Microsoft Enterprise Mobility + Security (EMS) and Intune both received a number of updates last month (November 2017). Here’s a summary of the changes and new features.
Microsoft Enterprise Mobility + Security updates
New features and macOS support for conditional access
Support for macOS devices was added to Azure AD conditional access, along with two new features:
- App-based conditional access, which lets you limit access to corporate data to approved, Intune-managed client apps rather than any app that can present valid credentials
- A new ‘Devices’ blade in Azure AD, which lets administrators see and manage registered and joined devices from the Azure portal
Reset passwords on Azure AD-joined devices
Users on Azure AD-joined (AADJ) devices can now reset their password from a link shown directly on the Windows lock screen, backed by Azure AD self-service password reset (SSPR). This convenience feature arrived with the Windows 10 Fall Creators Update (version 1709), so it requires devices on that build or later and users who have registered their SSPR authentication methods.
Update 1711 for Configuration Manager Technical Preview Branch
Update 1711 for the Technical Preview branch lets you try out new Configuration Manager features before they reach the Current Branch, including:
- Improvements to the new Run Task Sequence step
- Allowing user interaction when installing applications in the System context (the local SYSTEM account)
Configuration Manager Client Messaging SDK
A new version of the Configuration Manager Client Messaging SDK was released in November. It includes various bug fixes and adds support for certificates whose private keys are held by Cryptography Next Generation (CNG) key storage providers, for Configuration Manager 1710 and later; earlier clients can only use certificates backed by a legacy CryptoAPI (CSP) key.
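Before relying on the new CNG support, it is worth knowing which of your client certificates actually carry a CNG-backed key. The PowerShell below is an added example, not part of the SDK or of Configuration Manager; it uses only the .NET certificate APIs that ship with Windows and inspects the machine personal store by default (the store path is an assumed default you can change).

```powershell
# Added example: report whether each certificate's private key is held by a
# CNG key storage provider or a legacy CryptoAPI CSP, so certificates that
# pre-1710 ConfigMgr clients cannot use are visible before a rollout.
function Get-CertificateKeyProvider {
    [CmdletBinding()]
    param(
        # Assumed default: the machine personal store, where ConfigMgr client
        # authentication certificates normally live.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert     = $_
        $keyType  = 'Unknown'
        $provider = $null
        try {
            # GetRSAPrivateKey returns RSACng for CNG keys and
            # RSACryptoServiceProvider for CSP keys; $null for non-RSA certificates.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyType  = 'CNG'
                $provider = $rsa.Key.Provider.Provider
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyType  = 'CSP'
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
            elseif ($null -eq $rsa) {
                # ECDSA keys exist only under CNG; there is no CSP equivalent.
                $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) {
                    $keyType  = 'CNG (ECDSA)'
                    $provider = $ecdsa.Key.Provider.Provider
                }
            }
        }
        catch {
            # Typically the key exists but the current account cannot open it.
            $keyType = "Inaccessible ($($_.Exception.Message))"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyType    = $keyType
            Provider   = $provider
        }
    }
}

# Usage: inventory the store, then single out the CNG-backed certificates
# that clients older than 1710 will not be able to use.
$inventory = Get-CertificateKeyProvider
$inventory | Format-Table -AutoSize
$inventory | Where-Object { $_.KeyType -like 'CNG*' }
```

Run it elevated if you want to open machine keys; an "Inaccessible" entry usually means the account lacks read permission on the key rather than a problem with the certificate itself.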
Retirement of Azure AD classic portal
You might already be aware that the Azure AD admin experience in the Azure classic portal was due to be retired. That retirement is now scheduled for 8 January 2018.
Also in the new Azure AD administration experience, functionality has been added to make it easier to migrate from v1 (classic) conditional access policies to v2 policies, so existing policies can be moved before the classic portal goes away.
Manage Google Play Protect with Microsoft Intune
This update applies to both Microsoft Enterprise Mobility + Security and Microsoft Intune. From 15 November, Intune can be used to require Google Play Protect on Android devices that access company data.
Three Google-provided checks are exposed: the SafetyNet Verify Apps API scans installed apps for known harmful apps, the SafetyNet Attestation API checks the integrity of the device itself (for example, whether it is rooted or running a modified build), and an up-to-date Google Play Services supplies the security provider that protects the device’s network connections. Intune treats each as a compliance condition, so a device that fails one can be blocked by conditional access.
Microsoft Intune updates
A number of Intune device enrolment updates were introduced in November. A new enrolment status page can display a custom message and link to the end user, along with a progress view as policy settings are applied to the device. Device enrolment can now be restricted by the Windows OS version installed on the device, and Windows 10 devices can now be co-managed by Configuration Manager and Intune at the same time.
Enrolment issues can now be viewed in the Troubleshoot workspace, showing details of the issue and suggested solutions. Intune administrators can now assign enrolment restrictions to user groups, and a change has started rolling out that lets Android for Work devices be managed independently of other Android devices.
There were also numerous updates to apps and app management. A new Install Pending status has been added to the App install report, and an app inventory API has been added for Mobile Threat Detection (MTD) integrations. Microsoft Planner has also been added to the list of apps that support mobile app management (MAM).
Admins can now set the minimum Android security patch level a device must have before managed apps can be used, and they can require a passcode rather than a numeric PIN when a MAM-protected app is launched. For now, the latter is available on iOS only.
There were a number of device management updates, including some important security-related ones. Admins can now turn the Windows firewall on for devices and configure its profiles and rules. Windows Defender Application Control on Windows 10 Enterprise can now be set to trust only previously authorised apps, and Windows Defender Exploit Guard (new in Windows 10 version 1709) provides the following protections:
- Attack Surface Reduction (ASR) rules that block common macro, script and email-borne threats
- Controlled folder access, which stops untrusted processes from modifying protected folders
- Network protection, which filters outbound connections to low-reputation hosts
- Exploit Protection, applying memory, control-flow and policy mitigations to the system and to individual processes
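Intune pushes these settings through a device configuration profile, but on a pilot machine you will want to confirm what is actually in force and to try the rules in audit mode first. The PowerShell below is an added example, not Intune’s own tooling; it assumes Windows 10 version 1709 or later with Windows Defender Antivirus active and must be run as administrator. The seven rule GUIDs are the ASR rules that shipped with 1709.

```powershell
# Added example: inspect the Exploit Guard and firewall state an Intune profile
# sets, and enable the ASR rules locally in audit mode for a pilot.

# The seven ASR rule IDs shipped with Windows 10 1709, with Microsoft's rule names.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

# Defender reports ASR, controlled folder access and network protection as 0/1/2.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-ExploitGuardStatus {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)

    $configured = for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = $ids[$i].ToUpperInvariant()
        [pscustomobject]@{
            RuleId = $id
            Name   = $AsrRules[$id]
            Action = $ActionNames[[int]$acts[$i]]
        }
    }
    # Rules the profile should have set but that are absent are the interesting gap.
    $configuredIds = @($configured | Select-Object -ExpandProperty RuleId)
    $missing = @($AsrRules.Keys | Where-Object { $_ -notin $configuredIds })

    # Exploit Protection's system-wide mitigation policy (DEP, CFG and others).
    $mitigations = Get-ProcessMitigation -System

    [pscustomobject]@{
        AsrRules               = $configured
        AsrRulesNotConfigured  = $missing
        ControlledFolderAccess = $ActionNames[[int]$pref.EnableControlledFolderAccess]
        NetworkProtection      = $ActionNames[[int]$pref.EnableNetworkProtection]
        SystemDep              = $mitigations.Dep.Enable
        SystemCfg              = $mitigations.Cfg.Enable
        # The firewall profiles that Intune's new firewall settings toggle.
        Firewall               = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    }
}

function Enable-ExploitGuardAudit {
    # Audit mode records what would have been blocked (ASR event ID 1122 in
    # the Microsoft-Windows-Windows Defender/Operational log) without affecting users.
    # Add-MpPreference appends to, rather than replaces, rules already set by Intune.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Set-MpPreference -EnableNetworkProtection AuditMode
}

# Usage: review current state, switch the pilot to audit, then review again.
Get-ExploitGuardStatus
Enable-ExploitGuardAudit
(Get-ExploitGuardStatus).AsrRules | Format-Table -AutoSize
```

Leave the pilot in audit mode for long enough to collect the 1122 events from real user activity; a rule that fires on legitimate line-of-business macros or installers is the usual reason to exclude a path before moving the rule to Block.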
You can now remotely restart supervised iOS devices using Intune and remotely lock managed macOS devices. Some data can now be retained during a factory reset on devices running Windows 10 version 1709 or later, and a new Refresh button has been added to the Device list.
There are new device restriction settings available for Windows 10. These are:
- Messaging for mobile devices
- Password, including enabling FIPS mode and allowing Windows Hello companion (secondary) devices for authentication
- Display settings that can toggle GDI Scaling for legacy apps on or off
Monitoring and troubleshooting
The Intune Data Warehouse data model now includes current user data; previously, only recent historical Intune data was available. System Center Operations Manager (SCOM) can now parse the Exchange connector logs, providing another way to monitor the service.
Administrators can now also configure how frequently Windows Defender Advanced Threat Protection (WDATP) reports telemetry from managed devices.