Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Microsoft Intune includes settings and features you can enable or disable on different devices within your
organization. These settings and features are added to "configuration profiles". You can create profiles for different
devices and different platforms, including iOS/iPadOS, Android, and Windows. Then, use Intune to apply or
"assign" the profile to the devices.
As part of your mobile device management (MDM ) solution, use these configuration profiles to complete different
tasks. Some profile examples include:
On Windows 10 devices, use a profile template that blocks ActiveX controls in Internet Explorer.
On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your organization.
Allow or prevent access to bluetooth on the device.
Create a WiFi or VPN profile that gives different devices access to your corporate network.
Manage software updates, including when they're installed.
Run an Android device as dedicated kiosk device that can run one app, or run many apps.
This article gives an overview of the different types of profiles you can create. Use these profiles to allow or
prevent some features on the devices.
Administrative templates
Administrative templates include hundreds of settings that you can configure for Internet Explorer, OneDrive,
remote desktop, Word, Excel, and other Office programs.
These templates give administrators a simplified view of settings similar to group-policy, but they're 100% cloud-
based.
This feature supports:
Windows 10 and later
Certificates
Certificates configure trusted, SCEP, and PKCS certificates that are assigned to devices. These certificates
authenticate WiFi, VPN, and email profiles.
This feature supports:
Android
Android Enterprise
iOS/iPadOS
macOS
Windows Phone 8.1
Windows 8.1
Windows 10 and later
Custom profile
Custom settings let administrators assign device settings that aren't built in to Intune. On Android devices, you can
enter OMA-URI values. For iOS/iPadOS devices, you can import a configuration file you created in the Apple
Configurator.
This feature supports:
Android
Android Enterprise
iOS/iPadOS
macOS
Windows Phone 8.1
Delivery optimization
Delivery optimization provides a better experience to delivery software updates. These settings are replacing the
Software Updates > Windows 10 update ring settings.
Use these settings to control how software updates are downloaded to devices in your organization. For example,
you can let users get their own updates, or get updates using the delivery optimization cloud services in a device
profile.
This feature supports:
Windows 10 and later
Device features
Device features controls features on iOS/iPadOS and macOS devices, such as AirPrint, notifications, and lock
screen messages.
This feature supports:
iOS/iPadOS
macOS
Device restrictions
Device restrictions controls security, hardware, data sharing, and more settings on the devices. For example, create
a device restriction profile that prevents iOS/iPadOS device users from using the device camera.
This feature supports:
Android
Android enterprise
iOS/iPadOS
macOS
Windows 10 and later
Windows 10 Team
Edition upgrade
Windows 10 edition upgrades automatically upgrades devices that run some versions of Windows 10 to a newer
edition.
This feature supports:
Windows 10 and later
Education
Education settings - Windows 10 configure options for the Windows Take a Test app. When you configure these
options, no other apps can run on the device until the test is complete.
Education settings - iOS/iPadOS uses the iOS/iPadOS Classroom app to guide learning, and control student
devices in the classroom. You can configure iPad devices so many students can share a single device.
Email
Email settings creates, assigns, and monitors Exchange ActiveSync email settings on the devices. Email profiles
help with consistency, reduce support calls, and let end-users access company email on their personal devices,
without any required setup on their part.
This feature supports:
Android
Android Enterprise
iOS/iPadOS
Windows Phone 8.1
Windows 10 and later
Endpoint protection
Endpoint protection settings for Windows 10 configures BitLocker and Microsoft Defender settings for Windows
10 devices.
To onboard Microsoft Defender Advanced Threat Protection (WDATP ) with Microsoft Intune, see Configure
endpoints using Mobile Device Management (MDM ) tools.
This feature supports:
Windows 10 and later
Identity protection
Identity protection controls the Windows Hello for Business experience on Windows 10 and Windows 10 Mobile
devices. Configure these settings to make Windows Hello for Business available to users and devices, and to
specify requirements for device PINs and gestures.
This feature supports:
Windows 10 and later
Windows Holographic for Business
Kiosk
Kiosk settings profile configures a device to run one app, or run many apps. You can also customize other features
on your kiosk, including a start menu and a web browser.
This feature supports:
Windows 10 and later
Kiosk settings also available as device restrictions for Android, Android Enterprise, and ios/iPadOS.
OEMConfig
OEMConfig is a standard that allows OEMs (original equipment manufacturers) and EMMs (enterprise mobility
management) to build and support OEM -specific features in a standardized way on Android Enterprise devices.
With OEMConfig, an OEM creates a schema that defines OEM -specific management features, and embeds it in an
app uploaded to Google Play. Intune reads the schema from the app, allows Intune administrators to configure the
settings in the schema.
This feature supports:
Android Enterprise (OEMConfig)
PowerShell scripts
PowerShell scripts on Windows 10 devices uses the Intune Management Extension to upload your PowerShell
scripts in Intune, and then run these scripts on your devices. Also see what's required to use the extension, how to
add them to Intune, and other important information.
This feature supports:
Windows 10 and later
Windows Holographic for Business
Update policies
iOS/iPadOS update policies shows you how to create and assign iOS/iPadOS policies to install software updates
on your iOS/iPadOS devices. You can also review the installation status.
For update policies on Windows devices, see Delivery optimization.
This feature supports:
iOS/iPadOS
VPN
VPN settings assigns VPN profiles to users and devices in your organization, so they can easily and securely
connect to the network.
Virtual private networks (VPNs) give users secure remote access to your company network. Devices use a VPN
connection profile to start a connection with your VPN server.
This feature supports:
Android
Android Enterprise
iOS/iPadOS
macOS
Windows Phone 8.1
Windows 8.1
Windows 10 and later
Wi-Fi
Wi-Fi settings assigns wireless network settings to users and devices. When you assign a WiFi profile, users get
access to your corporate WiFi without having to configure it themselves.
This feature supports:
Android
Android Enterprise
iOS/iPadOS
macOS
Windows 8.1 (import only)
Windows 10 and later
Windows Information Protection profile
Windows Information Protection helps protect against data leakage without interfering with the employee
experience. It also helps protect enterprise apps and data against accidental data leaks on enterprise-owned
devices and personal devices that employees use at work. Using Windows Information Protection doesn't require
changes to your environment or other apps.
This feature supports:
Windows 10 and later
Next steps
Choose your platform, and get started.
Quickstart: Create an email device profile for
iOS/iPadOS
2/19/2020 • 2 minutes to read • Edit Online
In this quickstart, you’ll see how to create an email device profile for iOS/iPadOS devices. This profile specifies the
settings that are required for the built-in email app on the iOS/iPadOS device to connect to company email. Email
device profiles help standardize settings across devices, and they let end users access company email on their
personal devices without any required setup on their part. To further safeguard your email, you can use an email
profile to determine if devices are compliant, and then set up Conditional Access to allow only compliant devices to
access email. For details about email profiles, see How to configure email settings in Microsoft Intune
If you don’t have an Intune subscription, sign up for a free trial account.
Sign in to Intune
Sign in to the Microsoft Endpoint Manager admin center as a Global Administrator or an Intune Service
Administrator. If you have created an Intune Trial subscription, the account you created the subscription with is the
Global administrator.
2. Under Name, enter a descriptive name for the new profile. For this example, enter iOS require work
email.
3. Enter the following profile information:
For Description, enter Require iOS/iPadOS devices to use work email.
For Platform, select iOS/iPadOS.
For Profile type, select Email.
4. Select Settings, and enter the following settings (leave the defaults for other settings):
Email server: For this quickstart, enter outlook.office365.com. This setting specifies the Exchange
location (URL ) of the email server that the iOS/iPadOS mail app will use to connect to email.
Account name: Enter Company Email.
Username attribute from AAD: This name is the attribute Intune gets from Azure Active Directory
(Azure AD ). Intune dynamically generates the username for this profile using this name. For this
quickstart, we’ll assume that we want the User Principal Name to be used as the username for the
profile (for example, user1@contoso.com).
Email address attribute from AAD: This setting is the email address from Azure AD that will be
used to sign in to Exchange. For this quickstart, select User Principal Name.
Authentication method: For this quickstart, select Username and password. (You can also choose
Certificate if you’ve already set up a certificate for Intune.)
5. Select OK > Create. The new profile appears on the profiles list with the dashboard displayed so you can
monitor how the profile has been assigned to iOS/iPadOS devices and iOS/iPadOS users.
6. Select Assignments.
7. Select the Include tab, and then select All Users & All Devices.
8. Select Save.
Clean up resources
If you don’t intend to use the profile you created for additional tutorials or testing, you can delete it now.
1. In Intune, select Device configuration, and then select Profiles.
2. Select the test profile you created, iOS/iPadOS require work email.
3. Select the ellipses (...) next to the profile, and then select Delete.
Next steps
In this quickstart, you created an email profile for iOS/iPadOS devices. Now you can use this profile to determine
whether an iOS/iPadOS device is compliant by creating a compliance policy that marks as noncompliant any
iOS/iPadOS devices that don't match the profile. For further protection, you can create a Conditional Access policy
that blocks noncompliant iOS/iPadOS devices from accessing email. For more information about device
compliance policies, see Get started with device compliance policies in Intune.
Tutorial: Protect Exchange Online email on managed devices
Tutorial: Use the cloud to configure group policy on
Windows 10 devices with ADMX templates and
Microsoft Intune
2/19/2020 • 16 minutes to read • Edit Online
NOTE
This tutorial was created as a technical workshop for Microsoft Ignite. It has more prerequisites than typical tutorials, as it
compares using and configuring ADMX policies in Intune and on-premises.
Group policy administrative templates, also known as ADMX templates, include settings you can configure on
Windows 10 devices, including PCs. The ADMX template settings are available by different services. These settings
are used by Mobile Device Management (MDM ) providers, including Microsoft Intune. For example, you can turn
on Design Ideas in PowerPoint, set a home page in Microsoft Edge, block ActiveX controls in Internet Explorer, and
more.
ADMX templates are available for the following services:
Microsoft Edge: Download at Microsoft Edge policy file.
Office: Download at Office 365 ProPlus, Office 2019, and Office 2016.
Windows: Built in to the Windows 10 OS.
For more information on ADMX policies, see Understanding ADMX-backed policies.
In Microsoft Intune, these templates are built in to the Intune service, and are available as Administrative
templates profiles. In this profile, you configure the settings you want to include, and then "assign" this profile to
your devices.
In this tutorial, you will:
Get introduced to the Microsoft Endpoint Manager admin center.
Create user groups and create device groups.
Compare the settings in Intune with on-premises ADMX settings.
Create different administrative templates, and configure the settings that target the different groups.
By the end of this lab, you’ll have the skills to get started using Intune and Microsoft 365 to manage your users,
and deploy administrative templates.
This feature applies to:
Windows 10 version 1703 and newer
Prerequisites
A Microsoft 365 E3 or E5 subscription, which includes Intune and Azure Active Directory (AD ) premium. If
you don't have an E3 or E5 subscription, try it for free.
For more information on what you get with the different Microsoft 365 licenses, see Transform your
Enterprise with Microsoft 365.
Microsoft Intune is configured as the Intune MDM Authority. For more information, see Set the mobile
device management authority.
Be sure you have internet access and administrator rights to the Microsoft 365 subscription, which
includes the Endpoint Manager admin center.
Open the Endpoint Manager admin center
1. Open a chromium web browser, such as Microsoft Edge version 77 and later.
2. Go to the Microsoft Endpoint Manager admin center (https://devicemanagement.microsoft.com). Sign in
with the following account:
User: Enter the administrator account of your Microsoft 365 tenant subscription.
Password: Enter its password.
This admin center is focused on device management, and includes Azure services, such as Azure AD and Intune.
You might not see the Azure Active Directory and Intune branding, but you're using them.
You can also open the Endpoint Manager admin center from the Microsoft 365 admin center:
1. Go to https://admin.microsoft.com.
2. Sign in with your administrator account of your Microsoft 365 tenant subscription.
3. Under Admin centers, select All admin centers > Endpoint management. The Endpoint Manager
admin center opens.
When users or devices meet the criteria you enter, they're automatically added to the dynamic
groups. In this example, devices are automatically added to this group when the operating
system is Windows. If you're using this tutorial in a production environment, then be careful.
The goal is to practice creating dynamic groups.
b. Save > Create to save your changes.
6. Create the All Teachers group with the following settings:
Group type: Select Security.
Group name: Enter All Teachers.
Membership type: Select Dynamic User.
Dynamic user members: Configure your query:
Property: Select department.
Operator: Select Equals.
Value: Enter Teachers.
a. Select Add expression. Your expression is shown in the Rule syntax.
When users or devices meet the criteria you enter, they're automatically added to the
dynamic groups. In this example, users are automatically added to this group when
their department is Teachers. You can enter the department and other properties when
users are added to your organization. If you're using this tutorial in a production
environment, then be careful. The goal is to practice creating dynamic groups.
b. Save > Create to save your changes.
Talking points
Dynamic groups are a feature in Azure AD Premium. If you don't have Azure AD Premium, then you're
licensed to only create assigned groups. For more information on dynamic groups, see:
Dynamic Group Membership in Azure Active Directory (Part 1)
Dynamic Group Membership in Azure Active Directory (Part 2)
Azure AD Premium includes other services that are commonly used when managing apps and devices,
including multi-factor authentication (MFA) and conditional access.
Many administrators ask when to use user groups and when to use device groups. For some guidance, see
User groups vs. device groups.
Remember, a user can belong to multiple groups. Consider some of the other dynamic user and device
groups you can create, such as:
All Students
All Android devices
All iOS/iPadOS devices
Marketing
Human Resources
All Charlotte employees
All Redmond employees
West coast IT administrators
East coast IT administrators
The users and groups created are also seen in the Microsoft 365 admin center, Azure AD in the Azure portal, and
Microsoft Intune in the Azure portal. You can create and manage groups in all these areas for your tenant
subscription. If your goal is device management, use the Microsoft Endpoint Manager admin center.
Review group membership
1. In the Endpoint Manager admin center, select Users > select the name of any existing user.
2. Review some of the information you can add or change. For example, look at the properties you can
configure, such as Job Title, Department, City, Office location, and more. You can use these properties in
your dynamic queries when creating dynamic groups.
3. Select Groups to see the membership of this user. You can also remove the user from a group.
4. Select some of the other options to see more information, and what you can do. For example, look at the
assigned license, the user's devices, and more.
What did I just do?
In the Endpoint Manager admin center, you created new security groups, and added existing users and devices to
these groups. We’ll use these groups in later steps in this tutorial.
OfficeandEdge is a group policy that includes the Office and Microsoft Edge ADMX templates. This policy
is described in prerequisites (in this article).
4. Expand Computer configuration > Policies > Administrative Templates > Control Panel >
Personalization. Notice the available settings.
Double-click Prevent enabling lock screen camera, and see the available options:
5. In the device management admin center, go to your Admin template - Windows 10 student devices
template.
6. Select All products from the drop-down list, and search for personalization:
Notice the available settings.
The setting type is Device, and the path is \Control Panel\Personalization. This path is similar to what
you just saw in Group Policy Management Editor. If you open the setting, you see the same Not
configured, Enabled, and Disabled options you see in Group Policy Management Editor.
Compare a user policy
1. In your admin template, search for inprivate browsing. Notice the path, and that the setting applies to
users and devices.
2. In Group Policy Management Editor, find the matching user and device settings:
Device: Expand Computer configuration > Policies > Administrative Templates > Windows
components > Internet Explorer > Privacy > Turn off InPrivate Browsing.
User: Expand User configuration > Policies > Administrative Templates > Windows components
> Internet Explorer > Privacy > Turn off InPrivate Browsing.
TIP
To see the built-in Windows policies, you can also use GPEdit (Edit group policy app).
2. In this window, notice the description and values you can set. These options are similar to what you see in
group policy.
3. Select Enabled > OK to save your changes.
4. Also configure the following Internet Explorer settings. Be sure to select OK to save your changes.
Allow drag and drop or copy and paste files
Type: Device
Path: \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet
Zone
Value: Disabled
Prevent ignoring certificate errors
Type: Device
Path: \Windows Components\Internet Explorer\Internet Control Panel
Value: Enabled
Disable changing home page settings
Type: User
Path: \Windows Components\Internet Explorer
Value: Enabled
Home page: Enter a URL, such as contoso.com .
5. Clear your search filter. Notice the settings you configured are listed at the top:
Assign your template
1. In your template, select Assignments. You may have to close your template, and then select it from the
Devices - Configuration profiles list:
2. Choose Select groups to include. A list of existing users and groups is shown.
3. Select the All Windows 10 student devices group you created earlier > Select.
If you're using this tutorial in a production environment, then consider adding groups that are empty. The
goal is to practice assigning your template.
4. Save your changes.
As soon as the profile is saved, it applies to the devices when they check in with Intune. If the devices are connected
to the internet, it can happen immediately. For more information on policy refresh times, see How long does it take
for devices to get a policy, profile, or app after they're assigned.
When assigning strict or restrictive policies and profiles, don't lock yourself out. Consider creating a group that's
excluded from your policies and profiles. The idea is to have access to troubleshoot. Monitor this group to confirm
it's being used as intended.
What did I just do?
In the Endpoint Manager admin center, you created an administrative template device configuration profile, and
assigned this profile to a group you created.
For more information on OneDrive client settings, see Use Group Policy to control OneDrive sync client settings.
Assign your template
1. In your template, select Assignments.
2. Choose Select groups to include. A list of existing users and groups is shown.
3. Select the All Windows devices group you created earlier > Select.
If you're using this tutorial in a production environment, then consider adding groups that are empty. The
goal is to practice assigning your template.
4. Save your changes.
At this point, you created some administrative templates, and assigned them to groups you created. The next step
is to create an administrative template using Windows PowerShell and the Microsoft Graph API for Intune.
Write down what it's set to, which may Restricted. When finished with the tutorial, set it back to its
original value.
b. Enter: Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Enter Y if:
Asked to install the NuGet provider
Asked to install the modules from an untrusted repo
It can take several minutes to complete. When finished, a prompt similar to the following prompt is shown:
Import-Module c:\psscripts\Intune-PowerShell-
SDK_v6.1907.00921.0001\drop\outputs\build\Release\net471\Microsoft.Graph.Intune.psd1
c. When prompted, sign in with the same Microsoft 365 administrator account. These cmdlets create
the policy in your tenant organization.
User: Enter the administrator account of your Microsoft 365 tenant subscription.
Password: Enter its password.
d. Select Accept.
9. Create the Test Configuration configuration profile. Enter:
When these cmdlets succeed, the profile is created. To confirm, go to the Endpoint Manager admin center >
Configuration Profiles. Your Test Configuration profile should be listed.
10. Get all the SettingDefinitions. Enter:
11. Find the definition ID using the setting display name. Enter:
Invoke-MSGraphRequest -Url
"https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($configuration.id)')/def
initionValues('$($configuredSetting.id)')" -Content ("{""enabled"":""false""}") -HttpMethod PATCH
Clean up resources
When no longer needed, you can:
Delete the groups you created:
All Windows 10 student devices
All Windows devices
All Teachers
Delete the admin templates you created:
Admin template - Windows 10 student devices
Admin template - OneDrive policies that apply to all Windows 10 users
Test Configuration
Set the Windows PowerShell execution policy back to its original value. The following example sets the
execution policy to Restricted:
Next steps
In this tutorial, you got more familiar with the Microsoft Endpoint Manager admin center, used the query builder
to create dynamic groups, and created administrative templates in Intune to configure ADMX settings. You also
compared using ADMX templates on-premises and in the cloud with Intune. As a bonus, you used PowerShell
cmdlets to create an administrative template.
For more information on administrative templates in Intune, see:
Use Windows 10 templates to configure group policy settings in Intune
Create a device profile in Microsoft Intune
2/19/2020 • 6 minutes to read • Edit Online
Devices profiles allow you to add and configure settings, and then push these settings to devices in your
organization. Apply features and settings on your devices using device profiles goes into more detail, including
what you can do.
This article:
Lists the steps to create a profile.
Shows you how to add a scope tag to "filter" the profile.
Describes applicability rules on Windows 10 devices, and shows you how to create a rule.
Lists the check-in refresh cycle times when devices receive profiles and any profile updates.
Scope tags
After you add the settings, you can also add a scope tag to the profile. Scope tags filter profiles to specific IT
groups, such as US-NC IT Team or JohnGlenn_ITDepartment .
For more information about scope tags, and what you can do, see Use RBAC and scope tags for distributed IT.
Add a scope tag
1. Select Scope (Tags).
2. Select Add to create a new scope tag. Or, select an existing scope tag from the list.
3. Select OK to save your changes.
Applicability rules
Applies to:
Windows 10 and later
Applicability rules allow administrators to target devices in a group that meet specific criteria. For example, you
create a device restrictions profile that applies to the All Windows 10 devices group. And, you only want the
profile assigned to devices running Windows 10 Enterprise.
To do this task, create an applicability rule. These rules are great for the following scenarios:
You use Windows 10 Education (EDU ). At Bellows College, you want to target all Windows 10 EDU devices
between RS3 and RS4.
You want to target all users in Human Resources at Contoso, but only want Windows 10 Professional or
Enterprise devices.
To approach these scenarios, you:
Create a devices group that includes all devices at Bellows College. In the profile, add an applicability rule
so it applies if the OS minimum version is 16299 and the maximum version is 17134 . Assign this profile to
the Bellows College devices group.
When it's assigned, the profile applies to devices between the minimum and maximum versions you enter.
For devices that aren't between the minimum and maximum versions you enter, their status shows as Not
applicable.
Create a users group that includes all users in Human Resources (HR ) at Contoso. In the profile, add an
applicability rule so it applies to devices running Windows 10 Professional or Enterprise. Assign this profile
to the HR users group.
When it's assigned, the profile applies to devices running Windows 10 Professional or Enterprise. For
devices that aren't running these editions, their status shows as Not applicable.
If there are two profiles with the exact same settings, then the profile without an applicability rule is applied.
For example, ProfileA targets the Windows 10 devices group, enables BitLocker, and doesn’t have an
applicability rule. ProfileB targets the same Windows 10 devices group, enables BitLocker, and has an
applicability rule to only apply the profile to Windows 10 Enterprise.
When both profiles are assigned, ProfileA is applied because it doesn’t have an applicability rule.
When you assign the profile to the groups, the applicability rules act as a filter, and only target the devices that
meet your criteria.
Add a rule
1. Select Applicability Rules. You can choose the Rule, Property, and OS edition:
2. In Rule, choose if you want to include or exclude users or groups. Your options:
Assign profile if: Includes users or groups that meet the criteria you enter.
Don't assign profile if: Excludes users or groups that meet the criteria you enter.
3. In Property, choose your filter. Your options:
OS edition: In the list, check the Windows 10 editions you want to include (or exclude) in your rule.
OS version: Enter the min and max Windows 10 version numbers of you want to include (or
exclude) in your rule. Both values are required.
For example, you can enter 10.0.16299.0 (RS3 or 1709) for minimum version and 10.0.17134.0
(RS4 or 1803) for maximum version. Or, you can be more granular and enter 10.0.16299.001 for
minimum version and 10.0.17134.319 for maximum version.
4. Select Add to save your changes.
Recommendations
When creating profiles, consider the following recommendations:
Name your policies so you know what they are, and what they do. All compliance policies and configuration
profiles have an optional Description property. In Description, be specific and include information so
others know what the policy does.
Some configuration profile examples include:
Profile name: Admin template - OneDrive configuration profile for all Windows 10 users
Profile description: OneDrive admin template profile that includes the minimum and base settings for all
Windows 10 users. Created by user@contoso.com to prevent users from sharing organizational data to
personal OneDrive accounts.
Profile name: VPN profile for all iOS/iPadOS users
Profile description: VPN profile that includes the minimum and base settings for all iOS/iPadOS users to
connect to Contoso VPN. Created by user@contoso.com so users automatically authenticate to VPN,
instead of prompting users for their username and password.
Create your profile by its task, such as configure Microsoft Edge settings, enable Microsoft Defender anti-
virus settings, block iOS/iPadOS jailbroken devices, and so on.
Create profiles that apply to specific groups, such as Marketing, Sales, IT Administrators, or by location or
school system.
Separate user policies from device policies.
For example, Administrative Templates in Intune have hundreds of ADMX settings. These templates show if
a settings applies to users or devices. When creating admin templates, assign your users settings to a users
group, and assign your device settings to a devices group.
The following image shows an example of a setting that can apply to users and/or apply to devices:
Every time you create a restrictive policy, communicate this change to your users. For example, if you're
changing the passcode requirement from 4 characters to 6 characters, let your users know before your
assign the policy.
Next steps
Assign the profile and monitor its status.
Use Windows 10 templates to configure group policy
settings in Microsoft Intune
1/8/2020 • 4 minutes to read • Edit Online
When managing devices in your organization, you want to create groups of settings that apply to different device
groups. For example, you have several device groups. For GroupA, you want to assign a specific set of settings.
For GroupB, you want to assign a different set of settings. You also want a simple view of the settings you can
configure.
You can complete this task using Administrative Templates in Microsoft Intune. The administrative templates
include hundreds of settings that control features in Microsoft Edge version 77 and later, Internet Explorer,
Microsoft Office programs, remote desktop, OneDrive, passwords and PINs, and more. These settings allow
group administrators to manage group policies using the cloud.
The Windows settings are similar to group policy (GPO ) settings in Active Directory (AD ). These settings are built
in to Windows, and are ADMX-backed settings that use XML. The Office and Microsoft Edge settings are ADMX-
ingested, and use the ADMX settings in Office administrative template files and Microsoft Edge administrative
template files. But, the Intune templates are 100% cloud-based. They offer a simple and straight-forward way to
configure the settings, and find the settings you want.
Administrative Templates are built in to Intune, and don't require any customizations, including using OMA-
URI. As part of your mobile device management (MDM ) solution, use these template settings as a one-stop shop
to manage your Windows 10 devices.
This article lists the steps to create a template for Windows 10 devices, and shows how to filter all the available
settings in Intune. When you create the template, it creates a device configuration profile. You can then assign or
deploy this profile to Windows 10 devices in your organization.
Create a template
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile.
3. Enter the following properties:
Name: Enter a name for the profile.
Description: Enter a description for the profile. This setting is optional, but recommended.
Platform: Select Windows 10 and later.
Profile type: Select Administrative Templates.
4. Select Create. In the new window, select the drop-down list, and select All products. From the list, you
can also filter the settings to only show Windows settings, only show Office settings, or only show Edge
version 77 or later settings:
NOTE
Microsoft Edge settings apply to:
Microsoft Edge version 77 and newer. To configure Microsoft Edge version 45 and earlier, see Microsoft Edge
Browser device restriction settings.
Windows 10 RS4 and newer with KB 4512509 installed
Windows 10 RS5 and newer with KB 4512534 installed
Windows 10 19H1 and newer with KB 4512941 installed
5. Every setting is listed, and you can use the before and next arrows to see more settings:
TIP
The Windows settings in Intune correlate to the on-premises group policy path you see in Local Group Policy Editor
( gpedit ).
6. Select any setting. For example, filter on Office, and select Activate Restricted Browsing. A detailed
description of the setting is shown. Choose Enabled, Disabled, or leave the setting as Not configured
(default). The detailed description also explains what happens when you choose Enabled, Disabled, or
Not configured.
7. Select OK to save your changes.
Continue to go through the list of settings, and configure the settings you want in your environment. Here are
some examples:
Use the VBA Macro Notification Settings setting to handle VBA macros in different Microsoft Office
programs, including Word and Excel.
Use the Allow file downloads setting to allow or prevent downloads from Internet Explorer.
Use Require a password when a computer wakes (plugged in) to prompt users for a password when
devices wake from sleep mode.
Use the Download unsigned ActiveX controls setting to block users from downloading unsigned ActiveX
controls from Internet Explorer.
Use the Turn off System Restore setting to allow or prevent users from running a system restore on the
device.
Use the Allow importing of favorites setting to allow or block users from importing favorites from another
browser into Microsoft Edge.
And much more...
In your template, use the Search box to find specific settings. You can search by setting, or path. For
example, search for copy . All the settings with copy are shown:
In another example, search for microsoft word . You see all the settings you can set for the Microsoft Word
program. Search for explorer to see all the Internet Explorer settings you can add to your template.
Next steps
The template is created, but it's not doing anything yet. Next, assign the template, also called a profile and
monitor its status.
Update Office 365 using administrative templates.
Tutorial: Use the cloud to configure group policy on Windows 10 devices with ADMX templates and Microsoft
Intune
Use Update Channel and Target Version settings to
update Office 365 with Microsoft Intune
Administrative Templates
12/30/2019 • 5 minutes to read • Edit Online
In Intune, you can use Windows 10 templates to configure group policy settings. This article shows you how to
update Office 365 using an administrative template in Intune. It also gives guidance on confirming your policies
apply successfully. This information also helps when troubleshooting.
In this scenario, you create an administrative template in Intune that updates Office 365 on your devices.
For more information on administrative templates, see Windows 10 templates to configure group policy settings.
Applies to:
Windows 10 and later
Office 365
Prerequisites
Be sure to enable Office365 ProPlus Automatic Updates for your Office apps. You can do this using group policy,
or the Intune Office 2016 ADMX template:
2. Be sure to assign the policy to your Windows 10 devices. To test your policy sooner, you can also sync the
policy:
Sync the policy in Intune
Manually sync the policy on the device
TIP
The <Provider ID> in the registry key changes. To find the provider ID for your device, open the Registry Editor
app, and go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled . The provider
ID is shown.
When the policy is applied, you see the following registry keys:
L_UpdateBranch
L_UpdateTargetVersion
Looking at the following example, you see L_UpdateBranch has a value similar to
<enabled /><data id="L_UpdateBranchID" value="Deferred" /> . This value means it's set to Semi-Annual
Channel:
TIP
Manage Office 365 ProPlus with Configuration Manager lists the values, and what they mean. The registry values are
based on the distribution channel selected:
Monthly Channel - value="Current"
Monthly Channel (Targeted) - value="Current"
Semi-Annual Channel - value="Current"
Semi-Annual Channel (Targeted) - value="FirstReleaseDeferred"
Insider Fast - value="InsiderFast"
3. Look at the UpdateChannel value. The value tells you how frequently Office is updated. Manage Office 365
ProPlus with Configuration Manager lists the values, and what they're set to.
Looking at the following example, you see UpdateChannel is set to
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 , which is monthly:
This example means the policy isn't applied yet, as it's still set to monthly, instead of semi-annual.
This registry key is updated when the Task Scheduler > Office Automatic Updates 2.0 runs, or when a user
signs into the device. To confirm, open the Office Automatic Updates 2.0 task > Triggers. Depending on your
triggers, it can take at least a day and more before the UpdateChannel registry key is updated.
At this point, the Office update channel is successfully changed on the device. You can open an Office 365 app for a
user that receives this update to check status.
IMPORTANT
Be sure to assign the policy.
If you change an existing policy, your changes affect all assigned users.
If you're testing this feature, it's recommended to create a test policy, and assign the policy to a test group of users.
2. Look at the L_UpdateTargetVersion value. Once the policy applies, the value is set to the version you entered,
such as <enabled /><data id="L_UpdateTargetVersionID" value="16.0.10730.20344" /> .
At this point, the Intune policy is successfully applied to the device.
3. Next, you can force Office to update. Open an Office app, such as Excel. Choose to update now (possibly in
the Account menu).
The update takes several minutes. You can confirm Office is trying to get the version you enter:
a. On the device, go to C:\Program Files (x86)\Microsoft Office\Updates\Detection\Version .
b. Open the VersionDescriptor.xml file, and go to the <Version> section. The available version should
be the same version you entered in the Intune policy, such as:
4. After the update is installed, the Office app should show the new version (for example, on the Account
menu)
Next steps
Update channel values for Office 365 clients
Overview of the Office cloud policy service for Office 365 ProPlus
Use Windows 10 templates to configure group policy settings (ADMX templates) in Microsoft Intune
Add iOS, iPadOS, or macOS device feature settings
in Intune
2/19/2020 • 7 minutes to read • Edit Online
Intune includes many features and settings that help administrators control iOS, iPadOS, and macOS devices. For
example, administrators can:
Allow users access to AirPrint printers in your network
Add apps and folders to the home screen, including adding new pages
Choose if and how app notifications are shown
Configure the lock screen to show a message or the asset tag, especially for shared devices
Give users a secure single sign-on experience to share credentials between apps
Filter web sites that use adult language and allow or block specific web sites
Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you
add these features in a profile, you then push or deploy the profile to iOS/iPadOS and macOS devices in your
organization.
This article describes the different features you can configure, and shows you how to create a device configuration
profile. You can also see all the available settings for iOS/iPadOS and macOS devices.
Airprint
Airprint is an Apple feature that allows devices to print to files over a wireless network. In Intune, you can add
AirPrint information to devices.
For a list of the settings you can configure in Intune, see AirPrint on iOS/iPadOS and AirPrint on macOS.
For more information on AirPrint, see About AirPrint on Apple's web site.
Applies to:
iOS 7.0 and newer
iPadOS 13.0 and newer
macOS 10.10 and newer
App notifications
Choose how apps on your iOS and iPadOS devices receive notifications. For example, from Intune, send app
notifications so they show in the notification center, show on the lock screen, or play a sound.
For a list of the settings you can configure in Intune, see App notifications on iOS/iPadOS.
For more information on this feature, see Notifications on Apple's web site.
Applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer
Associated domains
Associated domains allow you to create a relationship between your domains, such as contoso.com , and your
apps. This feature allows you to:
Share data and sign in credentials between apps and websites in your organization.
Use app features that are based on your website, such as single sign-on app extension, universal links, and
password autofill.
For example, create an associated domain to allow password autofill to recommend credentials, such as a
password, for websites associated with your app.
For a list of the settings you can configure in Intune, see Associated domains on macOS.
For more information on this feature, see Setting Up an App’s Associated Domains on Apple's web site.
Applies to:
macOS 10.15 and newer
Login items
Use this feature to choose the apps, custom apps, files, and folders that open when users sign in to the devices.
For a list of the settings you can configure in Intune, see Login items on macOS.
Applies to:
macOS 10.13 and newer
Login window
Control the appearance of the login screen and functions available to users before they sign in. For example, add a
banner with a custom message, choose if the sleep button is shown, and more.
For a list of the settings you can configure in Intune, see Login window on macOS.
Applies to:
macOS 10.7 and newer
Single sign-on
Most Line of Business (LOB ) apps require some level of user authentication to support security. In many cases, the
authentication requires the user to enter the same credentials repeatedly. To improve the user experience,
developers can create apps that use single sign-on (SSO ). Using single sign-on reduces the number of times a
user must enter credentials.
To use single sign-on, be sure you have:
An app that's coded to look for the user credential store in single sign-on on the device.
Intune configured for iOS/iPadOS device single sign-on.
For a list of the settings you can configure in Intune, see Single sign-on on iOS/iPadOS.
Applies to:
iOS 7.0 and newer
iPadOS 13.0 and newer
NOTE
The Single sign-on app extension feature is different than the Single sign-on feature:
The Single sign-on app extension settings apply to iPadOS 13.0 (and newer), iOS 13.0 (and newer), and macOS
10.15 (and newer). Single sign-on settings apply to iPadOS 13.0 (and newer) and iOS 7.0 and newer.
The Single sign-on app extension settings define extensions for use by identity providers or organizations to
deliver a seamless enterprise sign-on experience. The Single sign-on settings define Kerberos account information
for when users access servers or apps.
The Single sign-on app extension uses the Apple operating system to authenticate. So, it might provide an end-
user experience that is better than that of Single sign-on.
From a development perspective, with Single sign-on app extension, you can use any type of redirect SSO or
credential SSO authentication. With Single sign-on, you can only use Kerberos SSO authentication.
The Kerberos Single sign-on app extension was developed by Apple and is built into the iOS/iPadOS 13.0+ and
macOS 10.15+ platforms. The built-in Kerberos extension can be used to log users into native apps and websites that
support Kerberos authentication. Single sign-on is not an Apple implementation of Kerberos.
The built-in Kerberos Single sign-on app extension handles Kerberos challenges for web pages and apps just like
Single sign-on. However, the built-in Kerberos extension supports password changes and behaves better in
enterprise networks. When deciding between the Kerberos Single sign-on app extension and Single sign-on, we
recommend using the extension due to improved performance and capabilities.
Applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
macOS 10.15 and newer
Wallpaper
Add a custom .png, .jpg, or .jpeg image to your supervised iOS/iPadOS devices. For example, use Intune to add a
company logo to the lock screen on your devices.
For a list of the settings you can configure in Intune, see Wallpaper on iOS/iPadOS.
Applies to:
iOS
iPadOS 13.0 and newer
Next steps
After the profile is created, it's ready to be assigned. Next, assign the profile and monitor its status.
View all the device feature settings for iOS/iPadOS and macOS devices.
Configure device restriction settings in Microsoft
Intune
2/19/2020 • 2 minutes to read • Edit Online
Intune includes device restriction policies that help administrators control Android, iOS/iPadOS, macOS, and
Windows devices. These restrictions let you control a wide range of settings and features to protect your
organization's resources. For example, administrators can:
Allow or block the device camera
Control access to Google Play, app stores, viewing documents, and gaming
Block built-in apps, or create a list of apps that allowed or prohibited
Allow or prevent backing up files to cloud and storage accounts
Set a minimum password length, and block simple passwords
These features are available in Intune, and are configurable by the administrator. Intune uses "configuration
profiles" to create and customize these settings for your organization's needs. After you add these features in a
profile, you can then push or deploy the profile to devices in your organization.
This article shows you how to create a device restrictions profile. You can also see all the available settings for the
different platforms.
Next steps
After the profile is created, it's ready to be assigned. Next, assign the profile and monitor its status.
Use Device Firmware Configuration Interface profiles
on Windows devices in Microsoft Intune (public
preview)
12/19/2019 • 8 minutes to read • Edit Online
When you use Intune to manage Autopilot devices, you can manage UEFI (BIOS ) settings after they're enrolled,
using the Device Firmware Configuration Interface (DFCI). For an overview of benefits, scenarios, and
prerequisites, see Overview of DFCI.
DFCI enables Windows to pass management commands from Intune to UEFI (Unified Extensible Firmware
Interface).
In Intune, use this feature to control BIOS settings. Typically, firmware is more resilient to malicious attacks. It
limits end users control over the BIOS, which is good in a compromised situation.
For example, you use Windows 10 devices in a secure environment, and want to disable the camera. You can
disable the camera at the firmware-layer, so it doesn't matter what the end user does. Reinstalling the OS or wiping
the computer won't turn the camera back on. In another example, lock down the boot options to prevent users
from booting up another OS, or an older version of Windows that doesn't have the same security features.
When you reinstall an older Windows version, install a separate OS, or format the hard drive, you can't override
DFCI management. This feature can prevent malware from communicating with OS processes, including elevated
OS processes. DFCI’s trust chain uses public key cryptography, and doesn't depend on local UEFI (BIOS )
password security. This layer of security blocks local users from accessing managed settings from the device’s
UEFI (BIOS ) menus.
This feature applies to:
Windows 10 RS5 (1809) and later on supported UEFI
WARNING
If you disable the Radios setting, the device requires a wired network connection. Otherwise, the device may
be unmanageable.
NOTE
Deleting the DFCI profile, or removing a device from the group assigned to the profile doesn't remove DFCI settings or re-
enable the UEFI (BIOS) menus. If you want to stop using DFCI, then update your existing DFCI profile. For more information
on the steps, see retire the device in this article.
Next steps
After the profile is assigned, monitor its status.
Delivery optimization settings in Microsoft Intune
2/10/2020 • 3 minutes to read • Edit Online
With Intune, use Delivery Optimization settings for your Windows 10 devices to reduce bandwidth consumption
when those devices download applications and updates. Configure delivery optimization as part of your device
configuration profiles.
This article describes how to configure delivery optimization settings as part of a device configuration profile.
After you create a profile, you then assign or deploy that profile to your Windows 10 devices.
To view a list of the delivery optimization settings that Intune supports, see Delivery Optimization settings for
Intune.
To learn about Delivery Optimization on Windows 10, see Delivery Optimization updates in the Windows
documentation.
Next steps
Assign the profile and monitor its status its status.
View the delivery optimization settings for Intune.
Upgrade Windows 10 editions or switch out of S
mode on devices using Microsoft Intune
12/19/2019 • 3 minutes to read • Edit Online
As part of your mobile device management (MDM ) solution, you may want to upgrade your Windows 10 devices.
For example, you want to upgrade your Windows 10 Professional devices to Windows 10 Enterprise. Or, you want
the device to switch out of S mode.
Windows 10 S mode (opens another Microsoft web site) is designed for security and performance. You can use
Intune to switch out of S mode. Switching out of S mode is one way. And once you switch out of S mode, you can't
go back to Windows 10 S mode.
See some commonly-asked questions about S mode.
This feature applies to:
Windows 10 and later
Windows 10 1809 or later for S mode
Windows Holographic for Business
These features are available in Intune, and are configurable by the administrator. Intune uses "configuration
profiles" to create and customize these settings for your organization's needs. After you add these features in a
profile, you can then push or deploy the profile to Windows 10 devices in your organization. When you deploy the
profile, Intune automatically upgrades the devices or switches out of S mode.
This article lists the supported upgrade paths, and shows you how to create the device configuration profile. You
can also see all the available upgrade and S mode settings for Windows 10.
NOTE
If you remove the policy assignment later, the version of Windows on the device isn't reverted. The device continues to run
normally.
Prerequisites
Before you upgrade devices, be sure you have the following prerequisites:
A valid product key to install the updated Windows version on all devices that you target with the policy (for
Windows 10 Desktop editions). You can use either Multiple Activation Keys (MAK) or Key Management Server
(KMS ) keys.
For Windows 10 Mobile and Windows 10 Holographic editions, you can use a Microsoft license file. The
license file includes the licensing information to install the updated edition on all devices that you target with
the policy.
The Windows 10 devices you assign the policy are enrolled in Microsoft Intune. You can't use the edition
upgrade policy with PCs that run the Intune PC client software.
Description: Enter a description for the profile. This setting is optional, but recommended.
Platform: Select Windows 10 and later.
Profile type: Select Edition upgrade.
Settings: Enter the settings you want to configure. For a list of all settings, and what they do, see:
Windows 10 upgrade and S mode
Windows Holographic for Business
4. Select OK > Create to save your changes.
The profile is created and shown in the list. Be sure to assign the profile and monitor its status.
Next steps
After the profile is created, it's ready to be assigned. Next, assign the profile and monitor its status.
View the upgrade and S mode settings for Windows 10 and Windows Holographic for Business devices.
Add email settings to devices using Intune
2/19/2020 • 4 minutes to read • Edit Online
Microsoft Intune includes different email settings you can deploy to devices in your organization. An IT
administrator creates email profiles with specific settings to connect to a mail server, such as Office 365 and
Gmail. End users then connect, authenticate, and synchronize their organizational email accounts on their mobile
devices. By creating and deploying an email profile, you can confirm settings are standard across many devices.
And, help reduce support calls from end users who don't know the correct email settings.
You can use email profiles to configure the built-in email settings for the following devices:
Android Samsung Knox Standard 4.0 and newer
Android Enterprise
iOS 8.0 and newer
iPadOS 13.0 and newer
Windows Phone 8.1 and newer
Windows 10 (desktop) and Windows 10 Mobile
This article shows you how to create an email profile in Microsoft Intune. It also includes links to the different
platforms for more specific settings.
Next steps
Once the profile is created, it isn't doing anything yet. Next, assign the profile.
Windows 10 and Windows Holographic for Business
device settings to run as a dedicated kiosk using
Intune
12/19/2019 • 2 minutes to read • Edit Online
On Windows 10 devices, use Intune to run devices as a kiosk, sometimes known as a dedicated device. A device in
kiosk mode can run one app, or run many apps. You can show and customize a start menu, add different apps,
including Win32 apps, add a specific home page to a web browser, and more.
This feature applies to devices running:
Windows 10 and later
Windows Holographic for Business
Intune supports one kiosk profile per device. If you need multiple kiosk profiles on a single device, you can use a
Custom OMA-URI.
Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you
add these features in a profile, push or deploy these settings to groups in your organization.
This article shows you how to create a device configuration profile. For a list of all the settings, and what they do,
see Windows 10 kiosk settings and Windows Holographic for Business kiosk settings.
Next steps
Assign the profile and monitor its status.
You can create kiosk profiles for devices that run the following platforms:
Android
Android Enterprise
Windows 10 and later
Windows Holographic for Business
Control access, accounts, and power features on
shared PC or multi-user devices using Intune
12/19/2019 • 2 minutes to read • Edit Online
Devices that have multiple users are called shared devices, and are a common part of mobile device management
(MDM ) solutions. Using Microsoft Intune, you can customize shared devices running the following platforms:
Windows 10 Professional and newer
Windows 10 Enterprise and newer
Windows Holographic for Business, such as the HoloLens
For example, schools have devices that are typically used by many students. With this setting, the school Intune
administrator can turn on the Shared PC feature to allow one user at a time. Students can't switch between
different signed-in accounts on the device. When the student signs out, you also choose to remove all user-specific
settings.
End users can sign in to these shared devices with a guest account. After users sign in, the credentials are cached.
As they use the device, end-users only get access to features you allow. For example, you choose when the device
goes in to sleep mode, if users can see and save files locally, enable or disable power management settings, and
more. You also control if the guest account deletes when the user signs-off, or delete inactive accounts when a
threshold is reached.
This article shows you how to create a configuration profile, and includes links to the available settings with their
descriptions.
When the profile is created in Intune, you deploy or assign the profile to device groups in your organization. You
can also assign this profile to device groups with mixed device types and operating system (OS ) versions.
Next steps
See all the settings for Windows 10 and newer and Windows Holographic for Business.
Assign the profile and monitor its status.
Create VPN profiles to connect to VPN servers in
Intune
2/19/2020 • 3 minutes to read • Edit Online
Virtual private networks (VPNs) give your users secure remote access to your organization network. Devices use
a VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign
VPN settings to users and devices in your organization, so they can easily and securely connect to your
organizational network.
For example, you want to configure all iOS/iPadOS devices with the required settings to connect to a file share on
the organization network. You create a VPN profile that includes these settings. Then, you assign this profile to all
users who have iOS/iPadOS devices. The users see the VPN connection in the list of available networks, and can
connect with minimal effort.
NOTE
You can use Intune custom configuration policies to create VPN profiles for the following platforms:
Android 4 and later
Enrolled devices that run Windows 8.1 and later
Windows Phone 8.1 and later
Enrolled devices that run Windows 10 desktop
Windows 10 Mobile
Windows Holographic for Business
Automatic Windows 10
F5 Access - Android
- Android Enterprise work profiles
- Android Enterprise device owner (fully managed)
- iOS/iPadOS
- macOS
- Windows 10
- Windows 8.1
- Windows Phone 8.1
IKEv2 - iOS/iPadOS
- Windows 10
L2TP Windows 10
Palo Alto Networks GlobalProtect - Android Enterprise work profiles: Use app configuration
policy
- iOS/iPadOS
- Windows 10
PPTP Windows 10
Learn how to create custom VPN profiles by using URI settings in Create a profile with custom settings.
Next steps
Once the profile is created, it isn't doing anything yet. Next, assign the profile to some devices.
You can also create and use per-app VPNs on Android and iOS/iPadOS devices.
Use a Microsoft Intune custom profile to create a per-
app VPN profile for Android devices
12/19/2019 • 2 minutes to read • Edit Online
You can create a per-app VPN profile for Android 5.0 and later devices that are managed by Intune. First, create a
VPN profile that uses either the Pulse Secure or Citrix connection type. Then, create a custom configuration policy
that associates the VPN profile with specific apps.
NOTE
To use per-app VPN on Android Enterprise devices, you can also use these steps. But, it's recommended to use an app
configuration policy for your VPN client app.
After you assign the policy to your Android device or user groups, users should start the Pulse Secure or Citrix
VPN client. The VPN client then allows only traffic from the specified apps to use the open VPN connection.
NOTE
Only the Pulse Secure and Citrix connection types are supported for this profile.
In Microsoft Intune, you can create and use Virtual Private Networks (VPNs) assigned to an app. This feature is
called "per-app VPN". You choose the managed apps that can use your VPN on devices managed by Intune. When
using a per-app VPNs, end users automatically connect through the VPN, and get access to organizational
resources, such as documents.
This feature applies to:
iOS 9 and newer
iPadOS 13.0 and newer
Check your VPN provider's documentation to see if your VPN supports per-app VPN.
This article shows you how to create a per-app VPN profile, and assign this profile to your apps. Use these steps to
create a seamless per-app VPN experience for your end users. For most VPNs that support per-app VPN, the user
opens an app, and automatically connects to the VPN.
Some VPNs allow username and password authentication with per-app VPN. Meaning, users need to enter a
username and password to connect to the VPN.
IMPORTANT
Per-app VPN is not supported for IKEv2 VPN profiles for iOS/iPadOS.
To prove its identity, the VPN server presents the certificate that must be accepted without a prompt by the device.
To confirm the automatic approval of the certificate, create a trusted certificate profile that contains the VPN
server's root certificate issued by the Certification Authority (CA).
Export the certificate and add the CA
1. On your VPN server, open the administration console.
2. Confirm that your VPN server uses certificate-based authentication.
3. Export the trusted root certificate file. It has a .cer extension, and you add it when creating a trusted
certificate profile.
4. Add the name of the CA that issued the certificate for authentication to the VPN server.
If the CA presented by the device matches a CA in the Trusted CA list on the VPN server, then the VPN
server successfully authenticates the device.
Next steps
To review iOS/iPadOS settings, see VPN settings for iOS/iPadOS devices in Microsoft Intune.
To learn more about VPN setting and Intune, see configure VPN settings in Microsoft Intune.
Add and use Wi-Fi settings on your devices in
Microsoft Intune
2/19/2020 • 2 minutes to read • Edit Online
Wi-Fi is a wireless network that's used by many mobile devices to get network access. Microsoft Intune includes
built-in Wi-Fi settings that can be deployed to users and devices in your organization. This group of settings is
called a "profile", and can be assigned to different users and groups. Once assigned, your users get access your
organization's Wi-Fi network without configuring it themselves.
For example, you install a new Wi-Fi network named Contoso Wi-Fi. You then want to set up all iOS/iPadOS
devices to connect to this network. Here's the process:
1. Create a Wi-Fi profile that includes the settings that connect to the Contoso Wi-Fi wireless network.
2. Assign the profile to a group that includes all users of iOS/iPadOS devices.
3. Users find the new Contoso Wi-Fi network in the list of wireless networks on their device. They can then
connect to the network, using the authentication method of your choosing.
This article lists the steps to create a Wi-Fi profile. It also includes links that describe the different settings for each
platform.
NOTE
For devices running Windows 8.1, you can import a Wi-Fi configuration that was previously exported from another device.
TIP
For Android Enterprise devices running as a dedicated device (kiosk), choose Device owner only >
Wi-Fi.
For Windows 8.1 and later, you can choose Wi-Fi import. This option lets you import Wi-Fi settings as
an XML file that you previously exported from a different device.
4. Some of the Wi-Fi settings are different for each platform. To see the settings for a specific platform,
choose your platform:
Android
Android Enterprise, including dedicated devices
iOS/iPadOS
macOS
Windows 10 and later
Windows 8.1 and later, including Windows Holographic for Business
5. When you're done, select Create Profile > Create.
The profile is created, and shown in the profiles list (Device configuration > Profiles).
Next steps
The profile is created, but it's not doing anything. Next, assign this profile and monitor its status..
Troubles Wi-Fi profiles in Intune.
Use a custom device profile to create a WiFi profile
with a pre-shared key in Intune
2/19/2020 • 5 minutes to read • Edit Online
Pre-shared keys (PSK) are typically used to authenticate users in WiFi networks, or wireless LANs. With Intune,
you can create a WiFi profile using a pre-shared key. To create the profile, use the Custom device profiles feature
within Intune. This article also includes some examples of how to create an EAP -based Wi-Fi profile.
This feature supports:
Android device administrator
Windows
EAP -based Wi-Fi
IMPORTANT
Using a pre-shared key with Windows 10 causes a remediation error to show in Intune. When this happens, the Wi-Fi
profile is properly assigned to the device, and the profile works as expected.
If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is protected. The key is in plain text, so it's your
responsibility to protect the key.
NOTE
Be sure to include the dot character at the beginning.
SSID is the SSID for which you’re creating the policy. For example, if the Wi-Fi is named Hotspot-1 ,
enter ./Vendor/MSFT/WiFi/Profile/Hotspot-1/Settings .
d. Data Type: Select String.
e. Value: Paste your XML code. See the examples in this article. Update each value to match your
network settings. The comments section of the code includes some pointers.
5. When you're done, select OK > Create to save your changes.
Your profile is shown in the profiles list. Next, assign this profile to your user groups. This policy can only be
assigned to user groups.
The next time each device checks in, the policy is applied, and a Wi-Fi profile is created on the device. The device
can then connect to the network automatically.
<WLANProfile
xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name><Name of wifi profile></name>
<SSIDConfig>
<SSID>
<hex>53534944</hex>
<name><SSID of wifi profile></name>
</SSID>
<nonBroadcast>false</nonBroadcast>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication><Type of authentication></authentication>
<encryption><Type of encryption></encryption>
<useOneX>false</useOneX>
</authEncryption>
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>password</keyMaterial>
</sharedKey>
<keyIndex>0</keyIndex>
</security>
</MSM>
</WLANProfile>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>testcert</name>
<SSIDConfig>
<SSID>
<hex>7465737463657274</hex>
<name>testcert</name>
</SSID>
<nonBroadcast>true</nonBroadcast>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication>WPA2</authentication>
<encryption>AES</encryption>
<encryption>AES</encryption>
<useOneX>true</useOneX>
<FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
</authEncryption>
<PMKCacheMode>disabled</PMKCacheMode>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<cacheUserData>false</cacheUserData>
<authMode>user</authMode>
<EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation
xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
<AcceptServerName
xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
<TLSExtensions
xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
<FilteringInfo
xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
<AllPurposeEnabled>true</AllPurposeEnabled>
<CAHashList Enabled="true">
<IssuerHash>75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78
</IssuerHash>
</CAHashList>
<EKUMapping>
<EKUMap>
<EKUName>Client Authentication</EKUName>
<EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
</EKUMap>
</EKUMapping>
<ClientAuthEKUList Enabled="true"/>
<AnyPurposeEKUList Enabled="false">
<EKUMapInList>
<EKUName>Client Authentication</EKUName>
</EKUMapInList>
</AnyPurposeEKUList>
</FilteringInfo>
</TLSExtensions>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</EAPConfig>
</OneX>
</security>
</MSM>
</WLANProfile>
Create the XML file from an existing Wi-Fi connection
You can also create an XML file from an existing Wi-Fi connection. On a Windows computer, use the following
steps:
1. Create a local folder for the exported W -Fi- profiles, such as c:\WiFi.
2. Open up a command prompt as an administrator (right-click cmd > Run as administrator).
3. Run netsh wlan show profiles . The names of all the profiles are listed.
4. Run netsh wlan export profile name="YourProfileName" folder=c:\Wifi . This command creates a file named
Wi-Fi-YourProfileName.xml in c:\Wifi.
If you're exporting a Wi-Fi profile that includes a pre-shared key, add key=clear to the command:
netsh wlan export profile name="YourProfileName" key=clear folder=c:\Wifi
key=clear exports the key in plain text, which is required to successfully use the profile.
After you have the XML file, copy and paste the XML syntax into OMA-URI settings > Data type. Create a custom
profile (in this article) lists the steps.
TIP
\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid} also includes all the profiles in XML format.
Best practices
Before you deploy a Wi-Fi profile with PSK, confirm that the device can connect to the endpoint directly.
When rotating keys (passwords or passphrases), expect downtime and plan your deployments. Consider
pushing new Wi-Fi profiles during non-working hours. Also, warn users that connectivity may be affected.
For a smooth transition, be sure the end user’s device has an alternate connection to the Internet. For
example, the end user can switch back to Guest WiFi (or some other WiFi network) or have cellular
connectivity to communicate with Intune. The extra connection allows the user to receive policy updates
when the corporate WiFi Profile is updated on the device.
Next steps
Be sure to assign the profile, and monitor its status.
Troubleshoot Wi-Fi device configuration profiles in
Microsoft Intune
2/19/2020 • 8 minutes to read • Edit Online
In Intune, you can create device configuration profiles that include connection settings for your WiFi network. Use
these settings to connect users' Android, iOS/iPadOS, and Windows devices to the organization network.
This article shows what a Wi-Fi profile looks like when it successfully applies to devices. It also includes log
information, common issues, and more. Use this article to help troubleshoot your Wi-Fi profiles.
For more information on Wi-Fi profiles in Intune, see Add and use Wi-Fi settings on your devices.
Android
In this section, we step through the end user experience when installing the configuration profiles on an Android
device.
End-user experience example
This scenario uses a Nokia 6.1 device. Before the Wi-Fi profile is installed on the device, install the Trusted Root
and SCEP profiles.
1. End users receive a notification to install the Trusted Root certificate profile:
2. The next notification prompts to install the SCEP certificate profile:
TIP
When using a device administrator-managed Android device, there may be multiple certificates listed. When a
certificate profile is revoked or removed, the certificate stays on the device. In this scenario, select the newest
certificate. It's usually the last certificate shown in the list.
This situation doesn’t occur on Android Enterprise and Samsung Knox devices. For more information, see Manage
Android work profile devices and Remove SCEP and PKCS certificates.
The following log shows your search results, and shows the Wi-Fi profile successfully applied:
2019-08-01T19:22:46.7340000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118
04142 Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.7490000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Starting to parse OneX from Wifi XML.
2019-08-01T19:22:46.8100000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Completed parsing OneX from Wifi XML.
2019-08-01T19:22:46.8209999 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118
04142 Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:46.8240000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142
Selected ca certificate with alias: 'user:205xxxxx.0' and thumbprint '<thumbprint>'.
2019-08-01T19:22:47.0990000 VERB com.microsoft.omadm.platforms.android.certmgr.CertificateChainBuilder
15118 04142 Complete certificate chain built with Complete certs.
2019-08-01T19:22:47.1010000 VERB com.microsoft.omadm.utils.CertUtils 15118 04142 1 cert(s)
matched criteria: User<ID>[i:
<ID>,17CECEA1D337FAA7D167AD83A8CC7A8FCBF9xxxx;eku:1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2]
2019-08-01T19:22:47.1090000 VERB com.microsoft.omadm.utils.CertUtils 15118 04142 0 cert(s)
excluded by criteria:
2019-08-01T19:22:47.1110000 INFO com.microsoft.omadm.utils.CertificateSelector 15118 04142
Selected client cert with alias 'User<ID>' and requestId 'ModelName=
<ModelName>%2FLogicalName_<LogicalName>;Hash=-912418295'.
2019-08-01T19:22:47.4120000 VERB com.microsoft.omadm.Services 15118 04142 Successfully applied,
enabled and saved wifi profile '<profile ID>'
2019-08-01T19:22:47.4240000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.4910000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.4970000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118
04142 Starting to parse Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5080000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Starting to parse OneX from Wifi XML.
2019-08-01T19:22:47.5820000 VERB com.microsoft.omadm.platforms.android.wifimgr.OneX 15118 04142
Completed parsing OneX from Wifi XML.
2019-08-01T19:22:47.5900000 VERB com.microsoft.omadm.platforms.android.wifimgr.WifiProfile 15118
04142 Completed parsing Wifi Profile XML with name '<profile ID>'.
2019-08-01T19:22:47.5910000 INFO com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager
15118 04142 Applied profile <profile ID>
iOS/iPadOS
After the Wi-Fi profile is installed on the device, it's shown in the Management Profile:
Review the iOS/iPadOS console and device logs
On iOS/iPadOS devices, the Company Portal app log doesn't include information about Wi-Fi profiles. To see
installation details of your Wi-Fi profiles, use the Console/Device Logs:
1. Connect the iOS/iPadOS device to Mac. Go to Applications > Utilities, and open the Console app.
2. Under Action, select Include Info Messages and Include Debug Messages:
Windows
After the Wi-Fi profile is installed on the device, go to Settings > Accounts > Access work or school. Select
your account > Info:
In Areas managed by Microsoft, WiFi is shown:
To see the Wi-Fi connection, go to Settings > Network & Internet > Wi-Fi:
Common issues
Issue 1: The Wi-Fi profile isn't deployed to the device
Confirm the Wi-Fi profile is assigned to the correct group:
1. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles.
2. Select your profile > Assignments. Confirm the selected groups are correct.
3. In the Endpoint Manager, select Troubleshooting + Support. Review the Assignments information.
In the Endpoint Manager, select Troubleshooting + Support. Confirm the device can sync with Intune by
checking the Last check in time.
If the Wi-Fi profile is linked to the Trusted Root and SCEP profiles, confirm both profiles are deployed to the
device. The Wi-Fi profile has a dependency on these profiles.
On Windows 10 and newer devices, review the MDM Diagnostic Information log:
1. Go to Settings > Accounts > Access work or school.
2. Select your work or school account > Info.
3. At the bottom of the Settings page, select Create report.
4. A window opens that shows the path to the log files. Select Export.
5. Go to the \Users\Public\Documents\MDMDiagnostics path, and view the report:
TIP
For more information, see Diagnose MDM failures in Windows 10.
On Android devices, if the Trusted Root and SCEP profiles aren't installed on the device, you see the
following entry in the Company Portal app Omadmlog file:
When the Trusted Root and SCEP profiles are on the Android device and compliant, the Wi-Fi profile
might not be on the device. This issue happens when the CertificateSelector provider from the
Company Portal app doesn't find a certificate that matches the specified criteria. The specific criteria
can be in the Certificate Template or in the SCEP profile.
If the matching certificate isn't found, the certificates on the device aren't installed. The Wi-Fi profile
isn't applied because it doesn’t have the correct certificate. In this scenario, you see the following
entry in the Company Portal app Omadmlog file:
Skipping Wifi profile <profile ID> because it is pending certificates.
The following sample log shows certificates being excluded because the Any Purpose Extended Key
Usage (EKU ) criteria was specified. But, the certificates assigned to the device don’t have that EKU:
2018-11-27T21:10:37.6390000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948
Excluding cert with alias User<ID1> and requestId <requestID1> as it does not have any purpose
EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948
Excluding cert with alias User<ID2> and requestId <requestID2> as it does not have any purpose
EKU.
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948
0 cert(s) matched criteria:
2018-11-27T21:10:37.6400000 VERB com.microsoft.omadm.utils.CertUtils 14210 00948
2 cert(s) excluded by criteria:
2018-11-27T21:10:37.6400000 INFO
com.microsoft.omadm.platforms.android.wifimgr.WifiProfileManager 14210 00948
Skipping Wifi profile <profile ID> because it is pending certificates.
The following sample shows the SCEP profile entered the Any Purpose EKU. But, it's not entered in
the Certificate Template on the certificate authority (CA). To fix the issue, add the Any Purpose
option to the certificate template. Or, remove the Any Purpose option from the SCEP profile.
Confirm that all required certificates in the complete certificate chain are on the Android device.
Otherwise, the Wi-Fi profile can't be installed on the device. For more information, see Missing
intermediate certificate authority (opens Android's web site).
Filter Omadmlog with keywords to look for information, such as which certificate is used in the Wi-Fi
profile, and if the profile successfully applied.
For example, use CMTrace to read the logs. Use the search string to filter “wifimgr”:
The output looks similar to the following log:
If you see an error in the log, copy the time stamp of the error and unfilter the log. Then, use the
“find” option with the time stamp to see what happened right before the error.
Issue 2: The Wi-Fi profile is deployed to the device, but the device can't connect to the network
Typically, this issue is caused by something outside of Intune. The following tasks may help you understand and
troubleshoot connectivity issues:
Manually connect to the network using a certificate with the same criteria that's in the Wi-Fi profile.
If you can connect, look at the certificate properties in the manual connection. Then, update the Intune Wi-Fi
profile with the same certificate properties.
Connectivity errors are usually logged in the Radius server log. For example, it should show if the device
tried to connect with the Wi-Fi profile.
NOTE
macOS kernel extensions are being replaced with system extensions. For more information, see Support Tip: Using system
extensions instead of kernel extensions for macOS Catalina 10.15 in Intune.
On macOS devices, you can add features at the kernel-level. These features access parts of the OS that regular
programs can't access. Your organization may have specific needs or requirements that aren't available in an app, a
device feature, and so on.
To add kernel extensions that are always allowed to load on your devices, add "kernel extensions" (KEXT) in
Microsoft Intune, and then deploy these extensions to your devices.
For example, you have a virus scanning program that scans your device for malicious content. You can add this
virus scanning program's kernel extension as an allowed kernel extension in Intune. Then, "assign" the extension to
your macOS devices.
With this feature, administrators can allow users to override kernel extensions, add team identifiers, and add
specific kernel extensions in Intune.
This feature applies to:
macOS 10.13.2 and later
To use this feature, devices must be:
Enrolled in Intune using Apple's Device Enrollment Program (DEP ). Automatically enroll macOS devices
has more information.
OR
Enrolled in Intune with "user approved enrollment" (Apple's term). Prepare for changes to kernel extensions
in macOS High Sierra (opens Apple's web site) has more information.
Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you
add these features in a profile, you can then push or deploy the profile to macOS devices in your organization.
This article shows you how to create a device configuration profile using kernel extensions in Intune.
TIP
For more information on kernel extensions, see kernel extension overview (opens Apple's web site).
Next steps
After the profile is created, it's ready to be assigned. Next, assign the profile and monitor its status.
Use the Take a Test app on Windows 10 devices in
Microsoft Intune
12/19/2019 • 2 minutes to read • Edit Online
Education profiles in Intune are designed for students to take a test or exam on devices. This feature includes the
Take a Test app and settings to add a test URL, choose how end-users sign in to the test, and more. This feature
supports the following platform:
Windows 10 and later
When the user signs in, the Take a Test app automatically opens with the test you entered. No other apps can run
on the device while the test is in progress. Take tests in Windows 10 provides more details on the Take a Test app.
This article lists the steps to create a device configuration profile in Microsoft Intune. It also includes information
to read and learn about the available education settings for your Windows 10 devices.
Next steps
See a list of the Windows 10 education settings and their descriptions.
Assign the profile and monitor its status.
Use and manage Zebra devices with Zebra Mobility
Extensions in Microsoft Intune
12/19/2019 • 7 minutes to read • Edit Online
Intune includes a rich set of features, including managing apps and configuring device settings. These built-in
features and settings manage Android devices manufactured by Zebra Technologies, also known as "Zebra
devices".
On Android devices, use Zebra's Mobility Extensions (MX) profiles to customize or add more Zebra-specific
settings.
This article shows you how to use Zebra Mobility Extensions (MX) on Zebra devices in Microsoft Intune.
This feature applies to:
Android
Your company may use Zebra devices for retail, on the factory floor, and more. For example, you're a retailer and
your environment includes thousands of Zebra mobile devices used by sales associates. Intune can help manage
these devices as part of your mobile device management (MDM ) solution.
Using Intune, you can enroll Zebra devices to deploy your line-of-business apps to the devices. "Device
configuration" profiles let you create MX profiles to manage your Zebra-specific settings.
NOTE
By default, the Zebra MX APIs aren't locked down on devices. Before a device enrolls in Intune, it's possible the device can be
compromised in a malicious manner. When the device is in a clean state, we suggest you lock down MX APIs using Access
Manager (AccessMgr). For example, you can choose that only the Company Portal app and apps you trust are allowed to call
MX APIs.
For more information, see Locking down your device on Zebra's web site.
TIP
For more information on StageNow, and what it does, see StageNow Android device staging (opens Zebra's web site).
Step 2: Confirm the Company Portal app has device administrator role
The Company Portal app requires Device Administrator to manage Android devices. To activate the Device
Administrator role, some Zebra devices include a user interface (UI) on the device. If the device includes a UI, the
Company Portal app prompts the end user to grant Device Administrator during enrollment (in this article).
If a UI isn't available, use the DevAdmin Manager in StageNow to create a profile that manually grants Device
Administrator to the Company Portal app.
The following steps provide an overview. For specific details, see Zebra's documentation. Set battery swap mode
as device administrator (opens Zebra's website) may be a good resource.
1. In StageNow, create a profile and select Xpert Mode.
2. Add DevAdmin Manager to the profile.
3. Set Device Administration Action to Turn On as Device Administrator.
4. Set Device Admin Package Name to com.microsoft.windowsintune.companyportal .
5. Set Device Admin Class Name to com.microsoft.omadm.client.PolicyManagerReceiver .
Continue to publish the profile, and consume it with the StageNow app on the device. The Company Portal app is
granted the Device Administrator role.
WARNING
If multiple MX profiles are targeted to the same group, and configure the same property, there will be conflicts on
the device.
If the same property is configured multiple times in a single MX profile, the last configuration wins.
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
The next time the device checks for configuration updates, the MX profile is deployed to the device. Devices sync
with Intune when devices enroll, and then approximately every 8 hours. You can also force a sync in Intune. Or, on
the device, open the Company Portal app > Settings > Sync.
Next steps
Assign the profile and monitor its status.
Use StageNow logs to troubleshoot Zebra devices.
Use and manage Android Enterprise devices with
OEMConfig in Microsoft Intune
2/26/2020 • 8 minutes to read • Edit Online
In Microsoft Intune, you can use OEMConfig to add, create, and customize OEM -specific settings for Android
Enterprise devices. OEMConfig is typically used to configure settings that aren't built in to Intune. Different
original equipment manufacturers (OEM ) include different settings. The available settings depend on what the
OEM includes in their OEMConfig app.
This feature applies to:
Android Enterprise
This article describes OEMConfig, lists the prerequisites, shows how to create a configuration profile, and lists the
supported OEMConfig apps in Intune.
Overview
OEMConfig policies are a special type of device configuration policy similar to app configuration policy.
OEMConfig is a standard defined by Google that uses app configuration in Android to send device settings to
apps written by OEMs (original equipment manufacturers). This standard allows OEMs and EMMs (enterprise
mobility management) to build and support OEM -specific features in a standardized way. Learn more about
OEMConfig.
Historically, EMMs, such as Intune, manually build support for OEM -specific features after they're introduced by
the OEM. This approach leads to duplicated efforts and slow adoption.
With OEMConfig, an OEM creates a schema that defines OEM -specific management features. The OEM embeds
the schema into an app, and then puts this app on Google Play. The EMM reads the schema from the app, and
exposes the schema in the EMM administrator console. The console allows Intune administrators to configure the
settings in the schema.
When the OEMConfig app installs on a device, it uses the settings configured in the EMM administrator to
manage the device. Device settings are executed by the OEMConfig app, instead of an MDM agent built by the
EMM.
When the OEM adds and improves management features, the OEM also updates the app in Google Play. As an
administrator, you get these new features and updates (including fixes) without waiting for EMMs to include these
updates.
TIP
You can only use OEMConfig with devices that support this feature and have a corresponding OEMConfig app. Consult your
OEM for specific details.
Prerequisites
To use OEMConfig on your devices, be sure you have the following requirements:
An Android Enterprise device enrolled in Intune.
An OEMConfig app built by the OEM, and uploaded to Google Play. If it's not on Google Play, contact the OEM
for more information.
The Intune administrator has role-based access control (RBAC ) permissions for Mobile apps, Device
Configurations, and the "read" permission under Android for Work. These permissions are required because
OEMConfig profiles use managed app configurations to manage device configurations.
TIP
OEMConfig apps are specific to the OEM. For example, a Sony OEMConfig app installed on a Zebra Technologies device
doesn't do anything.
1. Get the OEMConfig app from the Managed Google Play Store. Add Managed Google Play apps to Android
enterprise devices lists the steps.
2. Some OEMs may ship devices with the OEMConfig app pre-installed. If the app isn't preinstalled, use Intune to
add and deploy the app to devices.
IMPORTANT
If you added an OEMConfig app and synced it to Google Play, but it's not listed as an Associated app, you may
have to contact Intune to onboard the app. See adding a new app (in this article).
7. Select Next.
8. In Configure settings, select the Configuration designer or JSON editor:
TIP
Read the OEM documentation to make sure you're configuring the properties correctly. These app properties are
included by the OEM, not Intune. Intune does minimal validation of the properties, or what you enter. For example, if
you enter abcd for a port number, the profile saves as-is, and is deployed to your devices with the values you
configure. Be sure you enter the correct information.
Configuration designer: When you select this option, the properties available within the app
schema are shown for you to configure.
Context menus in the configuration designer indicate that more options are available. For
example, the context menu might let you add, delete, and reorder settings. These options are
included by the OEM. Be sure to read the OEM app documentation to learn how these options
should be used to create profiles.
Many settings have default values supplied by the OEM. To see if there's a default value, hover
over the info icon next to the setting. A tooltip shows the default values for that setting (if
applicable), and more details provided by the OEM.
Clicking Clear deletes a setting from the profile. If a setting isn't in the profile, its value on the
device won't change when the profile is applied.
If you create an empty (unconfigured) bundle in the configuration designer, it's deleted when
switching to the JSON editor.
JSON editor: When you select this option, a JSON editor opens with a template for the full
configuration schema embedded in the app. In the editor, customize the template with values for the
different settings. If you use the Configuration designer to change your values, the JSON editor
overwrites the template with values from the configuration designer.
If you're updating an existing profile, the JSON editor shows the settings that were last saved
with the profile.
OEMConfig schemas can be large and complex. If you prefer to update these settings using a
different editor, select the Download JSON template button. Use an editor of your choice to
add your configuration values to the template. Then, copy and paste your updated JSON in to
the JSON editor property.
You can use the JSON editor to create a backup of your configuration. After you configure
your settings, use this feature to get the JSON settings with your values. Copy and paste the
JSON to a file, and save it. Now you have a backup file.
Any changes made in the configuration designer are also made automatically in the JSON editor. Likewise,
any changes made in the JSON editor are automatically made in the configuration designer. If your input
contains invalid values, you can't switch between the configuration designer and JSON editor until you fix
the issues.
9. Select Next.
10. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or
JohnGlenn_ITDepartment . For more information about scope tags, see Use RBAC and scope tags for
distributed IT.
Select Next.
11. In Assignments, select the users or groups that will receive your profile. Assign one profile to each device.
The OEMConfig model only supports one policy per device.
For more information on assigning profiles, see Assign user and device profiles.
Select Next.
12. In Review + create, review your settings. When you select Create, your changes are saved, and the profile
is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the OEM -specific settings you configured are applied to
the OEMConfig app.
NOTE
The OEMConfig standard doesn't currently include status reporting. So, by default, profiles show a Pending status.
Honeywell com.honeywell.oemconfig
Kyocera jp.kyocera.enterprisedeviceconfig
Seuic com.seuic.seuicoemconfig
If an OEMConfig application exists for your device, but it isn’t in the table above, or isn't showing up in the Intune
console, email IntuneOEMConfig@microsoft.com .
NOTE
OEMConfig apps must on-boarded by Intune before they can be configured with OEMConfig profiles. Once an app is
supported, you don't need to contact Microsoft about setting it up in your tenant. Just follow the instructions on this page.
Next steps
Monitor the profile status.
Configure eSIM cellular profiles in Intune - Public
preview
12/19/2019 • 7 minutes to read • Edit Online
eSIM is an embedded SIM chip, and lets you connect to the Internet over a cellular data connection on an eSIM -
capable device, such as the Surface LTE Pro. With an eSIM, you don't need to get a SIM card from your mobile
operator. As a global traveler, you can also switch between mobile operators and data plans to always stay
connected.
For example, you have a cellular data plan for work, and another data plan with a different mobile operator for
personal use. When traveling, you can get Internet access by finding mobile operators with data plans in that area.
In Intune, you can import one time use activation codes provided by your mobile operator. To configure cellular
data plans on the eSIM module, deploy those activation codes to your eSIM -capable devices. When Intune installs
the activation code, the eSIM hardware module uses the data in the activation code to contact the mobile operator.
Once complete, the eSIM profile is downloaded on the device, and configured for cellular activation.
To deploy eSIM to your devices using Intune, the following are needed:
eSIM capable devices, such as the Surface LTE: See if your device supports eSIM. Or, see a list of some of the
known eSIM capable devices (in this article).
Windows 10 Fall creators update PC (1709 or later) that is enrolled and MDM managed by Intune
Activation codes provided by your mobile operator. These one time-use activation codes are added to Intune,
and deployed to your eSIM capable devices. Contact your mobile operator to acquire eSIM activation codes.
3. The csv file name becomes the cellular subscription pool name in the Endpoint Manager admin center. In
the previous image, the file name is UnlimitedDataSkynet.csv . So, Intune names the subscription pool
UnlimitedDataSkynet.csv :
Step 2: Create an Azure AD device group
Create a Device group that includes the eSIM capable devices. Add groups lists the steps.
NOTE
Only devices are targeted, users aren't targeted.
We recommend creating a static Azure AD device group that includes your eSIM devices. Using a group confirms you
target only eSIM devices.
5. When you select your groups, you're choosing an Azure AD group. To select multiple groups, use the Ctrl
key, and select the groups.
6. When done, Save your changes.
eSIM activation codes are used once. After Intune installs an activation code on a device, the eSIM module
contacts the mobile operator to download the cellular profile. This contact finishes registering the device with
mobile operator network.
NOTE
Removing the profile may not stop billing. Contact your mobile operator to check the billing status for your device.
Next steps
Configure device profiles
Set up a telecom expense management service in
Intune
2/19/2020 • 6 minutes to read • Edit Online
Using Intune, you can manage telecom expenses from data usage on organization-owned mobile devices. Intune
integrates with Saaswedo’s Datalert telecom expense management. Datalert is a real-time telecom expense
management solution that manages telecom data usage. It can help avoid costly and unexpected data and roaming
charges for your Intune-managed devices.
The integration with Datalert can set, monitor, and enforce roaming and domestic data usage limits. When the
limits exceed your defined thresholds, alerts are automatically triggered. You can also configure the service to
apply different actions, such as disabling roaming or exceeding the threshold, to individuals or groups. The Datalert
management console includes reports that show data usage and monitoring information.
The following image shows how Intune integrates with Datalert:
To use the Datalert service with Intune, there are some configuration settings in Datalert and Intune. This article
shows you how to:
Configure settings in the Datalert console to connect the Datalert service to Intune.
Confirm this connection is active and enabled in Intune.
Use Intune to add the Datalert app to your devices.
Turn off the Datalert service and for Intune (optional).
Supported platforms
Android 4.4 and newer devices that are Knox capable (Samsung)
Android versions that support Knox (opens Samsung's web site) lists the Knox supported versions.
iOS 8.0 and newer
iPadOS 13.0 and newer
Prerequisites
A subscription to Microsoft Intune, and access to the Microsoft Endpoint Manager admin center
A subscription to Datalert (opens Datalert's web site)
Telecom expense management providers
Intune integrates with the following telecom expense management provider:
Saaswedo Datalert telecom expense management service (opens Datalert's web site)
7. In Datalert App / ADAL Consent, set the switch to On. On the Microsoft authentication page, select
Accept.
You're redirected to a Datalert thank you page that closes after a few moments. Datalert validates the
connection, and shows green check marks next to the items that validated. If validation fails, you see a
message in red. Contact Datalert support for help.
The following image shows the green check marks when the connection succeeds:
8. In MDM Profiles management (optional), set the switch to On. This setting allows Datalert to read the
available profiles in Intune to help you set up policies.
On the Microsoft authentication page, select Accept.
You're redirected to a Datalert thank you page that closes after a few moments. Datalert validates the
connection, and shows green check marks next to the items that validated. If validation fails, you see a
message in red. Contact Datalert support for help.
The following image shows the green check marks when the connection succeeds:
5. Enter any additional properties, such as app information and scope tags:
6. Select OK > Add to save your changes. The Datalert app is shown in the list.
Assign the Datalert app to the corporate device group
1. In Apps > All apps, select the Datalert app you added in the previous step.
2. Select Assignments > Add group. Choose how the app is assigned. Assign apps to groups in Intune has
more details on these settings.
In these steps, you'll choose to make the app installation required or optional for the group. The following
example shows the installation as required. When required, users must install the Datalert app after
enrolling their device.
IMPORTANT
If you disable the Datalert service in Intune:
All the actions that are applied to devices due to past violations of the usage limits, are undone.
Users are no longer blocked from data access and roaming.
Intune still receives the signals coming from the service, but Intune ignores the signals.
Next steps
Data usage reporting is available in Saaswedo’s Datalert management console.
Create a profile with custom settings in Intune
2/19/2020 • 2 minutes to read • Edit Online
Available platforms
Custom settings are configured differently for each platform. For example, to control features on Android and
Windows devices, you can enter Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values. For Apple
devices, you can import a file you created with the Apple Configurator or Apple Profile Manager.
Custom profiles are created similar to built-in profiles, and are available on the following platforms:
Android
Android Enterprise
iOS/iPadOS
macOS
Windows 10
Windows Holographic for Business
Windows Phone 8.1
Next steps
Choose your platform, and get started:
Android
Android Enterprise
iOS/iPadOS
macOS
Windows 10
Windows Holographic for Business
Windows Phone 8.1
Assign user and device profiles in Microsoft
Intune
2/19/2020 • 6 minutes to read • Edit Online
You create a profile, and it includes all the settings you entered. The next step is to deploy or "assign" the
profile to your Azure Active Directory (Azure AD ) user or device groups. When it's assigned, the users
and devices receive your profile, and the settings you entered are applied.
This article shows you how to assign a profile, and includes some information on using scope tags on
your profiles.
NOTE
When a profile is removed or no longer assigned to a device, different things can happen, depending on the
settings in the profile. The settings are based on CSPs, and each CSP can handle the profile removal differently.
For example, a setting might keep the existing value, and not revert back to a default value. The behavior is
controlled by each CSP in the operating system. For a list of Windows CSPs, see configuration service provider
(CSP) reference.
To change a setting to a different value, create a new profile, configure the setting to Not configured, and assign
the profile. Once applied to the device, users should have control to change the setting to their preferred value.
When configuring these settings, we suggest deploying to a pilot group. For more Intune rollout advice, see
create a rollout plan.
On Windows 10 devices, you can add applicability rules so the profile only applies to a specific OS
version or a specific Windows edition. Applicability rules has more information.
Next steps
See monitor device profiles for guidance on monitoring your profiles, and the devices running your
profiles.
Monitor device profiles in Microsoft Intune
12/19/2019 • 4 minutes to read • Edit Online
Intune includes some features to help monitor and manage your device configuration profiles. For
example, you can check the status of a profile, see which devices are assigned, and update the properties
of a profile.
DFCI profiles are reported on a per-setting basis, just like other device configuration profiles. Depending
on the manufacturer’s support of DFCI, some settings may not apply.
With your DFCI profile settings, you may see the following states:
Compliant: This state shows when a setting value in the profile matches the setting on the device.
This state can happen in the following scenarios:
The DFCI profile successful configured the setting in the profile.
The device doesn't have the hardware feature controlled by the setting, and the profile setting is
Disabled.
UEFI doesn't allow DFCI to disable the feature, and the profile setting is Enabled.
The device lacks the hardware to disable the feature, and the profile setting is Enabled.
Not Applicable: This state shows when a setting value in the profile is Enabled, and the matching
setting on the device isn't found. This state can happen if the device hardware doesn't have the
feature.
Noncompliant: This state shows when a setting value in the profile doesn't match the setting on
the device. This state can happen in the following scenarios:
UEFI doesn't allow DFCI to disable a setting, and the profile setting is Disabled.
The device lacks the hardware to disable the feature, and the profile setting is Disabled.
The device doesn't have the latest DFCI firmware version.
DFCI was disabled before being enrolled in Intune using a local “opt-out” control in the UEFI
menu.
The device was enrolled to Intune outside of Autopilot enrollment.
The device wasn't registered to Autopilot by a Microsoft CSP, or registered directly by the OEM.
Next steps
Common questions, issues, and resolutions with device profiles
Troubleshoot policies and profiles and in Intune
Troubleshoot policies and profiles and in Intune
2/19/2020 • 6 minutes to read • Edit Online
Microsoft Intune includes some built-in troubleshooting features. Use these features to help troubleshoot
compliance policies and configuration profiles in your environment.
This article lists some common troubleshooting techniques, and describes some issues you may experience.
2. Choose Select user > select the user having an issue > Select.
3. Confirm that Intune License and Account Status both show green checks:
Helpful links:
Assign licenses so users can enroll devices
Add users to Intune
4. Under Devices, find the device having an issue. Review the different columns:
Managed: For a device to receive compliance or configuration policies, this property must show
MDM or EAS/MDM.
If Managed isn't set to MDM or EAS/MDM, then the device isn't enrolled. It doesn't receive
compliance or configuration policies until it's enrolled.
App protection policies (mobile application management) don't require devices to be enrolled.
For more information, see create and assign app protection policies.
Azure AD Join Type: Should be set to Workplace or AzureAD.
If this column is Not Registered, there may be an issue with enrollment. Typically, unenrolling
and re-enrolling the device resolves this state.
Intune compliant: Should be Yes. If No is shown, there may be an issue with compliance policies,
or the device isn't connecting to the Intune service. For example, the device may be turned off, or may
not have a network connection. Eventually, the device becomes non-compliant, possibly after 30
days.
For more information, see get started with device compliance policies.
Azure AD compliant: Should be Yes. If No is shown, there may be an issue with compliance
policies, or the device isn't connecting to the Intune service. For example, the device may be turned
off, or may not have a network connection. Eventually, the device becomes non-compliant, possibly
after 30 days.
For more information, see get started with device compliance policies.
Last check in: Should be a recent time and date. By default, Intune devices check in every 8 hours.
If Last check in is more than 24 hours, there may be an issue with the device. A device that
can't check in can't receive your policies from Intune.
To force check-in:
On the Android device, open the Company Portal app > Devices > Choose the device
from list > Check Device Settings.
On the iOS/iPadOS device, open the Company portal app > Devices > Choose the device
from list > Check Settings.
On a Windows device, open Settings > Accounts > Access Work or School > Select the
account or MDM enrollment > Info > Sync.
Select the device to see policy-specific information.
Device Compliance shows the states of compliance policies assigned to the device.
Device Configuration shows the states of configuration policies assigned to the device.
If the expected policies aren't shown under Device Compliance or Device Configuration, then the
policies aren't targeted correctly. Open the policy, and assign the policy to this user or device.
Policy states:
Not Applicable: This policy isn't supported on this platform. For example, iOS/iPadOS policies
don't work on Android. Samsung KNOX policies don't work on Windows devices.
Conflict: There's an existing setting on the device that Intune can't override. Or, you deployed two
policies with the same setting using different values.
Pending: The device hasn't checked into Intune to get the policy. Or, the device received the
policy but hasn't reported the status to Intune.
Errors: Look up errors and possible resolutions at Troubleshoot company resource access
problems.
Helpful links:
Ways to deploy device compliance policies
Monitor device compliance policies
NOTE
When two policies with different levels of restriction apply to the same device or user, the more restrictive policy applies.
NOTE
Don't attempt to remove the client from Programs and Features.
3. On the start menu, type UAC to open the User Account Control settings.
4. Move the notification slider to the default setting.
ERROR: Cannot obtain the value from the computer, 0x80041013
Occurs if the time on the local system is out of sync by five minutes or more. If the time on the local computer is
out of sync, secure transactions fail because the time stamps are invalid.
To resolve this issue, set the local system time as close as possible to Internet time. Or, set it to the time on the
domain controllers on the network.
Next steps
Common issues and resolutions with email profiles
Get support help from Microsoft, or use the community forums.
Common issues and resolutions with email profiles in
Microsoft Intune
2/19/2020 • 2 minutes to read • Edit Online
Review some common email profile issues, and how to troubleshoot and resolve them.
Next steps
Get support help from Microsoft, or use the community forums.
Troubleshoot and see potential issues on Android
Zebra devices in Microsoft Intune
12/19/2019 • 4 minutes to read • Edit Online
In Microsoft Intune, you can use Zebra Mobility Extensions (MX) to manage Android Zebra devices. When using
Zebra devices, you create profiles in StageNow to manage settings, and upload them to Intune. Intune uses the
StageNow app to apply the settings on the devices. The StageNow app also creates a detailed log file on the
device that's used to troubleshoot.
This feature applies to:
Android
For example, you create a profile in StageNow to configure a device. When you create the StageNow profile, the
last step generates a file for you test the profile. You consume this file with the StageNow app on the device.
In another example, you create a profile in StageNow, and test it. In Intune, you add the StageNow profile, and
then assign it to your Zebra devices. When checking the status of the assigned profile, the profile shows a high-
level status.
In both these cases, you can get more details from the StageNow log file, which is saved on the device every time
a StageNow profile applies.
Some issues aren't related to the contents of the StageNow profile, and aren't reflected in the logs.
This article shows you how to read the StageNow logs, and lists some other potential issues with Zebra devices
that may not be reflected in the logs.
Use and manage Zebra devices with Zebra Mobility Extensions has more information on this feature.
Examples
For example, you have the following input profile:
<wap-provisioningdoc>
<characteristic type="Clock">
<parm name="AutoTime" value="false"/>
<parm name="TimeZone" value="GMT-5"/>
<parm name="Date" value="2014-12-03"/>
<parm name="Time" value="11:11:11"/>
</characteristic>
</wap-provisioningdoc>
In the log, the XML is identical to the input. This matching output means the profile successfully applied to the
device with no errors:
<wap-provisioningdoc>
<characteristic type="Clock" version="6.0">
<parm name="AutoTime" value="false"/>
<parm name="TimeZone" value="GMT-5"/>
<parm name="Date" value="2014-12-03"/>
<parm name="Time" value="11:11:11"/>
</characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
<characteristic type="XmlMgr" version="4.2" >
<parm name="ProcessingMode" value="1"/>
</characteristic>
<characteristic type="AppMgr" version="4.2" >
<parm name="Action" value="Install"/>
<parm name="APK" value="/sdcard/test.apk"/>
</characteristic>
</wap-provisioningdoc>
The log shows an error, as it contains a <characteristic-error> tag. In this scenario, the profile tried to install an
Android package (APK) that doesn't exist in the given path:
<wap-provisioningdoc>
<characteristic type="XmlMgr" version="4.2">
<parm name="ProcessingMode" value="1"/>
</characteristic>
<characteristic-error type="AppMgr" version="5.1" desc="missing">
<parm-error name="Action" value="Install" desc="apk doesnot exist in the path"/>
<parm name="APK" value="/sdcard/test.apk"/>
</characteristic-error>
</wap-provisioningdoc>
Next steps
Zebra discussion boards (opens Zebra's web site)
Use and manage Zebra devices with Zebra Mobility Extensions in Intune
Common questions, issues, and resolutions with
device policies and profiles in Microsoft Intune
2/19/2020 • 7 minutes to read • Edit Online
Get answers to common questions when working with device profiles and policies in Intune. This article also lists
the check-in time intervals, provides more detains on conflicts, and more.
How long does it take for devices to get a policy, profile, or app after
they are assigned?
Intune notifies the device to check in with the Intune service. The notification times vary, including immediately up
to a few hours. These notification times also vary between platforms.
If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts.
An offline device, such as turned off, or not connected to a network, may not receive the notifications. In this case,
the device gets the policy or profile on its next scheduled check-in with the Intune service. The same applies to
checks for non-compliance, including devices that move from a compliant to a non-compliant state.
Estimated frequencies:
If the device recently enrolled, the compliance, non-compliance, and configuration check-in runs more frequently,
which is estimated at:
PLATFORM FREQUENCY
iOS/iPadOS Every 15 minutes for 1 hour, and then around every 8 hours
macOS Every 15 minutes for 1 hour, and then around every 8 hours
Windows 10 PCs enrolled as devices Every 3 minutes for 15 minutes, then every 15 minutes for 2
hours, and then around every 8 hours
Windows Phone Every 5 minutes for 15 minutes, then every 15 minutes for 2
hours, and then around every 8 hours
Windows 8.1 Every 5 minutes for 15 minutes, then every 15 minutes for 2
hours, and then around every 8 hours
At any time, users can open the Company Portal app, Settings > Sync to immediately check for policy or profile
updates.
What happens when app protection policies conflict with each other?
Which one is applied to the app?
Conflict values are the most restrictive settings available in an app protection policy except for the number entry
fields, such as PIN attempts before reset. The number entry fields are set the same as the values, as if you created
a MAM policy using the recommended settings option.
Conflicts happen when two profile settings are the same. For example, you configured two MAM policies that are
identical except for the copy/paste setting. In this scenario, the copy/paste setting is set to the most restrictive
value, but the rest of the settings are applied as configured.
A policy is deployed to the app and takes effect. A second policy is deployed. In this scenario, the first policy takes
precedence, and stays applied. The second policy shows a conflict. If both are applied at the same time, meaning
that there isn't preceding policy, then both are in conflict. Any conflicting settings are set to the most restrictive
values.
Next steps
Need extra help? See How to get support for Microsoft Intune.
Android and Samsung Knox Standard device
restriction settings lists in Intune
12/19/2019 • 10 minutes to read • Edit Online
This article shows you all the Microsoft Intune device restrictions settings that you can configure for devices
running Android.
TIP
If the settings you want are not available, you might be able to configure your devices using a custom profile.
General
Camera: Choose Block to prevent access to the camera. Not configured allows access to the device's camera.
Copy and paste (Samsung Knox only): Choose Block to prevent copy-and-paste. Not configured allows
copy and paste functions on the device.
Clipboard sharing between apps (Samsung Knox only): Choose Block to prevent using the clipboard to
copy-and-paste between apps. Not configured allows using the clipboard to copy and paste between apps.
Diagnostic data submission (Samsung Knox only): Choose Block to stop the user from submitting
diagnostic data from the device. Not configured allows the user to submit the data.
Wipe (Samsung Knox only): Allows the user to run a wipe action on the device.
Geolocation (Samsung Knox only): Choose Block to disable the device from using location information.
Not configured allows the device to use the location information.
Power off (Samsung Knox only): Choose Block to prevent the user from powering off device. If this setting
is disabled, the Number of sign-in failures before wiping device setting can't be set, and doesn't work. Not
configured allows the user to power off the device.
Screen capture (Samsung Knox only): Choose Block to prevent screenshots. Not configured lets the user
capture the screen contents as an image.
Voice assistant (Samsung Knox only): Choose Block to disable the S Voice service. Not configured allows
the use of S Voice service and app on the device. This setting doesn't apply to Bixby or the voice assistant for
accessibility that reads the screen content aloud.
YouTube (Samsung Knox only): Choose Block to prevent users from using the YouTube app. Not
configured allows using the YouTube app on the device.
Shared devices (Samsung Knox only): Configure a managed Samsung Knox Standard device as shared.
When set to Allow, end users can sign in and out of the device with their Azure AD credentials. The device stays
managed, whether it’s in use or not.
When used in with a SCEP certificate profile, this feature allows end users to share a device with the same apps
for all users. But, each user has their own SCEP user certificate. When users sign out, all app data is cleared. This
feature is limited to LOB apps only.
Not configured prevents multiple end users from signing in to the Company Portal app on the device using
their Azure AD credentials.
Block date and time changes (Samsung Knox): Choose Block to prevent the user from changing the date
and time settings on the device. Not configured allows users to change the date and time settings.
Password
Password: Require the end user to enter a password to access the device. Not configured allows users to
access the device without entering a password.
NOTE
Samsung Knox devices automatically require a 4-digit PIN during MDM enrollment. Native Android devices may
automatically require a PIN to become compliant with Conditional Access.
Minimum password length: Enter the minimum length of password a user must enter (between 4 and 16
characters).
Maximum minutes of inactivity until screen locks: Enter the maximum number of minutes of inactivity
allowed on the device until the screen locks. On a device, an end user can’t set a time value greater than the
configured time in the profile. An end user can set a lower time value. For example, if the profile is set to 15
minutes, an end user can set the value to 5 minutes. An end user can’t set the value to 30 minutes.
Number of sign-in failures before wiping device: Enter the number of sign-in failures to allow before
the device is wiped.
Password expiration (days): Enter the number of days before the device password must be changed.
Required password type: Enter the required password complexity level, and whether biometric devices can
be used. Your options:
Device default
Low security biometric
At least numeric
Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed.1
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols
Prevent reuse of previous passwords: Stops the end user from creating a password they've used before.
Fingerprint unlock (Samsung Knox only): Choose Block to prevent using a fingerprint to unlock the
device. Not configured allows the user to unlock the device using a fingerprint.
Smart Lock and other trust agents: Choose Block to prevent Smart Lock or other trust agents from
adjusting lock screen settings (Samsung KNOX Standard 5.0+). This phone feature, sometimes known as a
trust agent, lets you disable or bypass the device lock screen password if the device is in a trusted location.
For example, this feature can be used when the device is connected to a specific Bluetooth device, or when
it's close to an NFC tag. You can use this setting to prevent users from configuring Smart Lock.
Encryption: Choose Require so that files on the device are encrypted. Not all devices support encryption.
To use this feature, also:
1. Set Password to Require.
2. Set Required password type to At least numeric.
3. Set Minimum password length to at least 4 to correctly report compliance for this setting.
NOTE
If an encryption policy is enforced, Samsung Knox devices require users to set a 6-character complex password as the
device passcode.
1 Before you assign this setting to devices, be sure to update the Company Portal app to the latest version on those
devices.
If you set Required password type to Numeric complex, and then assign it to a device running a version of
Android earlier than 5.0, then following behavior applies:
If the Company Portal app is running a version earlier than 1704, no PIN policy is applied to the device, and an
error is shown in the Microsoft Endpoint Manager admin center.
If the Company Portal app runs the 1704 version or later, only a simple PIN can be applied. Versions of Android
earlier than 5.0 don't support this setting. No error is shown in the Microsoft Endpoint Manager admin center.
Restricted apps
Use these settings to allow or prevent specific apps on the device. This feature is supported on Android and
Samsung Knox Standard devices:
Prohibited apps: A list of apps not managed by Intune that you don't want installed on the device. If a user
installs an app from this list, you're notified by Intune.
Approved apps: A list of apps that users are allowed to install. To stay compliant, users must not install other
apps. Apps that are managed by Intune are automatically allowed.
To add app to these lists, you can:
Add the Google Play Store URL of the app you want. For example, to add the Microsoft Remote Desktop app
for Android, enter https://play.google.com/store/apps/details?id=com.microsoft.rdc.android . To find the URL of
an app, open the Google Play store, and search for the app. For example, search for
Microsoft Remote Desktop Play Store or Microsoft Planner . Select the app, and copy the URL.
Import a CSV file with details about the app, including the URL. Use the <app url>, <app name>, <app
publisher> format. Or, Export an existing list that includes the restricted apps list in the same format.
IMPORTANT
Device profiles that use the restricted app settings must be assigned to groups of users.
Browser
Web browser (Samsung Knox only): Choose Block to prevent the default web browser from being used on
the device. Not configured allows the device's default web browser to be used.
Autofill (Samsung Knox only): Choose Block to prevent the autofill of text in the browser. Not configured
allows the autofill function of the web browser to be used.
Cookies (Samsung Knox only): Choose how you want to handle cookies from websites on the device. Your
options:
Allow
Block all cookies
Allow cookies from visited web sites
Allow cookies from current web site
Javascript (Samsung Knox only): Choose Block to prevent the web browser from running Java scripts. Not
configured allows the device web browser to run Java scripts.
Pop-ups (Samsung Knox only): Choose Block to prevent pop-ups in the web browser. Not configured
allows pop-ups in the web browser.
Kiosk
Kiosk settings apply only to Samsung Knox Standard devices, and only to apps you manage using Intune.
Add apps you want to run when the device is in kiosk mode. In kiosk mode, only the apps you add run; apps
not added don't run. Pre-installed browsers don't run as an app when the device is in kiosk mode. If a
browser is required, consider using the Managed Browser.
Your app options:
Add apps by package name: Primarily used for line-of-business apps. Enter the app name, and the
name of the app package.
Add apps by URL: Enter the app name, and its URL in the Google Play store.
Add store app: Select an app from the existing list of apps you manage in Intune.
Screen sleep button: Choose Block to prevent or hide the screen sleep button. Not configured allows
the screen sleep wake button on the device.
Volume buttons: Choose Block to prevent the user from adjusting the volume by disabling the volume
buttons. Not configured allows using the volume buttons on the device.
Next steps
Assign the profile and monitor its status.
You can also create kiosk profiles for Android Enterprise and Windows 10 devices.
Android device settings to configure email,
authentication, and synchronization in Intune
2/19/2020 • 2 minutes to read • Edit Online
This article lists and describes the different email settings you can control on Android Samsung Knox devices in
Intune. As part of your mobile device management (MDM ) solution, use these settings to configure an email
server, use SSL to encrypt emails, and more.
As an Intune administrator, you can create and assign email settings to Android Samsung Knox Standard devices.
To learn more about email profiles in Intune, see configure email settings.
sAM Account Name: Requires the domain, such as domain\user1 . sAM account name is only used
with Android devices.
Also enter:
User domain name source: Choose AAD (Azure Active Directory) or Custom.
When choosing to get the attributes from AAD, enter:
User domain name attribute from AAD: Choose to get the Full domain name or the
NetBIOS name attribute of the user
When choosing to use Custom attributes, enter:
Custom domain name to use: Enter a value that Intune uses for the domain name, such
as contoso.com or contoso
Email address attribute from AAD: This name is the email attribute Intune gets from Azure AD. Intune
dynamically generates the email address that's used by this profile. Your options:
User principal name: Uses the full principal name, such as user1@contoso.com or user1 , as the email
address.
Primary SMTP address: Uses the primary SMTP address, such as user1@contoso.com , to sign in to
Exchange.
Authentication method: Select either Username and Password or Certificates as the authentication
method used by the email profile.
If you select Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
Security settings
SSL: Use Secure Sockets Layer (SSL ) communication when sending emails, receiving emails, and
communicating with the Exchange server.
S/MIME: Send outgoing email using S/MIME encryption.
If you select Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
Synchronization settings
Amount of email to synchronize: Choose the number of days of email that you want to synchronize, or select
Unlimited to synchronize all available email.
Sync schedule: Select the schedule for devices to synchronize data from the Exchange server. You can also
select As Messages arrive, which synchronizes data when it arrives, or Manual, where the user of the device
must initiate the synchronization.
Content sync settings
Content type to sync: Select the content types that you want to synchronize on the devices. Not
configured disables this setting. When set to Not configured, if an end user enables synchronization on
the device, synchronization is disabled again when the device syncs with Intune, as the policy is reinforced.
You can sync the following content:
Contacts: Choose Enable to allow end users to sync contacts to their devices.
Calendar: Choose Enable to allow end users to sync the calendar to their devices.
Tasks: Choose Enable to allow end users to sync any tasks to their devices.
Next steps
Assign the profile and monitor its status.
You can also create email profiles for Android Enterprise - work profile, iOS/iPadOS, Windows 10 and later, and
Windows Phone 8.1.
Android device settings to configure VPN in Intune
2/19/2020 • 2 minutes to read • Edit Online
This article lists and describes the different VPN connection settings you can control on Android devices. As part
of your mobile device management (MDM ) solution, use these settings to create a VPN connection, choose how
the VPN authenticates, select a VPN server type, and more.
As an Intune administrator, you can create and assign VPN settings to Android devices.
To learn more about VPN profiles in Intune, see VPN profiles.
Base VPN
Connection name: Enter a name for this connection. End users see this name when they browse their
device for the available VPN connections. For example, enter Contoso VPN .
IP address or FQDN: Enter the IP address or fully qualified domain name (FQDN ) of the VPN server that
devices connect. For example, enter 192.168.1.1 or vpn.contoso.com.
Authentication method: Choose how devices authenticate to the VPN server. Your options:
Certificates: Select an existing SCEP or PKCS certificate profile to authenticate the connection.
Configure certificates lists the steps to create a certificate profile.
Username and password: When signing into the VPN server, end users are prompted to enter
their user name and password.
Connection type: Select the VPN connection type. Your options:
Check Point Capsule VPN
Cisco AnyConnect
SonicWall Mobile Connect
F5 Access
Pulse Secure
Citrix SSO
Fingerprint (Check Point Capsule VPN only): Enter a string, such as Contoso Fingerprint Code, to verify
that the VPN server can be trusted. A fingerprint is sent to the client so the client knows to trust any server
that has the same fingerprint. If the device doesn’t have the fingerprint, it prompts the user to trust the
VPN server while showing the fingerprint. The user manually verifies the fingerprint, and chooses to trust
to connect.
Enter key and value pairs for the Citrix VPN attributes (Citrix only): Enter key and value pairs,
provided by Citrix. These values configure the properties of the VPN connection.
You can also Import a comma-separated values file (.csv) with keys and value pairs. Be sure to review the
My data has headers and Key properties.
After you've added your key and values pairs, use Export to back up your data to a .csv file.
Next steps
Assign the profile and monitor its status.
You can also create VPN profiles for Android Enterprise, iOS/iPadOS, macOS, Windows 10 and later, Windows
8.1, and Windows Phone 8.1 devices.
Add Wi-Fi settings for devices running Android in
Microsoft Intune
2/26/2020 • 3 minutes to read • Edit Online
You can create a profile with specific WiFi settings, and then deploy this profile to your Android devices. Microsoft
Intune offers many features, including authenticating to your network, adding a PKS or SCEP certificate, and
more.
These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise-level settings.
This article describes these settings.
Basic
Wi-Fi type: Choose Basic.
SSID: Enter the service set identifier, which is the real name of the wireless network that devices connect to.
However, users only see the network name you configured when they choose the connection.
Hidden network: Choose Enable to hide this network from the list of available networks on the device. The
SSID isn't broadcasted. Choose Disable to show this network in the list of available networks on the device.
Enterprise
Wi-Fi type: Choose Enterprise.
SSID: Enter the service set identifier, which is the real name of the wireless network that devices connect
to. However, users only see the network name you configured when they choose the connection.
Hidden network: Choose Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Choose Disable to show this network in the list of available networks on the
device.
EAP type: Choose the Extensible Authentication Protocol (EAP ) type used to authenticate secured wireless
connections. Your options:
EAP -TLS: Also enter:
Server Trust - Root certificate for server validation: Choose an existing trusted root
certificate profile. This certificate is presented to the server when the client connects to the
network. It authenticates the connection.
Client Authentication - Client certificate for client authentication (Identity
certificate): Choose the SCEP or PKCS client certificate profile that is also deployed to the
device. This certificate is the identity presented by the device to the server to authenticate the
connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP identity
request. This text can be any value, such as anonymous . During authentication, this anonymous
identity is initially sent, and then followed by the real identification sent in a secure tunnel.
EAP -TTLS: Also enter:
Server Trust - Root certificate for server validation: Choose an existing trusted root
certificate profile. This certificate is presented to the server when the client connects to the
network. It authenticates the connection.
Client Authentication: Choose an Authentication method. Your options:
Username and Password: Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you choose the same protocol that's configured on your Wi-
Fi network. Your options:
Unencrypted password (PAP )
Challenge Handshake Authentication Protocol (CHAP )
Microsoft CHAP (MS -CHAP )
Microsoft CHAP Version 2 (MS -CHAP v2)
Certificates: Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
PEAP: Also enter:
Server Trust - Root certificate for server validation: Choose an existing trusted root
certificate profile. This certificate is presented to the server when the client connects to the
network. It authenticates the connection.
Client Authentication: Choose an Authentication method. Your options:
Username and Password: Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method for authentication (inner identity): Choose how you
authenticate the connection. Be sure you choose the same protocol that's
configured on your Wi-Fi network. Your options:
None
Microsoft CHAP Version 2 (MS -CHAP v2)
Certificates: Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
Next steps
The profile is created, but it's not doing anything. Next, assign this profile.
More resources
Wi-Fi settings overview, including other platforms.
Using Android Enterprise or Android Kiosk devices? If yes, then look at Wi-Fi settings for devices running
Android Enterprise and dedicated devices.
Use custom settings for Android devices in Microsoft
Intune
12/19/2019 • 2 minutes to read • Edit Online
Using Microsoft Intune, you can add or create custom settings for your Android devices using a "custom profile".
Custom profiles are a feature in Intune. They are designed to add device settings and features that aren't built in to
Intune.
Android custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to configure
different features on Android devices. These settings are typically used by mobile device manufacturers to control
these features.
Using a custom profile, you can configure and assign the following Android settings. The following settings aren't
built in to Intune:
Create a Wi-Fi profile with a pre-shared key
Create a per-app VPN profile
Allow and block apps for Samsung Knox Standard devices
IMPORTANT
Only the settings listed can be configured by in a custom profile. Android devices don't expose a complete list of OMA-URI
settings you can configure. If you'd like to see more settings, then vote for more settings at the Intune Uservoice site.
This article shows you how to create a custom profile for Android devices.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Create a custom profile on Android Enterprise devices.
Use custom policies in Microsoft Intune to allow and
block apps for Samsung Knox Standard devices
12/19/2019 • 2 minutes to read • Edit Online
Use the procedure in this article to create a Microsoft Intune custom policy that creates one of the following:
A list of apps that are blocked from running on the device. Apps in this list are blocked from being run, even if
they were already installed when the policy was applied.
A list of apps that users of the device are allowed to install from the Google Play store. Only the apps you list
can be installed. No other apps can be installed from the store.
These settings can only be used by devices that run Samsung Knox Standard.
TIP
You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the
URL of the app's page. For example, the package ID of the Microsoft Word app is com.microsoft.office.word.
The next time each targeted device checks in, the app settings are applied.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Android Enterprise device settings to allow or restrict
features using Intune
2/5/2020 • 27 minutes to read • Edit Online
This article lists and describes the different settings you can control on Android Enterprise devices. As part of your
mobile device management (MDM ) solution, use these settings to allow or disable features, run apps on dedicated
devices, control security, and more.
IMPORTANT
When using single-app kiosk mode, dialer/phone apps may not function properly.
Multi-app: Users can access a limited set of apps on the device. When the device starts, only the apps you
add start. You can also add some web links that users can open. When the policy is applied, users see icons
for the allowed apps on the home screen.
IMPORTANT
For multi-app dedicated devices, the Managed Home Screen app from Google Play must be:
Added as a client app in Intune
Assigned to the device group created for your dedicated devices
The Managed Home Screen app isn't required to be in the configuration profile, but it is required to be added as a
client app. When the Managed Home Screen app is added as a client app, any other apps you add in the
configuration profile are shown as icons on the Managed Home Screen app.
When using multi-app kiosk mode, dialer/phone apps may not function properly.
NOTE
For most cases, we recommend starting with images of at least the following sizes:
Phone: 1080x1920 px
Tablet: 1920x1080 px
For the best experience and crisp details, it’s suggested that per device image assets be created to the display
specifications.
Modern displays have higher pixel densities and can display equivalent 2K/4K definition images.
Wi-Fi configuration: Enable shows the Wi-Fi control on the Managed Home Screen, and allows
end users to connect the device to different WiFi networks. Enabling this feature also turns on device
location. Not configured (default) doesn't show the Wi-Fi control on the Managed Home Screen. It
prevents users from connecting to Wi-Fi networks while using the Managed Home Screen.
Bluetooth configuration: Enable shows the Bluetooth control on the Managed Home Screen, and
allows end users to pair devices over Bluetooth. Enabling this feature also turns on device location.
Not configured (default) doesn't show the Bluetooth control on the Managed Home Screen. It
prevents users from configuring Bluetooth and pairing devices while using the Managed Home
Screen.
Flashlight access: Enable shows the flashlight control on the Managed Home Screen, and allows
end users to turn the flashlight on or off. Not configured (default) doesn't show the flashlight
control on Managed Home Screen. It prevents users from using the flashlight while using the
Managed Home Screen.
Media volume control: Enable shows the media volume control on the Managed Home Screen,
and allows end users to adjust the device's media volume using a slider. Not configured (default)
doesn't show the media volume control on Managed Home Screen. It prevents users from adjusting
the device's media volume while using the Managed Home Screen, unless their hardware buttons
support it.
Screen saver mode: Enable shows a screensaver on the Managed Home Screen when the device is
locked or times out. Not configured (default) doesn't show a screensaver on the Managed Home
Screen.
When enabled, also configure:
Set custom screen saver image: Enter the URL to a custom PNG, JPG, JPEG, GIF, BMP,
WebP, or ICOimage. For example, enter:
http://www.contoso.com/image.jpg
www.contoso.com/image.bmp
https://www.contoso.com/image.webp
If you don't enter a URL, then the device's default image is used, if there is a default image.
TIP
Any file resource URL that can be turned into a bitmap is supported.
Number of seconds the device shows screen saver before turning off screen: Choose
how long the device shows the screensaver. Enter a value between 0-9999999 seconds.
Default is 0 seconds. When left blank, or set to zero ( 0 ), the screen saver is active until a
user interacts with the device.
Number of seconds the device is inactive before showing screen saver: Choose how
long the device is idle before showing the screensaver. Enter a value between 1-9999999
seconds. Default is 30 seconds. You must enter a number greater than zero ( 0 ).
Detect media before starting screen saver: Enable (default) doesn't show the screen saver
if audio or video is playing on the device. Not configured shows the screen saver, even if
audio or video is playing.
Device password settings
Disable lock screen: Choose Disable to prevent users from using Keyguard lock screen feature on the
device. Not configured allows the user to use the Keyguard features.
Disabled lock screen features: When keyguard is enabled on the device, choose which features to disable.
For example, when Secure camera is checked, the camera feature is disabled on the device. Any features
not checked are enabled on the device.
These features are available to users when the device is locked. Users won't see or access features that are
checked.
Required password type: Define the type of password required for the device. Your options:
Device default
Password required, no restrictions
Weak biometric: Strong vs. weak biometrics (opens Android's web site)
Numeric: Password must only be numbers, such as 123456789 . Enter the minimum password
length a user must enter, between 4 and 16 characters.
Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed.
Enter the minimum password length a user must enter, between 4 and 16 characters.
Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't required. Enter the
minimum password length a user must enter, between 4 and 16 characters.
Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters. Enter the
minimum password length a user must enter, between 4 and 16 characters.
Alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters,
punctuation marks, and symbols. Also enter:
Minimum password length: Enter the minimum length the password must have, between 4 and
16 characters.
Number of characters required: Enter the number of characters the password must have,
between 0 and 16 characters.
Number of lowercase characters required: Enter the number of lowercase characters the
password must have, between 0 and 16 characters.
Number of uppercase characters required: Enter the number of uppercase characters the
password must have, between 0 and 16 characters.
Number of non-letter characters required: Enter the number of non-letters (anything other
than letters in the alphabet) the password must have, between 0 and 16 characters.
Number of numeric characters required: Enter the number of numeric characters ( 1 , 2 , 3 ,
and so on) the password must have, between 0 and 16 characters.
Number of symbol characters required: Enter the number of symbol characters ( & , # , % ,
and so on) the password must have, between 0 and 16 characters.
Number of days until password expires: Enter the number of days, between 1-365, until the device
password must be changed. For example, to change the password after 60 days, enter 60 . When the
password expires, users are prompted to create a new password.
Number of passwords required before user can resuse a password: Enter the number of recent
passwords that can't be reused, between 1-24. Use this setting to restrict the user from creating previously
used passwords.
Number of sign-in failures before wiping device: Enter the number, between 4-11, of failed sign-ins to
allow before the device is wiped.
Power settings
Time to lock screen: Enter the maximum time a user can set until the device locks. For example, if you set
this setting to 10 minutes, then users can set the time from 15 seconds up to 10 minutes. When set to Not
configured (default), Intune doesn't change or control this setting.
Screen on while device plugged in: Choose which power sources cause the device's screen to stay on
when plugged in.
Users and Accounts settings
Add new users: Choose Block to prevent users from adding new users. Each user has a personal space on
the device for custom Home screens, accounts, apps, and settings. Not configured (default) allows users to
add other users to the device.
User removal: Choose Block to prevent users from removing users. Not configured (default) allows
users to remove other users from the device.
Account changes (dedicated devices only): Choose Block to prevent users from modifying accounts. Not
configured (default) allows users to update user accounts on the device.
NOTE
This setting isn't honored on device owner (fully managed) devices. If you configure this setting, then the setting is
ignored, and has no impact.
User can configure credentials: Block prevents users from configuring certificates assigned to devices,
even devices that aren't associated with a user account. Not configured might make it possible for users to
configure or change their credentials when they access them in the keystore.
Personal Google Accounts: Block prevents users from adding their personal Google account to the
device. Not configured (default) allows users to add their personal Google account.
Applications
Allow installation from unknown sources: Choose Allow so users can turn on Unknown sources. This
setting allows apps to install from unknown sources, including sources other than the Google Play Store. Not
configured prevents users from turning on Unknown sources.
Allow access to all apps in Google Play store: When set to Allow, users get access to all apps in Google
Play store. They don't get access to the apps the administrator blocks in Client Apps. Not configured forces
users to only access the apps the administrator makes available Google Play store, or apps required in Client
Apps.
App auto-updates: Choose when automatic updates are installed. Your options:
Not configured
User choice
Never
Wi-Fi only
Always
Connectivity
Always-on VPN: Choose Enable to set a VPN client to automatically connect and reconnect to the VPN.
Always-on VPN connections stay connected or immediately connect when the user locks their device, the
device restarts, or the wireless network changes.
Choose Not configured to disable always-on VPN for all VPN clients.
IMPORTANT
Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to a
single device isn't supported.
VPN client: Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID: Enter the package ID of the app in the Google Play store. For example, if the URL for
the app in the Play store is https://play.google.com/store/details?id=com.contosovpn.android.prod ,
then the package ID is com.contosovpn.android.prod .
IMPORTANT
The VPN client you choose must be installed on the device, and it must support per-app VPN in work profiles.
Otherwise, an error occurs.
You do need to approve the VPN client app in the Managed Google Play Store, sync the app to Intune, and
deploy the app to the device. After you do this, then the app is installed in the user's work profile.
You still need to configure the VPN client with a VPN profile, or through an app configuration profile.
There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. See F5's release notes for
F5 Access for Android 3.0.4 for more information.
Lockdown mode: Choose Enable to force all network traffic to use the VPN tunnel. If a connection to the
VPN isn't established, then the device won't have network access.
Choose Not configured to allow traffic to flow through the VPN tunnel or through the mobile network.
Recommended global proxy: Choose Enable to add a global proxy to the devices. When enabled, HTTP
and HTTPS traffic, including some apps on the device, use the proxy you enter. This proxy is only a
recommendation. It's possible some apps won't use the proxy. Not configured (default) doesn't add a
recommended global proxy.
For more information on this feature, see setRecommendedGlobalProxy (opens an Android site).
When enabled, also enter the Type of proxy. Your options:
Direct: Choose this option to manually enter the proxy server details, including:
Host: Enter the hostname or IP address of your proxy server. For example, enter
proxy.contoso.com or 127.0.0.1 .
Port number: Enter the TCP port number used by the proxy server. For example, enter 8080 .
Excluded hosts: Enter a list of host names or IP addresses that won't use the proxy. This list can
include an asterisk ( * ) wildcard and multiple hosts separated by semicolons ( ; ) with no spaces.
For example, enter 127.0.0.1;web.contoso.com;*.microsoft.com .
Proxy Auto-Config: Enter the PAC URL to a proxy autoconfiguration script. For example, enter
https://proxy.contoso.com/proxy.pac .
For more information on PAC files, see Proxy Auto-Configuration (PAC ) file (opens a non-Microsoft
site).
NOTE
Google accounts can't be added to a work profile.
Contact sharing via Bluetooth: Enables access to work contacts from another device, such as a car, that is
paired using Bluetooth. By default, this setting isn't configured, and work profile contacts aren't shown.
Select Enable to allow this sharing, and show work profile contacts. This setting applies to Android work
profile devices on Android OS v6.0 and newer. Enabling this setting may allow certain Bluetooth devices to
cache work contacts upon first connection. Disabling this policy after an initial pairing/sync may not remove
work contacts from a Bluetooth device.
Screen capture: Choose Block to prevent screenshots or screen captures on the device in the work profile.
It also prevents the content from being shown on display devices that don't have a secure video output. Not
configured allows getting screenshots.
Display work contact caller-id in personal profile: When enabled (Not configured), the work contact
caller details are displayed in the personal profile. When set to Block, the work contact caller number isn't
displayed in the personal profile. Applies to Android OS v6.0 and newer versions.
Search work contacts from personal profile: Choose Block to prevent users from searching for work
contacts in apps in the personal profile. Not required allows searching for work contacts in the personal
profile.
Camera: Choose Block to prevent access to the camera on the device in the work profile. The camera on
the personal side is not affected by the setting. Not required allows access to the camera in the work
profile.
Allow widgets from work profile apps: Enable allows end users to put widgets exposed by apps on the
home screen. Not configured (default) disables this feature.
For example, Outlook is installed on your users' work profiles. When set to Enable, users can put the
agenda widget on the device home screen.
Work Profile Password
Require Work Profile Password: Applies to Android 7.0 and above with work profile enabled. Choose
Require to enter a passcode policy that applies only to the apps in the work profile. By default, the end user can
use the two separately defined PINs, or users can choose to combine the PINs into the stronger of the two
PINs. Not configured allows the user to use work apps, without entering a password.
Minimum password length: Enter the minimum number of characters the user's password must have, from
4-16.
Maximum minutes of inactivity until work profile locks: Select the amount of time before the work profile
locks. The user must then enter their credentials to regain access.
Number of sign-in failures before wiping device: Enter the number of times an incorrect password can be
entered before the work profile is wiped from the device.
Password expiration (days): Enter the number of days until an end user's password must be changed (from
1-255).
Required password type: Select the type of password that must be set on the device. Choose from:
Device default
Low security biometric
Required
At least numeric
Numeric complex: Repeating, or consecutive numbers like '1111' or '1234' aren't allowed
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols
Prevent reuse of previous passwords: Enter the number of new passwords that must be used before an old
password can be reused (from 1-24).
Fingerprint unlock: Choose Block to prevent end users from using the device fingerprint scanner to unlock
the device. Not configured allows users to unlock devices with a fingerprint in the work profile.
Smart Lock and other trust agents: Choose Block to prevent Smart Lock or other trust agents from
adjusting lock screen settings on compatible devices. This feature, also known as a trust agent, lets you disable
or bypass the device lock screen password if the device is in a trusted location. For example, bypass the work
profile password when the device is connected to a specific Bluetooth device, or when it's close to an NFC tag.
Use this setting to prevent users from configuring Smart Lock.
Device password
These password settings apply to personal profiles on devices that use a work profile.
Minimum password length: Enter the minimum number of characters the user's password must have, from
4-14.
Maximum minutes of inactivity until screen locks: Select the amount of time before an inactive device
automatically locks
Number of sign-in failures before wiping device: Enter the number of times an incorrect password can be
entered before the work profile is wiped from the device.
Password expiration (days): Enter the number of days until an end user's password must be changed (from
1-255)
Required password type: Select the type of password that must be set on the device. Choose from:
Device default
Low security biometric
Required
At least numeric
Numeric complex: Repeating, or consecutive numbers like '1111' or '1234' are not allowed
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols
Prevent reuse of previous passwords: Enter the number of new passwords that must be used before an old
password can be reused (from 1-24).
Fingerprint unlock: Choose Block to prevent end user from using the device fingerprint scanner to unlock the
device. Not configured allows the user to unlock the device using a fingerprint.
Smart Lock and other trust agents: Choose Block to prevent Smart Lock or other trust agents from
adjusting lock screen settings on compatible devices. This feature, also known as a trust agent, lets you disable
or bypass the device lock screen password if the device is in a trusted location. For example, bypass the work
profile password when the device is connected to a specific Bluetooth device, or when it's close to an NFC tag.
Use this setting to prevent users from configuring Smart Lock.
System security
Threat scan on apps: Require enforces that the Verify Apps setting is enabled for work and personal
profiles.
NOTE
This setting only works for devices that are Android 8 (Oreo) and above.
Prevent app installations from unknown sources in the personal profile: By design, Android
Enterprise work profile devices can't install apps from sources other than the Play Store. By nature, work
profile devices are intended to be dual-profile:
A work profile managed using MDM.
A personal profile that's isolated from MDM management.
This setting allows administrators more control of app installations from unknown sources. Not
configured (default) allows app installations from unknown sources in the personal profile. Block prevents
app installations from sources other than the Play Store in the personal profile.
Connectivity
Always-on VPN: Choose Enable to set a VPN client to automatically connect and reconnect to the VPN.
Always-on VPN connections stay connected or immediately connect when the user locks their device, the
device restarts, or the wireless network changes.
Choose Not configured to disable always-on VPN for all VPN clients.
IMPORTANT
Be sure to deploy only one Always On VPN policy to a single device. Deploying multiple Always VPN policies to a
single device isn't supported.
VPN client: Choose a VPN client that supports Always On. Your options:
Cisco AnyConnect
F5 Access
Palo Alto Networks GlobalProtect
Pulse Secure
Custom
Package ID: Enter the package ID of the app in the Google Play store. For example, if the URL for
the app in the Play store is https://play.google.com/store/details?id=com.contosovpn.android.prod ,
then the package ID is com.contosovpn.android.prod .
IMPORTANT
The VPN client you choose must be installed on the device, and it must support per-app VPN in work profiles.
Otherwise, an error occurs.
You do need to approve the VPN client app in the Managed Google Play Store, sync the app to Intune, and
deploy the app to the device. After you do this, then the app is installed in the user's work profile.
There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. See F5's release notes for
F5 Access for Android 3.0.4 for more information.
Lockdown mode: Choose Enable to force all network traffic to use the VPN tunnel. If a connection to the
VPN isn't established, then the device won't have network access.
Choose Not configured to allow traffic to flow through the VPN tunnel or through the mobile network.
Next steps
Assign the profile and monitor its status.
You can also create dedicated device kiosk profiles for Android and Windows 10 devices.
See also
Configuring and troubleshooting Android enterprise devices in Microsoft Intune
Android Enterprise device settings to configure email,
authentication, and synchronization in Intune
2/19/2020 • 2 minutes to read • Edit Online
This article lists and describes the different email settings you can control on Android Enterprise devices. As part of
your mobile device management (MDM ) solution, use these settings to configure an email server, use SSL to
encrypt emails, and more.
As an Intune administrator, you can create and assign email settings to Android Enterprise devices in the work
profile.
To learn more about email profiles in Intune, see configure email settings.
Android Enterprise
Email app: Select either Gmail or Nine Work
Email server: The host name of your Exchange server. For example, enter outlook.office365.com .
Username attribute from AAD: This name is the attribute Intune gets from Azure Active Directory (Azure
AD ). Intune dynamically generates the username that's used by this profile. Your options:
User Principal Name: Gets the name, such as user1 or user1@contoso.com
User name: Gets only the name, such as user1
Email address attribute from AAD: This name is the email attribute Intune gets from Azure AD. Intune
dynamically generates the email address that's used by this profile. Your options:
User principal name: Uses the full principal name, such as user1@contoso.com or user1 , as the email
address.
Primary SMTP address: Uses the primary SMTP address, such as user1@contoso.com , to sign in to
Exchange.
Authentication method: Select Username and Password or Certificates as the authentication method
used by the email profile.
If you select Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
SSL: Choose Enable to use Secure Sockets Layer (SSL ) communication when sending emails, receiving
emails, and communicating with the Exchange server.
Amount of email to synchronize: Choose the amount of time of email you want to synchronize. Or, select
Unlimited to synchronize all available email.
Content type to sync (Nine Work only): Choose which data you want to synchronize on the devices. Your
options:
Contacts: Choose Enable to allow end users to sync contacts to their devices.
Calendar: Choose Enable to allow end users to sync the calendar to their devices.
Tasks: Choose Enable to allow end users to sync any tasks to their devices.
Next steps
Assign the profile and monitor its status.
You can also create email profiles for Android Samsung Knox, iOS/iPadOS, Windows 10 and later, and Windows
Phone 8.1 devices.
Android Enterprise device settings to configure VPN
in Intune
2/19/2020 • 2 minutes to read • Edit Online
This article lists and describes the different VPN connection settings you can control on Android Enterprise
devices. As part of your mobile device management (MDM ) solution, use these settings to create a VPN
connection, choose how the VPN authenticates, select a VPN server type, and more.
As an Intune administrator, you can create and assign VPN settings to Android Enterprise devices.
To learn more about VPN profiles in Intune, see VPN profiles.
NOTE
To configure always-on VPN, you need to create a VPN profile and also create a device restrictions profile with the Always-
on VPN setting configured.
Next steps
Assign the profile and monitor its status.
You can also create VPN profiles for Android, iOS/iPadOS, macOS, Windows 10 and later, Windows 8.1, and
Windows Phone 8.1 devices.
Add Wi-Fi settings for Android Enterprise dedicated
and fully managed devices in Microsoft Intune
2/26/2020 • 8 minutes to read • Edit Online
You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Android Enterprise fully
managed and dedicated devices. Microsoft Intune offers many features, including authenticating to your network,
using a pre-shared key, and more.
This article describes these settings. Use Wi-Fi on your devices includes more information about the Wi-Fi feature
in Microsoft Intune.
Using Microsoft Intune, you can add or create custom settings for your Android Enterprise Work Profile devices
using a "custom profile". Custom profiles are a feature in Intune. They are designed to add device settings and
features that aren't built in to Intune.
Android Enterprise custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to
control features on Android Enterprise devices. These settings are typically used by mobile device manufacturers
to control these features.
Intune supports the following limited number of Android Enterprise custom profiles:
./Vendor/MSFT/WiFi/Profile/SSID/Settings: Create a Wi-Fi profile with a pre-shared key has some examples.
./Vendor/MSFT/VPN/Profile/Name/PackageList: Create a per-app VPN profile has some examples.
./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste: See the example in this article. This setting is also
available in the user interface. For more information, see Android Enterprise device settings to allow or restrict
features.
If you need additional settings, see OEMConfig for Android Enterprise.
This article shows you how to create a custom profile for Android Enterprise devices. It also provides an example
of a custom profile that blocks copy-and-paste.
Example
In this example, you create a custom profile that restricts copy and paste actions between work and personal apps
on Android Enterprise devices.
1. Sign in to the Microsoft Endpoint Manager admin center.
2. Select Devices > Configuration profiles > Create profile.
3. Enter the following settings:
Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
For example, enter android ent block copy paste custom profile.
Description: Enter a description for the profile. This setting is optional, but recommended.
Platform: Select Android Enterprise.
Profile type: Select Custom.
4. In Custom OMA -URI Settings, select Add. Enter the following settings:
Name: Enter something like Block copy and paste .
Description: Enter something like Blocks copy/paste between work and personal apps .
OMA -URI: Enter ./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste .
Data type: Select Boolean so the value for this OMA-URI is True or False.
Value: Select True.
5. After you enter the settings, your environment should like similar to the following image:
When you assign this profile to Android Enterprise devices you manage, copy and paste is blocked between apps
in the work and personal profiles.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Create a custom profile on Android devices.
iOS and iPadOS device settings to use common
iOS/iPadOS features in Intune
2/19/2020 • 18 minutes to read • Edit Online
Intune includes some built-in settings to allow iOS/iPadOS users to use different Apple features on their devices.
For example, administrators can control how iOS/iPadOS users use AirPrint printers, add apps and folders to the
dock and pages on the home screen, show app notifications, show asset tag details on the lock screen, use single
sign-on authentication, and authenticate users with certificates.
Use these features to control iOS/iPadOS devices as part of your mobile device management (MDM ) solution.
This article lists these settings, and describes what each setting does. For more information on these features, go
to Add iOS/iPadOS or macOS device feature settings.
NOTE
These settings apply to different enrollment types, with some settings applying to all enrollment options. For more
information on the different enrollment types, see iOS/iPadOS enrollment.
AirPrint
Settings apply to: All enrollment types
NOTE
Be sure to add all printers to the same profile. Apple prevents multiple AirPrint profiles from targeting the same device.
IP address: Enter the IPv4 or IPv6 address of the printer. If you use hostnames to identify printers, you can get
the IP address by pinging the printer in the terminal. Get the IP address and path (in this article) provides more
details.
Path: The path is typically ipp/print for printers on your network. Get the IP address and path (in this article)
provides more details.
Port: Enter the listening port of the AirPrint destination. If you leave this property blank, AirPrint uses the
default port. Available on iOS 11.0+, and iPadOS 13.0+.
TLS: Choose Enable to secure AirPrint connections with Transport Layer Security (TLS ). Available on iOS
11.0+, and iPadOS 13.0+.
To add AirPrint servers, you can:
Add adds the AirPrint server to the list. Many AirPrint servers can be added.
Import a comma-separated file (.csv) with this information. Or, Export to create a list of the AirPrint servers
you added.
Get server IP address, resource path, and port
To add AirPrinter servers, you need the IP address of the printer, the resource path, and the port. The following
steps show you how to get this information.
1. On a Mac that’s connected to the same local network (subnet) as the AirPrint printers, open Terminal
(from /Applications/Utilities).
2. In the Terminal, type ippfind , and select enter.
Note the printer information. For example, it may return something similar to
ipp://myprinter.local.:631/ipp/port1 . The first part is the name of the printer. The last part ( ipp/port1 ) is
the resource path.
3. In the Terminal, type ping myprinter.local , and select enter.
Note the IP address. For example, it may return something similar to PING myprinter.local (10.50.25.21) .
4. Use the IP address and resource path values. In this example, the IP address is 10.50.25.21 , and the
resource path is /ipp/port1 .
NOTE
When you add icons using the Dock settings, the icons on the Home Screen and pages are locked, and can’t be moved. This
may be by design with iOS/iPadOS and Apple’s MDM policies.
Example
In the following example, the dock screen shows only the Safari, Mail, and Stocks apps. The Mail app is selected to
show its properties:
When you assign the policy to an iPhone, the dock looks similar to the following image:
Pages
Add the pages you want shown on the home screen, and the apps you want shown on each page. Apps that you
add to a page are arranged from left to right, in the same order as the list. If you add more apps than can fit on a
page, the apps are moved to another page.
TIP
To reorder items in any Home screen and pages lists, you can drag and drop them.
When you assign the policy to an iPhone, the page looks similar to the following image:
App notifications
Settings apply to: Automated device enrollment (supervised)
Add: Add notifications for apps:
App bundle ID: Enter the App Bundle ID of the app you want to add. See Bundle IDs for built-in
iOS/iPadOS apps for some examples.
App name: Enter the name of the app you want to add. This name is used for your reference in the
Microsoft Endpoint Manager admin center. It isn't shown on the device.
Publisher: Enter the publisher of the app you're adding. This name is used for your reference in the
Microsoft Endpoint Manager admin center. It isn't shown on the device.
Notifications: Enable or Disable the app from sending notifications to the device.
Show in Notification Center: Enable allows the app to show notifications in the device
Notification Center. Disable prevents the app from showing notifications in the Notification
Center.
Show in Lock Screen: Select Enable to see notifications from the app on the device lock screen.
Disable prevents the app from showing notifications on the lock screen.
Alert type: When the device is unlocked from, choose how the notification is shown. Your
options:
None: No notification is shown.
Banner: A banner is briefly shown with the notification.
Modal: The notification is shown and the user must manually dismiss it before continuing
to use the device.
Badge on app icon: Select Enable to add a badge to the app icon. The badge means the app
sent a notification.
Sounds: Select Enable to play a sound when a notification is delivered.
The text you enter is shown on the sign in window and lock screen on the device.
Lock screen footnote: If the device is lost or stolen, enter a note that might help get the device returned.
You can enter any text you want. For example, enter something like If found, call Contoso at ... .
Device tokens can also be used to add device-specific information to these fields. For example, to show the
serial number, enter Serial Number: {{serialnumber}} . On the lock screen, the text shows similar to
Serial Number 123456789ABC . When entering variables, be sure to use curly brackets {{ }} . App
configuration tokens includes a list of variables that can be used. You can also use deviceName or any other
device-specific value.
NOTE
Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect
input. For example, if you enter {{DeviceID}} instead of {{deviceid}} , then the literal string is shown instead of
the device’s unique ID. Be sure to enter the correct information.
Single sign-on
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Username attribute from AAD: Intune looks for this attribute for each user in Azure AD. Intune then
populates the respective field (such as UPN ) before generating the XML that gets installed on the device.
Your options:
User principal name: The UPN is parsed in the following way:
You can also overwrite the realm with the text you enter in the Realm text box.
For example, Contoso has several regions, including Europe, Asia, and North America. Contoso
wants their Asia users to use SSO, and the app requires the UPN in the username@asia.contoso.com
format. When you select User Principal Name, the realm for each user is taken from Azure AD,
which is contoso.com . So for users in Asia, select User Principal Name, and enter
asia.contoso.com . The end user's UPN becomes username@asia.contoso.com , instead of
username@contoso.com .
Intune device ID: Intune automatically selects the Intune Device ID.
By default, apps only need to use the device ID. But if your app uses the realm and the device ID, you
can type the realm in the Realm text box.
NOTE
By default, keep the realm empty if you use device ID.
Azure AD device ID
Realm: Enter the domain part of the URL. For example, enter contoso.com .
URL prefixes that will use Single Sign On: Add any URLs in your organization that require user single
sign-on authentication.
For example, when a user connects to any of these sites, the iOS/iPadOS device uses the single sign-on
credentials. The user doesn't need to enter any additional credentials. If multi-factor authentication is
enabled, then users are required to enter the second authentication.
NOTE
These URLs must be properly formatted FQDN. Apple requires these to be in the http://<yourURL.domain>
format.
The URL matching patterns must begin with either http:// or https:// . A simple string match is run, so
the http://www.contoso.com/ URL prefix doesn't match http://www.contoso.com:80/ . With iOS 10.0+ and
iPadOS 13.0+, a single wildcard * may be used to enter all matching values. For example,
http://*.contoso.com/ matches both http://store.contoso.com/ and http://www.contoso.com .
The http://.com and https://.com patterns match all HTTP and HTTPS URLs, respectively.
Apps that will use Single Sign On: Add apps on end users' devices that can use single sign-on.
The AppIdentifierMatches array must include strings that match app bundle IDs. These strings may be
exact matches, such as com.contoso.myapp , or enter a prefix match on the bundle ID using the * wildcard
character. The wildcard character must appear after a period character (.), and may appear only once, at the
end of the string, such as com.contoso.* . When a wildcard is included, any app whose bundle ID begins
with the prefix is granted access to the account.
Use App Name to enter a user-friendly name to help you identify the bundle ID.
Credential renewal certificate: If using certificates for authentication (not passwords), select the existing
SCEP or PFX certificate as the authentication certificate. Typically, this certificate is the same certificate
that's deployed to the user for other profiles, such as VPN, Wi-Fi, or email.
NOTE
The URLs you enter are the URLs you don't want evauluated by the Apple web filter. These URLs
aren't a list of allowed web sites. To create a list of allowed websites, set the Filter Type to Specific
websites only.
Blocked URLs: Add the URLs you want to stop from opening, regardless of the Apple web
filter settings.
Specific websites only (for the Safari web browser only): These URLs are added to the Safari
browser’s bookmarks. The user is only allowed to visit these sites; no other sites can be opened. Use
this option only if you know the exact list of URLs that users can access.
URL: Enter the URL of the website you want to allow. For example, enter
https://www.contoso.com .
Bookmark Path: Apple changed this setting. All bookmarks go into the Approved Sites folder.
Bookmarks don't go in to the bookmark path you enter.
Title: Enter a descriptive title for the bookmark.
If you don't enter any URLs, then end users can't access any websites except for microsoft.com ,
microsoft.net , and apple.com . These URLs are automatically allowed by Intune.
TIP
With the Redirect and Credential types, you add your own configuration values to pass through the extension. If
you're using Credential, consider using built-in configuration settings provided by Apple in the Kerberos type.
Extension ID (Redirect and Credential): Enter the bundle identifier that identifies your SSO app extension,
such as com.apple.extensiblesso .
Team ID (Redirect and Credential): Enter the team identifier of your SSO app extension. A team identifier
is a 10-character alphanumerical (numbers and letters) string generated by Apple, such as ABCDE12345 . The
team ID isn't required.
Locate your Team ID (opens Apple’s website) has more information.
Realm (Credential and Kerberos): Enter the name of your authentication realm. The realm name should be
capitalized, such as CONTOSO.COM . Typically, your realm name is the same as your DNS domain name, but in
all uppercase.
Domains (Credential and Kerberos): Enter the domain or host names of the sites that can authenticate
through SSO. For example, if your website is mysite.contoso.com , then mysite is the host name, and
contoso.com is the domain name. When users connect to any of these sites, the app extension handles the
authentication challenge. This authentication allows users to use Face ID, Touch ID, or Apple
pincode/passcode to sign in.
All the domains in your single sign-on app extension Intune profiles must be unique. You can't repeat a
domain in any sign-on app extension profile, even if you're using different types of SSO app extensions.
These domains aren't case-sensitive.
URLs (Redirect only): Enter the URL prefixes of your identity providers on whose behalf the redirect app
extension performs SSO. When a user is redirected to these URLs, the SSO app extension will intervene
and prompt SSO.
All the URLs in your Intune single sign-on app extension profiles must be unique. You can’t repeat a
domain in any SSO app extension profile, even if you’re using different types of SSO app extensions.
The URLs must begin with http:// or https://.
Additional configuration (Redirect and Credential): Enter additional extension-specific data to pass to the
SSO app extension:
Key: Enter the name of the item you want to add, such as user name .
Type: Enter the type of data. Your options:
String
Boolean: In Configuration value, enter True or False .
Integer: In Configuration value, enter a number.
Value: Enter the data.
Add: Select to add your configuration keys.
Keychain usage (Kerberos only): Choose Block to prevent passwords from being saved and stored in the
keychain. Not configured (default) allows passwords to be saved and stored in the keychain.
Face ID, Touch ID, or passcode (Kerberos only): Require forces users to enter their Face ID, Touch ID, or
Apple passcode to sign in to the domains you added. Not configured (default) doesn't require users to
use biometrics or passcode to sign in.
Default realm (Kerberos only): Choose Enable to set the Realm value you entered as the default realm.
Not configured (default) doesn't set a default realm.
TIP
Enable this setting if you're configuring multiple Kerberos SSO app extensions in your organization.
Enable this setting if you're using multiple realms. It sets the Realm value you entered as the default realm.
If you only have one realm, leave it Not configured (default).
Principal name (Kerberos only): Enter the username of the Kerberos principal. You don't need to include
the realm name. For example, in user@contoso.com , user is the principal name, and contoso.com is the
realm name.
TIP
You can also use variables in the principal name by entering curly brackets {{ }} . For example, to show the
username, enter Username: {{username}} .
However, be careful with variable substitution because variables aren't validated in the UI and they are case
sensitive. Be sure to enter the correct information.
Active Directory site code (Kerberos only): Enter the name of the Active Directory site that the Kerberos
extension should use. You may not need to change this value, as the Kerberos extension may automatically
find the Active Directory site code.
Cache name (Kerberos only): Enter the Generic Security Services (GSS ) name of the Kerberos cache. You
most likely don't need to set this value.
App bundle IDs (Kerberos only): Add the app bundle identifiers that should use single sign-on on your
devices. These apps are granted access to the Kerberos Ticket Granting Ticket, the authentication ticket, and
authenticate users to services they’re authorized to access.
Domain realm mapping (Kerberos only): Add the domain DNS suffixes that should map to your realm.
Use this setting when the DNS names of the hosts don’t match the realm name. You most likely don't need
to create this custom domain-to-realm mapping.
PKINIT certificate (Kerberos only): Select the Public Key Cryptography for Initial Authentication
(PKINIT) certificate that can be used for Kerberos authentication. You can choose from PKCS or SCEP
certificates that you've added in Intune. For more information about certificates, see Use certificates for
authentication in Microsoft Intune.
Wallpaper
You may experience unexpected behavior when a profile with no image is assigned to devices with an existing
image. For example, you create a profile without an image. This profile is assigned to devices that already have an
image. In this scenario, the image may change to the device default, or the original image may stay on the device.
This behavior is controlled and limited by Apple's MDM platform.
Settings apply to: Automated device enrollment (supervised)
Wallpaper Display Location: Choose a location on the device to show the image. Your options:
Not configured: A custom image isn't added to the device. The device uses the operating system
default.
Lock screen: Adds the image to the lock screen.
Home screen: Adds the image to the home screen.
Lock screen and Home screen: Uses the same image on the lock screen and home screen.
Wallpaper Image: Upload an existing .png, .jpg, or .jpeg image you want to use. Be sure the file size is less
than 750 KB. You can also remove an image that you added.
TIP
To display different images on the lock screen and home screen, create a profile with the lock screen image. Create another
profile with the home screen image. Assign both profiles to your iOS/iPadOS user or device groups.
Next steps
Assign the profile and monitor its status.
You can also create device feature profiles for macOS devices.
iOS and iPadOS device settings to allow or restrict
features using Intune
2/19/2020 • 38 minutes to read • Edit Online
This article lists and describes the different settings you can control on iOS and iPadOS devices. As part of your
mobile device management (MDM ) solution, use these settings to allow or disable features, set password rules,
allow or restrict specific apps, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
iOS/iPadOS devices.
TIP
These settings use Apple's MDM settings. For more information on these settings, see Apple's mobile device management
settings (opens Apple's web site).
NOTE
These settings apply to different enrollment types, with some settings applying to all enrollment options. For more
information on the different enrollment types, see iOS/iPadOS enrollment.
General
Settings apply to: All enrollment types
Share usage data: Choose Block to prevent the device from sending diagnostic and usage data to Apple.
Not configured (default) allows this data to be sent.
Screen capture: Choose Block to prevent screenshots or screen captures on the device. In iOS/iPadOS 9.0
and newer, it also blocks screen recordings. Not configured (default) lets the user capture the screen
contents as an image or as a video.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Untrusted TLS certificates: Choose Block to prevent untrusted Transport Layer Security (TLS ) certificates on
the device. Not configured (default) allows TLS certificates.
Block over-the-air PKI updates: Block prevents your users from receiving software updates unless the
device is connected to a computer. Not configured (default): allows a device to receive software updates
without being connected to a computer.
Limit ad tracking: Choose Limit to disable the device advertising identifier. Not configured (default) keeps it
enabled.
Settings apply to: Automated device enrollment (supervised)
Diagnostics submission settings modification: Block prevents the user from changing the diagnostic
submission and app analytics settings in Diagnostics and Usage (device Settings). Not configured
(default) allows the user to change these device settings.
To use this setting, set the Share usage data setting to Block.
This feature applies to:
iOS 9.3.2 and newer
iPadOS 13.0 and newer
Remote screen observation by Classroom app: Choose Block to prevent the Classroom app from
remotely viewing the screen on the device. Not configured (default) allows the Apple Classroom app to
view the screen.
To use this setting, set the Screen capture setting to Block.
This feature applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer
Unprompted screen observation by Classroom app: If set to Allow, teachers can silently observe the
screen of students iOS/iPadOS devices using the Classroom app without the students' knowledge. Student
devices enrolled in a class using the Classroom app automatically give permission to that course’s teacher.
Not configured (default) prevents this feature.
To use this setting, set the Screen capture setting to Block.
Enterprise app trust: Choose Block to remove the Trust Enterprise Developer button in Settings >
General > Profiles & Device Management on the device. Not configured (default) lets the user choose to
trust apps that aren't downloaded from the app store.
Account modification: When set to Block, the user can't update the device-specific settings from the
iOS/iPadOS settings app. For example, the user can't create new device accounts, or change the user name
or password. Not configured (default) allows users to change these settings.
This feature also applies to settings accessible from the iOS/iPadOS settings app, such as Mail, Contacts,
Calendar, Twitter, and more. This feature doesn't apply to apps with account settings that aren't configurable
from the iOS/iPadOS settings app, such as the Microsoft Outlook app.
Screen time: Choose Block to prevent users from setting their own restrictions in Screen Time (device
settings). Not configured allows the user to configure device restrictions (such as parental controls or
content, and privacy restrictions) on the device.
This setting was renamed from Enabling restrictions in the device settings. Impact of this change:
iOS 11.4.1 and older: Block prevents end users from setting their own restrictions in the device settings.
The behavior is the same; and there are no changes for end users.
iOS 12.0 and newer: Block prevents end users from setting their own Screen Time in the device
settings (Settings > General > Screen Time), including content and privacy restrictions. Devices
upgraded to iOS 12.0 won't see the restrictions tab in the device settings anymore (Settings > General >
Device Management > Management Profile > Restrictions). These settings are in Screen Time.
Use of the erase all content and settings option on the device: Choose Block so users can't use the
erase all content and settings option on the device. Not configured (default) gives users access to these
settings.
Device name modification: Choose Block so the device name can't be changed. Not configured
(default) allows the user to change the name of the device.
Notification settings modification: Choose Block so the notification settings can't be changed. Not
configured (default) allows the user to change the device notification settings.
Wallpaper modification: Block prevents the wallpaper from being changed. Not configured (default)
allows the user to change the wallpaper on the device.
Enterprise app trust settings modification: Block prevents the user from changing the enterprise app
trust settings on supervised devices. Not configured (default) allows the user to trust apps that aren't
downloaded from the app store.
Configuration profile changes: Block prevents configuration profile changes on the device. Not
configured (default) allows the user to install configuration profiles.
Activation Lock: Choose Allow to enable Activation Lock on supervised iOS/iPadOS devices. Activation
Lock makes it harder for a lost or stolen device to be reactivated.
Block app removal: Choose Block to prevent users from removing apps. Not configured (default) allows
users to remove apps from the device.
Allow USB accessories while device is locked: Allow lets USB accessories exchange data with a device
that's been locked for over an hour. Not configured (default) doesn't update USB Restricted mode on the
device, and USB accessories will be blocked from transferring data from the device if locked for over an
hour.
Force automatic date and time: Require forces supervised devices to set the Date & Time automatically.
The device's time zone is updated when the device has cellular connections or has Wi-Fi with location
services enabled.
Require students to request permission to leave Classroom course: Require forces students enrolled
in an unmanaged course using the Classroom app to request permission from the teacher to leave the
course. Not configured (default) doesn't force the student to ask for permission.
This feature applies to:
iOS 11.3 and newer
iPadOS 13.0 and newer
Allow Classroom to lock to an app and lock the device without prompting: Enable allows teacher to
lock apps or lock the device using the Classroom app without prompting the student. Locking apps means
the device can only access teacher specified apps. Not configured (default) prevents teachers from locking
apps or devices using the Classroom app without prompting the student.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Automatically join Classroom classes without prompting: Enable automatically allows students to
join a class that is in the Classroom app without prompting the teacher. Not configured (default) prompts
the teacher that students want to join a class that is in the Classroom app.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Block VPN creation: Block prevents users from creating VPN configuration settings. Not configured
(default) lets users create VPNs on the device.
Modifying eSIM settings: Block prevents users from removing or adding a cellular plan to the eSIM on
the device. Not configured (default) allows users to change these settings.
This feature applies to:
iOS 12.1 and newer
iPadOS 13.0 and newer
Defer software updates: When set to Not configured (default), software updates are shown on the
device as Apple releases them. For example, if an iOS/iPadOS update gets released by Apple on a specific
date, then that update naturally shows up on the device around the release date.
Enable allows you to delay when software updates are shown on devices, from 0-90 days. This setting
doesn't control when updates are or aren't installed.
Delay visibility of software updates: Enter a value from 0-90 days. When the delay expires, users
get a notification to update to the earliest version of the OS available when the delay was triggered.
For example, if iOS 12.a is available on January 1, and Delay visibility is set to 5 days, then iOS
12.a isn't shown as an available update on end user devices. On the sixth day following the release,
that update is available, and end users can install it.
This setting applies to:
iOS 11.3 and newer
iPadOS 13.0 and newer
Password
Settings apply to: All enrollment types
Password: Require the end user to enter a password to access the device. Not configured (default) allows
users to access the device without entering a password.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
IMPORTANT
On user-enrolled devices, if you configure any password setting, then the Simple passwords settings is automatically set to
Block, and a 6 digit PIN is enforced.
For example, you configure the Password expiration setting, and push this policy to user-enrolled devices. On the devices,
the following happens:
The Password expiration setting is ignored.
Simple passwords, such as 1111 or 1234 , aren't allowed.
A 6 digit pin is enforced.
Simple passwords: Choose Block to require more complex passwords. Not configured allows simple
passwords, such as 0000 and 1234 .
Required password type: Choose the type of password your organization require. Your options:
Device default
Numeric
Alphanumeric
Number of non-alphanumeric characters in password: Enter the number of symbol characters, such as
# or @ , that must be included in the password.
Minimum password length: Enter the minimum length a user must enter, between 4 and 14 characters.
On user enrolled devices, enter a length between 4 and 6 characters.
NOTE
For devices that are user enrolled, users can set a PIN greater than 6 digits. But, no more than 6 digits are enforced
on the device. For example, an administrator sets the minimum length to 8 . On user-enrolled devices, users are
only required to set a 6 digit PIN. Intune doesn't force a PIN greater than 6 digits on user-enrolled devices.
Number of sign-in failures before wiping device: Enter the number of failed sign-ins to allow before
the device is wiped (between 4-11).
iOS/iPadOS has built-in security that can impact this setting. For example, iOS/iPadOS may delay
triggering the policy depending on the number of sign in failures. It may also consider repeatedly entering
the same passcode as one attempt. Apple's iOS/iPadOS security guide (opens Apple's web site) is a good
resource, and provides more specific details on passcodes.
Maximum minutes after screen lock before password is required1: Enter how long the device stays
idle before the user must reenter their password. If the time you enter is longer than what's currently set on
the device, then the device ignores the time you enter. Supported on devices running iOS 8.0+, and iPadOS
13.0+.
Maximum minutes of inactivity until screen locks1: Enter the maximum number of minutes of
inactivity allowed on the device until the screen locks.
iOS/iPadOS options:
Not configured (Default): Intune doesn't touch this setting.
Immediately: Screen locks after 30 seconds of inactivity.
1: Screen locks after 1 minute of inactivity.
2: Screen locks after 2 minutes of inactivity.
3: Screen locks after 3 minutes of inactivity.
4: Screen locks after 4 minutes of inactivity.
5: Screen locks after 5 minutes of inactivity.
iPadOS options:
Not configured (Default): Intune doesn't touch this setting.
Immediately: Screen locks after 2 minutes of inactivity.
2: Screen locks after 2 minutes of inactivity.
5: Screen locks after 5 minutes of inactivity.
10: Screen locks after 10 minutes of inactivity.
15: Screen locks after 15 minutes of inactivity.
If a value doesn't apply to iOS and iPadOS, then Apple uses the closest lowest value. For example, if you
enter 4 minutes, then iPadOS devices use 2 minutes. If you enter 10 minutes, then iOS devices use 5
minutes. This is an Apple limitation.
NOTE
The Intune UI for this setting doesn't separate the iOS and iPadOS supported values. The UI might be updated in a
future release.
Password expiration (days): Enter the number of days before the device password must be changed.
Prevent reuse of previous passwords: Enter the number of new passwords that must be used until an old
one can be reused.
Touch ID and Face ID unlock: Choose Block to prevent using a fingerprint or face to unlock the device.
Not configured allows the user to unlock the device using these methods.
Blocking this setting also prevents using FaceID authentication to unlock the device.
Face ID applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Settings apply to: Automated device enrollment (supervised)
Passcode modification: Choose Block to stop the passcode from being changed, added, or removed.
Changes to passcode restrictions are ignored on supervised devices after blocking this feature. Not
configured (default) allows passcodes to be added, changed, or removed.
Touch ID and Face ID modification: Block stops the user from changing, adding, or removing
TouchID fingerprints and Face ID. Not configured (default) allows the user to update the TouchID
fingerprints and Face ID on the device.
Blocking this setting also stops the user from changing, adding, or removing FaceID authentication.
Face ID applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Block password AutoFill: Choose Block to prevent using the AutoFill Passwords feature on iOS/iPadOS.
Choosing Block also has the following impact:
Users aren't prompted to use a saved password in Safari or in any apps.
Automatic Strong Passwords are disabled, and strong passwords aren't suggested to users.
Not configured (default) allows these features.
Block password proximity requests: Choose Block so a user’s device doesn't request passwords from
nearby devices. Not configured (default) allows these password requests.
Block password sharing: Block prevents sharing passwords between devices using AirDrop. Not
configured (default) allows passwords to be shared.
Require Touch ID or Face ID authentication for password or credit card information AutoFill:
When set to Require, users must authenticate using TouchID or FaceID before passwords or credit card
information can be auto filled in Safari and other apps. Not configured (default) allows users to control
this feature in the device settings.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
1 When you configure the Maximum minutes of inactivity until screen locks and Maximum minutes after
screen lock before password is required settings, they're applied in sequence. For example, if you set the value
for both settings to 5 minutes, the screen turns off automatically after five minutes, and the device is locked after
an additional five minutes. However, if the user turns off the screen manually, the second setting is immediately
applied. In the same example, after the user turns off the screen, the device locks five minutes later.
NOTE
When this setting is blocked, third party keyboards installed from the App Store are also blocked.
Allow unmanaged apps to read from managed contacts accounts: When set to Allow,
unmanaged apps, such as the built-in iOS/iPadOS Contacts app, can read and access contact
information from managed apps, including the Outlook mobile app. Not configured (default)
prevents reading, including removing duplicates, from the built-in Contacts app on the device.
This setting allows or prevents reading contact information. It doesn't control syncing contacts
between the apps.
To use this setting, set the Viewing corporate documents in unmanaged apps setting to Block.
For more information about these two settings, and their impact on Outlook for iOS/iPadOS contact export
synchronization, see Support Tip: Use Intune custom profile settings with the iOS/iPadOS Native Contacts
App.
Treat AirDrop as an unmanaged destination: Require forces AirDrop to be considered an unmanaged
drop target. It stops managed apps from sending data using Airdrop.
Viewing non-corporate documents in corporate apps: Block prevents viewing non-corporate
documents in corporate apps. Not configured (default) allows any document to be viewed in corporate
managed apps.
Setting to Block also prevents contact export synchronization in Outlook for iOS/iPadOS. For more
information, see Support Tip: Enabling Outlook iOS/iPadOS Contact Sync with iOS12 MDM Controls.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Require iTunes Store password for all purchases: Require the user to enter the Apple ID password for
each in-app or ITunes purchase. Not configured (default) allows purchases without prompting for a
password every time.
In-app purchases: Choose Block to prevent in-app purchases from the store. Not configured (default)
allows store purchases within a running app.
Download content from iBook store flagged as 'Erotica': Choose Block to prevent stops users from
downloading media from the iBook store that's tagged as erotica. Not configured (default) allows the user
to download books with the "Erotica" category.
Allow managed apps to write contacts to unmanaged contacts accounts: When set to Allow,
managed apps, such as the Outlook mobile app, can save or sync contact information, including business
and corporate contacts, to the built-in iOS/iPadOS Contacts app. When set to Not configured (default),
managed apps can't save or sync contact information to the built-in iOS/iPadOS Contacts app on the
device.
To use this setting, set the Viewing corporate documents in unmanaged apps setting to Block.
Ratings region: Choose the ratings region you want to use for allowed downloads. And then choose the
allowed ratings for Movies, TV Shows, and Apps.
Settings apply to: Automated device enrollment (supervised)
App store: Block prevents access to the app store on supervised devices. Not configured (default) allows
access.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Installing apps from App Store: Choose Block to block the app store from the device home screen.
End users can continue to use iTunes or the Apple Configurator to install apps. Not configured
(default) allows the app store on the home screen.
Automatic app downloads: Choose Block to prevent automatic downloading of apps bought on other
devices. It doesn't affect updates to existing apps. Not configured (default) allows apps bought on other
iOS/iPadOS devices to download on the device.
Explicit iTunes music, podcast, or news content: Choose Block to prevent explicit iTunes music,
podcast, or news content. Not configured (default) allows the device to access content rated as adult from
the store.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Adding Game Center friends: Block prevents users from adding Game Center friends. Not configured
(default) allows the user to add friends in Game Center.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Game Center: Block the use of the Game Center app. Not configured (default) allows using the Game
Center app on the device.
Multiplayer gaming: Choose Block to prevent multiplayer gaming. Not configured (default) allows the
user to play multiplayer games on the device.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Access to network drive in Files app: Using the Server Message Block (SMB ) protocol, devices can
access files or other resources on a network server. Disable prevents accessing files on a network SMB
drive. Not configured (default) allows access.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Built-in Apps
Settings apply to: All enrollment types
Siri: Block prevents access to Siri. Not configured (default) allows using the Siri voice assistant on the
device.
Siri while device is locked: Choose Block to prevent access to Siri when the device is locked. Not
configured (default) allows using the Siri voice assistant on the device when it's locked.
Safari fraud warnings: Require fraud warnings to be shown in the web browser on the device. Not
configured (default) disables this feature.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Spotlight search to return results from internet: Block stops Spotlight from returning any results from
an Internet search. Not configured (default) allows Spotlight search connect to the Internet to provide
search results.
Safari cookies: Choose how cookies are handled on the device. Your options:
Allow
Block all cookies
Allow cookies from visited web sites
Allow cookies from current web site
Safari JavaScript: Block prevents Java scripts in the browser from running on the device. Not
configured (default) allows Java scripts.
Safari Pop-ups: Block to disable the pop-up blocker in the web browser. Not configured (default) allows
the pop-up blocker.
Settings apply to: Automated device enrollment (supervised)
Camera: Choose Block to prevent access to the camera on the device. Not configured (default) allows
access to the device's camera.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
FaceTime: Block to prevent access to the FaceTime app. Not configured (default) allows access to
the FaceTime app on the device.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Siri profanity filter: Require prevents Siri from dictating, or speaking profane language.
To use this setting, set the Siri setting to Block.
Siri to query user-generated content from the internet: Block prevents Siri from accessing websites to
answer questions. Not configured (default) allows Siri to access user-generated content from the internet.
To use this setting, set the Siri setting to Block.
Apple News: Choose Block to prevent access to the Apple News app on the device. Not configured
(default) allows using the Apple News app.
iBooks store: Block prevents access to the iBooks store. Not configured (default) allows users to browse
and buy books from the iBooks store.
Messages app on the device: Block prevents users from using the Messages app for iMessage. If the
device supports text messaging, the user can still send and receive text messages using SMS. Not
configured (default) allows using the Messages app to send and read messages over the internet.
Podcasts: Block prevents users using the Podcasts app. Not configured (default) allows using the
Podcasts app.
Music service: Block reverts the Music app to classic mode and disables the Music service. Not
configured (default) allows using the Apple Music app.
iTunes Radio service: Block prevents users from using the iTunes Radio app. Not configured (default)
allows using the iTunes Radio app.
iTunes store: Not configured (default) allows iTunes on the devices. Block prevents users from using
iTunes on the device.
This feature applies to:
iOS 4.0 and newer
iPadOS 13.0 and newer
Find my iPhone: Not configured (default) allows using this Find My app feature to get the approximate
location of the device. Block prevents this feature in the Find My app.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Find my Friends: Not configured (default) allows using this Find My app feature to find family and
friends from an Apple device or iCloud.com. Block prevents this feature in the Find My app.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Changes to the Find My Friends app settings: Block prevents changes to the Find My Friends app
settings. Not configured (default) allows the user to change settings for the Find My Friends app.
Spotlight search to return results from internet: Block stops Spotlight from returning any results from
an Internet search. Not configured (default) allows Spotlight search connect to the Internet to provide
search results.
Block removal of system apps from device: Choosing Block disables the ability to remove system apps
from the device. Not configured (default) allows users to remove system apps.
Safari: Block using the Safari browser on the device. Not configured (default) allows users to use the
Safari browser.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Safari Autofill: Block disables the autofill feature in Safari on the device. Not configured (default) allows
users to change autocomplete settings in the web browser.
Starting with iOS/iPadOS 13.0, this setting requires supervised devices.
Restricted apps
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Type of restricted apps list: Create a list of apps that users aren't allowed to install or use. Your options:
Not configured (default): There are no restrictions from Intune. Users have access to apps you assign,
and built-in apps.
Prohibited apps: Apps not managed by Intune that you don't want installed on the device. Users aren't
prevented from installing a prohibited app. But if a user installs an app from this list, it's reported in
Intune.
Approved apps: Apps that users are allowed to install. Users must not install apps that aren't listed.
Apps that are managed by Intune are automatically allowed. Users aren't prevented from installing an
app that isn't on the approved list. But if they do, it's reported in Intune.
To add apps to these lists, you can:
Add the iTunes App store URL of the app you want. For example, to add the Microsoft Work Folders app,
enter https://itunes.apple.com/us/app/work-folders/id950878067?mt=8 or
https://apps.apple.com/us/app/work-folders/id950878067?mt=8 .
To find the URL of an app, open the iTunes App Store, and search for the app. For example, search for
Microsoft Remote Desktop or Microsoft Word . Select the app, and copy the URL.
You can also use iTunes to find the app, and then use the Copy Link task to get the app URL.
Import a CSV file with details about the app, including the URL. Use the
<app url>, <app name>, <app publisher> format. Or, Export an existing list that includes the restricted apps
list in the same format.
IMPORTANT
Device profiles that use the restricted app settings must be assigned to groups of users.
You can also use iTunes to find the app, and then use the Copy Link task to get the app URL.
App Bundle ID: Enter the app bundle ID of the app you want. You can show or hide built-in apps and line-
of-business apps. Apple's web site has a list of built-in Apple apps.
App name: Enter the app name of the app you want. You can show or hide built-in apps and line-of-
business apps. Apple's web site has a list of built-in Apple apps.
Publisher: Enter the publisher of the app you want.
To add apps, you can:
Add: Select to create your list of apps.
Import a CSV file with details about the app, including the URL. Use the
<app url>, <app name>, <app publisher> format. Or, Export to create a list of the restricted apps you added, in
the same format.
Wireless
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Note needed for Data Roaming (Tip or important note to help with customer confusion): This setting will not show
up on the targeted device's management profile. That is because this setting is treated as a remote device action,
and every time the state of data roaming is changed on the device, it will become blocked again by the Intune
service. Even though it is not in the management profile, it is working if it showing as a success from the reporting
in the admin console.
Data roaming: Choose Block to prevent data roaming over the cellular network. Not configured
(default) allows data roaming when the device is on a cellular network.
IMPORTANT
This setting is treated as a remote device action. So, this setting isn't shown in the management profile on the device.
Every time the data roaming status changes on the device, Data roaming is blocked by the Intune service. In Intune,
if the reporting status shows a success, then know that it's working, even though the setting isn't shown in the
management profile on the device.
Global background fetch while roaming: Block prevents using the global background fetch feature
when roaming over the cellular network. Not configured (default) allows the device to fetch data, such as
email, when it's roaming on a cellular network.
Voice dialing: Choose Block to prevent users from using the voice dialing feature on the device. Not
configured (default) allows voice dialing on the device.
Voice roaming: Choose Block to prevent voice roaming over the cellular network. Not configured
(default) allows voice roaming when the device is on a cellular network.
Personal Hotspot: Block turns off the personal hotspot on the users' device with every device sync. This
setting might not be compatible with some carriers. Not configured (default) keeps the personal hotspot
configuration as the default set by the user.
IMPORTANT
This setting is treated as a remote device action. So, this setting isn't shown in the management profile on the device.
Every time the personal hotspot status changes on the device, Personal Hotspot is blocked by the Intune service. In
Intune, if the reporting status shows a success, then know that it's working, even though the setting isn't shown in
the management profile on the device.
Cellular usage rules (managed apps only): Define the data types that managed apps can use when on
cellular networks. Your options:
Block use of cellular data: Block using cellular data for All managed apps or Choose specific apps.
Block use of cellular data when roaming: Block using cellular data when roaming for All managed
apps or Choose specific apps.
Settings apply to: Automated device enrollment (supervised)
Changes to app cellular data usage settings: Choose Block to prevent changes to the app cellular data
usage settings. Not configured (default) allows the user to control which apps are allowed to use cellular
data.
Changes to cellular plan settings: Block prevents users from changing any settings in the cellular plan.
Not configured (default) allows users to make changes.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
User modification of Personal Hotspot: When set to Block, the user can't change the personal hotspot
setting. Not configured (default) allows end users to enable or disable their personal hotspot.
If you block this setting and block the Personal Hotspot setting, the personal hotspot is turned off.
This feature applies to:
iOS 12.2 and newer
iPadOS 13.0 and newer
Join Wi-Fi networks only using configuration profiles: Require forces the device to use only Wi-Fi
networks set up through Intune configuration profiles. Not configured (default) allows the device to use
other Wi-Fi networks.
When set to Require, be sure the device has a Wi-Fi profile. If you don't assign a Wi-Fi profile, this setting
could prevent the device from connecting to the internet. In other words, if this device restrictions profile is
assigned before a Wi-Fi profile, the device might be blocked from connecting to the internet.
If it can't connect, then unenroll the device, and re-enroll with a Wi-Fi profile. Then, set this setting to
Require in a device restrictions profile, and assign the profile to the device.
Wi-Fi always turned on: When set to Require, Wi-Fi stays on in the Settings app. It can't be turned off in
Settings or in the Control Center, even when the device is in airplane mode. Not configured (default)
allows the user to control turning on or turning off Wi-Fi.
Configuring this setting doesn't prevent users from selecting a Wi-Fi network.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Connected Devices
Settings apply to: All enrollment types
Wrist detection for paired Apple watch: Require forces a paired Apple watch to use wrist detection. When
required, the Apple Watch won't display notifications when it's not being worn.
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Require AirPlay outgoing requests pairing password: Require a pairing password when the user uses
AirPlay to stream content to other Apple devices. Not configured (default) allows the user to stream content
using AirPlay without entering a password.
Settings apply to: Automated device enrollment (supervised)
AirDrop: Block prevents using AirDrop on the device. Not configured (default) allows using the AirDrop
feature to exchange content with nearby devices.
Apple Watch pairing: Block prevents pairing with an Apple Watch. Not configured (default) allows the
device to pair with an Apple Watch.
Bluetooth modification: Block stops the end user from changing Bluetooth settings on the device. Not
configured (default) allows the user to change these settings.
Host pairing to control the devices an iOS/iPadOS device can pair with: Not configured (default)
allows host pairing to let the administrator control which devices an iOS/iPadOS device can pair with.
Block prevents host pairing.
Block AirPrint: Choose Block to prevent using the AirPrint feature on the device. Not configured
(default) allows the user to use AirPrint.
Block storage of AirPrint credentials in Keychain: Block prevents using Keychain storage for
username and password on the device. Not configured (default) allows storing the AirPrint username
and password in the Keychain app.
Require a trusted TLS certificate for AirPrint: Require forces the device to use trusted certificates for
TLS printing communication.
Block iBeacon discovery of AirPrint printers: Block prevents malicious AirPrint Bluetooth beacons
from phishing for network traffic. Not configured (default) allows advertising AirPrint printers on the
device.
Block setting up new nearby devices: Block disables the prompt to set up new devices that are nearby.
Not configured (default) allows prompts for users to connect to other nearby Apple devices.
This feature applies to:
iOS 11.0 and newer
iPadOS 13.0 and newer
Access to files on USB drive: Devices can connect and open files on a USB drive. Disable prevents device
access to the USB drive in the Files app when a USB is connected to the device. Disabling this feature also
blocks end users from transferring files onto a USB drive connected to an iPad. Not configured (default)
allows access to a USB drive in the Files app.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Kiosk
Settings apply to: Automated device enrollment (supervised)
App to run in kiosk mode: Choose the type of apps you want to run in kiosk mode. Your options:
Not configured (default): Kiosk settings aren't applied. The device doesn't run in kiosk-mode.
Store App: Enter the URL to an app in the iTunes App store.
Managed App: Choose an app you added to Intune.
Built-In App: Enter the bundle ID of the built-in app.
Assistive touch: Require the Assistive Touch accessibility setting be on the device. This feature helps users
with on-screen gestures that might be difficult for them. Not configured doesn't run or enable this feature
in kiosk mode.
Invert colors: Require the Invert Colors accessibility setting so users with visual impairments can change
the display screen. Not configured doesn't run or enable this feature in kiosk mode.
Mono audio: Require the Mono audio accessibility setting be on the device. Not configured doesn't run
or enable this feature in kiosk mode.
Voice control: Require enables voice control on the device, and allows users to fully control the OS using
Siri commands. Not configured disables voice control on the device.
This setting applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
TIP
If you have LOB apps available for your organization, and they're not Voice Control ready on day 0 when iOS 13.0
releases, then we recommend you leave this setting as Not configured.
VoiceOver: Require the VoiceOver accessibility setting be on the device to read text on the screen out loud.
Not configured doesn't run or enable this feature in kiosk mode.
Zoom: Require the Zoom setting be on the device to let users use touch to zoom in on the screen. Not
configured doesn't run or enable this feature in kiosk mode.
Auto lock: Block prevents automatic locking of the device. Not configured allows this feature.
Ringer switch: Block disables the ringer (mute) switch on the device. Not configured allows this feature.
Screen rotation: Block prevents changing the screen orientation when the user rotates the device. Not
configured allows this feature.
Screen sleep button: Choose Block to disable the screen sleep wake button on the device. Not
configured allows this feature.
Touch: Block disables the touchscreen on the device. Not configured allows the user to use the
touchscreen.
Volume buttons: Block prevents using the volume buttons on the device. Not configured allows the
volume buttons.
Assistive touch control: Allow let users use the assistive touch function. Not configured disables this
feature.
Invert colors control: Allow invert color changes to let users adjust the invert colors function. Not
configured disables this feature.
Speak on selected text: Allow the Speak Selection accessibility settings be on the device. This feature
reads text that the user selects out loud. Not configured disables this feature.
Voice control modification: Allow users to change the state of voice control on their devices. Not
configured blocks users from changing the state of voice control on their devices.
This setting applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
VoiceOver control: Allow voiceover changes to let users update the VoiceOver function, such as how fast
on-screen text is read out loud. Not configured prevents voiceover changes.
Zoom control: Allow zoom changes by the user. Not configured prevents zoom changes.
NOTE
Before you can configure an iOS/iPadOS device for kiosk mode, you must use the Apple Configurator tool or the Apple
Device Enrollment Program to put the device into supervised mode. See Apple's guide on using the Apple Configurator tool.
If the iOS/iPadOS app you enter is installed after you assign the profile, then the device doesn't enter kiosk mode until the
device is restarted.
Domains
Settings apply to: Device enrollment, Automated device enrollment (supervised)
Unmarked email domains > Email Domain URL: Add one or more URLs to the list. When end users
receive an email from a domain other than the domains you enter, the email is marked as untrusted in the
iOS/iPadOS Mail app.
Managed web domains > Web Domain URL; Add one or more URLs to the list. When documents are
downloaded from the domains you enter, they're considered managed. This setting applies only to
documents downloaded using the Safari browser.
Settings apply to: Automated device enrollment (supervised)
Safari password autofill domains > Domain URL: Add one or more URLs to the list. Users can only
save web passwords from URLs in this list. This setting applies only to the Safari browser, and devices in
supervised mode. If you don't enter any URLs, then passwords can be saved from all web sites.
This setting applies to:
iOS 9.3 and newer
iPadOS 13.0 and newer
Settings that require supervised mode
iOS/iPadOS supervised mode can only be enabled during initial device setup through Apple’s Device Enrollment
Program, or by using Apple Configurator. Once supervised mode is enabled, Intune can configure a device with
the following functionality:
App Lock (Single App Mode)
Global HTTP Proxy
Disable Activation Lock
Autonomous Single App Mode
Web Content Filter
Set background and lock screen
Silent App Push
Always-On VPN
Allow managed app installation exclusively
iBookstore
iMessages
Game Center
AirDrop
AirPlay
Host pairing
Cloud Sync
Spotlight search
Handoff
Erase device
Restrictions UI
Installation of configuration profiles by UI
News
Keyboard shortcuts
Passcode modifications
Device name changes
Automatic app downloads
Changes to enterprise app trust
Apple Music
Mail Drop
Pair with Apple Watch
NOTE
Apple confirmed that certain settings move to supervised-only in 2019. We recommend taking this into consideration when
using these settings, instead of waiting for Apple to migrate them to supervised-only:
App installation by end users
App removal
FaceTime
Safari
iTunes
Explicit content
iCloud documents and data
Multiplayer gaming
Add Game Center friends
Siri
Next steps
Assign the profile and monitor its status.
You can also restrict device features and settings on macOS devices.
Add e-mail settings for iOS and iPadOS devices in
Microsoft Intune
2/19/2020 • 8 minutes to read • Edit Online
In Microsoft Intune, you can create and configure email to connect to an email server, choose how users
authenticate, use S/MIME for encryption, and more.
This article lists and describes all the email settings available for devices running iOS/iPadOS. You can create a
device configuration profile to push or deploy these email settings to your iOS/iPadOS devices.
NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see iOS/iPadOS
enrollment.
Custom: Get the attributes from a custom domain name. Also enter:
Custom domain name to use: Enter a value that Intune uses for the domain
name, such as contoso.com or contoso .
Email address attribute from AAD: Choose how the email address for the user is generated. Your
options:
User principal name: Use the full principal name as the email address, such as user1@contoso.com or
user1 .
Primary SMTP address: Use the primary SMTP address to sign in to Exchange, such as
user1@contoso.com .
Authentication method: Choose how users to authenticate to the email server. Your options:
Certificate: Select a client SCEP or PKCS certificate profile you previously created to authenticate the
Exchange connection. This option provides the most secure and seamless experience for your users.
Username and Password: Users are prompted to enter their user name and password.
Derived credential: Use a certificate that’s derived from a user’s smart card. For more information, see
Use derived credentials in Microsoft Intune.
NOTE
Azure multi-factor authentication isn't supported.
SSL: Enable uses Secure Sockets Layer (SSL ) communication when sending emails, receiving emails, and
communicating with the Exchange server.
OAuth: Enable uses Open Authorization (OAuth) communication when sending emails, receiving emails,
and communicating with Exchange. If your OAuth server uses certificate authentication, choose Certificate
as the Authentication method, and include the certificate with the profile. Otherwise, choose Username
and password as the Authentication method. When using OAuth, be sure to:
Confirm your email solution supports OAuth before targeting this profile to your users. Office 365
Exchange online support OAuth. On-premises Exchange and other partner or third-party solutions
may not support OAuth. On-premises Exchange can be configured for Modern Authentication (see
the Announcing Hybrid Modern Authentication for Exchange On-Premises blog post).
If the email profile uses Oauth, and the email service doesn't support it, then the Re-Enter
password option appears broken. For example, nothing happens when the user selects Re-Enter
password in Apple's device settings.
When OAuth is enabled, end users have a different “Modern Authentication” email sign-in
experience that supports multi-factor authentication (MFA).
Some organizations disable the end user’s ability to do self-service application access. In this
scenario, the Modern Authentication sign-in may fail until an Administrator creates the “iOS
Accounts” enterprise app, and grant users access to the app in Azure AD.
The default action is to add an application using the Application Access Panel Add App feature
without business approval. For more information, see assign users to applications.
NOTE
When you enable OAuth, the following happens:
1. Devices that are already targeted are issued a new profile.
2. End users are prompted to enter their credentials again.
Exchange data to sync: When using Exchange ActiveSync, choose the Exchange services that are synced
on the device: Calendar, Contacts, Reminders, Notes, and Email. Your options:
All data (default): Sync is enabled for all services.
Email only: Sync is enabled for Email only. Sync is disabled for the other services.
Calendar only: Sync is enabled for Calendar only. Sync is disabled for the other services.
Calendar and Contacts only: Sync is enabled for Calendar and Contacts only. Sync is disabled for the
other services.
Contacts only: Sync is enabled for Contacts only. Sync is disabled for the other services.
This feature applies to:
iOS 13.0 and newer
iPadOS 13.0 and newer
Allow users to change sync settings: Choose if users can change the Exchange ActiveSync settings for
the Exchange services on the device: Calendar, Contacts, Reminders, Notes, and Email. Your options:
Yes (default): Users can change the sync behavior of all services. Choosing Yes allows changes to all
services.
No: Users can't change the sync settings of all the services. Choosing No blocks changes to all services.
TIP
If you configured the Exchange data to sync setting to sync only some services, we recommend selecting No for
this setting. Choosing No prevents users from changing the Exchange service that's synced.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Configure email settings on Android, Android Enterprise, Windows 10, and Windows Phone 8.1 devices.
Add VPN settings on iOS and iPadOS devices in
Microsoft Intune
2/21/2020 • 10 minutes to read • Edit Online
Microsoft Intune includes many VPN settings that can be deployed to your iOS/iPadOS devices. These settings
are used to create and configure VPN connections to your organization's network. This article describes these
settings. Some settings are only available for some VPN clients, such as Citrix, Zscaler, and more.
NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see iOS/iPadOS
enrollment.
Connection type
Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco Legacy AnyConnect: Applicable to Cisco Legacy AnyConnect app version 4.0.5x and earlier.
Cisco AnyConnect: Applicable to Cisco AnyConnect app version 4.0.7x and later.
SonicWall Mobile Connect
F5 Access Legacy: Applicable to F5 Access app version 2.1 and earlier.
F5 Access: Applicable to F5 Access app version 3.0 and later.
Palo Alto Networks GlobalProtect (Legacy): Applicable to Palo Alto Networks GlobalProtect app version
4.1 and earlier.
Palo Alto Networks GlobalProtect: Applicable to Palo Alto Networks GlobalProtect app version 5.0 and
later.
Pulse Secure
Cisco (IPSec)
Citrix VPN
Citrix SSO
Zscaler: To use Conditional Access, or allow users to bypass the Zscaler sign in screen, then you must
integrate Zscaler Private Access (ZPA) with your Azure AD account. For detailed steps, see the Zscaler
documentation.
IKEv2: IKEv2 settings (in this article) describes the properties.
Custom VPN
NOTE
Cisco, Citrix, F5, and Palo Alto have announced that their legacy clients don't work on iOS 12. You should migrate to the
new apps as soon as possible. For more information, see the Microsoft Intune Support Team Blog.
Base VPN settings
The settings shown in the following list are determined by the VPN connection type you choose.
Connection name: End users see this name when they browse their device for a list of available VPN
connections.
Custom domain name (Zscaler only): Prepopulate the Zscaler app's sign in field with the domain your
users belong to. For example, if a username is Joe@contoso.net , then the contoso.net domain statically
appears in the field when the app opens. If you don't enter a domain name, then the domain portion of the
UPN in Azure Active Directory (AD ) is used.
IP address or FQDN: The IP address or fully qualified domain name (FQDN ) of the VPN server that
devices connect with. For example, enter 192.168.1.1 or vpn.contoso.com .
Organization's cloud name (Zscaler only): Enter the cloud name where your organization is provisioned.
The URL you use to sign in to Zscaler has the name.
Authentication method: Choose how devices authenticate to the VPN server.
Certificates: Under Authentication certificate, select an existing SCEP or PKCS certificate
profile to authenticate the connection. Configure certificates provides some guidance about
certificate profiles.
Username and password: End users must enter a username and password to sign in to the VPN
server.
NOTE
If username and password are used as the authentication method for Cisco IPsec VPN, they must deliver
the SharedSecret through a custom Apple Configurator profile.
Derived credential: Use a certificate that’s derived from a user’s smart card. If no derived
credential issuer is configured, Intune prompts you to add one. For more information, see Use
derived credentials in Microsoft Intune.
Excluded URLs (Zscaler only): When connected to the Zscaler VPN, the listed URLs are accessible
outside the Zscaler cloud.
Split tunneling: Enable or Disable to let devices decide which connection to use, depending on the
traffic. For example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's
standard network for regular web browsing.
VPN identifier (Custom VPN, Zscaler, and Citrix): An identifier for the VPN app you're using, and is
supplied by your VPN provider.
Enter key/value pairs for your organization's custom VPN attributes (Custom VPN, Zscaler, and
Citrix): Add or import Keys and Values that customize your VPN connection. Remember, these values are
typically supplied by your VPN provider.
Enable network access control (NAC ) (Cisco AnyConnect, Citrix SSO, F5 Access): When you choose I
agree, the device ID is included in the VPN profile. This ID can be used for authentication to the VPN to
allow or prevent network access.
When using Cisco AnyConnect with ISE, be sure to:
If you have not already done so, integrate ISE with Intune for NAC as described under Configure
Microsoft Intune as an MDM Server in the Cisco Identity Services Engine Administrator Guide.
Enable NAC in the VPN profile.
When using Citrix SSO with Gateway, be sure to:
Confirm you're using Citrix Gateway 12.0.59 or higher.
Confirm your users have Citrix SSO 1.1.6 or later installed on their devices.
Integrate Citrix Gateway with Intune for NAC. See the Integrating Microsoft Intune/Enterprise Mobility
Suite with NetScaler (LDAP+OTP Scenario) Citrix deployment guide.
Enable NAC in the VPN profile.
When using F5 Access, be sure to:
Confirm you're using F5 BIG -IP 13.1.1.5 or later.
Integrate BIG -IP with Intune for NAC. See the Overview: Configuring APM for device posture checks
with endpoint management systems F5 guide.
Enable NAC in the VPN profile.
For the VPN partners that support device ID, the VPN client, such as Citrix SSO, can get the ID. Then, it
can query Intune to confirm the device is enrolled, and if the VPN profile is compliant or not compliant.
To remove this setting, recreate the profile, and don't select I agree. Then, reassign the profile.
IKEv2 settings
These settings apply when you choose Connection type > IKEv2.
Remote identifier: Enter the network IP address, FQDN, UserFQDN, or ASN1DN of the IKEv2 server.
For example, enter 10.0.0.3 or vpn.contoso.com . Typically, you enter the same value as the Connection
name (in this article). But, it does depend on your IKEv2 server settings.
Client Authentication type: Choose how the VPN client authenticates to the VPN. Your options:
User authentication (default): User credentials authenticate to the VPN.
Machine authentication: Device credentials authenticate to the VPN.
Authentication method: Choose the type of client credentials to send to the server. Your options:
Certificates: Uses an existing certificate profile to authenticate to the VPN. Be sure this certificate
profile is already assigned to the user or device. Otherwise, the VPN connection fails.
Certificate type: Select the type of encryption used by the certificate. Be sure the VPN server is
configured to accept this type of certificate. Your options:
RSA (default)
ECDSA256
ECDSA384
ECDSA521
Username and password (User authentication only): When users connect to the VPN, they're
prompted for their username and password.
Shared secret (Machine authentication only): Allows you to enter a shared secret to send to the
VPN server.
Shared secret: Enter the shared secret, also known as the pre-shared key (PSK). Be sure the
value matches the shared secret configured on the VPN server.
Server certificate issuer common name: Allows the VPN server to authenticate to the VPN client.
Enter the certificate issuer common name (CN ) of the VPN server certificate that's sent to the VPN client
on the device. Be sure the CN value matches the configuration on the VPN server. Otherwise, the VPN
connection fails.
Server certificate common name: Enter the CN for the certificate itself. If left blank, the remote
identifier value is used.
Dead peer detection rate: Choose how often the VPN client checks if the VPN tunnel is active. Your
options:
Not configured: Uses the iOS/iPadOS system default, which may be the same as choosing Medium.
None: Disables dead peer detection.
Low: Sends a keepalive message every 30 minutes.
Medium (default): Sends a keepalive message every 10 minutes.
High: Sends a keepalive message every 60 seconds.
TLS version range minimum: Enter the minimum TLS version to use. Enter 1.0 , 1.1 , or 1.2 . If left
blank, the default value of 1.0 is used.
TLS version range maximum: Enter the maximum TLS version to use. Enter 1.0 , 1.1 , or 1.2 . If left
blank, the default value of 1.2 is used.
NOTE
TLS version range minimum and maximum must be set when using user authentication and certificates.
Perfect forward secrecy: Select Enable to turn on perfect forward secrecy (PFS ). PFS is an IP security
feature that reduces the impact if a session key is compromised. Disable (default) doesn't use PFS.
Certificate revocation check: Select Enable to make sure the certificates aren't revoked before allowing
the VPN connection to succeed. This check is best-effort. If the VPN server times out before determining
if the certificate is revoked, access is granted. Disable (default) doesn't check for revoked certificates.
Configure security association parameters: Not configured (default) uses the iOS/iPadOS system
default. Select Enable to enter the parameters used when creating security associations with the VPN
server:
Encryption algorithm: Select the algorithm you want:
DES
3DES
AES -128
AES -256 (default)
AES -128-GCM
AES -256-GCM
Integrity algorithm: Select the algorithm you want:
SHA1-96
SHA1-160
SHA2-256 (default)
SHA2-384
SHA2-512
Diffie-Hellman group: Select the group you want. Default is group 2 .
Lifetime (minutes): Choose how long the security association stays active until the keys are rotated.
Enter a whole value between 10 and 1440 (1440 minutes is 24 hours). Default is 1440 .
Configure a separate set of parameters for child security associations: iOS/iPadOS allows you to
configure separate parameters for the IKE connection, and any child connections.
Not configured (default) uses the values you enter in the previous Configure security association
parameters setting. Select Enable to enter the parameters used when creating child security associations
with the VPN server:
Encryption algorithm: Select the algorithm you want:
DES
3DES
AES -128
AES -256 (default)
AES -128-GCM
AES -256-GCM
Integrity algorithm: Select the algorithm you want:
SHA1-96
SHA1-160
SHA2-256 (default)
SHA2-384
SHA2-512
Diffie-Hellman group: Select the group you want. Default is group 2 .
Lifetime (minutes): Choose how long the security association stays active until the keys are rotated.
Enter a whole value between 10 and 1440 (1440 minutes is 24 hours). Default is 1440 .
Proxy settings
If you're using a proxy, configure the following settings. Proxy settings aren't available for Zscaler VPN
connections.
Automatic configuration script: Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com ) that includes the configuration file.
Address: Enter the IP address of fully qualified host name of the proxy server.
Port number: Enter the port number associated with the proxy server.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Configure VPN settings on Android, Android Enterprise, macOS, and Windows 10 devices.
Add Wi-Fi settings for iOS and iPadOS devices in
Microsoft Intune
2/19/2020 • 6 minutes to read • Edit Online
You can create a profile with specific WiFi settings, and then deploy this profile to your iOS/iPadOS devices.
Microsoft Intune offers many features, including authenticating to your network, adding a PKCS or SCEP
certificate, and more.
These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise-level settings.
This article describes these settings.
NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see iOS/iPadOS
enrollment.
Basic profiles
Wi-Fi type: Choose Basic.
Network name: Enter a name for this Wi-Fi connection. This value is the name that users see when they
browse the list of available connections on their device.
SSID: Short for service set identifier. This property is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the connection.
Connect automatically: Choose Enable to automatically connect to this network when the device is in
range. Choose Disable to prevent devices from automatically connecting.
Hidden network: Choose Enable if the SSID of the network isn't broadcasted. Choose Disable if the
SSID of the network is broadcasted and visible.
Security type: Select the security protocol to authenticate to the Wi-Fi network. Your options:
Open (no authentication): Only use this option if the network is unsecured.
WPA/WPA2 - Personal: Enter the password in Pre-shared key. When your organization's network is
set up or configured, a password or network key is also configured. Enter this password or network key
for the PSK value.
WEP
Proxy settings: Your options:
None: No proxy settings are configured.
Manual: Enter the Proxy server address as an IP address, and its Port number.
Automatic: Use a file to configure the proxy server. Enter the Proxy server URL (for example
http://proxy.contoso.com ) that contains the configuration file.
Enterprise profiles
Wi-Fi type: Choose Enterprise.
SSID: Short for service set identifier. This property is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the connection.
Connect automatically: Choose Enable to automatically connect to this network when the device is in
range. Choose Disable to prevent devices from automatically connecting.
Hidden network: Choose Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Choose Disable to show this network in the list of available networks on the
device.
EAP type: Choose the Extensible Authentication Protocol (EAP ) type used to authenticate secured wireless
connections. Your options:
EAP -FAST: Enter the Protected Access Credential (PAC ) Settings. This option uses protected
access credentials to create an authenticated tunnel between the client and the authentication server.
Your options:
Do not use (PAC )
Use (PAC ): If an existing PAC file exists, use it.
Use and Provision PAC: Create and add the PAC file to your devices.
Use and Provision PAC Anonymously: Create and add the PAC file to your devices without
authenticating to the server.
EAP -SIM
EAP -TLS: Also enter:
Server Trust - Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA) to your wireless network access
servers. For example, add mywirelessserver.contoso.com or mywirelessserver . When you
enter this information, you can bypass the dynamic trust window displayed on user's devices
when they connect to this Wi-Fi network.
Root certificate for server validation: Choose an existing trusted root certificate profile.
This certificate allows the client to trust the wireless network access server’s certificate.
Client Authentication Choose an Authentication method. Your options:
Derived credential: Use a certificate that’s derived from a user’s smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Certificates: Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP identity
request. This text can be any value, such as anonymous . During authentication, this anonymous
identity is initially sent, and then followed by the real identification sent in a secure tunnel.
EAP -TTLS: Also enter:
Server Trust - Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA) to your wireless network access
servers. For example, add mywirelessserver.contoso.com or mywirelessserver . When you
enter this information, you can bypass the dynamic trust window displayed on user's devices
when they connect to this Wi-Fi network.
Root certificate for server validation: Choose an existing trusted root certificate profile.
This certificate allows the client to trust the wireless network access server’s certificate.
Client Authentication - Choose an Authentication method. Your options:
Derived credential: Use a certificate that’s derived from a user’s smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Username and Password: Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you choose the same protocol that's configured on your Wi-
Fi network.
Your options: Unencrypted password (PAP ), Challenge Handshake
Authentication Protocol (CHAP ), Microsoft CHAP (MS -CHAP ), or
Microsoft CHAP Version 2 (MS -CHAP v2)
Certificates: Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
LEAP
PEAP: Also enter:
Server Trust - Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA) to your wireless network access
servers. For example, add mywirelessserver.contoso.com or mywirelessserver . When you
enter this information, you can bypass the dynamic trust window displayed on user's devices
when they connect to this Wi-Fi network.
Root certificate for server validation: Choose an existing trusted root certificate profile.
This certificate allows the client to trust the wireless network access server’s certificate.
Client Authentication - Choose an Authentication method. Your options:
Derived credential: Use a certificate that’s derived from a user’s smart card. If no
derived credential issuer is configured, Intune prompts you to add one. For more
information, see Use derived credentials in Microsoft Intune.
Username and Password: Prompt the user for a user name and password to
authenticate the connection.
Certificates: Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
Proxy settings: Your options:
None: No proxy settings are configured.
Manual: Enter the Proxy server address as an IP address, and its Port number.
Automatic: Use a file to configure the proxy server. Enter the Proxy server URL (for example
http://proxy.contoso.com ) that contains the configuration file.
Next steps
The profile is created, but it's not doing anything. Next, assign this profile, and monitor its status.
Configure Wi-Fi settings on Android, Android Enterprise, macOS, and Windows 10 devices.
Use custom settings for iOS and iPadOS devices in
Microsoft Intune
2/19/2020 • 2 minutes to read • Edit Online
Using Microsoft Intune, you can add or create custom settings for your iOS/iPadOS devices using "custom
profiles". Custom profiles are a feature in Intune. They're designed to add device settings and features that aren't
built in to Intune.
When using iOS/iPadOS devices, there are two ways to get custom settings into Intune:
Apple Configurator
Apple Profile Manager
You can use these tools to export settings to a configuration profile. In Intune, you import this file, and then assign
the profile to your iOS/iPadOS users and devices. Once assigned, the settings are distributed. They also create a
baseline or standard for iOS/iPadOS in your organization.
This article provides some guidance on using Apple Configurator and Apple Profile Manager, and describes the
properties you can configure.
NOTE
Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect input.
For example, if you enter {{DeviceID}} instead of {{deviceid}} , then the literal string is shown instead of the
device’s unique ID. Be sure to enter the correct information.
Select OK > Create to save your changes. The profile is created and shown in the profiles list.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile.
See how to create the profile on macOS devices.
Bundle IDs for built-in iOS and iPadOS apps you can
use in Intune
2/19/2020 • 2 minutes to read • Edit Online
When you configure features on iOS/iPadOS devices, you can also add the built-in apps on iOS/iPadOS devices.
This article lists the bundle IDs of some common built-in iOS/iPadOS apps. To find the bundle ID of other apps,
contact your software vendor. See Apple's list of iOS/iPadOS bundle IDs (opens Apple's web site).
Bundle IDs
BUNDLE ID APP NAME PUBLISHER
com.apple.tv TV Apple
BUNDLE ID APP NAME PUBLISHER
Next steps
Use these bundle IDs to configure device features and to allow or restrict some settings on iOS/iPadOS devices.
macOS device feature settings in Intune
2/19/2020 • 13 minutes to read • Edit Online
Intune includes some built-in settings to customize features on your macOS devices. For example, administrators
can add AirPrint printers, choose how users sign in, configure the power controls, use single sign-on
authentication, and more.
Use these features to control macOS devices as part of your mobile device management (MDM ) solution.
This article lists these settings, and describes what each setting does. It also lists the steps to get the IP address,
path, and port of AirPrint printers using the Terminal app (emulator). For more information on device features, go
to Add iOS/iPadOS or macOS device feature settings.
NOTE
These settings apply to different enrollment types, with some settings applying to all enrollment options. For more
information on the different enrollment types, see macOS enrollment.
AirPrint
Settings apply to: Device enrollment and Automated device enrollment
IP address: Enter the IPv4 or IPv6 address of the printer. If you use host names to identify printers, you can
get the IP address by pinging the printer in the Terminal app. Get the IP address and path (in this article)
provides more details.
Path: Enter the path of the printer. The path is typically ipp/print for printers on your network. Get the IP
address and path (in this article) provides more details.
Port (iOS 11.0+, iPadOS 13.0+): Enter the listening port of the AirPrint destination. If you leave this
property blank, AirPrint uses the default port.
TLS (iOS 11.0+, iPadOS 13.0+): Select Enable to secure AirPrint connections with Transport Layer
Security (TLS ).
Add The AirPrint server. You can add many AirPrint servers.
You can also Import a comma-separated file (.csv) that includes a list of AirPrint printers. Also, after you add
AirPrint printers in Intune, you can Export this list.
Get the IP address and path
To add AirPrinter servers, you need the IP address of the printer, the resource path, and the port. The following
steps show you how to get this information.
1. On a Mac that’s connected to the same local network (subnet) as the AirPrint printers, open Terminal
(from /Applications/Utilities).
2. In the Terminal app, type ippfind , and select enter.
Note the printer information. For example, it may return something similar to
ipp://myprinter.local.:631/ipp/port1 . The first part is the name of the printer. The last part ( ipp/port1 ) is
the resource path.
3. In the Terminal, type ping myprinter.local , and select enter.
Note the IP address. For example, it may return something similar to PING myprinter.local (10.50.25.21) .
4. Use the IP address and resource path values. In this example, the IP address is 10.50.25.21 , and the
resource path is /ipp/port1 .
Login items
Settings apply to: All enrollment types
Files, folders, and custom apps: Add the path of a file, folder, custom app, or system app you want to
open when a user signs in to the device. System apps, or apps built or customized for your organization are
typically in the Applications folder, with a path similar to /Applications/AppName.app .
You can add many files, folders, and apps. For example, enter:
/Applications/Calculator.app
/Applications
/Applications/Microsoft Office/root/Office16/winword.exe
/Users/UserName/music/itunes.app
When adding any app, folder, or file, be sure to enter the correct path. Not all items are in the Applications
folder. If a user moves an item from one location to another, then the path changes. This moved item won't
be opened when the user signs in.
Login window
Settings apply to: Device enrollment and Automated device enrollment
Window Layout
Show additional information in the menu bar: When the time area on the menu bar is selected, Allow
shows the host name and macOS version. Not configured (default) doesn't show this information on the
menu bar.
Banner: Enter a message that's shown on the sign in screen on the device. For example, enter your
organization information, a welcome message, lost and found information, and so on.
Choose login format: Choose how users sign in to the device. Your options:
Prompt for username and password (default): Requires users to enter a username and password.
List all users, prompt for password: Requires users to select their username from a user list, and
then enter their password. Also configure:
Local users: Hide doesn't show the local user accounts in the user list, which may include the
standard and admin accounts. Only the network and system user accounts are shown. Not
configured (default) shows the local user accounts in the user list.
Mobile accounts: Hide doesn't show mobile accounts in the user list. Not configured (default)
shows the mobile accounts in the user list. Some mobile accounts may show as network users.
Network users: Select Show to list the network users in the user list. Not configured (default)
doesn't show the network user accounts in the user list.
Admin users: Hide doesn't show the administrator user accounts in the user list. Not
configured (default) shows the administrator user accounts in the user list.
Other users: Select Show to list Other... users in the user list. Not configured (default) doesn't
show the other user accounts in the user list.
Login screen power settings
Shut Down button: Hide doesn't show the shutdown button on the sign in screen. Not configured (default)
shows the shutdown button.
Restart button: Hide doesn't show the restart button on the sign in screen. Not configured (default) shows
the restart button.
Sleep button: Hide doesn't show the sleep button on the sign in screen. Not configured (default) shows the
sleep button.
Other
Disable user login from Console: Disable hides the macOS command line used to sign in. For typical users,
Disable this setting. Not configured (default) allows advanced users to sign in using the macOS command
line. To enter console mode, users enter >console in the Username field, and must authenticate in the console
window.
Apple Menu
After users sign in to the devices, the following settings impact what they can do.
Disable Shut Down: Disable prevents users from selecting the Shutdown option after the user signs in.
Not configured (default) allows users to select the Shutdown menu item on the device.
Disable Restart: Disable prevents users from selecting the Restart option after the user signs in. Not
configured (default) allows users to select the Restart menu item on the device.
Disable Power Off: Disable prevents users from selecting the Power off option after the user signs in. Not
configured (default) allows users to select the Power off menu item on the device.
Disable Log Out (macOS 10.13 and later): Disable prevents users from selecting the Log out option after
the user signs in. Not configured (default) allows users to select the Log out menu item on the device.
Disable Lock Screen (macOS 10.13 and later): Disable prevents users from selecting the Lock screen
option after the user signs in. Not configured (default) allows users to select the Lock screen menu item on
the device.
TIP
With the Redirect and Credential types, you add your own configuration values to pass through the extension. If
you're using Credential, consider using built-in configuration settings provided by Apple in the the Kerberos type.
Extension ID (Redirect and Credential): Enter the bundle identifier that identifies your SSO app extension,
such as com.apple.ssoexample .
Team ID (Redirect and Credential): Enter the team identifier of your SSO app extension. A team identifier
is a 10-character alphanumerical (numbers and letters) string generated by Apple, such as ABCDE12345 .
Locate your Team ID (opens Apple’s website) has more information.
Realm (Credential and Kerberos): Enter the name of your authentication realm. The realm name should be
capitalized, such as CONTOSO.COM . Typically, your realm name is the same as your DNS domain name, but in
all uppercase.
Domains (Credential and Kerberos): Enter the domain or host names of the sites that can authenticate
through SSO. For example, if your website is mysite.contoso.com , then mysite is the host name, and
contoso.com is the domain name. When users connect to any of these sites, the app extension handles the
authentication challenge. This authentication allows users to use Face ID, Touch ID, or Apple
pincode/passcode to sign in.
All the domains in your single sign-on app extension Intune profiles must be unique. You can't repeat a
domain in any sign-on app extension profile, even if you're using different types of SSO app extensions.
These domains aren't case-sensitive.
URLs (Redirect only): Enter the URL prefixes of your identity providers on whose behalf the redirect app
extension performs SSO. When a user is redirected to these URLs, the SSO app extension will intervene
and prompt SSO.
All the URLs in your Intune single sign-on app extension profiles must be unique. You can’t repeat a
domain in any SSO app extension profile, even if you’re using different types of SSO app extensions.
The URLs must begin with http:// or https://.
Additional configuration (Redirect and Credential): Enter additional extension-specific data to pass to the
SSO app extension:
Key: Enter the name of the item you want to add, such as user name .
Type: Enter the type of data. Your options:
String
Boolean: In Configuration value, enter True or False .
Integer: In Configuration value, enter a number.
Value: Enter the data.
Add: Select to add your configuration keys.
Keychain usage (Kerberos only): Choose Block to prevent passwords from being saved and stored in the
keychain. Not configured (default) allows passwords to be saved and stored in the keychain.
Face ID, Touch ID, or passcode (Kerberos only): Require forces users to enter their Face ID, Touch ID, or
Apple passcode to sign in to the domains you added. Not configured (default) doesn't require users to
use biometrics or passcode to sign in.
Default realm (Kerberos only): Choose Enable to set the Realm value you entered as the default realm.
Not configured (default) doesn't set a default realm.
TIP
Enable this setting if you're configuring multiple Kerberos SSO app extensions in your organization.
Enable this setting if you're using multiple realms. It sets the Realm value you entered as the default realm.
If you only have one realm, leave it Not configured (default).
Autodiscover (Kerberos only): When set to Block, the Kerberos extension doesn't automatically use LDAP
and DNS to determine its Active Directory site name. Not configured (default) allows the extension to
automatically find the Active Directory site name.
Password changes (Kerberos only): Block prevents users from changing the passwords they use to sign
in to the domains you entered. Not configured (default) allows password changes.
Password sync (Kerberos only): Choose Enable to sync your users’ local passwords to Azure AD. Not
configured (default) disables password sync to Azure AD. Use this setting as an alternative or backup to
SSO. This setting doesn't work if users are signed in with an Apple mobile account.
Windows Server Active Directory password complexity (Kerberos only): Choose Require to force
user passwords to meet Active Directory’s password complexity requirements. See Password must meet
complexity requirements for more information. Not configured (default) doesn't require users to meet
Active Directory’s password requirement.
Minimum password length (Kerberos only): Enter the minimum number of characters that can make up
a user’s password. Not configured (default) doesn't enforce a minimum password length on the users.
Password reuse limit (Kerberos only): Enter the number of new passwords, from 1-24, that must be used
until a previous password can be reused on the domain. Not configured (default) doesn't enforce a
password reuse limit.
Minimum password age (Kerberos only): Enter the number of days that a password must be used on the
domain before a user can change it. Not configured (default) doesn't enforce a minimum age of
passwords before they can be changed.
Password expiration notification (Kerberos only): Enter the number of days before a password expires
that users get notified that their password will expire. Not configured (default) uses 15 days.
Password expiration (Kerberos only): Enter the number of days before the device password must be
changed. Not configured (default) means user passwords never expire.
Password change URL (Kerberos only): Enter the URL that launches when the user initiates a Kerberos
password change.
Principal name (Kerberos only): Enter the username of the Kerberos principal. You don't need to include
the realm name. For example, in user@contoso.com , user is the principal name, and contoso.com is the
realm name.
TIP
You can also use variables in the principal name by entering curly brackets {{ }} . For example, to show the
username, enter Username: {{username}} .
However, be careful with variable substitution because variables aren't validated in the UI and they are case
sensitive. Be sure to enter the correct information.
Active Directory site code (Kerberos only): Enter the name of the Active Directory site that the Kerberos
extension should use. You may not need to change this value, as the Kerberos extension may automatically
find the Active Directory site code.
Cache name (Kerberos only): Enter the Generic Security Services (GSS ) name of the Kerberos cache. You
most likely don't need to set this value.
Password requirements message (Kerberos only): Enter a text version of your organization's password
requirements that's shown to users. The message is shown if you don’t require Active Directory’s password
complexity requirements, or don’t enter a minimum password length.
App bundle IDs (Kerberos only): Add the app bundle identifiers that should use single sign-on on your
devices. These apps are granted access to the Kerberos Ticket Granting Ticket, the authentication ticket, and
authenticate users to services they’re authorized to access.
Domain realm mapping (Kerberos only): Add the domain DNS suffixes that should map to your realm.
Use this setting when the DNS names of the hosts don’t match the realm name. You most likely don't need
to create this custom domain-to-realm mapping.
PKINIT certificate (Kerberos only): Select the Public Key Cryptography for Initial Authentication
(PKINIT) certificate that can be used for Kerberos authentication. You can choose from PKCS or SCEP
certificates that you've added in Intune. For more information about certificates, see Use certificates for
authentication in Microsoft Intune.
Associated domains
In Intune, you can:
Add many app-to-domain associations.
Associate many domains with the same app.
This feature applies to:
macOS 10.15 and newer
Settings apply to: All enrollment types
App ID: Enter the app identifier of the app to associate with a website. The app identifier includes the team
ID and a bundle ID: TeamID.BundleID .
The team ID is a 10-character alphanumerical (letters and numbers) string generated by Apple for your app
developers, such as ABCDE12345 . Locate your Team ID (opens Apple's web site) has more information.
The bundle ID uniquely identifies the app, and typically is formatted in reverse domain name notation. For
example, the bundle ID of Finder is com.apple.finder . To find the bundle ID, use the AppleScript in
Terminal:
osascript -e 'id of app "ExampleApp"'
Domain: Enter the website domain to associate with an app. The domain includes a service type and fully
qualified hostname, such as webcredentials:www.contoso.com .
You can match all subdomains of an associated domain by entering *. (an asterisk wildcard and a period)
before the beginning of the domain. The period is required. Exact domains have a higher priority than
wildcard domains. So, patterns from parent domains are matched if a match isn't found at the fully
qualified subdomain.
The service type can be:
authsrv: Single sign-on app extension
applink: Universal link
webcredentials: Password autofill
Add: Select to add your apps and associated domains.
TIP
To troubleshoot, on your macOS device, open System Preferences > Profiles. Confirm the profile you created is in the
device profiles list. If it's listed, be sure the Associated Domains Configuration is in the profile, and it includes the correct
app ID and domains.
Next steps
Assign the profile and monitor its status.
You can also configure device features on iOS/iPadOS.
macOS device settings to allow or restrict features
using Intune
2/19/2020 • 9 minutes to read • Edit Online
This article lists and describes the different settings you can control on macOS devices. As part of your mobile
device management (MDM ) solution, use these settings to allow or disable features, set password rules, allow or
restrict specific apps, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your macOS
devices.
NOTE
These settings apply to different enrollment types. For more information on the different enrollment types, see macOS
enrollment.
General
Settings apply to: Device enrollment and Automated device enrollment
Definition Lookup: Block prevents user from highlighting a word, and then looking up its definition on
the device. Not configured (default) allows access to the definition lookup feature.
Dictation: Block stops the user from using voice input to enter text. Not configured (default) allows the
user to use dictation input.
Content caching: Choose Not configured (default) to enable content caching. Content caching stores
app data, web browser data, downloads, and more locally on the device. Select Block to prevent this data
from being stored in the cache.
For more information on content caching on macOS, see Manage content caching on Mac (opens another
website).
This feature applies to:
macOS 10.13 and newer
Defer software updates: When set to Not configured (default), software updates are shown on the
device as Apple releases them. For example, if a macOS update gets released by Apple on a specific date,
then that update naturally shows up on the device around the release date. Seed build updates are allowed
without delay.
Enable allows you to delay when software updates are shown on devices, from 0-90 days. This setting
doesn't control when updates are or aren't installed.
Delay visibility of software updates: Enter a value from 0-90 days. When the delay expires, users
get a notification to update to the earliest version of the OS available when the delay was triggered.
For example, if a macOS update is available on January 1, and Delay visibility is set to 5 days,
then the update isn't shown as an available update. On the sixth day following the release, that
update is available, and end users can install it.
This feature applies to:
macOS 10.13.4 and newer
Screenshots: Device must be enrolled in Apple's Automated Device Enrollment (DEP ). When set to Block,
users can't save a screenshot of the display. It also prevents the Classroom app from observing remote
screens. Not configured (default) allows users to capture screenshots, and allows the Classroom app to
view remote screens.
Settings apply to: Automated device enrollment
Remote screen observation through Classroom app: Disable prevents teachers from using the
Classroom app to see their students' screens. Not configured (default) allows teachers to see their
students' screens.
To use this setting, set the Screenshots setting to Not configured (screenshots are allowed).
Unprompted screen observation by Classroom app: Allow lets teachers see their students’ screens
without requiring the student to agree. Not configured (default) requires the student to agree before the
teacher can see the screens.
To use this setting, set the Screenshots setting to Not configured (screenshots are allowed).
Students must request permission to leave Classroom class: Require forces students enrolled in an
unmanaged Classroom course to get teacher approval to leave the course. Not configured (default) allows
student to leave the course whenever the student chooses.
Teachers can automatically lock devices or apps in the Classroom app: Allow lets teachers lock a
student's device or app without the student's approval. Not configured (default) requires the student to
agree before the teacher can lock the device or app.
Students can automatically join Classroom class: Allow lets students join a class without prompting
the teacher. Not configured (default) requires teacher approval to join a class.
Password
Settings apply to: Device enrollment and Automated device enrollment
Password: Require the end user to enter a password to access the device. Not configured (default)
doesn't require a password. It also doesn't force any restrictions, such as blocking simple passwords or
setting a minimum length.
Required password type: Specify whether the password can be Numeric only, or whether it must
be Alphanumeric (contain letters and numbers).
This feature applies to:
macOS 10.10.3 and newer
Number of non-alphanumeric characters in password: Specify the number of complex
characters required in the password (0 to 4).
A complex character is a symbol, for example "?".
Minimum password length: Enter the minimum length of password a user must configure
(between 4 and 16 characters).
Simple passwords: Allow the use of simple passwords such as 0000 or 1234.
Maximum minutes after screen lock before password is required: Specify how long the
computer must be inactive before a password is required to unlock it.
Maximum minutes of inactivity until screen locks: Specify the length of time that the computer
must be idle before the screen locks.
Password expiration (days): Specify how many days elapse before the user must change the
password (1 to 255 days).
Prevent reuse of previous passwords: Enter the number of previously used passwords that can't
be reused, from 1 to 24.
Block User from Modifying Passcode: Choose Block to stop the passcode from being changed, added,
or removed. Not configured (default) allows passcodes to be added, changed, or removed.
Block Fingerprint Unlock: Choose Block to prevent using a fingerprint to unlock the device. Not
configured (default) allows the user to unlock the device using a fingerprint.
Block password AutoFill: Choose Block to prevent using the AutoFill Passwords feature on macOS.
Choosing Block also has the following impact:
Users aren't prompted to use a saved password in Safari or in any apps.
Automatic Strong Passwords are disabled, and strong passwords aren't suggested to users.
Not configured (default) allows these features.
Block password proximity requests: Choose Block so a user’s device doesn't request passwords from
nearby devices. Not configured (default) allows these password requests.
Block password sharing: Block prevents sharing passwords between devices using AirDrop. Not
configured (default) allows passwords to be shared.
Built-in Apps
Settings apply to: Device enrollment and Automated device enrollment
Block Safari AutoFill: Block disables the autofill feature in Safari on the device. Not configured (default)
allows users to change autocomplete settings in the web browser.
Block Camera: Choose Block to prevent access to the camera on the device. Not configured (default)
allows access to the device's camera.
Block Apple Music: Block reverts the Music app to classic mode and disables the Music service. Not
configured (default) allows using the Apple Music app.
Block Spotlight Internet Search Results: Block stops Spotlight from returning any results from an
Internet search. Not configured (default) allows Spotlight search connect to the Internet to provide search
results.
Block File Transfer using iTunes: Block disables application file sharing services. Not configured
(default) allows application file sharing services.
This feature applies to:
macOS 10.13 and newer
Restricted apps
Settings apply to: Device enrollment and Automated device enrollment
Type of restricted apps list: Create a list of apps that users aren't allowed to install or use. Your options:
Not configured (default): There are no restrictions from Intune. Users have access to apps you assign,
and built-in apps.
Prohibited apps: Apps not managed by Intune that you don't want installed on the device. Users aren't
prevented from installing a prohibited app. But if a user installs an app from this list, it's reported in
Intune.
Approved apps: Apps that users are allowed to install. Users must not install apps that aren't listed.
Apps that are managed by Intune are automatically allowed. Users aren't prevented from installing an
app that isn't on the approved list. But if they do, it's reported in Intune.
App Bundle ID: Enter the app bundle ID of the app you want. You can show or hide built-in apps and line-
of-business apps. Apple's web site has a list of built-in Apple apps.
App name: Enter the app name of the app you want. You can show or hide built-in apps and line-of-
business apps. Apple's web site has a list of built-in Apple apps.
Publisher: Enter the publisher of the app you want.
To add apps to these lists, you can:
Add: Select to create your list of apps.
Import a CSV file with details about the app, including the URL. Use the
<app bundle ID>, <app name>, <app publisher> format. Or, Export to create a list of apps you added, in the
same format.
Connected devices
Settings apply to: Device enrollment and Automated device enrollment
Block AirDrop: Block prevents using AirDrop on the device. Not configured (default) allows using the
AirDrop feature to exchange content with nearby devices.
Block Apple Watch Auto Unlock: Block prevents users from unlocking their macOS device with their Apple
Watch. Not configured (default) allows users to unlock their macOS device with their Apple Watch.
Domains
Settings apply to: Device enrollment and Automated device enrollment
Email Domain URL: Add one or more URLs to the list. When users receive an email from a domain other
than one you configured, the email is marked as untrusted in the macOS Mail app.
Next steps
Assign the profile and monitor its status.
You can also restrict device features and settings on iOS/iPadOS devices.
MacOS endpoint protection settings in Intune
10/16/2019 • 3 minutes to read • Edit Online
This article shows you the endpoint protection settings that you can configure for devices that run macOS. You
configure these settings by using a macOS device configuration profile for endpoint protection in Intune.
Gatekeeper
Allow apps downloaded from these locations
Limit the apps a device can launch, depending on where the apps were downloaded from. The intent is to
protect devices from malware, and allow apps from only the sources you trust.
Not configured
Mac App Store
Mac App Store and identified developers
Anywhere
Default: Not configured
User can override Gatekeeper
Prevents users from overriding the Gatekeeper setting, and prevents users from Control clicking to install
an app. When enabled, users can Control-click any app, and install it.
Not configured - Users can Control-click to install apps.
Block - Prevents users from using Control-click to install apps.
Default: Not configured
Firewall
Use the firewall to control connections per-application, rather than per-port. Using per-application settings makes
it easier to get the benefits of firewall protection. It also helps prevent undesirable apps from taking control of
network ports that are open for legitimate apps.
General
Firewall
Enable Firewall to configure how incoming connections are handled in your environment.
Not configured
Enable
Default: Not configured
Incoming connections
Block all incoming connections except the connections required for basic Internet services, such as DHCP,
Bonjour, and IPSec. This feature also blocks all sharing services, such as File Sharing and Screen Sharing. If
you're using sharing services, then keep this setting as Not configured.
Not configured
Block
Default: Not configured
Allow or block incoming connections for specific apps.
Apps allowed
Select the apps that are explicitly allowed to receive incoming connections.
Apps blocked
Select the apps that should block incoming connections.
Stealth mode
To prevent the computer from responding to probing requests, enable stealth mode. The device continues to
answer incoming requests for authorized apps. Unexpected requests, such as ICMP (ping), are ignored.
Not configured
Enable
Default: Not configured
FileVault
For more information about Apple FileVault settings, see FDEFileVault in the Apple developer content.
IMPORTANT
As of macOS 10.15, FileVault configuration requires user approved MDM enrollment.
FileVault
You can enable Full Disk Encryption using XTS -AES 128 with FileVault on devices that run macOS 10.13
and later.
Not configured
Enable
Default: Not configured
Recovery key type
Personal key recovery keys are created for devices. Configure the following settings for the personal
key.
Location of personal recovery key - Specify a short message to the user that explains how
and where they can retrieve their personal recovery key. This text is inserted into the message
the user sees on their log in screen when prompted to enter their personal recovery key if a
password is forgotten.
Personal recovery key rotation - Specify how frequently the personal recovery key for a
device will rotate. You can select the default of Not configured, or a value of 1 to 12 months.
Disable prompt at sign out
Prevent the prompt to the user that requests they enable FileVault when they sign out. When set to
Disable, the prompt at sign-out is disabled and instead, the user is prompted when they sign in.
Not configured
Disable - Disable the prompt at sign-out.
Default: Not configured
Number of times allowed to bypass
Set the number of times a user can ignore prompts to enable FileVault before FileVault is required for
the user to sign in.
Not configured - Encryption on the device is required before the next sign-in is allowed.
1 to 10 - Allow a user to ignore the prompt from 1 to 10 times before requiring encryption on the
device.
No limit, always prompt - The user is prompted to enable FileVault but encryption is never
required.
Default: Varies - When the setting Disable prompt at sign out is set to Not configured, this setting
defaults to Not configured. When Disable prompt at sign out is set to Disable, this setting defaults
to 1 and a value of Not configured isn't an option.
For more information about FileVault with Intune, see FileVault recovery keys.
macOS device settings to configure and use kernel
extensions in Intune
12/19/2019 • 2 minutes to read • Edit Online
This article lists and describes the different kernel extension settings you can control on macOS devices. As part of
your mobile device management (MDM ) solution, use these settings to add and manage kernel extensions on your
devices.
To learn more about kernel extensions in Intune, and any prerequisites, see add macOS kernel extensions.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your macOS
devices.
NOTE
These settings apply to different enrollment types. For more information on the different enrollment types, see macOS
enrollment.
Kernel extensions
Settings apply to: User approved, Automated device enrollment
Allow User Overrides: Allow lets users approve kernel extensions not included in the configuration
profile. Not configured (default) prevents users from allowing extensions not included in the configuration
profile. Meaning, only extensions included in the configuration profile are allowed.
See user-approved kernel extension loading (opens Apple's web site) for more information on this feature.
Allowed Team Identifiers: Use this setting to allow one or many team IDs. Any kernel extensions signed
with the team IDs you enter are allowed and trusted. In other words, use this option to allow all kernel
extensions within the same team ID, which may be a specific developer or partner.
Add a team identifier of valid and signed kernel extensions that you want to load. You can add multiple
team identifiers. The team identifier must be alphanumeric (letters and numbers) and have 10 characters.
For example, enter ABCDE12345 .
After you add a team identifier, it can also be deleted.
Locate your Team ID (opens Apple's web site) has more information.
Allowed Kernel Extensions: Use this setting to allow specific kernel extensions. Only the kernel extensions
you enter are allowed or trusted.
Add the bundle identifier and team identifier of a kernel extension that you want to load. For unsigned
legacy kernel extensions, use an empty team identifier. You can add multiple kernel extensions. The team
identifier must be alphanumeric (letters and numbers) and have 10 characters. For example, enter
com.contoso.appname.macos for Bundle ID, and ABCDE12345 for Team identifier.
TIP
To get the Bundle ID of a kernel extension (Kext) on a macOS device, you can:
1. In the Terminal, run kextstat | grep -v com.apple , and note the output. Install the software or Kext that
you want. Run kextstat | grep -v com.apple again, and look for changes.
In the Terminal, kextstat lists all the kernel extensions on the OS.
2. On the device, open the Information Property List file (Info.plist) for a Kext. The bundle ID is shown. Each Kext
has an Info.plist file stored inside.
NOTE
You don't have to add team identifiers and kernel extensions. You can configure one or the other.
Next steps
Assign the profile and monitor its status.
Add a property list file to macOS devices using
Microsoft Intune
1/9/2020 • 2 minutes to read • Edit Online
Using Microsoft Intune, you can add a property list file (.plist) for macOS devices, or apps on macOS devices.
This feature applies to:
macOS devices running 10.7 and newer
Property list files typically include information about macOS applications. For more information, see About
Information Property List Files (Apple's website) and Custom payload settings.
This article lists and describes the different property list file settings you can add to macOS devices. As part of
your mobile device management (MDM ) solution, use these settings to add the app bundle ID (
com.company.application ), and add its .plist file.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your macOS
devices.
Preference file
Preference domain name: Property list files are typically used for web browsers (Microsoft Edge), Microsoft
Defender Advanced Threat Protection, and custom apps. When you create a preference domain, a bundle ID is
also created. Enter the bundle ID, such as com.company.application . For example, enter
com.Contoso.applicationName , com.Microsoft.Edge , or com.microsoft.wdav .
Property list file: Select the property list file associated with your app. Be sure it's a .plist or .xml file. For
example, upload a YourApp-Manifest.plist or YourApp-Manifest.xml file.
File contents: The key information in the property list file is shown. If you need to change the key information,
open the list file in another editor, and then reupload the file in Intune.
Be sure your file is formatted correctly. The file should only have key value pairs, and shouldn't be wrapped in
<dict> , <plist> , or <xml> tags. For example, your property list file should be similar to the following file:
<key>SomeKey</key>
<string>someString</string>
<key>AnotherKey</key>
<false/>
...
Select OK > Create to save your changes. The profile is created and shown in the profiles list.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
For more information on preference files for Microsoft Edge, see Configure Microsoft Edge policy settings on
macOS.
Add VPN settings on macOS devices in Microsoft
Intune
2/19/2020 • 2 minutes to read • Edit Online
This article shows you the Intune settings you can use to configure VPN connections on devices running macOS.
Depending on the settings you choose, not all values in the following list are configurable.
NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see macOS enrollment.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Configure VPN settings on Android, Android Enterprise, iOS/iPadOS, and Windows 10 devices.
Add Wi-Fi settings for macOS devices in Microsoft
Intune
2/19/2020 • 5 minutes to read • Edit Online
You can create a profile with specific WiFi settings, and then deploy this profile to your macOS devices. Microsoft
Intune offers many features, including authenticating to your network, adding a PKS or SCEP certificate, and
more.
These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise-level settings.
This article describes these settings.
NOTE
These settings are available for all enrollment types. For more information on the enrollment types, see macOS enrollment.
Basic profiles
Wi-Fi type: Choose Basic.
Network name: Enter a name for this Wi-Fi connection. This value is the name that users see when they
browse the list of available connections on their device.
SSID: Short for service set identifier. This property is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the connection.
Connect automatically: Choose Enable to automatically connect to this network when the device is in
range. Choose Disable to prevent devices from automatically connecting.
Hidden network: Choose Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Choose Disable to show this network in the list of available networks on the
device.
Security type: Select the security protocol to authenticate to the Wi-Fi network. Your options:
Open (no authentication): Only use this option if the network is unsecured.
WPA/WPA2 - Personal: Enter the password in Pre-shared key. When your organization's network is
set up or configured, a password or network key is also configured. Enter this password or network key
for the PSK value.
WEP
Proxy settings: Your options:
None: No proxy settings are configured.
Manual: Enter the Proxy server address as an IP address, and its Port number.
Automatic: Use a file to configure the proxy server. Enter the Proxy server URL (for example
http://proxy.contoso.com ) that contains the configuration file.
Enterprise profiles
Wi-Fi type: Choose Enterprise.
SSID: Short for service set identifier. This property is the real name of the wireless network that devices
connect to. However, users only see the network name you configured when they choose the connection.
Connect automatically: Choose Enable to automatically connect to this network when the device is in
range. Choose Disable to prevent devices from automatically connecting.
Hidden network: Choose Enable to hide this network from the list of available networks on the device.
The SSID isn't broadcasted. Choose Disable to show this network in the list of available networks on the
device.
EAP type: Choose the Extensible Authentication Protocol (EAP ) type used to authenticate secured wireless
connections. Your options:
EAP -FAST: Enter the Protected Access Credential (PAC ) Settings. This option uses protected
access credentials to create an authenticated tunnel between the client and the authentication server.
Your options:
Do not use (PAC )
Use (PAC ): If an existing PAC file exists, use it.
Use and Provision PAC: Create and add the PAC file to your devices.
Use and Provision PAC Anonymously: Create and add the PAC file to your devices without
authenticating to the server.
EAP -SIM
EAP -TLS: Also enter:
Server Trust - Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA). When you enter this information,
you can bypass the dynamic trust window displayed on user's devices when they connect to
this Wi-Fi network.
Root certificate for server validation: Choose an existing trusted root certificate profile.
This certificate is presented to the server when the client connects to the network, and is used
to authenticate the connection.
Client Authentication - Client certificate for client authentication (Identity
certificate): Choose the SCEP or PKCS client certificate profile that is also deployed to the
device. This certificate is the identity presented by the device to the server to authenticate the
connection.
EAP -TTLS: Also enter:
Server Trust - Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA). When you enter this information,
you can bypass the dynamic trust window displayed on user's devices when they connect to
this Wi-Fi network.
Root certificate for server validation: Choose an existing trusted root certificate profile.
This certificate is presented to the server when the client connects to the network, and is used
to authenticate the connection.
Client Authentication - Choose an Authentication method. Your options:
Username and Password: Prompt the user for a user name and password to
authenticate the connection. Also enter:
Non-EAP method (inner identity): Choose how you authenticate the
connection. Be sure you choose the same protocol that's configured on your Wi-
Fi network.
Your options: Unencrypted password (PAP ), Challenge Handshake
Authentication Protocol (CHAP ), Microsoft CHAP (MS -CHAP ), or
Microsoft CHAP Version 2 (MS -CHAP v2)
Certificates: Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
LEAP
PEAP: Also enter:
Server Trust - Certificate server names: Add one or more common names used in the
certificates issued by your trusted certificate authority (CA). When you enter this information,
you can bypass the dynamic trust window displayed on user's devices when they connect to
this Wi-Fi network.
Root certificate for server validation: Choose an existing trusted root certificate profile.
This certificate is presented to the server when the client connects to the network, and is used
to authenticate the connection.
Client Authentication - Choose an Authentication method. Your options:
Username and Password: Prompt the user for a user name and password to
authenticate the connection.
Certificates: Choose the SCEP or PKCS client certificate profile that is also deployed
to the device. This certificate is the identity presented by the device to the server to
authenticate the connection.
Identity privacy (outer identity): Enter the text sent in the response to an EAP
identity request. This text can be any value, such as anonymous . During authentication,
this anonymous identity is initially sent, and then followed by the real identification
sent in a secure tunnel.
Proxy settings: Your options:
None: No proxy settings are configured.
Manual: Enter the Proxy server address as an IP address, and its Port number.
Automatic: Use a file to configure the proxy server. Enter the Proxy server URL (for example
http://proxy.contoso.com ) that contains the configuration file.
Next steps
The profile is created, but it's not doing anything. Next, assign this profile and monitor its status.
Configure Wi-Fi settings on Android, Android Enterprise, iOS/iPadOS, and Windows 10 devices.
Use custom settings for macOS devices in Microsoft
Intune
2/19/2020 • 2 minutes to read • Edit Online
Using Microsoft Intune, you can add or create custom settings for your macOS devices using a "custom profile".
Custom profiles are a feature in Intune. They're designed to add device settings and features that aren't built in to
Intune.
When using macOS devices, there are two ways to get custom settings into Intune:
Apple Configurator
Apple Profile Manager
You can use these tools to export settings to a configuration profile. In Intune, you import this file, and then assign
the profile to your macOS users and devices. Once assigned, the settings are distributed. They also create a
baseline or standard for macOS in your organization.
This article provides some guidance on using Apple Configurator and Apple Profile Manager, and describes the
properties you can configure.
NOTE
Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect
input. For example, if you enter {{DeviceID}} instead of {{deviceid}} , then the literal string is shown instead of
the device’s unique ID. Be sure to enter the correct information.
Select OK > Create to save your changes. The profile is created and shown in the profiles list.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile.
See how to create the profile on iOS/iPadOS devices.
Delivery optimization settings for Intune
10/16/2019 • 7 minutes to read • Edit Online
This article lists the delivery optimization settings that Intune supports for devices that run Windows 10 or later.
Most options in the Intune console directly map to delivery optimization settings that are covered in-depth in the
Windows documentation, for which links to relevant content are provided. Settings or options that are specific to
Intune do not contain links to additional content.
The following tables include:
Setting: The setting as it appears in Intune. Settings that are links open the relevant entry in Configure
Delivery Optimization for Windows 10 updates in the Windows documentation where you can learn more
about the setting.
Windows version: The minimum version of Windows 10 that includes support for this setting.
Details: A brief description of how Intune implements the setting, including the Intune default. When
available, there are links to delivery optimization Policy configuration service provider (CSP ) entries.
To configure Intune to use these settings, see Deliver updates.
Delivery Optimization
SETTING WINDOWS VERSION DETAILS
SETTING WINDOWS VERSION DETAILS
Bandwidth
SETTING WINDOWS VERSION DETAILS
SETTING WINDOWS VERSION DETAILS
Bandwidth optimization type See details Select how Intune determines the
maximum bandwidth that delivery
optimization can use across all
concurrent download activities.
Options include:
Not configured
Policy CSP:
DOMaxDownloadBandwidth and
DOMaxUploadBandwidth
Policy CSP:
DOPercentageMaxForegroundB
andwidth and
DOPercentageMaxBackgroundB
andwidth
Policy CSP:
DOSetHoursToLimitBackground
DownloadBandwidth and
DOSetHoursToLimitForeground
DownloadBandwidth
SETTING WINDOWS VERSION DETAILS
Delay background HTTP download (in 1803 Use this setting to configure a
seconds) maximum time to delay a background
download of content over HTTP. This
applies only to downloads that support
a peer-to-peer download source.
During this delay, the device searches
for a peer with the content available.
While waiting for a peer source, the
download appears to be stuck for the
end user.
Recommended: 60 seconds
Policy CSP:
DODelayBackgroundDownloadFromHtt
p
Delay foreground HTTP download (in 1803 Configure a maximum time to delay a
seconds) foreground (interactive) download of
content over HTTP. This applies only to
downloads that support a peer-to-peer
download source. During this delay, the
device searches for a peer with the
content available. While waiting for a
peer source, the download appears to
be stuck for the end user.
Recommended: 60 seconds
Policy CSP:
DODelayForegroundDownloadFromHtt
p
Caching
SETTING WINDOWS VERSION DETAILS
Minimum RAM required for peer 1703 Specify the minimum RAM size in GBs
caching (in GB) that a device must have to use peer
caching.
Recommended: 4 GB
Minimum disk size required for peer 1703 Specify the minimum disk size in GBs
caching (in GB) that a device must have to use peer
caching.
Recommended: 32 GB
Policy CSP:
DOMinDiskSizeAllowedToPeer
Minimum content file size for peer 1703 Specify the minimum size in MB that a
caching (in MB) file must meet or exceeded to use peer
caching.
Recommended: 10 MB
Recommended: 40%
Policy CSP:
DOMinBatteryPercentageAllowedToUpl
oad
Default: %SystemDrive%
Maximum cache age (in days) 1511 Specify for how long after each file
successfully downloads that the file is
held in the delivery optimization cache
on a device.
Recommended: 7
Maximum cache size type See details Select how to manage the amount of
disk space on a device that is used by
delivery optimization. When not
configured, cache size defaults to 20%
of the free disk space available.
Not configured (Default)
Policy CSP:
DOAbsoluteMaxCacheSize
Default: 0
Policy CSP
DODelayCacheServerFallbackForegroun
d
Default: 0
Policy CSP:
DODelayCacheServerFallbackBackgroun
d
Next steps
Configure delivery optimization in Intune
Windows 10 (and newer) device settings to allow or
restrict features using Intune
1/28/2020 • 63 minutes to read • Edit Online
This article lists and describes all the different settings you can control on Windows 10 and newer devices. As part
of your mobile device management (MDM ) solution, use these settings to allow or disable features, set password
rules, customize the lock screen, use Microsoft Defender, and more.
These settings are added to a device configuration profile in Intune, and then assigned or deployed to your
Windows 10 devices.
NOTE
Not all options are available on all editions of Windows. To see the supported editions, refer to the policy CSPs (opens
another Microsoft web site).
App Store
These settings use the ApplicationManagement policy CSP, which also lists the supported Windows editions.
App store (mobile only): Block prevents end users from accessing the app store on mobile devices. When
set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might
allows end users access to the app store.
Auto-update apps from store: Block prevents updates from being automatically installed from the
Microsoft Store. When set to Not configured (default), Intune doesn't change or update this setting. By
default, the OS might allows apps installed from the Microsoft Store to be automatically updated.
ApplicationManagement/AllowAppStoreAutoUpdate CSP
Trusted app installation: Choose if non-Microsoft Store apps can be installed, also known as sideloading.
Sideloading is installing, and then running or testing an app that isn't certified by the Microsoft Store. For
example, an app that is internal to your company only. Your options:
Not configured (default): Intune doesn't change or update this setting.
Block: Prevents sideloading. Non-Microsoft Store apps can't be installed.
Allow: Allows sideloading. Non-Microsoft Store apps can be installed.
Developer unlock: Allow Windows developer settings, such as allowing sideloaded apps to be modified
by end users. Your options:
Not configured (default): Intune doesn't change or update this setting.
Block: Prevents developer mode and sideloading apps.
Allow: Allows developer mode and sideloading apps.
Enable your device for development has more information on this feature.
ApplicationManagement/AllowAllTrustedApps CSP
Shared user app data: Choose Allow to share application data between different users on the same
device and with other instances of that app. When set to Not configured (default), Intune doesn't change
or update this setting. By default, the OS might prevent sharing data with other users and other instances of
the same app.
ApplicationManagement/AllowSharedUserAppData CSP
Use private store only: Allow only allows apps to be downloaded from a private store, and not
downloaded from the public store, including a retail catalog. When set to Not configured (default), Intune
doesn't change or update this setting. By default, the OS might allows apps to be downloaded from a
private store and a public store.
ApplicationManagement/RequirePrivateStoreOnly CSP
Store originated app launch: Block disables all apps that were pre-installed on the device, or
downloaded from the Microsoft Store. When set to Not configured (default), Intune doesn't change or
update this setting. By default, the OS might allows these apps to open.
ApplicationManagement/DisableStoreOriginatedApps CSP
Install app data on system volume: Block stops apps from storing data on the system volume of the
device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the
OS might allow apps to store data on the system disk volume.
ApplicationManagement/RestrictAppDataToSystemVolume CSP
Install apps on system drive: Block prevents apps from installing on the system drive on the device.
When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS
might allow apps to install on the system drive.
ApplicationManagement/RestrictAppToSystemVolume CSP
Game DVR (desktop only): Block disables Windows Game recording and broadcasting. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the OS might allow
recording and broadcasting of games.
ApplicationManagement/AllowGameDVR CSP
Apps from store only: This setting determines the user experience when users install apps from places
other than the Microsoft Store. Your options:
Not configured (default): Intune doesn't change or update this setting. By default, the OS might allow
end users to install apps from places other than the Microsoft Store, including apps defined in other
policy settings.
Anywhere: Turns off app recommendations, and allows users to install apps from any location.
Store Only: Forces end users to only install apps from the Microsoft Store.
Recommendations: When installing an app from the web that’s available in the Microsoft Store, users
see a message recommending they download it from the store.
Prefer Store: Warns users when they install apps from places other than the Microsoft Store.
SmartScreen/EnableAppInstallControl CSP
User control over installations: Block prevents users from changing the installation options typically
reserved for system administrators, such as entering the directory to install the files. When set to Not
configured (default), Intune doesn't change or update this setting. By default, Windows Installer might
prevent users from changing these installation options, and some of the Windows Installer security features
are bypassed.
ApplicationManagement/MSIAllowUserControlOverInstall CSP
Install apps with elevated privileges: Block directs Windows Installer to use elevated permissions when
it installs any program on the system. These privileges are extended to all programs. When set to Not
configured (default), Intune doesn't change or update this setting. By default, the system might apply the
current user's permissions when it installs programs that a system administrator doesn't deploy or offer.
ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges CSP
Startup apps: Enter a list of apps to open after a user signs in to the device. Be sure to use a semi-colon
delimited list of Package Family Names (PFN ) of Windows applications. For this policy to work, the
manifest in the Windows apps must use a startup task.
ApplicationManagement/LaunchAppAfterLogOn CSP
Cloud Printer
These settings use the EnterpriseCloudPrint policy CSP; which also lists the supported Windows editions.
Printer discovery URL: Enter the URL for finding cloud printers. For example, enter
https://cloudprinterdiscovery.contoso.com .
Printer access authority URL: Enter the authentication endpoint URL to get OAuth tokens. For example,
enter https://azuretenant.contoso.com/adfs .
Azure native client app GUID: Enter the GUID of a client application allowed to get OAuth tokens from the
OAuthAuthority. For example, enter E1CF1107-FF90-4228-93BF-26052DD2C714 .
Print service resource URI: Enter the OAuth resource URI for print service configured in the Azure portal.
For example, enter http://MicrosoftEnterpriseCloudPrint/CloudPrint .
Maximum printers to query: Enter the maximum number of printers that you want to be queried. The default
value is 20 .
Printer discovery service resource URI: Enter the OAuth resource URI for printer discovery service
configured in the Azure portal. For example, enter http://MopriaDiscoveryService/CloudPrint .
TIP
After you setup a Windows Server Hybrid Cloud Print, you can configure these settings, and then deploy to your Windows
devices.
Display
These settings use the display policy CSP; which also lists the supported Windows editions.
GDI DPI scaling enables applications that aren't DPI aware to become per monitor DPI aware.
Turn on GDI scaling for apps: Add the legacy apps that you want GDI DPI scaling turned on. For
example, enter filename.exe or %ProgramFiles%\Path\Filename.exe .
GDI DPI scaling is turned on for all legacy applications in your list.
Turn off GDI scaling for apps: Add the legacy apps that you want GDI DPI scaling turned off. For
example, enter filename.exe or %ProgramFiles%\Path\Filename.exe .
GDI DPI scaling is turned off for all legacy applications in your list.
You can also Import a .csv file with the list of apps.
General
These settings use the experience policy CSP; which also lists the supported Windows editions.
Screen capture (mobile only): Block prevents end users from getting screenshots on the device. When set
to Not configured (default), Intune doesn't change or update this setting.
Copy and paste (mobile only): Block prevents end users from using copy-and-paste between apps on
the device. When set to Not configured (default), Intune doesn't change or update this setting.
Manual unenrollment: Block prevents end users from deleting the workplace account using the
workplace control panel on the device. When set to Not configured (default), Intune doesn't change or
update this setting.
This policy setting doesn't apply if the computer is Azure AD joined and auto-enrollment is enabled.
Manual root certificate installation (mobile only): Block prevents end users from manually installing
root certificates, and intermediate CAP certificates. When set to Not configured (default), Intune doesn't
change or update this setting.
Camera: Block prevents end users from using the camera on the device. When set to Not configured
(default), Intune doesn't change or update this setting.
Camera CSP
OneDrive file sync: Block prevents end users from synchronizing files to OneDrive from the device.
When set to Not configured (default), Intune doesn't change or update this setting.
Removable storage: Block prevents end users from using external storage devices, like SD cards with the
device. When set to Not configured (default), Intune doesn't change or update this setting.
Geolocation: Block prevents end users from turning on location services on the device. When set to Not
configured (default), Intune doesn't change or update this setting.
Internet sharing: Block prevents Internet connection sharing on the device. When set to Not configured
(default), Intune doesn't change or update this setting.
Phone reset: Block prevents end users from wiping or doing a factory reset on the device. When set to
Not configured (default), Intune doesn't change or update this setting.
USB connection: Block prevents access to external storage devices through a USB connection on the
device. When set to Not configured (default), Intune doesn't change or update this setting. USB charging
isn't affected by this setting.
AntiTheft mode (mobile only): Block prevents end users from selecting AntiTheft mode preference on the
device. When set to Not configured (default), Intune doesn't change or update this setting.
Cortana: Block disable the Cortana voice assistant on the device. When Cortana is off, users can still search
to find items on the device. Not configured (default) allows Cortana.
Voice recording (mobile only): Block prevents end users from using the device voice recorder on the
device. Not configured (default) allows voice recording for apps.
Device name modification (mobile only): Block prevents end users from changing the name of the
device. When set to Not configured (default), Intune doesn't change or update this setting.
Add provisioning packages: Block prevents the run time configuration agent that installs provisioning
packages on the device. When set to Not configured (default), Intune doesn't change or update this
setting.
Remove provisioning packages: Block prevents the run time configuration agent that removes
provisioning packages from the device. When set to Not configured (default), Intune doesn't change or
update this setting.
Device discovery: Block prevents the device from being discovered by other devices. When set to Not
configured (default), Intune doesn't change or update this setting.
Task Switcher (mobile only): Block prevents task switching on the device. When set to Not configured
(default), Intune doesn't change or update this setting.
SIM card error dialog (mobile only): Block error messages from showing on the device if no SIM card is
detected. Not configured (default) shows the error messages.
Ink Workspace: Choose if and how user access the ink workspace. Your options:
Not configured (default): Turns on the ink workspace, and the user is allowed to use it above the lock
screen.
Disabled on lock screen: The ink workspace is enabled and feature is turned on. But, the user can't
access it above the lock screen.
Disabled: Access to ink workspace is disabled. The feature is turned off.
WindowsInkWorkspace policy CSP
Automatic redeployment: Choose Allow so users with administrative rights can delete all user data and
settings using CTRL + Win + R at the device lock screen. The device is automatically reconfigured and re-
enrolled into management. Not configured (default) prevents this feature.
Require users to connect to network during device setup: Choose Require so the device connects to a
network before going past the Network page during Windows setup. Not configured (default) allows
users to go past the Network page, even if it's not connected to a network.
The setting becomes effective the next time the device is wiped or reset. Like any other Intune configuration,
the device must be enrolled and managed by Intune to receive configuration settings. But once it's enrolled,
and receiving policies, then resetting the device enforces the setting during the next Windows setup.
TenantLockdown CSP
Direct Memory Access: Block prevents direct memory access (DMA) for all hot pluggable PCI
downstream ports until a user signs into Windows. Enabled (default) allows access to DMA, even when a
user isn't signed in.
DataProtection/AllowDirectMemoryAccess CSP
End processes from Task Manager: This setting determines whether non-administrators can use Task
Manager to end tasks. Block prevents standard users (non-administrators) from using Task Manager to
end a process or task on the device. Not configured (default) allows standard users to end a process or
task using Task Manager.
Messaging
These settings use the messaging policy CSP; which also lists the supported Windows editions.
Message sync (mobile only): Block disables text messages from being backed up and restored, and from
syncing messages between Windows devices. Disabling helps avoid information being stored on servers
outside of the organization's control. Not configured (default) allows users to change these settings, and sync
their messages.
MMS (mobile only): Block disables MMS send and receive functionality on the device. For enterprises, use
this policy to disable MMS on devices as part of the auditing or management requirement. Not configured
(default) allows MMS send and receive.
RCS (mobile only): Block disables Rich Communication Services (RCS ) send and receive functionality on the
device. For enterprises, use this policy to disable RCS on devices as part of the auditing or management
requirement. Not configured (default) allows RCS send and receive.
TIP
For more information on what these options do, see Microsoft Edge kiosk mode configuration types.
This device restrictions profile is directly related to the kiosk profile you create using the Windows kiosk settings.
To summarize:
1. Create the Windows kiosk settings profile to run the device in kiosk mode. Select Microsoft Edge as the
application and set the Microsoft Edge Kiosk Mode in the Kiosk profile.
2. Create the device restrictions profile described in this article, and configure specific features and settings
allowed in Microsoft Edge. Be sure to choose the same Microsoft Edge kiosk mode type as selected in your
kiosk profile (Windows kiosk settings).
Supported kiosk mode settings is a great resource.
IMPORTANT
Be sure to assign this Microsoft Edge profile to the same devices as your kiosk profile (Windows kiosk settings).
ConfigureKioskMode CSP
Start experience
Start Microsoft Edge with: Choose which pages open when Microsoft Edge starts. Your options:
Custom start pages: Enter the start pages, such as http://www.contoso.com . Microsoft Edge loads the
start pages you enter.
New Tab page: Microsoft Edge load whatever is entered in the New Tab URL setting.
Last session’s page: Microsoft Edge loads the last session page.
Start pages in local app settings: Microsoft Edge start with the default start page defined by the OS.
Allow user to change start pages: Yes (default) lets users change the start pages. Administrators can use
the EdgeHomepageUrls to enter the start pages that users see by default when open Microsoft Edge. No
blocks users from changing the start pages.
Allow web content on new tab page: When set to Yes (default), Microsoft Edge opens the URL entered
in the New Tab URL setting. If the New Tab URL setting is blank, Microsoft Edge opens the new tab page
listed in Microsoft Edge settings. Users can change it. When set to No, Microsoft Edge opens a new tab
with a blank page. Users can't change it.
New Tab URL: Enter the URL to open on the New Tab page. For example, enter https://www.bing.com or
https://www.contoso.com .
Home button: Choose what happens when the home button is selected. Your options:
Start pages: Opens the option you chose in the Start Microsoft Edge with setting
New Tab page: Opens the URL you entered in the New Tab URL setting.
Home button URL: Enter the URL to open. For example, enter https://www.bing.com or
https://www.contoso.com .
Hide Home button: Hides the home button
Allow users to change home button: Yes lets users change the home button. The user's changes
override any administrator settings to the home button. No (default) blocks users from changing how the
administrator configured the home button.
Show First Run Experience page (Mobile only): Yes (default) shows the first use introduction page in
Microsoft Edge. No stops the introduction page from showing the first time you run Microsoft Edge. This
feature allows enterprises, such as organizations enrolled in zero emissions configurations, to block this
page.
First Run Experience URL list location (Windows 10 Mobile only): Enter the URL that points to the XML
file containing the first run page URL (s). For example, enter https://www.contoso.com/sites.xml .
Refresh browser after idle time: Enter the number of idle minutes until the browser is refreshed, from 0-
1440 minutes. Default is 5 minutes. When set to 0 (zero), the browser doesn't refresh after being idle.
This setting is only available when running in InPrivate Public browsing (single-app kiosk).
Allow pop-ups (desktop only): Yes (default) allows pop-ups in the web browser. No prevents pop-up
windows in the browser.
Send intranet traffic to Internet Explorer (Desktop only): Yes lets users open intranet websites in
Internet Explorer instead of Microsoft Edge. This setting is for backwards compatibility. No (default) allows
users to use Microsoft Edge.
Enterprise mode site list location (Desktop only): Enter the URL that points to the XML file containing a
list of web sites that open in Enterprise mode. Users can't change this list. For example, enter
https://www.contoso.com/sites.xml .
Message when opening sites in Internet Explorer: Use this setting to configure Microsoft Edge to show
a notification before a site opens in Internet Explorer 11. Your options:
Don't show message: The OS default behavior is used, which may not show a message.
Show message that site is opened in Internet Explorer 11: Show the message when opening sites
in IE. Sites open in IE.
Show message with option to open sites in Microsoft Edge: Show the message when opening sites
in Microsoft Edge. The message includes a Keep going in Microsoft Edge link so users can choose
Microsoft Edge instead of IE.
IMPORTANT
This setting requires you to use the Enterprise mode site list location setting, the Send intranet traffic to
Internet Explorer setting, or both settings.
Allow Microsoft compatibility list: Yes (default) allows using a Microsoft compatibility list. No prevents
the Microsoft compatibility list in Microsoft Edge. This list from Microsoft helps Microsoft Edge properly
display sites with known compatibility issues.
Preload start pages and New Tab page: Yes (default) uses the OS default behavior, which may be to
preload these pages. Preloading minimizes the time to start Microsoft Edge, and load new tabs. No
prevents Microsoft Edge from preloading start pages and the new tab page.
Prelaunch Start pages and New Tab page: Yes (default) uses the OS default behavior, which may be to
prelaunch these pages. Pre-launching helps the performance of Microsoft Edge, and minimizes the time
required to start Microsoft Edge. No prevents Microsoft Edge from pre-launching the start pages and new
tab page.
Favorites and search
Show Favorites bar: Choose what happens to the favorites bar on any Microsoft Edge page. Your options:
On Start and new Tab pages: Shows the favorites bar when Microsoft Edge starts, and on all Tab
pages. End users can change this setting.
On all pages: Shows the favorites bar on all pages. End users can't change this setting.
Hidden: Hides the favorites bar on all pages. End users can't change this setting.
Allow changes to favorites: Yes (default) uses the OS default, which allows users to change the list. No
prevents end users from adding, importing, sorting, or editing the Favorites list.
Favorites List: Add a list of URLs to the favorites file. For example, add
http://contoso.com/favorites.html .
Sync favorites between Microsoft browsers (Desktop only): Yes forces Windows to synchronize
favorites between Internet Explorer and Microsoft Edge. Additions, deletions, modifications, and order
changes to favorites are shared between browsers. No (default) uses the OS default, which may give users
the choice to sync favorites between the browsers.
Default search engine: Choose the default search engine on the device. End users can change this value at
any time. Your options:
Search engine in client Microsoft Edge settings
Bing
Google
Yahoo
Custom value: In OpenSearch Xml URL, enter an HTTPS URL with the XML file that includes the short
name and the URL to the search engine, at minimum. For example, enter
https://www.contoso.com/opensearch.xml .
Show search suggestions: Yes (default) lets your search engine suggest sites as you type search phrases
in the address bar. No prevents this feature.
Allow changes to search engine: Yes (default) allows users to add new search engines, or change the
default search engine in Microsoft Edge. Choose No to prevent users from customizing the search engine.
This setting is only available when running in Normal mode (multi-app kiosk).
Privacy and security
Allow InPrivate browsing: Yes (default) allows InPrivate browsing in Microsoft Edge. After closing all
InPrivate tabs, Microsoft Edge deletes the browsing data from the device. No prevents end users from opening
InPrivate browsing sessions.
Save browsing history: Yes (default) allow saving the browsing history in Microsoft Edge. No prevents
saving the browsing history.
Clear browsing data on exit (desktop only): Yes clears the history, and browsing data when the user exits
Microsoft Edge. No (default) uses the OS default, which may cache the browsing data.
Sync browser settings between user's devices: Choose how you want to sync browser settings between
devices. Your options:
Allow: Allow syncing of Microsoft Edge browser settings between user’s devices
Block and enable user override: Block syncing of Microsoft Edge browser settings between user’s
devices. Users can override this setting.
Block: Block syncing of Microsoft Edge browser setting between users devices. Users can't override this
setting.
When "block and enable user override" is selected, user can override admin designation.
Allow Password Manager: Yes (default) allows Microsoft Edge to automatically use Password Manager,
which allows users to save and manage passwords on the device. No prevents Microsoft Edge from using
Password Manager.
Cookies: Choose how cookies are handled in the web browser. Your options:
Allow: Cookies are stored on the device.
Block all cookies: Cookies aren't stored on the device.
Block only third party cookies: Third party or partner cookies aren't stored on the device.
Allow Autofill in forms: Yes (default) allows users to change autocomplete settings in the browser, and
populate form fields automatically. No disables the Autofill feature in Microsoft Edge.
Send do-not-track headers: Yes sends do-not-track headers to websites requesting tracking info
(recommended). No (default) does not send headers which allows websites to track the user. User can
configure.
Show WebRTC localhost IP address: Yes (default) allows users' localhost IP address to be shown when
making phone calls using this protocol. No prevents users' localhost IP address from being shown.
Allow live tile data collection: Yes (default) allows Microsoft Edge to collect information from Live Tiles
pinned to the start menu. No prevents collecting this information, which may provide users with a limited
experience.
User can override certificate errors: Yes (default) allows users to access websites that have Secure Sockets
Layer/Transport Layer Security (SSL/TLS ) errors. No (recommended for increased security) prevents users
from accessing websites with SSL or TLS errors.
Additional
Allow Microsoft Edge browser (mobile only): Yes (default) allows using the Microsoft Edge web browser
on the mobile device. No prevents using Microsoft Edge on the device. If you choose No, the other
individual settings only apply to desktop.
Allow address bar dropdown: Yes (default) allows Microsoft Edge to show the address bar drop-down
with a list of suggestions. No stops Microsoft Edge from showing a list of suggestions in a drop-down list
when you type. When set to No, you:
Help minimize network bandwidth between Microsoft Edge and Microsoft services.
Disable the Show search and site suggestions as I type in Microsoft Edge > Settings.
Allow full screen mode: Yes (default) allows Microsoft Edge to use fullscreen mode, which shows only the
web content and hides the Microsoft Edge UI. No prevents fullscreen mode in Microsoft Edge.
Allow about flags page: Yes (default) uses the OS default, which may allow accessing the about:flags
page. The about:flags page allows users to change developer settings and enable experimental features.
No prevents end users from accessing the about:flags page in Microsoft Edge.
Allow developer tools: Yes (default) allows users to use the F12 developer tools to build and debug web
pages by default. No prevents end users from using the F12 developer tools.
Allow JavaScript: Yes (default) allows scripts, such as Javascript, to run in the Microsoft Edge browser. No
prevents Java scripts in the browser from running.
User can install extensions: Yes (default) allows end users to install Microsoft Edge extensions on the
device. No prevents the installation.
Allow sideloading of developer extensions: Yes (default) uses the OS default, which may allow
sideloading. Sideloading installs and runs unverified extensions. No prevents Microsoft Edge from
sideloading using the Load extensions feature. It doesn't prevent sideloading extensions using other ways,
such as PowerShell.
Required extensions: Choose which extensions can't be turned off by end users in Microsoft Edge. Enter
the package family names, and select Add. Find a package family name (PFN ) for per app VPN provides
some guidance.
You can also Import a CSV file that includes the package family names. Or, Export the package family
names you enter.
Network proxy
These settings use the NetworkProxy policy CSP, which also lists the supported Windows editions.
Automatically detect proxy settings: Block disables the device from automatically detecting a proxy auto
config (PAC ) script. Not configured (default) enables this feature. When enabled, the device tries to find the
path to a PAC script.
Use proxy script: Choose Allow to enter a path to your PAC script to configure the proxy server. Not
configured (default) doesn't let you enter the URL to a PAC script.
Setup script address URL: Enter the URL of a PAC script you want to use to configure the proxy server.
Use manual proxy server: Choose Allow to manually enter the name or IP address, and TCP port number of
a proxy server. Not configured (default) doesn't let you manually enter details of a proxy server.
Address: Enter the name, or IP address of the proxy server.
Port number: Enter the port number of your proxy server.
Proxy exceptions: Enter any URLs that must not use the proxy server. Use a semicolon to separate
each item.
Bypass proxy server for local address: Not configured (default) prevents using a proxy server for
local addresses on your intranet. Allow uses a proxy server for local addresses.
Password
These settings use the DeviceLock policy CSP, which also lists the supported Windows editions.
Password: Require the end user to enter a password to access the device. Not configured (default) allows
access to the device without a password. Applies to local accounts only. Domain account passwords remain
configured by Active Directory (AD ) and Azure AD.
Required password type: Choose the type of password. Your options:
Not configured: Password can include numbers and letters.
Numeric: Password must only be numbers.
Alphanumeric: Password must be a mix of numbers and letters.
Minimum password length: Enter the minimum number or characters required, from 4-16. For
example, enter 6 to require at least six characters in the password length.
IMPORTANT
When the password requirement is changed on a Windows desktop, users are impacted the next time they
sign in, as that’s when the device goes from idle to active. Users with passwords that meet the requirement
are still prompted to change their passwords.
Number of sign-in failures before wiping device: Enter the number of authentication failures
allowed before the device may be wiped, up to 11. The valid number you enter depends on the
edition. DeviceLock/MaxDevicePasswordFailedAttempts CSP lists the supported values. 0 (zero)
may disable the device wipe functionality.
This setting also has a different impact depending on the edition. For specific details on this setting,
see the DeviceLock/MaxDevicePasswordFailedAttempts CSP.
Maximum minutes of inactivity until screen locks: Enter the length of time a device must be idle
before the screen is locked.
Password expiration (days): Enter the length of time in days when the device password must be
changed, from 1-365. For example, enter 90 to expire the password after 90 days.
Prevent reuse of previous passwords: Enter the number of previously used passwords that can't
be used, from 1-24. For example, enter 5 so users can't set a new password to their current
password or any of their previous four passwords.
Require password when device returns from idle state (Mobile and Holographic): Choose
Require so users must enter a password to unlock the device after being idle. Not configured
(default) doesn't require a PIN or password when the device resumes from an idle state.
Simple passwords: Set to Block so users can't create simple passwords, such as 1234 or 1111 . Set
to Not configured (default) to let users create passwords like 1234 or 1111 . This setting also
allows or blocks the use of Windows picture passwords.
Automatic encryption during AADJ: Block prevents automatic BitLocker device encryption when the
device is prepared for first use, when the device is Azure AD joined. When set to Not configured (default),
Intune doesn't change or update this setting. More on BitLocker device encryption.
Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices CSP
Federal Information Processing Standard (FIPS ) policy: Allow uses the Federal Information
Processing Standard (FIPS ) policy, which is a U.S. government standard for encryption, hashing, and
signing. When set to Not configured (default), Intune doesn't change or update this setting. The operating
system default may not use FIPS.
Cryptography/AllowFipsAlgorithmPolicy CSP
Windows Hello device authentication: Allow users to use a Windows Hello companion device, such as
a phone, fitness band, or IoT device, to sign in to a Windows 10 computer. When set to Not configured
(default), Intune doesn't change or update this setting. The operating system default may prevent Windows
Hello companion devices from authenticating with Windows.
Authentication/AllowSecondaryAuthenticationDevice CSP
Web sign-in: Enables Windows sign in support for non-ADFS (Active Directory Federation Services)
federated providers, such as Security Assertion Markup Language (SAML ). SAML uses secure tokens that
provide web browsers a single sign-on (SSO ) experience. Your options:
Not configured (default): Intune doesn't change or update this setting.
Enabled: The Web Credential Provider is enabled for sign in.
Disabled: The Web Credential Provider is disabled for sign in.
Authentication/EnableWebSignIn CSP
Preferred Azure AD tenant domain: Enter an existing domain name in your Azure AD organization.
When users in this domain sign in, they don't have to type the domain name. For example, enter
contoso.com . Users in the contoso.com domain can sign in using their user name, such as abby , instead of
abby@contoso.com .
Authentication/PreferredAadTenantDomainName CSP
Personalization
These settings use the personalization policy CSP, which also lists the supported Windows editions.
Desktop background picture URL (Desktop only): Enter the URL to a picture in .jpg, .jpeg or .png format
that you want to use as the Windows desktop wallpaper. Users can't change the picture. For example, enter
https://contoso.com/logo.png .
Printer
Printers: List of local printers that have been added.
Default printer: Set the default printer.
User access to add new printers: Allow or block use of local printers.
Privacy
These settings use the privacy policy CSP, which also lists the supported Windows editions.
Input personalization: Block prevents using voice for dictation and to talk to Cortana and other apps that use
Microsoft cloud-based speech recognition. It's disabled and users can't enable online speech recognition using
settings. Not configured (default) lets users choose. If you allow these services, Microsoft may collect voice
data to improve the service.
Automatic acceptance of the pairing and privacy user consent prompts: Choose Allow so Windows can
automatically accept pairing and privacy consent messages when running apps. Not configured (default)
prevents the automatic acceptance of the pairing and privacy user consent window when opening apps.
Publish user activities: Block prevents shared experiences and discovery of recently used resources in the
activity feed. Not configured (default) enables this feature so apps can publish end user activities.
Local activities only: Block prevents shared experiences and the discovery of recently used resources in task
switcher, based only on local activity. When set to Not configured (default), Intune doesn't change or update
this setting.
You can configure information that all apps on the device can access. Also, define exceptions on a per-app basis
using Per-app privacy exceptions.
Exceptions
Account information: Define whether this app can access the user name, picture, and other contact info.
Background apps: Define whether this app can run in the background.
Calendar: Define whether this app can access the calendar.
Call history: Define whether this app can access my call history.
Camera: Define whether this app can access the camera.
Contacts: Define whether this app can access contacts.
Email: Define whether this app can access and send email.
Location: Define whether this app can access location information.
Messaging: Define whether this app can read or send text or MMS messages.
Microphone: Define whether this app can use the microphone.
Motion: Define whether this app can access device motion information.
Notifications: Define whether this app can access notifications.
Phone: Define whether this app can access the phone.
Radios: Some apps use radios (for example, Bluetooth) in your device to send and receive data and need to
turn these radios on or off. Define whether this app can control these radios.
Tasks: Define whether this app can access your tasks.
Trusted devices: Choose if this app can use trusted devices. Trusted devices are hardware you've already
connected, or hardware that comes with the device. For example, use TVs, projectors, and so on, as trusted
devices.
Feedback and diagnostics: Choose if this app can access diagnostic information.
Sync with devices -Define whether this app can automatically share and sync info with wireless devices that
don't explicitly pair with this PC, tablet, or phone.
Projection
These settings use the WirelessDisplay policy CSP, which also lists the supported Windows editions.
User input from wireless display receivers: Block prevents user input from wireless display receivers. Not
configured (default) allows a wireless display to send keyboard, mouse, pen, and touch input back to the
source device.
Projection to this PC: Block prevents other devices from finding the device for projection. Not configured
(default) allows the device to be discoverable, and can project to the device above the lock screen.
Require PIN for pairing: Choose Require to always prompt for a PIN when connecting to a projection
device. Not configured (default) doesn't require a PIN to pair the device to a projection device.
IPv4: 192.246.246.106:100
IPv6: [2001:4898:4010:4013:95c1:a8b2:953c:c633]:100
FQDN: www.contoso.com:345
System/TelemetryProxy CSP
Select OK to save your changes.
Search
These settings use the search policy CSP, which also lists the supported Windows editions.
Safe Search (mobile only): Control how Cortana filters adult content in search results. Your options:
User defined: Allow end users to choose their own settings.
Strict: Highest filtering against adult content.
Moderate: Moderate filtering against adult content. Valid search results aren't filtered.
Display web results in search: When set to Block, users can't search, and web results aren't shown in Search.
Not configured (default) allows users to search the web, and the results are shown on the device.
Start
These settings use the start policy CSP, which also lists the supported Windows editions.
Start menu layout: Override the default start layout and customize the start menu on desktop devices. Upload
an XML file that includes your customizations, including the order the apps are listed, and more. Users can't
change the start menu layout you enter.
Pin websites to tiles in Start menu: Import images from Microsoft Edge that are shown as links in the
Windows Start menu for desktop devices.
Unpin apps from task bar: Block prevents users from unpinning apps from the task bar. Not configured
(default) allows users to unpin apps from the task bar.
Fast user switching: Block prevents switching between users that are logged on simultaneously without
logging off. Not configured (default) shows the Switch user on the user tile.
Most used apps: Block hides the most used apps from showing on the start menu. It also disables the
corresponding toggle in the Settings app. Not configured (default) shows the most used apps.
Recently added apps: Block hides recently added apps from showing on the start menu. It also disables the
corresponding toggle in the Settings app. Not configured (default) shows the recently added apps on the start
menu.
Start screen mode: Choose how the start screen is shown. Your options:
User defined: Doesn't force the size of Start. Users can set the size.
Full screen: Forces a fullscreen size of Start.
Non-full screen: Force non-fullscreen size of Start.
Recently opened items in Jump Lists: Block hides recent jump lists from being shown on the start menu
and taskbar. It also disables the corresponding toggle in the Settings app. Not configured (default) shows
recently opened items in the jumplists.
App list: Choose how the all apps lists are shown. Your options:
User defined: No setting is forced. Users choose how the app list is shown on the device.
Collapse: Hide all apps list.
Collapse and disable the Settings app: Hide all apps list, and disable Show app list in Start menu
in the Settings app.
Removes and disables the Settings app: Hide all apps list, remove all apps button, and disable Show
app list in Start menu in the Settings app.
Power button: Block hides the power button from showing in the start menu. Not configured (default)
shows the power button.
User Tile: Block hides the user tile from showing in the start menu. Not configured (default) shows the user
tile, and also sets the following settings:
Lock: Block hides the Lock option from showing in the user tile in the start menu. Not configured
(default) shows the Lock option.
Sign out: Block hides the Sign out option from showing in the user tile in the start menu. Not
configured (default) shows the Sign out option.
Shut Down: Block hides the Update and shut down and Shut down options from showing in the power
button in the start menu. When set to Not configured (default), Intune doesn't change or update this setting.
Sleep: Block hides the Sleep option from showing in the power button in the start menu. When set to Not
configured (default), Intune doesn't change or update this setting.
Hibernate: Block hides the Hibernate option from showing in the power button in the start menu. When set
to Not configured (default), Intune doesn't change or update this setting.
Switch Account: Block hides the Switch account from showing in the user tile in the start menu. When set
to Not configured (default), Intune doesn't change or update this setting.
Restart Options: Block hides the Update and restart and Restart options from showing in the power button
in the start menu. When set to Not configured (default), Intune doesn't change or update this setting.
Documents on Start: Hide or show the Documents folder in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Downloads on Start: Hide or show the Downloads folder in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
File Explorer on Start: Hide or show File Explorer in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
HomeGroup on Start: Hide or show the HomeGroup shortcut in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Music on Start: Hide or show the Music folder in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Network on Start: Hide or show Network in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Personal folder on Start: Hide or show Personal folder in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Pictures on Start: Hide or show the folder for pictures in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Settings on Start: Hide or show the Settings shortcut in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Videos on Start: Hide or show the folder for videos in the Windows Start menu. Your options:
Not configured (default): No setting is forced. Users choose to show or hide the shortcut.
Hide: The shortcut is hidden, and disables the setting in the Settings app.
Show: The shortcut is shown, and disables the setting in the Settings app.
Windows Spotlight
These settings use the experience policy CSP, which also lists the supported Windows editions.
Windows Spotlight: Block turns off Windows spotlight on the lock screen, Windows Tips, Microsoft
consumer features, and other related features. If your goal is to minimize network traffic from devices, set
this to Block. Not configured (default) allows Windows spotlight features and may be controlled by end
users. When enabled, you can also allow or block the following settings:
Windows Spotlight on lock screen: Block stops Windows Spotlight from showing information on
the device lock screen. When set to Not configured (default), Intune doesn't change or update this
setting.
Third-party suggestions in Windows Spotlight: Block stops Windows Spotlight from suggesting
content that isn't published by Microsoft. Not configured (default) allows app and content suggestions
from partner software publishers in Windows spotlight features, like lock screen spotlight, suggested
apps in the Start menu, and Windows tips.
Consumer Features: Block turns off experiences that are typically for consumers only, such as start
suggestions, membership notifications, post-out of box experience app installation, and redirect tiles.
When set to Not configured (default), Intune doesn't change or update this setting.
Windows Tips: Block disables pop-up Windows Tips. Not configured (default) allows the Windows
Tips to show.
Windows Spotlight in action center: Block prevents Windows spotlight notifications from showing
in the Action Center. Not configured (default) may show notifications in the Action Center that suggest
apps or features to help users be more productive on Windows.
Windows Spotlight personalization: Block prevents Windows from using diagnostic data to provide
customized experiences to the user. Not configured (default) allows Microsoft to use diagnostic data to
provide personalized recommendations, tips, and offers to tailor Windows for the user's needs.
Windows welcome experience: Block turns off the Windows spotlight Windows welcome experience
feature. The Windows welcome experience won't show when there are updates and changes to
Windows and its apps. Not configured (default) allows Windows welcome experience that shows the
user information about new, or updated features.
TIP
This setting may conflict with the Time to perform a daily quick scan setting. Some recommendations:
If you want to schedule a daily quick scan, and a weekly full scan, then:
1. Configure the Time to perform a daily quick scan setting.
2. Configure the Type of system scan to perform to do a full scan.
If you only want one quick scan daily (no full scan), then use either setting: Time to perform a daily quick
scan or Type of system scan to perform. For example, to run a quick scan every Tuesday at 6 AM,
configure the Type of system scan to perform setting.
Don't configure the Time to perform a daily quick scan setting simultaneously with the Type of system
scan to perform set to Quick scan. These settings may conflict, and a scan may not run.
Defender/ScanParameter CSP
Defender/ScheduleScanDay CSP
Defender/ScheduleScanTime CSP
Detect potentially unwanted applications: Choose the level of protection when Windows detects
potentially unwanted applications. Your options:
Not configured (default): Microsoft Defender potentially unwanted applications protection is disabled.
Block: Microsoft Defender detects potentially unwanted applications, and detected items are blocked.
These items show in history along with other threats.
Audit: Microsoft Defender detects potentially unwanted applications, but takes no action. You can
review information about the applications Microsoft Defender would take action against. For example,
search for events created by Microsoft Defender in the Event Viewer.
For more information about potentially unwanted apps, see Detect and block potentially unwanted
applications.
Defender/PUAProtection CSP
Submit samples consent: Currently, this setting has no impact. Don't use this setting. It may be removed
in a future release.
On Access Protection: Block prevents scanning files that have been accessed or downloaded. Users can't
turn it on.
When set to Not configured (default), Intune doesn't change or update this setting. If you block the setting
and then change it back to Not configured, Intune leaves the setting in its previously OS -configured state.
By default, the OS enables this feature and allows users to change it.
Intune doesn't turn on this feature. To enable it, use a custom URI.
Defender/AllowOnAccessProtection CSP
Actions on detected malware threats: Choose how you want to handle malware threads. Not
configured (default) lets Microsoft Defender choose the best option. When set to Enable, choose the
actions you want Defender to take for each threat level it detects: low, moderate, high, and severe. Your
options:
Clean
Quarantine
Remove
Allow
User defined
Block
If your action isn't possible, then Microsoft Defender chooses the best option to ensure the threat is
remediated.
Defender/ThreatSeverityDefaultAction CSP
Microsoft Defender Antivirus Exclusions
Files and folders to exclude from scans and real-time protection: Adds one or more files and folders like
C:\Path or %ProgramFiles%\Path\filename.exe to the exclusions list. These files and folders aren't included
in any real-time or scheduled scans.
File extensions to exclude from scans and real-time protection: Add one or more file extensions like jpg
or txt to the exclusions list. Any files with these extensions aren't included in any real-time or scheduled scans.
Processes to exclude from scans and real-time protection: Add one or more processes of the type .exe,
.com, or .scr to the exclusions list. These processes aren't included in any real-time, or scheduled scans.
Power settings
Battery
Battery level to turn Energy Saver on: When the device is using battery power, enter the battery charge
level to turn on Energy Saver from 0-100. Enter a percentage value that indicates the battery charge level.
The default value is 70%. When set to 70%, Energy Saver turns on when the battery has 70% charge or less
available.
Power/EnergySaverBatteryThresholdOnBattery CSP
Lid close (mobile only): When the device is using battery power, choose what happens when the lid is
closed. Your options:
Not configured (default): Intune doesn't change or update this setting.
No action: The device stays on, and continues to use battery power.
Sleep: The device goes into sleep mode and uses a small amount of battery charge. The computer is still
on, and opened apps and files are stored in random access memory (RAM ).
Hibernate: The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown: The device shuts down. Opened apps and files are closed without saving.
Power/SelectLidCloseActionOnBattery CSP
Power button: When the device is using battery power, choose what happens when the Power button is
selected. Your options:
Not configured (default): Intune doesn't change or update this setting.
No action: The device stays on, and continues to use battery power.
Sleep: The device goes into sleep mode and uses a small amount of battery charge. The computer is still
on, and opened apps and files are stored in random access memory (RAM ).
Hibernate: The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown: The device shuts down. Opened apps and files are closed without saving.
Power/SelectPowerButtonActionOnBattery CSP
Sleep button: When the device is using battery power, choose what happens when the Sleep button is
selected. Your options:
Not configured (default): Intune doesn't change or update this setting.
No action: The device stays on, and continues to use battery power.
Sleep: The device goes into sleep mode and uses a small amount of battery charge. The computer is still
on, and opened apps and files are stored in random access memory (RAM ).
Hibernate: The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown: The device shuts down. Opened apps and files are closed without saving.
Power/SelectSleepButtonActionOnBattery CSP
Hybrid sleep: When the device is using battery power, Disable prevents the device from going into hybrid
sleep mode. When in hybrid sleep mode, opened apps and files are stored in random access memory
(RAM ) and on the hard disk. It uses a small amount of battery charge. When set to Not configured
(default), Intune doesn't change or update this setting.
Power/TurnOffHybridSleepOnBattery CSP
PluggedIn
Battery level to turn Energy Saver on: When the device is plugged in, enter the battery charge level to
turn on Energy Saver from 0-100. Enter a percentage value that indicates the battery charge level. The
default value is 70%. When set to 70%, Energy Saver turns on when the battery has 70% charge or less
available.
Power/EnergySaverBatteryThresholdPluggedIn CSP
Lid close (mobile only): When the device is plugged in, choose what happens when the lid is closed. Your
options:
Not configured (default): Intune doesn't change or update this setting.
No action: The device stays on.
Sleep: The device goes into sleep mode. The computer is still on, and opened apps and files are
stored in random access memory (RAM ).
Hibernate: The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown: The device shuts down. Opened apps and files are closed without saving.
Power/SelectLidCloseActionPluggedIn CSP
Power button: When the device is plugged in, choose what happens when the Power button is selected.
Your options:
Not configured (default): Intune doesn't change or update this setting.
No action: The device stays on.
Sleep: The device goes into sleep mode. The computer is still on, and opened apps and files are stored in
random access memory (RAM ).
Hibernate: The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown: The device shuts down. Opened apps and files are closed without saving.
Power/SelectPowerButtonActionPluggedIn CSP
Sleep button: When the device is plugged in, choose what happens when the Sleep button is selected.
Your options:
Not configured (default): Intune doesn't change or update this setting.
No action: The device stays on.
Sleep: The device goes into sleep mode. The computer is still on, and opened apps and files are stored in
random access memory (RAM ).
Hibernate: The device goes into hibernate mode. Opened apps and files are stored on the hard disk,
and the device turns off.
Shutdown: The device shuts down. Opened apps and files are closed without saving.
Power/SelectSleepButtonActionPluggedIn CSP
Hybrid sleep: When the device is plugged in, Disable prevents the device from going into hybrid sleep
mode. When in hybrid sleep mode, opened apps and files are stored in random access memory (RAM ) and
on the hard disk. When set to Not configured (default), Intune doesn't change or update this setting.
Power/TurnOffHybridSleepPluggedIn CSP
Next steps
For additional technical details on each setting and what editions of Windows are supported, see Windows 10
Policy CSP Reference
Microsoft Intune Windows 10 Team device restriction
settings
12/19/2019 • 2 minutes to read • Edit Online
This article shows you the Microsoft Intune device restrictions settings that you can configure for devices running
Windows 10 Team.
Maintenance
Maintenance window for updates - Configures the window when updates can take place to the device. You
can configure the Start time of the window and the Duration in hours (from 1-5 hours).
Wireless projection
PIN for wireless projection - Specifies whether you must enter a PIN before you can use the wireless
projection capabilities of the device.
Miracast wireless projection - If you want to let the Windows 10 Team device use Miracast enabled devices
to project, select this option.
Miracast wireless projection channel - Choose the Miracast channel that is used to establish the connection.
Next steps
Use the information in How to configure device restriction settings to save, and assign the profile to users and
devices.
Windows 10 (and newer) device settings to upgrade
editions or enable S mode in Intune
10/16/2019 • 2 minutes to read • Edit Online
Microsoft Intune includes many settings to help manage and protect your devices. This article lists and describes
the settings to upgrade editions or enable S mode on Windows 10 devices. These settings are created in an
upgrade configuration profile in Intune that are pushed or deployed to devices.
As part of your mobile device management (MDM ) solution, use these settings to control the edition and S mode
options for your Windows 10 devices.
For more information on this feature, see Upgrade Windows 10 editions or enable S mode.
Edition upgrade
Edition to upgrade to: Select the Windows 10 edition that you're upgrading to. The devices targeted by this
policy are upgraded to the edition you choose.
Product Key: Enter the product key that you received from Microsoft. After you create the policy with the
product key, the key can't be updated, and is hidden for security reasons. To change the product key, enter the
entire key again.
License File: For Windows 10 Holographic for Business or Windows 10 Mobile edition, choose Browse
to select the license file you received from Microsoft. This license file includes license information for the
editions you're upgrading the devices to.
Mode switch
No configuration: An S mode device stays in S mode. An end user can switch the device out of S mode.
Keep in S mode: Disables the end user from switching the device out of S mode.
Switch: Switches the device out of S mode.
Next steps
The profile is created, but it may not be doing anything yet. Be sure to assign the profile, and monitor its status.
You can also create edition upgrade profiles for Windows Holographic for Business devices.
Email profile settings for devices running Windows 10
- Intune
10/16/2019 • 2 minutes to read • Edit Online
Use the email profile settings to configure the Mail app on your devices running Windows 10.
Email server: Enter the host name of your Exchange server.
Account name: Enter the display name for the email account. This name is shown to users on their
devices.
Username attribute from AAD: This name is the attribute Intune gets from Azure Active Directory
(AAD ). Intune dynamically generates the username that's used by this profile. Your options:
User Principal Name: Gets the name, such as user1 or user1@contoso.com
Primary SMTP address: Gets the name in email address format, such as user1@contoso.com
Security settings
SSL: Use Secure Sockets Layer (SSL ) communication when sending emails, receiving emails, and
communicating with the Exchange server.
Synchronization settings
Amount of email to synchronize: Choose the number of days of email that you want to synchronize. Or
select Unlimited to synchronize all available email.
Sync schedule: Select the schedule for devices to synchronize data from the Exchange server You can also
select As Messages arrive, which synchronizes data as soon as it arrives, or Manual, where the user of the
device must initiate the synchronization.
Next steps
Configure email settings in Intune
Windows 10 (and later) settings to protect devices
using Intune
11/13/2019 • 47 minutes to read • Edit Online
Microsoft Intune includes many settings to help protect your devices. This article describes all the settings you can
enable and configure in Windows 10 and newer devices. These settings are created in an endpoint protection
configuration profile in Intune to control security, including BitLocker and Microsoft Defender.
To configure Microsoft Defender Antivirus, see Windows 10 device restrictions.
Windows Encryption
Windows Settings
Encrypt devices
Default: Not configured
BitLocker CSP: RequireDeviceEncryption
Require - Prompt users to enable device encryption. Depending on the Windows edition and system
configuration, users may be asked:
To confirm that encryption from another provider isn't enabled.
Be required to turn off BitLocker Drive Encryption, and then turn BitLocker back on.
Not configured
If Windows encryption is turned on while another encryption method is active, the device might become
unstable.
Encrypt storage card (mobile only)
This setting only applies to Windows 10 mobile.
Default: Not configured
BitLocker CSP: RequireStorageCardEncryption
Require to encrypt any removable storage cards used by the device.
Not configured - Don't require storage card encryption, and don't prompt the user to turn it on.
BitLocker base settings
Base settings are universal BitLocker settings for all types of data drives. These settings manage what drive
encryption tasks or configuration options the end user can modify across all types of data drives.
Warning for other disk encryption
Default: Not configured
BitLocker CSP: AllowWarningForOtherDiskEncryption
Block - Disable the warning prompt if another disk encryption service is on the device.
Not configured - Allow the warning for other disk encryption to be shown.
When set to Block, you can then configure the following setting:
Allow standard users to enable encryption during Azure AD Join
This setting only applies to Azure Active Directory Joined (Azure ADJ ) devices, and depends on the
previous setting, Warning for other disk encryption .
Default: Not configured
BitLocker CSP: AllowStandardUserEncryption
Allow - Standard users (non-administrators) can enable BitLocker encryption when signed in.
Not configured only Administrators can enable BitLocker encryption on the device.
Configure encryption methods
Default: Not configured
BitLocker CSP: EncryptionMethodByDriveType
Enable - Configure encryption algorithms for operating system, data, and removable drives.
Not configured - BitLocker uses XTS -AES 128 bit as the default encryption method, or uses the
encryption method specified by any setup script.
When set to Enable, you can configure the following settings:
Encryption for operating system drives
Default: XTS -AES 128-bit
Choose the encryption method for operating system drives. We recommend you use the XTS -AES
algorithm.
AES -CBC 128-bit
AES -CBC 256-bit
XTS -AES 128-bit
XTS -AES 256-bit
Encryption for fixed data-drives
Default: AES -CBC 128-bit
Choose the encryption method for fixed (built-in) data drives. We recommend you use the XTS -AES
algorithm.
AES -CBC 128-bit
AES -CBC 256-bit
XTS -AES 128-bit
XTS -AES 256-bit
Encryption for removable data-drives
Default: AES -CBC 128-bit
Choose the encryption method for removable data drives. If the removable drive is used with devices
that aren't running Windows 10, then we recommend you use the AES -CBC algorithm.
AES -CBC 128-bit
AES -CBC 256-bit
XTS -AES 128-bit
XTS -AES 256-bit
BitLocker OS drive settings
These settings apply specifically to operating system data drives.
Additional authentication at startup
Default: Not configured
BitLocker CSP: SystemDrivesRequireStartupAuthentication
Require - Configure the authentication requirements for computer startup, including the use of Trusted
Platform Module (TPM ).
Not configured - Configure only basic options on devices with a TPM.
When set to Require, you can configure the following settings:
BitLocker with non-compatible TPM chip
Default: Not configured
Block - Disable use of BitLocker when a device doesn't have a compatible TPM chip.
Not configured - Users can use BitLocker without a compatible TPM chip. BitLocker may
require a password or a startup key.
Compatible TPM startup
Default: Allow TPM
Configure if TPM is allowed, required, or not allowed.
Allow TPM
Do not allow TPM
Require TPM
Compatible TPM startup PIN
Default: Allow startup PIN with TPM
Choose to allow, not allow, or require using a startup PIN with the TPM chip. Enabling a startup PIN
requires interaction from the end user.
Allow startup PIN with TPM
Do not allow startup PIN with TPM
Require startup PIN with TPM
Compatible TPM startup key
Default: Allow startup key with TPM
Choose to allow, not allow, or require using a startup key with the TPM chip. Enabling a startup key
requires interaction from the end user.
Allow startup key with TPM
Do not allow startup key with TPM
Require startup key with TPM
Compatible TPM startup key and PIN
Default: Allow startup key and PIN with TPM
Choose to allow, not allow, or require using a startup key and PIN with the TPM chip. Enabling
startup key and PIN requires interaction from the end user.
Allow startup key and PIN with TPM
Do not allow startup key and PIN with TPM
Require startup key and PIN with TPM
Minimum PIN Length
Default: Not configured
BitLocker CSP: SystemDrivesMinimumPINLength
Enable Configure a minimum length for the TPM startup PIN.
Not configured - Users can configure a startup PIN of any length between 6 and 20 digits.
When set to Enable, you can configure the following setting:
Minimum characters
Default: Not configured BitLocker CSP: SystemDrivesMinimumPINLength
Enter the number of characters required for the startup PIN from 4-20.
OS drive recovery
Default: Not configured
BitLocker CSP: SystemDrivesRecoveryOptions
Enable - Control how BitLocker-protected operating system drives recover when the required start-up
information isn't available.
Not configured - Default recovery options are supported for BitLocker recovery. By default, a DRA is
allowed, the recovery options are chosen by the user, including the recovery password and recovery key,
and recovery information isn't backed up to AD DS.
When set to Enable, you can configure the following settings:
Certificate-based data recovery agent
Default: Not configured
Block - Prevent use of data recovery agent with BitLocker-protected OS drives.
Not configured - Allow data recovery agents to be used with BitLocker-protected operating
system drives.
User creation of recovery password
Default: Allow 48-digit recovery password
Choose if users are allowed, required, or not allowed to generate a 48-digit recovery password.
Allow 48-digit recovery password
Do not allow 48-digit recovery password
Require 48-digit recovery password
User creation of recovery key
Default: Allow 256-bit recovery key
Choose if users are allowed, required, or not allowed to generate a 256-bit recovery key.
Allow 256-bit recovery key
Do not allow 256-bit recovery key
Require 256-bit recovery key
Recovery options in the BitLocker setup wizard
Default: Not configured
Block - Users can't see and change the recovery options. When set to
Not configured - Users can see and change the recovery options when they turn on BitLocker.
Save BitLocker recovery information to Azure Active Directory
Default: Not configured
Enable - Store the BitLocker recovery information to Azure Active Directory (Azure AD ).
Not configured - BitLocker recovery information isn't stored in AAD.
BitLocker recovery Information stored to Azure Active Directory
Default: Backup recovery passwords and key packages
Configure what parts of BitLocker recovery information are stored in Azure AD. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Client-driven recovery password rotation
Default: Key rotation enabled for Azure AD -joined devices
BitLocker CSP: ConfigureRecoveryPasswordRotation
This setting initiates a client-driven recovery password rotation after an OS drive recovery (either by
using bootmgr or WinRE ).
Not configured
Key rotation disabled
Key rotation enabled for Azure AD -joined deices
Key rotation enabled for Azure AD and Hybrid-joined devices
Store recovery information in Azure Active Directory before enabling BitLocker
Default: Not configured
Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker
recovery information to Azure Active Directory.
Require - Stop users from turning on BitLocker unless the BitLocker recovery information is
successfully stored in Azure AD.
Not configured - Users can turn on BitLocker, even if recovery information isn't successfully
stored in Azure AD.
Pre-boot recovery message and URL
Default: Not configured
BitLocker CSP: SystemDrivesRecoveryMessage
Enable - Configure the message and URL that display on the pre-boot key recovery screen.
Not configured - Disable this feature.
When set to Enable, you can configure the following setting:
Pre-boot recovery message
Default: Use default recovery message and URL
Configure how the pre-boot recovery message displays to users. Choose from:
Use default recovery message and URL
Use empty recovery message and URL
Use custom recovery message
Use custom recovery URL
BitLocker fixed data-drive settings
These settings apply specifically to fixed data drives.
Write access to fixed data-drive not protected by BitLocker
Default: Not configured
BitLocker CSP: FixedDrivesRequireEncryption
Block - Give read-only access to data drives that aren't BitLocker-protected.
Not configured - By default, read and write access to data drives that aren't encrypted.
Fixed drive recovery
Default: Not configured
BitLocker CSP: FixedDrivesRecoveryOptions
Enable - Control how BitLocker-protected fixed drives recover when the required start-up information
isn't available.
Not configured - Disable this feature.
When set to Enable, you can configure the following settings:
Data recovery agent
Default: Not configured
Block - Prevent use of the data recovery agent with BitLocker-protected fixed drives Policy Editor.
Not configured - Enables use of data recovery agents with BitLocker-protected fixed drives.
User creation of recovery password
Default: Allow 48-digit recovery password
Choose if users are allowed, required, or not allowed to generate a 48-digit recovery password.
Allow 48-digit recovery password
Do not allow 48-digit recovery password
Require 48-digit recovery password
User creation of recovery key
Default: Allow 256-bit recovery key
Choose if users are allowed, required, or not allowed to generate a 256-bit recovery key.
Allow 256-bit recovery key
Do not allow 256-bit recovery key
Require 256-bit recovery key
Recovery options in the BitLocker setup wizard
Default: Not configured
Block - Users can't see and change the recovery options. When set to
Not configured - Users can see and change the recovery options when they turn on BitLocker.
Save BitLocker recovery information to Azure Active Directory
Default: Not configured
Enable - Store the BitLocker recovery information to Azure Active Directory (Azure AD ).
Not configured - BitLocker recovery information isn't stored in AAD.
BitLocker recovery Information stored to Azure Active Directory
Default: Backup recovery passwords and key packages
Configure what parts of BitLocker recovery information are stored in Azure AD. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Client-driven recovery password rotation
Default: Key rotation enabled for Azure AD -joined devices
BitLocker CSP: ConfigureRecoveryPasswordRotation
This setting initiates a client-driven recovery password rotation after an OS drive recovery (either by
using bootmgr or WinRE ).
Not configured
Key rotation disabled
Key rotation enabled for Azure AD -joined deices
Key rotation enabled for Azure AD and Hybrid-joined devices
Store recovery information in Azure Active Directory before enabling BitLocker
Default: Not configured
Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker
recovery information to Azure Active Directory.
Require - Stop users from turning on BitLocker unless the BitLocker recovery information is
successfully stored in Azure AD.
Not configured - Users can turn on BitLocker, even if recovery information isn't successfully
stored in Azure AD.
BitLocker removable data-drive settings
These settings apply specifically to removable data drives.
Write access to removable data-drive not protected by BitLocker
Default: Not configured
BitLocker CSP: RemovableDrivesRequireEncryption
Block - Give read-only access to data drives that aren't BitLocker-protected.
Not configured - By default, read and write access to data drives that aren't encrypted.
When set to Enable, you can configure the following setting:
Write access to devices configured in another organization
Default: Not configured
Block - Block write access to devices configured in another organization.
Not configured - Deny write access.
IMPORTANT
To allow proper installation and execution of LOB Win32 apps, anti-malware settings should exclude the following directories
from being scanned:
On X64 client machines:
C:\Program Files (x86)\Microsoft Intune Management Extension\Content
C:\windows\IMECache
On X86 client machines:
C:\Program Files\Microsoft Intune Management Extension\Content
C:\windows\IMECache
NOTE
If you use this setting, and then later want to disable Credential Guard, you must set the Group Policy to
Disabled. And, physically clear the UEFI configuration information from each computer. As long as the UEFI
configuration persists, Credential Guard is enabled.
Enable without UEFI lock - Allows Credential Guard to be disabled remotely by using Group
Policy. The devices that use this setting must be running Windows 10 version 1511 and newer.
When you enable Credential Guard, the following required features are also enabled:
Virtualization-based Security (VBS )
Turns on during the next reboot. Virtualization-based security uses the Windows Hypervisor to provide
support for security services.
Secure Boot with Directory Memory Access
Turns on VBS with Secure Boot and direct memory access (DMA) protections. DMA protections require
hardware support, and are only enabled on correctly configured devices.
Xbox services
Xbox Game Save Task
Default: Not configured
CSP: TaskScheduler/EnableXboxGameSaveTask
This setting determines whether the Xbox Game Save Task is Enabled or Disabled.
Enabled
Not configured
Xbox Accessory Management Service
Default: Manual
CSP: SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
This setting determines the Accessory Management Service's start type.
Manual
Automatic
Disabled
Xbox Live Auth Manager Service
Default: Manual
CSP: SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
This setting determines the Live Auth Manager Service's start type.
Manual
Automatic
Disabled
Xbox Live Game Save Service
Default: Manual
CSP: SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
This setting determines the Live Game Save Service's start type.
Manual
Automatic
Disabled
Xbox Live Networking Service
Default: Manual
CSP: SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
This setting determines the Networking Service's start type.
Manual
Automatic
Disabled
User Rights
Access Credential Manager as trusted caller
Default: Not configured
CSP: UserRights/AccessCredentialManagerAsTrustedCaller
This user right is used by Credential Manager during Backup and Restore operations. Users' saved
credentials might be compromised if this privilege is given to other entities.
Not configured
Allow
Allow local log on
Default: Not configured
CSP: UserRights/AllowLocalLogOn
This user right determines which users can log on to the computer.
Not configured
Allow
Allow Access From Network
Default: Not configured
CSP: UserRights/AccessFromNetwork
This user right determines which users and groups are allowed to connect to the computer over the
network.
Not configured
Allow
Act As Part Of The OS
Default: Not configured
CSP: UserRights/ActAsPartOfTheOperatingSystem
Act As Part Of The OS
Not configured
Allow
Backup files and directories
Default: Not configured
CSP: UserRights/BackupFilesAndDirectories
This user right determines which users can bypass file, directory, registry, and other persistent objects
permissions when backing up files and directories.
Not configured
Allow
Change the system time
Default: Not configured
CSP: UserRights/ChangeSystemTime
This user right determines which users and groups can change the time and date on the internal clock of the
computer.
Not configured
Allow
Create global objects
Default: Not configured
CSP: UserRights/CreateGlobalObjects
This security setting determines whether users can create global objects that are available to all sessions.
Users who can create global objects could affect processes that run under other users' sessions, which could
lead to application failure or data corruption.
Not configured
Allow
Create pagefile
Default: Not configured
CSP: UserRights/CreatePageFile
This user right determines which users and groups can call an internal API to create and change the size of a
page file.
Not configured
Allow
Create permanent shared objects
Default: Not configured
CSP: UserRights/CreatePermanentSharedObjects
This user right determines which accounts can be used by processes to create a directory object using the
object manager.
Not configured
Allow
Create symbolic links
Default: Not configured
CSP: UserRights/CreateSymbolicLinks
This user right determines if the user can create a symbolic link from the computer to which they are logged
on.
Not configured
Allow
Create tokens
Default: Not configured
CSP: UserRights/CreateToken
This user right determines which users/groups can be used by processes to create a token that can then be
used to get access to any local resources when the process uses an internal API to create an access token.
Not configured
Allow
Debug programs
Default: Not configured
CSP: UserRights/DebugPrograms
This user right determines which users can attach a debugger to any process or to the kernel.
Not configured
Allow
Deny Access From Network
Default: Not configured
CSP: UserRights/DenyAccessFromNetwork
This user right determines which users are prevented from accessing a computer over the network.
Not configured
Allow
Deny log on as a service
Default: Not configured
CSP: UserRights/DenyLocalLogOn
This security setting determines which service accounts are prevented from registering a process as a
service.
Not configured
Allow
Deny log on through Remote Desktop Services
Default: Not configured
CSP: UserRights/DenyRemoteDesktopServicesLogOn
This user right determines which users and groups are prohibited from logging on as a Remote Desktop
Services client.
Not configured
Allow
Enable delegation
Default: Not configured
CSP: UserRights/EnableDelegation
This user right determines which users can set the Trusted for Delegation setting on a user or computer object.
Not configured
Allow
Generate security audits
Default: Not configured
CSP: UserRights/GenerateSecurityAudits
This user right determines which accounts can be used by a process to add entries to the security log. The
security log is used to trace unauthorized system access.
Not configured
Allow
Impersonate a client
Default: Not configured
CSP: UserRights/ImpersonateClient
Assigning this user right to a user allows programs running on behalf of that user to impersonate a client.
Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a
client to connect to a service that they have created and then impersonating that client, which can elevate
the unauthorized user's permissions to administrative or system levels.
Not configured
Allow
Increase scheduling priority
Default: Not configured
CSP: UserRights/IncreaseSchedulingPriority
This user right determines which accounts can use a process with Write Property access to another process
to increase the execution priority assigned to the other process.
Not configured
Allow
Load and unload device drivers
Default: Not configured
CSP: UserRights/LoadUnloadDeviceDrivers
This user right determines which users can dynamically load and unload device drivers or other code in to
kernel mode.
Not configured
Allow
Lock pages in memory
Default: Not configured
CSP: UserRights/LockMemory
This user right determines which accounts can use a process to keep data in physical memory, which
prevents the system from paging the data to virtual memory on disk.
Not configured
Allow
Manage auditing and security log
Default: Not configured
CSP: UserRights/ManageAuditingAndSecurityLog
This user right determines which users can specify object access auditing options for individual resources,
such as files, Active Directory objects, and registry keys.
Not configured
Allow
Perform volume maintenance tasks
Default: Not configured
CSP: UserRights/ManageVolume
This user right determines which users and groups can run maintenance tasks on a volume, such as remote
defragmentation.
Not configured
Allow
Modify firmware environment values
Default: Not configured
CSP: UserRights/ModifyFirmwareEnvironment
This user right determines who can modify firmware environment values.
Not configured
Allow
Modify an object label
Default: Not configured
CSP: UserRights/ModifyObjectLabel
This user right determines which user accounts can modify the integrity label of objects, such as files,
registry keys, or processes owned by other users.
Not configured
Allow
Profile single process
Default: Not configured
CSP: UserRights/ProfileSingleProcess
This user right determines which users can use performance monitoring tools to monitor the performance
of system processes.
Not configured
Allow
Remote shutdown
Default: Not configured
CSP: UserRights/RemoteShutdown
This user right determines which users are allowed to shut down a computer from a remote location on the
network. Misuse of this user right can result in a denial of service.
Not configured
Allow
Restore files and directories
Default: Not configured
CSP: UserRights/RestoreFilesAndDirectories
This user right determines which users can bypass file, directory, registry, and other persistent objects
permissions when restoring backed up files and directories, and determines which users can set any valid
security principal as the owner of an object.
Not configured
Allow
Take ownership of files or objects
Default: Not configured
CSP: UserRights/TakeOwnership
This user right determines which users can take ownership of any securable object in the system, including
Active Directory objects, files and folders, printers, registry keys, processes, and threads.
Not configured
Allow
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile, and monitor its status.
Configure endpoint protections settings on macOS devices.
Windows 10 device settings to enable Windows Hello
for Business in Intune
10/16/2019 • 4 minutes to read • Edit Online
This article lists and describes the Windows Hello for Business settings you can control on Windows 10 devices in
Intune. As an Intune administrator, you can configure and assign these settings to Windows 10 devices as part of
your mobile device management (MDM ) solution.
You can find additional information about these settings in Configure Windows Hello for Business Policy settings,
in the Windows Hello documentation.
To learn more about Windows Hello for Business profiles in Intune, see configure identity protection.
Next steps
Assign the profile and monitor its status.
Windows 10 and later device settings to run as a
kiosk in Intune
12/2/2019 • 10 minutes to read • Edit Online
On Windows 10 and later devices, you can configure these devices to run in single-app kiosk mode, or multi-app
kiosk mode.
This article lists and describes the different settings you can control on Windows 10 and later devices. As part of
your mobile device management (MDM ) solution, use these settings to configure your Windows 10 and later
devices to run in kiosk mode.
As an Intune administrator, you can create and assign these settings to your devices.
To learn more about the Windows kiosk feature in Intune, see configure kiosk settings.
IMPORTANT
Be sure to assign this kiosk profile to the same devices as your Microsoft Edge profile.
NOTE
This setting enables the Microsoft Edge browser on the device. To configure Microsoft Edge-specific
settings, create a device configuration profile (Device Configuration > Profiles > Create profile >
Windows 10 for platform > Device Restrictions > Microsoft Edge Browser). Microsoft Edge browser
lists and describes the available settings.
Add Kiosk browser: Select Kiosk browser settings. These settings control a web browser app on
the kiosk. Be sure you get the Kiosk browser app from the Store, add it to Intune as a Client App.
Then, assign the app to the kiosk devices.
Enter the following settings:
Default home page URL: Enter the default URL shown when the kiosk browser opens or
when the browser restarts. For example, enter http://bing.com or http://www.contoso.com .
Home button: Show or hide the kiosk browser's home button. By default, the button isn't
shown.
Navigation buttons: Show or hide the forward and back buttons. By default, the
navigation buttons aren't shown.
End session button: Show or hide the end session button. When shown, the user selects
the button, and the app prompts to end the session. When confirmed, the browser clears all
browsing data (cookies, cache, and so on), and then opens the default URL. By default, the
button isn't shown.
Refresh browser after idle time: Enter the amount of idle time (1-1440 minutes) until the
kiosk browser restarts in a fresh state. Idle time is the number of minutes since the user’s
last interaction. By default, the value is empty or blank, which means there isn't any idle
timeout.
Allowed websites: Use this setting to allow specific websites to open. In other words, use
this feature to restrict or prevent websites on the device. For example, you can allow all
websites at http://contoso.com to open. By default, all websites are allowed.
To allow specific websites, upload a file that includes a list of the allowed websites on
separate lines. If you don't add a file, all websites are allowed. By default, Intune supports
wild card. So, when you enter the domain, such as sharepoint.com , allow subdomains are
automatically allowed, such as contoso.sharepoint.com , my.sharepoint.com , and so on.
Your sample file should look similar to the following list:
http://bing.com
https://bing.com
http://contoso.com
https://contoso.com
office.com
NOTE
Windows 10 Kiosks with Autologon enabled using Microsoft Kiosk Browser must use an offline license from
the Microsoft Store for Business. This requirement is because Autologon uses a local user account with no
Azure Active Directory (AD) credentials. So, online licenses can't be evaluated. For more information, see
Distribute offline apps.
Add Store app: Select Add a store app, and choose an app from the list.
Don't have any apps listed? Add some using the steps at Client Apps.
Specify Maintenance Window for App Restarts: Default is "Not Configured," select "Require" to check
for apps that require a restart to complete installation.
If using Kiosk browser or other Microsoft Store for business app, decide how often to check for app
updates that require restart in order to complete the application install. If not configured, Microsoft Store
for Business apps will restart at an unscheduled time 3 days after an app update is installed.
Maintenance Window Start Time: Select the date and time of day to begin checking clients for
any app updates that require restart. The default start time is midnight, or zero minutes.
Maintenance Window Recurrence: Default is daily. Set how often Maintenance windows for app
updates will take place. Recommendation is daily to avoid unscheduled app restarts.
ApplicationManagement/ScheduleForceRestartForUpdateFailures CSP
Multi-app kiosks
Apps in this mode are available on the start menu. These apps are the only apps the user can open. If an app has
a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-
bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet
explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”.
Select a kiosk mode: Choose Multi app kiosk.
Target Windows 10 in S mode devices:
Yes: Allows store apps and AUMID apps (excludes Win32 apps) in the kiosk profile.
No: Allows store apps, Win32 apps, and AUMID apps in the kiosk profile. This kiosk profile isn't
deployed to S -mode devices.
User logon type: The apps you add run as the user account you enter. Your options:
Auto logon (Windows 10 version 1803 and later): Use on kiosks in public-facing environments that
don't require the user to sign in, similar to a guest account. This setting uses the AssignedAccess CSP.
Local user account: Add the local (to the device) user account. The account you enter signs in to the
kiosk.
Azure AD user or group (Windows 10 version 1803 and later): Select Add, and choose Azure AD
users or groups from the list. You can select multiple users and groups. Choose Select to save your
changes.
HoloLens visitor: The visitor account is a guest account that doesn't require any user credentials or
authentication, as described in shared PC mode concepts.
Browser and Applications: Add the apps to run on the kiosk device. Remember, you can add several
apps.
Browsers
Add Microsoft Edge: Microsoft Edge is added to the app grid, and all applications can run
on this kiosk. Choose the Microsoft Edge kiosk mode type:
Normal mode (full version of Microsoft Edge): Runs a full-version of Microsoft Edge
with all browsing features. User data and state are saved between sessions.
Public browsing (InPrivate): Runs a multi-tab version of Microsoft Edge InPrivate with
a tailored experience for kiosks that run in full-screen mode.
For more information on these options, see Deploy Microsoft Edge kiosk mode.
NOTE
This setting enables the Microsoft Edge browser on the device. To configure Microsoft Edge-specific
settings, create a device configuration profile (Device Configuration > Profiles > Create profile
> Windows 10 for platform > Device Restrictions > Microsoft Edge Browser). Microsoft Edge
browser lists and describes the available settings.
Add Kiosk browser: These settings control a web browser app on the kiosk. Be sure you
deploy a web browser app to the kiosk devices using Client Apps.
Enter the following settings:
Default home page URL: Enter the default URL shown when the kiosk browser
opens or when the browser restarts. For example, enter http://bing.com or
http://www.contoso.com .
Home button: Show or hide the kiosk browser's home button. By default, the
button isn't shown.
Navigation buttons: Show or hide the forward and back buttons. By default, the
navigation buttons aren't shown.
End session button: Show or hide the end session button. When shown, the user
selects the button, and the app prompts to end the session. When confirmed, the
browser clears all browsing data (cookies, cache, and so on), and then opens the
default URL. By default, the button isn't shown.
Refresh browser after idle time: Enter the amount of idle time (1-1440 minutes)
until the kiosk browser restarts in a fresh state. Idle time is the number of minutes
since the user’s last interaction. By default, the value is empty or blank, which means
there isn't any idle timeout.
Allowed websites: Use this setting to allow specific websites to open. In other words,
use this feature to restrict or prevent websites on the device. For example, you can
allow all websites at contoso.com* to open. By default, all websites are allowed.
To allow specific websites, upload a .csv file that includes a list of the allowed websites.
If you don't add a .csv file, all websites are allowed.
NOTE
Windows 10 Kiosks with Autologon enabled using Microsoft Kiosk Browser must use an offline
license from the Microsoft Store for Business. This requirement is because Autologon uses a local
user account with no Azure Active Directory (AD) credentials. So, online licenses can't be evaluated.
For more information, see Distribute offline apps.
Applications
Add store app: Add an app from the Microsoft Store for Business. If you don't have any
apps listed, then you can get apps, and add them to Intune. For example, you can add Kiosk
Browser, Excel, OneNote, and more.
Add Win32 App: A Win32 app is a traditional desktop app, such as Visual Studio Code or
Google Chrome. Enter the following properties:
Application name: Required. Enter a name for the application.
Local path: Required. Enter the path to the executable, such as
C:\Program Files (x86)\Microsoft VS Code\Code.exe or
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe .
Application user model ID (AUMID ): Enter the Application user model ID (AUMID ) of
the Win32 app. This setting determines the start layout of the tile on the desktop. To get
this ID, see Get-StartApps.
Add by AUMID: Use this option to add inbox Windows apps, such as Notepad or
Calculator. Enter the following properties:
Application name: Required. Enter a name for the application.
Application user model ID (AUMID ): Required. Enter the Application user model ID
(AUMID ) of the Windows app. To get this ID, see find the Application User Model ID of
an installed app.
AutoLaunch: Optional. Choose an application to AutoLaunch when the user signs in. Only a
single app can be AutoLaunched.
Tile size: Required. Choose a Small, Medium, Wide, or Large app tile size.
TIP
After you add all the apps, you can change the display order by clicking-and-dragging the apps in the list.
Use alternative Start layout: Choose Yes to enter an XML file that describes how the apps appear on
the start menu, including the order of the apps. Use this option if you require more customization in your
start menu. Customize and export Start layout provides some guidance, and sample XML.
Windows Taskbar: Choose to Show or hide the taskbar. By default, the taskbar isn't shown. Icons, such
as the Wi-Fi icon, are shown, but the settings can't be changed by end users.
Allow Access to Downloads Folder: Choose Yes to allow users to access the Downloads folder in
Windows Explorer. By default, access to the Downloads folder is disabled. This feature is commonly used
for end users to access items downloaded from a browser.
Next steps
Assign the profile and monitor its status.
You can also create kiosk profiles for Android, Android Enterprise, and Windows Holographic for Business
devices.
Also see set up a single-app kiosk or set up a multi-app kiosk in the Windows guidance.
Windows 10 and Windows Holographic device
settings to add VPN connections using Intune
2/19/2020 • 7 minutes to read • Edit Online
You can add and configure VPN connections for devices using Microsoft Intune. This article lists and describes
commonly used settings and features when creating virtual private networks (VPNs). These VPN settings and
features are used in device configuration profiles in Intune that are pushed or deployed to devices.
As part of your mobile device management (MDM ) solution, use these settings to allow or disable features,
including using a VPN vendor, enabling always on, using DNS, adding a proxy, and more.
These settings apply to devices running:
Windows 10
Windows Holographic for Business
Depending on the settings you choose, not all values may be configurable.
<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>
<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>
<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging>
<packetCapture>False</packetCapture></MobileConnect>
IMPORTANT
We recommend that you secure all app lists created for per-app VPNs. If an unauthorized user changes this list, and
you import it into the per-app VPN app list, then you potentially authorize VPN access to apps that shouldn't have
access. One way you can secure app lists is using an access control list (ACL).
Network traffic rules for this VPN connection: Select which protocols, and which local & remote port
and address ranges, are enabled for the VPN connection. If you don't create a network traffic rule, then all
protocols, ports, and address ranges are enabled. After you create a rule, the VPN connection uses only the
protocols, ports, and address ranges that you enter in that rule.
Conditional Access
Conditional Access for this VPN connection: Enables device compliance flow from the client. When
enabled, the VPN client communicates with Azure Active Directory (AD ) to get a certificate to use for
authentication. The VPN should be set up to use certificate authentication, and the VPN server must trust
the server returned by Azure AD.
Single sign-on (SSO ) with alternate certificate: For device compliance, use a certificate different from
the VPN authentication certificate for Kerberos authentication. Enter the certificate with the following
settings:
Name: Name for extended key usage (EKU )
Object Identifier: Object identifier for EKU
Issuer hash: Thumbprint for SSO certificate
DNS Settings
DNS suffix search list: In DNS suffixes, enter a DNS suffix, and Add. You can add many suffixes.
When using DNS suffixes, you can search for a network resource using its short name, instead of the fully
qualified domain name (FQDN ). When searching using the short name, the suffix is automatically
determined by the DNS server. For example, utah.contoso.com is in the DNS suffix list. You ping DEV-comp
. In this scenario, it resolves to DEV-comp.utah.contoso.com .
DNS suffixes are resolved in the order listed, and the order can be changed. For example,
colorado.contoso.com and utah.contoso.com are in the DNS suffix list, and both have a resource called
DEV-comp . Since colorado.contoso.com is first in the list, it resolves as DEV-comp.colorado.contoso.com .
To change the order, click the dots to the left of the DNS suffix, and then drag the suffix to the top:
Name Resolution Policy table (NRPT) rules: Name Resolution Policy table (NRPT) rules define how
DNS resolves names when connected to the VPN. After the VPN connection is established, you choose
which DNS servers the VPN connection uses.
You can add rules to the table that include the domain, DNS server, proxy, and other details to resolve the
domain you enter. The VPN connection uses these rules when users connect to the domains you enter.
Select Add to add a new rule. For each server, enter:
Domain: Enter the fully qualified domain name (FQDN ) or a DNS suffix to apply the rule. You can also
enter a period (.) at the beginning for a DNS suffix. For example, enter contoso.com or
.allcontososubdomains.com .
DNS servers: Enter the IP address or DNS server that resolves the domain. For example, enter
10.0.0.3 or vpn.contoso.com .
Proxy: Enter the web proxy server that resolves the domain. For example, enter http://proxy.com .
Automatically connect: When Enabled, the device automatically connects to the VPN when a device
connects to a domain you enter, such as contoso.com . When Not configured (default), the device
doesn't automatically connect to the VPN
Persistent: When set to Enabled, the rule stays in the Name Resolution Policy table (NRPT) until the
rule is manually removed from the device, even after the VPN disconnects. When set to Not
configured (default), NRPT rules in the VPN profile are removed from the device when the VPN
disconnects.
Proxy settings
Automatic configuration script: Use a file to configure the proxy server. Enter the Proxy server URL, such
as http://proxy.contoso.com , that includes the configuration file.
Address: Enter the proxy server address, such as an IP address or vpn.contoso.com
Port number: Enter the TCP port number used by your proxy server
Bypass proxy for local addresses: If you don't want to use a proxy server for local addresses, then choose
Enable. This setting applies if your VPN server requires a proxy server for the connection.
Split Tunneling
Split tunneling: Enable or Disable to let devices decide which connection to use depending on the traffic.
For example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's standard
network for regular web browsing.
Split tunneling routes for this VPN connection: Add optional routes for third-party VPN providers. Enter
a destination prefix, and a prefix size for each connection.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile, and monitor its status.
Configure VPN settings on Android, iOS/iPadOS, and macOS devices.
Add Wi-Fi settings for Windows 10 and later devices
in Intune
10/16/2019 • 8 minutes to read • Edit Online
You can create a profile with specific WiFi settings, and then deploy this profile to your Windows 10 and later
devices. Microsoft Intune offers many features, including authenticating to your network, using a pre-shared key,
and more.
This article describes these settings.
Basic profile
Wi-Fi type: Choose Basic.
Wi-Fi name (SSID ): Short for service set identifier. This value is the real name of the wireless network
that devices connect to. However, users only see the Connection name you configure when they choose
the connection.
Connection name: Enter a user-friendly name for this Wi-Fi connection. The text you enter is the name
users see when they browse the available connections on their device.
Connect automatically when in range: When Yes, devices connect automatically when they're in range
of this network. When No, devices don't automatically connect.
Connect to more preferred network if available: If the devices are in range of a more preferred
network, then choose Yes to use the preferred network. Choose No to use the Wi-Fi network in this
configuration profile.
For example, you create a ContosoCorp Wi-Fi network, and use ContosoCorp within this
configuration profile. You also have a ContosoGuest Wi-Fi network within range. When your
corporate devices are within range, you want them to automatically connect to ContosoCorp. In
this scenario, set the Connect to more preferred network if available property to No.
Connect to this network, even when it is not broadcasting its SSID: Choose Yes for the
configuration profile to automatically connect to your network, even when the network is hidden
(meaning, its SSID isn't broadcast publicly). Choose No if you don't want this configuration profile
to connect to your hidden network.
Metered Connection Limit: An administrator can choose how the network's traffic is metered.
Applications can then adjust their network traffic behavior based on this setting. Your options:
Unrestricted: Default. The connection isn't metered and there are no restrictions on traffic.
Fixed: Use this option if the network is configured with fixed limit for network traffic. After this limit is
reached, network access is prohibited.
Variable: Used this option if network traffic is charged per byte (cost per byte).
Wireless Security Type: Enter the security protocol used to authenticate devices on your network. Your
options are:
Open (no authentication): Only use this option if the network is unsecured.
WPA/WPA2-Personal: A more secure option, and is commonly used for Wi-Fi connectivity. For
more security, you can also enter a pre-shared key password or network key.
Pre-shared key (PSK): Optional. Shown when you choose WPA/WPA2-Personal as the
security type. When your organization's network is set up or configured, a password or
network key is also configured. Enter this password or network key for the PSK value. Enter a
string between 8-64 characters. If your password or network key is 64 characters, enter
hexadecimal characters.
NOTE
When you save the Wi-Fi profile, the PSK value you entered isn't shown for security reasons. The
pre-shared key watermark still shows Not configured even though the PSK is saved in the profile.
To change the PSK, enter a new key, and save the profile. If you save a PSK, edit the policy, and leave
the PSK blank, then the existing PSK is still used.
IMPORTANT
The PSK is the same for all devices you target the profile to. If the key is compromised, it can be used
by any device to connect to the Wi-Fi network. Keep your PSKs secure to avoid unauthorized access.
Company Proxy settings: Choose to use the proxy settings within your organization. Your options:
None: No proxy settings are configured.
Manually configure: Enter the Proxy server IPaddress and its Port number.
Automatically configure: Enter the URL pointing to a proxy autoconfiguration (PAC ) script. For
example, enter http://proxy.contoso.com/proxy.pac .
Select OK > Create to save your changes. The profile is created and is shown in the profiles list.
Enterprise profile
Wi-Fi type: Choose Enterprise.
Wi-Fi name (SSID ): Short for service set identifier. This value is the real name of the wireless network
that devices connect to. However, users only see the Connection name you configure when they choose
the connection.
Connection name: Enter a user-friendly name for this Wi-Fi connection. The text you enter is the name
users see when they browse the available connections on their device.
Connect automatically when in range: When Yes, devices connect automatically when they're in range
of this network. When No, devices don't automatically connect.
Connect to more preferred network if available: If the devices are in range of a more preferred
network, then choose Yes to use the preferred network. Choose No to use the Wi-Fi network in this
configuration profile.
For example, you create a ContosoCorp Wi-Fi network, and use ContosoCorp within this
configuration profile. You also have a ContosoGuest Wi-Fi network within range. When your
corporate devices are within range, you want them to automatically connect to ContosoCorp. In
this scenario, set the Connect to more preferred network if available property to No.
Connect to this network, even when it is not broadcasting its SSID: Choose Yes for the
configuration profile to automatically connect to your network, even when the network is hidden
(meaning, its SSID isn't broadcast publicly). Choose No if you don't want this configuration profile
to connect to your hidden network.
Metered Connection Limit: An administrator can choose how the network's traffic is metered.
Applications can then adjust their network traffic behavior based on this setting. Your options:
Unrestricted: Default. The connection isn't metered and there are no restrictions on traffic.
Fixed: Use this option if the network is configured with fixed limit for network traffic. After this limit is
reached, network access is prohibited.
Variable: Used this option if network traffic is costed per byte.
Single sign-on (SSO ): Allows you to configure single sign-on (SSO ), where credentials are shared for
computer and Wi-Fi network sign-in. Your options are:
Disable: Disables SSO behavior. The user needs to authenticate to the network separately.
Enable before user signs into device: Use SSO to authenticate to the network just before the user
sign-in process.
Enable after user signs into device: Use SSO to authenticate to the network immediately after the
user sign-in process completes.
Maximum time to authenticate before timeout: Enter the maximum number of seconds to wait
before authenticating to the network, from 1-120 seconds.
Allow Windows to prompt user for additional authentication credentials: Choosing Yes allows
the Windows system to prompt the user for additional credentials if the authentication method requires
it. Choose No to hide these prompts.
Enable pairwise master key (PMK) caching: Select Yes to cache the PMK used in authentication. This
caching typically allows authentication to the network to complete faster. Choose No to force the
authentication handshake when connecting to the Wi-Fi network every time.
Maximum time a PMK is stored in cache: Enter the number of minutes a pairwise master key
(PMK) is stored in the cache, from 5-1440 minutes.
Maximum number of PMKs stored in cache: Enter the number of keys stored in cache, from 1-255.
Enable pre-authentication: Pre-authentication allows the profile to authenticate to all access points for
the network in the profile before connecting. When moving between access points, pre-authentication
reconnects the user or devices more quickly. Choose Yes for the profile to authenticate to all access points
for this network that are within range. Choose No to require the user or device to authenticate to each
access point separately.
Maximum pre-authentication attempts: Enter the number of tries to preauthenticate, from 1-16.
EAP type: Choose the Extensible Authentication Protocol (EAP ) type to authenticate secured wireless
connections. Your options:
EAP -SIM
EAP -TLS
EAP -TTLS
Protected PEAP (PEAP )
EAP -TLS, EAP -TTLS, and PEAP additional settings:
NOTE
Currently, only SCEP certificate profiles are supported when using an EAP type. PKCS certificate profiles are
not supported. Anytime a user is asked to enter a certificate, be sure to choose an SCEP certificate.
Server Trust
Certificate server names: Use with EAP -TLS, EAP -TTLS, or PEAP EAP types. Enter one
or more common names used in the certificates issued by your trusted certificate authority
(CA). If you enter this information, you can bypass the dynamic trust dialog shown on user
devices when they connect to this Wi-Fi network.
Root certificate for server validation: Use with EAP -TLS, EAP -TTLS, or PEAP EAP
types. Choose the trusted root certificate profile used to authenticate the connection.
Identity privacy (outer identity): Use with PEAP EAP type. Enter the text sent in response
to an EAP identity request. This text can be any value. During authentication, this anonymous
identity is initially sent, and then followed by the real identification sent in a secure tunnel.
Client Authentication
Client certificate for client authentication (Identity certificate): Use with EAP -TLS
EAP type. Choose the certificate profile used to authenticate the connection.
Authentication method: Use with EAP -TTLS EAP type. Select the authentication method
for the connection:
Certificates: Select the client certificate that is the identity certificate presented to the
server.
Username and Password: Enter a Non-EAP method (inner identity) method for
authentication. Your options:
Unencrypted password (PAP )
Challenge Handshake (CHAP )
Microsoft CHAP (MS -CHAP )
Microsoft CHAP Version 2 (MS -CHAP v2)
Identity privacy (outer identity): Use with EAP -TTLS EAP type. Enter the text sent in
response to an EAP identity request. This text can be any value. During authentication, this
anonymous identity is initially sent, and then followed by the real identification sent in a
secure tunnel.
Company Proxy settings: Choose to use the proxy settings within your organization. Your options:
None: No proxy settings are configured.
Manually configure: Enter the Proxy server IPaddress and its Port number.
Automatically configure: Enter the URL pointing to a proxy auto-configuration (PAC ) script. For
example, enter http://proxy.contoso.com/proxy.pac .
Force Wi-Fi profile to be compliant with the Federal Information Processing Standard (FIPS ):
Choose Yes when validating against the FIPS 140-2 standard. This standard is required for all US federal
government agencies that use cryptography-based security systems to protect sensitive but unclassified
information stored digitally. Choose No to not be FIPS -compliant.
Select OK > Create to save your changes. The profile is created and is shown in the profiles list.
Use an imported settings file
For any settings not available in Intune, you can export Wi-Fi settings from another Windows device. This export
creates an XML file with all the settings. Then, import this file in to Intune, and use it as the Wi-Fi profile. See
Export and import Wi-Fi settings for Windows devices.
Next steps
The profile is created, but it's not doing anything. Next, assign this profile.
More resources
See the settings available for Windows 8.1.
Wi-Fi settings overview, including other platforms.
Configure the Take a Test app on Windows 10 devices
using Intune
10/16/2019 • 2 minutes to read • Edit Online
The Take a Test app lets you securely administer online tests on your classroom's Windows 10 devices. To set up
the Take a Test app, you'll need to create a device configuration profile in Intune and configure the secure
assessment settings. This article describes the settings you'll find for the Take a Test app.
After you've configured the profile, assign and deploy it to your students.
Take a Test app in Intune provides more information on this feature.
Next steps
Be sure to assign the profile, and monitor its status.
Windows 10 and later settings to manage shared
devices using Intune
12/5/2019 • 4 minutes to read • Edit Online
Windows 10 and later devices, such as the Microsoft Surface, can be used by many users. Devices that have
multiple users are called shared devices, and are a part of mobile device management (MDM ) solutions.
Using Microsoft Intune, end-users can sign in to these shared devices with a guest account. As they use the device,
they only get access to features you allow. As the Intune administrator, you configure access, choose when
accounts are deleted, control power management settings, and more for your shared Windows 10 devices.
This article lists and describes the settings you use in a Windows 10 (and later) device configuration profile. When
the profile is created in Intune, you deploy or assign the profile to device groups in your organization. You can also
assign this profile to device groups with mixed device types and OS versions.
For more information on this feature in Intune, see Control access, accounts, and power features on shared PC or
multi-user devices. For more information on the Windows CSP, see SharedPC CSP.
TIP
Set up a shared or guest PC (opens another docs web site) is a great resource on this Windows 10 feature, including
concepts and group policies that can be set in shared mode.
Next steps
Assign the profile and monitor its status.
See the settings for Windows Holographic for Business.
Use custom settings for Windows 10 devices in Intune
12/19/2019 • 2 minutes to read • Edit Online
Using Microsoft Intune, you can add or create custom settings for your Windows 10 devices using "custom
profiles". Custom profiles are a feature in Intune. They're designed to add device settings and features that aren't
built in to Intune.
Windows 10 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to
configure different features. These settings are typically used by mobile device manufacturers to control features
on the device.
Windows 10 makes many Configuration Service Provider (CSP ) settings available, such as Policy Configuration
Service Provider (Policy CSP ).
If you're looking for a specific setting, remember that the Windows 10 device restriction profile includes many
built-in settings. So, you may not need to enter custom values.
This article shows you:
How to create a custom profile for Windows 10 devices
Includes a list of the recommended OMA-URI settings
Provides an example of a custom profile that opens a VPN connection
Example
In the following example, the Connectivity/AllowVPNOverCellular setting is enabled. This setting allows a
Windows 10 device to open a VPN connection when on a cellular network.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Windows Holographic for Business device settings to
allow or restrict features using Intune
12/19/2019 • 3 minutes to read • Edit Online
This article lists and describes the different settings you can control on Windows Holographic for Business devices,
such as Microsoft Hololens. As part of your mobile device management (MDM ) solution, use these settings to
allow or disable features, control security, and more.
General
Manual unenrollment: Lets the user manually delete the workplace account from the device.
Cortana: Enable or disable the Cortana voice assistant.
Geolocation: Specifies whether the device can use location services information.
Password
Password: Require the end user to enter a password to access the device.
Require password when device returns from idle state: Specifies that the user must enter a password to
unlock the device.
App Store
Auto-update apps from store: Allows apps installed from the Microsoft Store to be automatically updated.
Trusted app installation: Allows apps signed with a trusted certificate to be sideloaded.
Developer unlock: Allow Windows developer settings, such as allowing sideloaded apps to be modified by
the end user.
Search
Search location -Specify if search can use location. information
Cloud and Storage
Microsoft account: Lets the user associate a Microsoft account with the device.
Kiosk - Obsolete
These settings are read-only, and can't be changed. To configure kiosk mode, see Kiosk settings.
A kiosk device typically runs a specific app. Users are prevented from accessing any features or functions on the
device outside of the kiosk app.
Kiosk mode: Identifies the type of kiosk mode supported by the policy. Options include:
Not Configured (default): The policy does not enable a kiosk mode.
Single app kiosk: The profile enables the device to only run one app. When the user signs in, a
specific app starts. This mode also restricts the user from opening new apps, or changing the running
app.
Multi-app kiosk: The profile enables the device to run multiple apps. Only the apps you add are
available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-
to-understand experience for individuals by only accessing apps they need. And, removing the apps
they don’t need from their view.
When you add apps for a multi-app kiosk experience, you also add a start menu layout file. Start
menu layout file includes sample XML that can be used in Intune.
Single app kiosks
Enter the following settings:
User account: Enter the local (to the device) user account or the Azure AD account login associated with
the kiosk app. For accounts joined to Azure AD domains, enter the account using the
domain\username@tenant.org format.
For kiosks in public-facing environments with auto logon enabled, a user type with the least privilege (such
as the local standard user account) should be used. To configure an Azure Active Directory (AD ) account for
kiosk mode, use the AzureAD\user@contoso.com format.
Application user model ID (AUMID ) of app: Enter the AUMID of the kiosk app. To learn more, see Find
the Application User Model ID of an installed app.
Next steps
Assign the profile and monitor its status.
Windows Holographic for Business settings to
manage shared devices using Intune
10/16/2019 • 2 minutes to read • Edit Online
Windows Holographic for Business devices, such as the Microsoft HoloLens, can be used by multiple users.
Devices that have multiple users are called shared devices, and are a part of mobile device management (MDM )
solutions.
Using Microsoft Intune, users can sign in to these shared devices with a guest account. As they use the device,
they only get access to features you allow.
This article lists and describes the settings you use in a Windows Holographic for Business device configuration
profile. When the profile is created in Intune, you then deploy or assign the profile to device groups in your
organization. You can also assign this profile to a device group with mixed device types and OS versions.
For more information on this feature in Intune, see Control access, accounts, and power features on shared PC or
multi-user devices. For more information on the Windows CSP, see AccountManagement CSP.
Account management: Set to Enable to automatically delete local accounts created by guests, and
accounts in AD and Azure AD. When a user signs off the device, or when system maintenance runs, these
accounts are deleted. When enabled, also set:
Account Deletion: Choose when accounts are deleted: At storage space threshold, At storage
space threshold and inactive threshold, or Immediately after log-out. Also enter:
Start delete threshold(%): Enter a percentage (0-100) of disk space. When the total
disk/storage space drops below the value you enter, the cached accounts are deleted. It
continuously deletes accounts to reclaim disk space. Accounts that are inactive the longest are
deleted first.
Stop delete threshold(%): Enter a percentage (0-100) of disk space. When the total
disk/storage space meets the value you enter, the deleting stops.
Set to Disable to keep the local, AD, and Azure AD accounts created by guests.
NOTE
Microsoft HoloLens devices only support the Account management settings.
Next steps
Assign the profile and monitor its status.
See the settings for Windows 10 and newer.
Upgrade devices running Windows Holographic to
Windows Holographic for Business
10/16/2019 • 2 minutes to read • Edit Online
Microsoft Intune includes many settings to help manage and protect your devices. This article lists and describes
the settings to upgrade Windows Holographic devices to Windows Holographic for Business. These settings are
created in an upgrade configuration profile in Intune that are pushed or deployed to devices.
As part of your mobile device management (MDM ) solution, use these settings to upgrade your Windows
Holographic devices. For the Microsoft HoloLens, you can purchase the Commercial Suite to get the required
license for the upgrade. For more information, see Unlock Windows Holographic for Business features.
For more information on this feature, see Upgrade Windows 10 editions or enable S mode.
Edition upgrade
Edition to upgrade to: Select Windows 10 Holographic for Business.
License File: Browse to and select the XML license file that was provided to you.
Next steps
The profile is created, but it may not be doing anything yet. Be sure to assign the profile, and monitor its status.
You can also create edition upgrade profiles for Windows 10 and later devices.
Windows Holographic for Business device settings to
run as a kiosk in Intune
10/16/2019 • 3 minutes to read • Edit Online
On Windows Holographic for Business devices, you can configure these devices to run in single-app kiosk mode,
or multi-app kiosk mode. Some features aren't supported on Windows Holographic for Business.
This article lists and describes the different settings you can control on Windows Holographic for Business
devices. As part of your mobile device management (MDM ) solution, use these settings to configure your
Windows Holographic for Business devices to run in kiosk mode.
As an Intune administrator, you can create and assign these settings to your devices.
To learn more about the Windows kiosk feature in Intune, see configure kiosk settings.
Multi-app kiosks
Apps in this mode are available on the start menu. These apps are the only apps the user can open. When you
choose multi app kiosk mode, enter the following settings:
Target Windows 10 in S mode devices: Choose No. S mode isn't supported on Windows Holographic
for Business.
User logon type: Add one or more user accounts that can use the apps you add. Your options:
Auto logon: Not supported on Windows Holographic for Business.
Local user accounts: Add the local (to the device) user account. The account you enter is used to sign
in to the kiosk.
Azure AD user or group (Windows 10, version 1803 and later): Requires user credentials to sign in
to the device. Select Add to choose Azure AD users or groups from the list. You can select multiple
users and groups. Choose Select to save your changes.
HoloLens visitor: The visitor account is a guest account that doesn't require any user credentials or
authentication, as described in shared PC mode concepts.
Applications: Add the apps to run on the kiosk device. Remember, you can add several apps.
Add Store apps: Select an existing app you added or deployed to Intune as Client Apps, including
LOB apps. If you don't have any apps listed, Intune supports many app types that you add to Intune.
Add Win32 app: Not supported on Windows Holographic for Business.
Add by AUMID: Use this option to add inbox Windows apps. Enter the following properties:
Application name: Required. Enter a name for the application.
Application user model ID (AUMID ): Required. Enter the Application user model ID (AUMID )
of the Windows app. To get this ID, see find the Application User Model ID of an installed app.
Tile size: Required. Choose a Small, Medium, Wide, or Large app tile size.
Kiosk browser settings: Not supported on Windows Holographic for Business.
Use alternative Start layout: Choose Yes to enter an XML file that describes how the apps appear on the
start menu, including the order of the apps. Use this option if you require more customization in your start
menu. Customize and export start layout provides some guidance, and includes a specific XML file for
Windows Holographic for Business devices.
Windows Taskbar: Not supported on Windows Holographic for Business.
Next steps
Assign the profile and monitor its status.
You can also create kiosk profiles for Android, Android Enterprise, and Windows 10 and later devices.
Use custom settings for Windows Holographic for
Business devices in Intune
12/19/2019 • 4 minutes to read • Edit Online
Using Microsoft Intune, you can add or create custom settings for your Windows Holographic for Business
devices using "custom profiles". Custom profiles are a feature in Intune. They're designed to add device settings
and features that aren't built in to Intune.
Windows Holographic for Business custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-
URI) settings to configure different features. These settings are typically used by mobile device manufacturers to
control features on the device.
Windows Holographic for Business makes many configuration service providers (CSPs) settings available. For a
CSP overview, see Introduction to configuration service providers (CSPs) for IT pros. For specific CSPs supported
by Windows Holographic, see CSPs supported in Windows Holographic.
If you're looking for a specific setting, remember that the Windows Holographic for Business device restriction
profile includes many built-in settings. So, you may not need to enter custom values.
This article shows you how to create a custom profile for Windows Holographic for Business devices. It also
includes a list of the recommended OMA-URI settings.
./Vendor/MSFT/Policy/Config/Authentication/AllowFastReconn Integer
ect 0 - not allowed
1 - allowed (default)
AllowUpdateService
OMA-URI DATA TYPE
./Vendor/MSFT/Policy/Config/Update/AllowUpdateService Integer
0 – Update service is not allowed
1 – Update service is allowed (default).
AllowVPN
OMA-URI DATA TYPE
./Vendor/MSFT/Policy/Config/Settings/AllowVPN Integer
0 - not allowed
1 - allowed (default)
RequireUpdatesApproval
OMA-URI DATA TYPE
./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval Integer
0 – Not configured. The device installs all applicable updates.
1 – The device only installs updates that are both applicable
and on the Approved Updates list. Set this policy to 1 if IT
wants to control the deployment of updates on devices, such
as when testing is required prior to deployment.
ScheduledInstallTime
OMA-URI DATA TYPE
OMA-URI DATA TYPE
UpdateServiceURL
OMA-URI DATA TYPE
./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl String
URL - the device checks for updates from the WSUS server at
the specified URL.
Not configured - The device checks for updates from
Microsoft Update.
ApprovedUpdates
OMA-URI DATA TYPE
ApplicationLaunchRestrictions
OMA-URI DATA TYPE
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Gro String
uping/ApplicationType/Policy For more information, see AppLocker CSP.
Important
The AppLocker CSP article uses escaped XML examples. To
configure the settings with Intune custom profiles, you must
use plain XML.
DeletionPolicy
OMA-URI DATA TYPE
./Vendor/MSFT/AccountManagement/UserProfileManagemen Integer
t/DeletionPolicy 0 - delete immediately when the device returns to a state with
no currently active users
1 - delete at storage capacity threshold (default)
2 - delete at both storage capacity threshold and profile
inactivity threshold
EnableProfileManager
OMA-URI DATA TYPE
./Vendor/MSFT/AccountManagement/UserProfileManagemen Boolean
t/EnableProfileManager True - enable
False - disable (default)
ProfileInactivityThreshold
OMA-URI DATA TYPE
./Vendor/MSFT/AccountManagement/UserProfileManagemen Integer
t/ProfileInactivityThreshold Default value is 30.
StorageCapacityStartDeletion
OMA-URI DATA TYPE
./Vendor/MSFT/AccountManagement/UserProfileManagemen Integer
t/StorageCapacityStartDeletion Default value is 25.
StorageCapacityStopDeletion
OMA-URI DATA TYPE
./Vendor/MSFT/AccountManagement/UserProfileManagemen Integer
t/StorageCapacityStopDeletion Default value is 50.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Create a custom profile on Windows 10 devices.
Microsoft Intune Windows 8.1 device restriction
settings
12/19/2019 • 3 minutes to read • Edit Online
This article shows you the Microsoft Intune device restrictions settings that you can configure for devices running
Windows 8.1.
General
Diagnostic data submission - Enables the device to submit diagnostic information to Microsoft.
Firewall - Requires that the Windows Firewall is turned on.
User Account Control - Requires the use of User Account Control (UAC ) on devices.
Password
Required password type - Require the end user to enter a password to access the device.
Minimum password length - Configures the minimum required length (in characters) for the password.
Number of sign-in failures before wiping device - Wipes the device if the sign-in attempts fail this number
of times.
Maximum minutes of inactivity until screen locks - Specifies the number of minutes a device must be idle
before a password is required to unlock it.
Password expiration (days) - Specifies the number of days before the device password must be changed.
Prevent reuse of previous passwords - Specifies whether the user can configure previously used passwords.
Picture password and PIN - Enables the use of a picture password and PIN. A picture password lets the user
sign in with gestures on a picture. A PIN lets users quickly sign in with a four-digit code.
Encryption - Requires that files on the device are encrypted.
To enforce encryption on devices that run Windows 8.1, you must install the December 2014 MDM client
update for Windows on each device. If you enable this setting for Windows 8.1 devices, all users of the device
must have a Microsoft account. For encryption to work, the device must meet the Microsoft InstantGo
hardware certification requirements. When you enforce encryption on a device, the recovery key is only
accessible from the user's Microsoft account, which is accessed from their OneDrive account. You cannot
recover this key on behalf of a user.
Browser
Autofill - Enables users to change autocomplete settings in the browser.
Fraud warnings - Enables or disables warnings for potential fraudulent websites.
SmartScreen - Enables or disables warnings for potential fraudulent websites.
JavaScript - Enables the browser to run scripts, such as Java script.
Pop-ups - Enables or disables the browser pop-up blocker.
Send do-not-track headers - Sends a do-not-track header to visited sites in Internet Explorer.
Plugins - Enables users to add plug-ins to Internet Explorer.
Single word entry on intranet site - Enables use of a single word to direct Internet Explorer to a web site,
such as Bing.
Auto detect of intranet site - Helps configure security for intranet sites in Internet Explorer.
Internet security level - Sets the Internet Explorer security level for Internet sites.
Intranet security level - Sets the Internet Explorer security level for intranet sites.
Trusted sites security level - Configures the security level for the trusted sites zone.
High security for restricted sites - Configures the security level for the restricted sites zone.
Enterprise mode menu access - Lets users access the Enterprise Mode menu options from Internet Explorer.
If you select this setting, you can also specify a Logging report location, which contains a URL to a report that
shows websites for which users have turned on Enterprise Mode access.
Enterprise mode site list location - Specifies the location of the list of websites that use Enterprise Mode
when it is active.
Cellular
Data roaming - Enables data roaming when the device is on a cellular network.
Next steps
Create a device restrictions profile on Windows 10 and newer.
Add VPN settings on Windows 8.1 devices in
Microsoft Intune
12/19/2019 • 3 minutes to read • Edit Online
This article shows you the Intune settings you can use to configure VPN connections on devices running
Windows 8.1.
Depending on the settings you choose, not all values in the following list are configurable.
<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging>
<packetCapture>False</packetCapture></MobileConnect>
<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>
For more information on writing custom XML commands, see the manufacturer's VPN documentation.
Proxy settings
Automatically detect proxy settings: If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings.
Automatic configuration script: Use a file to configure the proxy server. Enter the Proxy server URL that
contains the configuration file. For example, enter http://proxy.contoso.com .
Use proxy server: Enable this option if you want to manually enter the proxy server settings.
Address: Enter the proxy server address (as an IP address).
Port number: Enter the port number associated with the proxy server.
Bypass proxy for local addresses: If your VPN server requires a proxy server for the connection, and you
don't want to use the proxy server for local addresses you enter, then select this option.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Configure VPN settings on Android, Android Enterprise, macOS, and Windows 10 devices.
Import Wi-Fi settings for Windows devices in Intune
12/19/2019 • 2 minutes to read • Edit Online
For devices that run Windows, you can import a Wi-Fi configuration profile that was previously exported to a file.
For Windows 10 and later devices, you can also create a Wi-Fi profile directly in Intune.
Applies to:
Windows 8.1 and later
Windows 10 and later
Windows 10 desktop or mobile
Windows Holographic for Business
IMPORTANT
If you are exporting a Wi-Fi profile that includes a pre-shared key, you must add key=clear to the command.
For example, enter: netsh wlan export profile name="ProfileName" key=clear folder=c:\Wifi
Using a pre-shared key with Windows 10 causes a remediation error to show in Intune. When this happens, the
Wi-Fi profile is properly assigned to the device, and the profile works as expected.
If you export a Wi-Fi profile that includes a pre-shared key, be sure the file is protected. The key is in plain text, so
it's your responsibility to protect the key.
Next steps
The profile is created, but it's not doing anything. Next, assign the profile and monitor its status.
See the Wi-Fi settings overview, including other available platforms.
Microsoft Intune Windows Phone 8.1 device
restriction settings
12/19/2019 • 3 minutes to read • Edit Online
This article shows you the Microsoft Intune device restrictions settings that you can configure for devices running
Windows Phone 8.1.
General
Camera - Enables or blocks the device's camera.
Copy and paste - Enables or blocks copy and paste functionality on devices.
Removable storage - Lets the device use removable storage such as SD cards.
Geolocation - Enables the device to utilize location information.
Microsoft account - Enable or block the user from linking a Microsoft account to the device.
Screen capture - Lets the user capture the contents of the screen as an image file.
Diagnostic data submission - Enables the device to submit diagnostic information to Microsoft.
Custom email accounts sync - Enables the device to connect to non-Microsoft email accounts.
Password
Password - Require the end user to enter a password to access the device.
Required password type - Specifies the type of password that is required, such as alphanumeric or
numeric only.
Minimum password length - Specifies the minimum number of characters that are required in the
password.
Simple passwords - Specifies that simple passwords such as ‘0000’ and ‘1234’ can be used.
Number of sign-in failures before wiping device - Specifies the number of times an incorrect
password can be entered before the device is wiped.
Maximum minutes of inactivity until screen locks - Specifies the amount of time a device must
remain idle before the screen is automatically locked.
Password expiration (days) - Specifies the number of days before the device password must be
changed.
Prevent reuse of previous passwords - Specifies how many previously used passwords are
remembered.
Encryption - Requires that the data on supported mobile devices be encrypted.
App Store
App store - Lets users connect to the app store from the device.
Restricted apps
In the restricted apps list, you can configure one of the following lists:
A Blocked apps list - List the apps (not managed by Intune) that users are not allowed to install and run. An
Allowed apps list - List the apps that users are allowed to install. Apps that are managed by Intune are
automatically allowed.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the
app in the app store.
How to specify the URL to an app in the store
To specify an app URL in the allowed and blocked apps list, use the following format:
From the Windows Phone Store page, search for the app that you want to use.
Open the app’s page, and copy the URL to the clipboard. You can now use this as the URL in either the allowed or
blocked apps list.
Example: Search the store for the Skype app. The URL you use is
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51 .
Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app
publisher>, or click Export to create a csv file containing the contents of the restricted apps list in the same format.
Browser
Web browser - Enables or blocks the built-in web browser on devices.
This article shows you the email profile settings you can configure for your devices running Windows Phone 8.1.
IMPORTANT
Windows Phone 8.1 email profiles are also applied to Windows 10 devices.
Security settings
SSL - Use Secure Sockets Layer (SSL ) communication when sending emails, receiving emails, and
communicating with the Exchange server.
Synchronization settings
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule - Select the schedule by which devices synchronize data from the Exchange server. You can
also select As Messages arrive, which synchronizes data as soon as it arrives, or Manual, where the user of
the device must initiate the synchronization.
This article shows you the Intune settings you can use to configure VPN connections on devices running
Windows Phone 8.1.
Depending on the settings you choose, not all values in the following list are configurable.
IMPORTANT
Windows Phone 8.1 VPN profiles are also applied to Windows 10 devices.
Custom XML: Specify any custom XML commands that configure the VPN connection.
Pulse Secure example:
<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>
<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging>
<packetCapture>False</packetCapture></MobileConnect>
<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>
For more information on writing custom XML commands, see the manufacturer's VPN documentation.
Split tunneling: Enable or Disable this option that lets devices decide which connection to use
depending on the traffic. For example, a user in a hotel uses the VPN connection to access work files, but
use the hotel's standard network for regular web browsing.
Proxy settings
Automatically detect proxy settings: If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings.
Automatic configuration script: Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com ) which contains the configuration file.
Use proxy server: Enable this option if you want to manually enter the proxy server settings.
Address: Enter the proxy server address (as an IP address).
Port number: Enter the port number associated with the proxy server.
Bypass proxy for local addresses: If your VPN server requires a proxy server for the connection, and you
don't want to use the proxy server for local addresses you enter, then select this option.
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Configure VPN settings on Android, Android Enterprise, macOS, and Windows 10 devices.
Use custom settings for Windows Phone 8.1 devices
in Intune
12/19/2019 • 2 minutes to read • Edit Online
Using Microsoft Intune, you can add or create custom settings for your Windows Phone 8.1 devices using "custom
profiles". Custom profiles are a feature in Intune. They're designed to add device settings and features that aren't
built in to Intune.
Windows Phone 8.1 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings
to configure different features. These settings are typically used by mobile device manufacturers to control
features on the device. Windows Phone 8.1 MDM protocol documentation lists the settings.
This article shows you how to create a custom profile for Windows Phone 8.1 devices.
Example
In the following example, Windows 8.1 phone devices are prevented from changing cellular networks when
traveling outside the carrier coverage area.
Name: Allow Cellular Data Roaming
Description: Allow or disallow cellular data roaming
OMA -URI (case sensitive): ./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming
Data type: Integer
Value: 0
Next steps
The profile is created, but it's not doing anything yet. Next, assign the profile and monitor its status.
Create a custom profile on Windows 10 devices.