safari password auto-fill domains – Users can save passwords in Safari only from URLs matching the patterns you specify here. To use this setting, the device must be in supervised mode and not configured for multiple users. (iOS 9.3+)


VPP apps available in iOS Company Portal

You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an Apple Store account to install the app.+

Synchronize eBooks from Apple VPP Store

You can now synchronize books you purchased from the Apple volume-purchase program store with Intune, and assign these to users.+

Multi-user management for Samsung KNOX Standard devices

Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is centrally managed whether it’s in use or not. When end users sign-in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared.+

Additional Windows device restriction settings

We’ve added support for additional Windows device restriction settings like additional Edge browser support, device lock screen customization, start menu customizations, Windows Spotlight search set wallpaper, and proxy setting.+

Multi-user support for Windows 10 Creators Update

We’ve added support for multi-user management for devices that run the Windows 10 Creators Update and are Azure Active Directory domain-joined. This means that when different standard users log onto the device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.+

Fresh Start for Windows 10 PCs

A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure if user data is retained when this device action is issued.+

Additional Windows 10 upgrade paths

You can now create an edition upgrade policy to upgrade devices to the following additional Windows 10 editions:+

    • Windows 10 Professional
    • Windows 10 Professional N
    • Windows 10 Professional Education
    • Windows 10 Professional Education N


Bulk Enroll Windows 10 devices

You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.+

New MAM settings for PIN and managed storage locations

Two new app settings are now available to help you with mobile application management (MAM) scenarios:+

  • Disable app PIN when device PIN is managed – Detects if a device PIN is present on the enrolled device, and if so, bypasses the app PIN triggered by the app protection policies. This setting will allow for a reduction in the number of times a PIN prompt is displayed to users opening a MAM-enabled application on an enrolled device. This feature is available for both Android and iOS.
  • Select which storage services corporate data can be saved to -Allows you to specify which storage locations in which to save corporate data. Users can save to the selected storage location services, which means all other storage location services not listed will be blocked.

    List of supported storage location services:

    • OneDrive
    • Business SharePoint Online
    • Local storage