Intune support for new settings and updates in iOS 13 and macOS 10.15

Posted on by No Comments ↓

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

We’re excited to announce support for new settings and updates that will be in place when iOS 13 releases around September. We’ll update documentation as we make changes on our side but we wanted to consolidate information here for your convenience.

 

Some Unsupervised iOS Device Restrictions Change to Supervised-Only
Eleven iOS device restrictions will change from unsupervised to supervised-only with the iOS 13.0 release: 

App Store, Doc Viewing, Gaming

  • App store (supervised only)
  • Explicit iTunes, music, podcast, or news content (supervised only)
  • Adding Game Center friends (supervised only)
  • Multiplayer gaming (supervised only)

Built-in Apps

  • Camera (supervised only)
  • FaceTime (supervised only)
  • Safari (supervised only)
  • Autofill (supervised only)

Cloud and Storage

  • Backup to iCloud (supervised only)
  • Block iCloud Document sync (supervised only)
  • Block iCloud Keychain sync (supervised only)


If these settings were configured and assigned to unsupervised devices prior to the iOS 13.0 release, the device restrictions will still apply to the unsupervised devices—even after the devices are upgraded to iOS 13.0. However, these device restrictions will be removed from unsupervised devices that are backed up and restored. These restrictions will not be applied to unsupervised devices enrolled after the iOS 13.0 release, even if they are running an OS version earlier than iOS 13.0.

For the complete list of supervised settings, see iOS device settings to allow or restrict features using Intune. 


For more additional information about supervised mode, see Turn on iOS supervised mode.


New Device Restriction Settings
We’re excited to announce that we are providing support for four new supervised-only iOS 13.0 settings and one new macOS 10.15 setting prior to the software releases. We want you to be able to use these restrictions as soon as Apple releases iOS 13.0 and macOS 10.15, so they are now available with the 1908 Intune release. 

 

Note that these restrictions do not apply to devices that are enrolled through User Enrollment.

 

iOS
Keyboard and Dictionary

  • Quickpath (supervised only)

Built-in Apps

  • Find my iPhone (supervised only)
  • Find My Friends (supervised only)

Wireless

  • Wi-Fi always turned on
    (with the 1910 release, this new setting is replacing the old one)

macOS
Cloud and Storage

  • Handoff


For the complete list of macOS device settings, see macOS device settings to allow or restrict features using Intune. 


New User Enrollment Device Restrictions
Apple has announced the introduction of a new type of enrollment called User Enrollment for iOS 13, iPadOS, and macOS 10.15 Catalina devices. To prepare for User Enrollment release, we are ensuring that your current Device Configuration policies will apply in a predictable manner to User Enrolled devices.

  • These settings are also available for devices enrolled through Device Enrollment and Automated Device Enrollment (previously known as DEP).
  • All settings supported by Intune that Apple allows on User Enrollment devices will continue to work on these devices using your current policies.
  • Settings that are available for devices enrolled through User Enrollment apply to all enrolled devices. 
  • Settings that are not marked as available for User Enrollment will not be applied to devices enrolled through User Enrollment. For example, if you block AirPrint on an iOS device that was enrolled through User Enrollment, AirPrint will not be blocked because that device restriction requires a supervised iOS device running iOS 11.0+. 


Some iOS/macOS profile types for Device Configuration that work for all enrollment types are listed below:

  • iOS and macOS >>  Wi-Fi, SCEP
  • macOS only >> VPN
  • iOS only  >> Email, PKCS certificate 


Settings Categorized by Enrollment Type
With the addition of User Enrollment alongside Device Enrollment and Automated Device Enrollment, we’re going to make it easier for you to intuitively navigate our settings UI by adding categorization headers to clarify which settings apply based on each of the enrollment types.

In the September Intune update or 1909, we’ll introduce categories that separate iOS and macOS settings by the enrollment type to which they apply. This new categorization pertains to device features and device restrictions for iOS and macOS profile types, along with the extensions profile type for macOS. This will make it easier to see which settings will apply to the devices you want to target based on how they were enrolled.

Note that these UI changes do not affect any existing profiles or Graph.

The new iOS/macOS enrollment headers and descriptions that will be on the blades are as follows: 


MacOS

  • All enrollment types: These settings work for all devices enrolled in Intune, regardless of enrollment type.
  • Device enrollment: These settings work for devices that were enrolled in Intune through device enrollment.
  • User approved and automated device enrollment: These settings work for devices that were enrolled in Intune with user approval, and for devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices.
  • Automated device enrollment: These settings work for devices that were enrolled in Intune using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices. 


iOS

  • All enrollment types: These settings work for devices that were enrolled in Intune through device enrollment or user enrollment, and for devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices.
  • Device enrollment and automated device enrollment: These settings work for devices that were enrolled in Intune through device enrollment, and for devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices. 
  • Automated device enrollment: These settings work for supervised devices that were enrolled in Intune using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes devices supervised through Apple Configurator. 


Some additional changes

  • For devices running macOS 10.15 or later, FileVault encryption policies will only be targeted to those devices that are enrolled with user approval. 
  • Be sure to read the important note in documentation under the Settings apply to: Device enrollment, Automated device enrollment (supervised) section related to  pin: https://docs.microsoft.com/intune/device-restrictions-ios#password 
  • allowFilesNetworkDriveAccess, allowFilesUSBDriveAccess, and forceWiFiPowerOn are device restrictions that were released in a later beta of iOS 13.0, and are all going to be available with the October or 1910 release. Once iOS 13.0/iPadOS 13.0 are released the Apple, you can configure these settings right away using Custom Configuration within Device Configuration.

 

Post Updated

  • Updated 9/26/19 with a few additional clarifications on supervised devices, WiFi, and passcode policy.
  •  Updated 10/1/19 to link to doc's for pin information, Wi-Fi update. 

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.