Microsoft Endpoint Manager support for iOS 14, iPadOS 14 and watchOS 7

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

Microsoft Intune is excited to support Apple in their launch of iOS 14, iPadOS 14, and watchOS 7. We are delighted to deliver new functionality alongside Apple’s launch – ensuring you can be at the cutting edge to support your users wherever they are working or learning this fall.

 

Here are the new Apple scenarios we support and updates we’ve made to provide the best MDM and APP experience:

  • In our September release, we support several new configurations for MDM enrolled iOS and iPadOS 14.0+ devices, including:
    • Disable iOS/iPadOS App Clips
    • 4096-bit SCEP certificate keys
    • Custom maximum transmission unit (MTU) values for IKEv2 VPN connections
    • Per-account VPN routing for the native Mail app
    • Prevent users from disabling automatic VPN
    • Associated domains for per-app VPN connections
    • Excluded domains for per-app VPN connections

  • Apple Business Manager and Apple School Manager have been updated with a new view for all devices and Custom Apps functionality for distributing apps internal to your organization. Last year’s integration with Microsoft Azure Active Directory to enable Federated Authentication for Managed Apple IDs now works alongside SCIM (System for Cross-domain Identity Management) to help keep account data in sync.

  • There have been improvements to the Apple Push Notification service (APNs) to improve communication, which Intune supports.

In upcoming releases, we plan to add even more features to support your Apple management journey, including skipping Restore Completed and Update Completed panes during Automated Device Enrollments on iOS and iPadOS 14.0+.

 

With iOS and iPadOS 14, devices will automatically present a randomized MAC address for enhanced privacy when connecting to networks rather than defaulting to physical MAC addresses. If you rely on static MAC addresses in your environment, which may be used for network access control (NAC), you can disable MAC address randomization on a per-network basis in your Wi-Fi profile configuration for iOS and iPadOS 14 in our September release.

 

When you use the “Required” assignment type for apps on iOS and iPadOS 14 devices, the apps are marked as non-removable. This ensures that these mission-critical apps cannot be uninstalled by the user. Existing apps assigned as “Required” will start receiving the new non-removable setting when enrolled devices update to iOS and iPadOS 14.

 

In iOS 14, users can set their default mail and browser apps. The latest Outlook version (4.55.1) supports this functionality, and Edge supports it as of version 45.8.9.

 

iOS and iPadOS 14 offer the ability for app developers to provide widgets that present key information from apps on users’ home screens. If an app creates a widget, that widget will show up on the user's device. Microsoft Endpoint Manager will not obscure the information displayed in widgets. If a widget from a protected app contains any links, APP will protect those links in the same way that links within the app are protected.

 

In iOS and iPadOS 14, there are some updates to how pasteboard works. Here’s what this means for your apps protected with APP:

  • For apps that have not updated to the most recent version of the Intune SDK (12.9.0), managed accounts trigger pasteboard notifications frequently. This is because Intune checks the pasteboard when the app becomes active to ensure data on the pasteboard is being protected correctly. For iOS and iPadOS 14, Intune has changed this so that restrictions are applied on paste/copy rather than on app launch/resume.
  • Because Intune can no longer read the content without triggering a pasteboard notification, it is not possible to hide the paste button (where we would have blocked the paste action) for accounts with a non-zero paste in exception policy. This paste button will only appear until a paste action has been taken and will paste "Your personal data cannot be pasted here. Only <admin-defined number> characters are allowed." when selected. After the first paste in the managed app, we will know of the contents and can properly hide the button.

In 2021, Apple will update the format of serial numbers for products to a randomized string of 10 characters. This should not impact your Intune enrollments.

 

We recently brought support for Shared iPad to iPadOS 13.0+ devices enrolled through Automated Device Enrollment and Apple Configurator 2 and are working hard to bring this support to iPadOS 14 devices as well.

 

We’re investigating an issue with iOS and iPadOS 14 and OneDrive where users cannot access OneDrive files through the Files app or FileProvider API when the device is enrolled with the following device restrictions:

  • “Viewing corporate documents in unmanaged apps” is blocked.
  • “Viewing non-corporate documents in corporate apps” is not configured.

We have recently made changes to our iPadOS enrollment service that are live for public cloud tenants already. These changes are rolling out to the government cloud in the next week. In the meantime, if you would like to enroll a device running iPadOS 14 through the Company Portal, you can follow a few simple steps:

  1. Go to iOS Settings > Safari > Request Desktop Websites and turn off “Request Desktop Website on All Websites”
  2. Go to iOS Settings > Safari and select the Clear History and Website Data option
  3. Log into the Company Portal app and enroll your device

Apple is posting updated versions of operating system software license agreements to Apple Business Manager on September 16, 2020. Once posted, your organization won’t be able to enroll devices or deploy new apps until an administrator has signed into Apple Business Manager and accepted the new terms.

 

For more information, see the Apple Support article “If Apple Business Manager or Apple School Manager asks you to approve new terms and conditions”.

 

Known Issues:

MAC address randomization is on by default for both iOS 14 and iPadOS 14, which breaks network access control (NAC) for Wi-Fi where the MAC address is used as the lookup key.

We’re releasing the ability to turn this feature off within the 2009 service release. As this feature will be rolling out gradually over the next few days, there will be a gap where these devices won’t be able to connect to NAC-enabled Wi-Fi until the user turns off MAC address randomization.

As a workaround, impacted users will need to manually turn off MAC address randomization in the Wi-Fi Network Settings on their devices after they upgrade to iOS 14 and iPadOS 14. Note that this is a per-network setting and will need to be applied to each impacted Wi-Fi network on the device.
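To gauge how many devices the known issue above affects, a NAC administrator can look for rejected clients whose MAC address has the locally administered bit set, which is how a randomized (private) address differs from a vendor-assigned one. The following is an added example, not part of the original post or of Intune; the log format, SSIDs and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical NAC/RADIUS log format (not from any product).
SAMPLE_LOG = """\
2020-09-17T08:01:12Z result=REJECT ssid=Corp-WiFi station=3A-5F-9C-11-22-33 reason=unknown-mac
2020-09-17T08:01:40Z result=ACCEPT ssid=Corp-WiFi station=F0:18:98:AA:BB:CC
2020-09-17T08:02:05Z result=REJECT ssid=Corp-WiFi station=f018.98dd.eeff reason=unknown-mac
2020-09-17T08:03:31Z result=REJECT ssid=Lab-WiFi station=de:ad:be:ef:00:01 reason=unknown-mac
2020-09-17T08:04:02Z result=REJECT ssid=Corp-WiFi station=not-a-mac reason=unknown-mac
"""

LINE_RE = re.compile(
    r"result=(?P<result>\w+)\s+ssid=(?P<ssid>\S+)\s+station=(?P<station>\S+)"
)

def normalize_mac(raw):
    """Accept colon, hyphen or dotted notation; return aa:bb:cc:dd:ee:ff or None."""
    digits = re.sub(r"[:\-.]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True for a unicast address with the locally administered bit (0x02) set."""
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)

def rejected_private_macs(log_text):
    """Group rejected, locally administered client addresses by SSID.

    Grouping by SSID matters because randomization is a per-network setting.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "REJECT":
            continue
        mac = normalize_mac(m["station"])
        if mac and is_locally_administered(mac):
            hits[m["ssid"]].add(mac)
    return {ssid: sorted(macs) for ssid, macs in hits.items()}

if __name__ == "__main__":
    for ssid, macs in rejected_private_macs(SAMPLE_LOG).items():
        print(ssid, macs)
```

A rejected address without the locally administered bit, such as the third sample line, points to a device that is simply not in the NAC inventory rather than to randomization.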

 

What should you do now?

  • If you haven’t been testing with the public beta releases, be sure to test your scenarios now that iOS and iPadOS 14 are releasing.
  • Test out new Endpoint Manager functionality and see how it might apply to scenarios in your organization.
  • Accept Apple’s new versions of operating system software license agreements in Apple Business Manager.

Keep us posted on your favorite new feature and as always let us know if you have any additional questions or feedback. You can comment on this post or reach out to us on Twitter by tagging us at @IntuneSuppTeam.

 

Blog post updates:

9/16/20: Included a known issue section.
