Later this month, Apple will release iOS 18 and macOS 15 to its users. To ensure that organizations can manage their devices with these new systems on day one, Microsoft has been working to update Intune so that existing features will work as expected. It's also working to develop new features that integrate with the latest versions.
In iOS and iPadOS 18, Apple doesn't let you do profile-based User Enrollment, so Intune is going to end support for Apple User Enrollment with Company Portal soon. For this reason, you'll need to use another management method to enroll devices. Microsoft recommends using account-driven User Enrollment, which offers similar functionality and a better user experience. There is also a simpler option called web-based device enrollment for iOS/iPadOS.
For those already using User Enrollment with Company Portal, Microsoft says that devices won't be impacted and will continue to be enrolled. You won't be able to enroll new devices targeted with this enrollment method, and Microsoft's Intune technical support will only be available for devices enrolled with this method.
Next up, Microsoft says that Intune now supports the new settings options that Apple has added to iOS, iPadOS, and macOS in the latest versions. New settings include:
Disk Management
- External Storage: Control the mount policy for external storage
- Network Storage: Control the mount policy for network storage
Safari Extension Settings
- Allowed Domains: Control the domain and sub-domains that the extension can access
- Denied Domains: Control the domain and sub-domains that the extension cannot access
- Private Browsing: Control whether an extension is allowed in Private Browsing
- State: Control whether an extension is allowed, disallowed, or configurable by the user
Software Update Settings
- Allow Standard User OS Updates: Control whether a standard user can perform Major and Minor software updates
Software Update Settings > Automatic updates
- Allowed: Specifies whether automatic downloads of available updates can be controlled by the user
- Download: Specifies whether automatic downloads of available updates can be controlled by the user
- Install OS Updates: Specifies whether automatic install of available OS updates can be controlled by the user
- Install Security Update: Specifies whether automatic install of available security updates can be controlled by the user
Software Update Settings > Deferrals
- Combined Period In Days: Specifies the number of days to defer a major or minor OS software update on the device
- Major Period In Days: Specifies the number of days to defer a major OS software update on the device
- Minor Period In Days: Specifies the number of days to defer a minor OS software update on the device
- System Period In Days: Specifies the number of days to defer system or non-OS updates. When set, updates only appear after the specified delay, following the release of the update
- Notifications: Configure the behavior of notifications for enforced updates
Software Update Settings > Rapid Security Response
- Enable: Control whether users are offered Rapid Security Responses when available
- Enable Rollback: Control whether users are offered Rapid Security Response rollbacks
- Recommended Cadence: Specifies how the device shows software updates to the user
New settings for MDM include:
Extensible Single Sign On (SSO) > Platform SSO
- Authentication Grace Period: The amount of time after a "FileVault Policy", "Login Policy", or "Unlock Policy" is received or updated that unregistered local accounts can be used
- FileVault Policy: The policy to apply when using Platform SSO at FileVault unlock on Apple Silicon Macs
- Login Policy: The policy to apply when using Platform SSO at the login window
- Non Platform SSO Accounts: The list of local accounts that are not subject to the "FileVault Policy", "Login Policy", or "Unlock Policy"
- Offline Grace Period: The amount of time after the last successful Platform SSO login a local account password can be used offline
- Unlock Policy: The policy to apply when using Platform SSO at screensaver unlock
Extensible Single Sign On Kerberos
- Allow Password: Allow the user to switch the user interface to Password mode
- Allow SmartCard: Allow the user to switch the user interface to SmartCard mode
- Identity Issuer Auto Select Filter: A string with wildcards that can be used to filter the list of available SmartCards by issuer, e.g. "*My CA2*"
- Start In Smart Card Mode: Control if the user interface will start in SmartCard mode
Restrictions
- Allow ESIM Outgoing Transfers
- Allow Personalized Handwriting Results
- Allow Video Conferencing Remote Control
- Allow Genmoji
- Allow Image Playground
- Allow Image Wand
- Allow iPhone Mirroring
- Allow Writing Tools
System Policy Control
- Enable XProtect Malware Upload
With the upcoming Intune September (2409) release, the new DDM settings will be:
Math
- Calculator
- Basic Mode
- Add Square Root
- Scientific Mode - Enabled
- Programmer Mode - Enabled
- Input Modes - Unit Conversion
- System Behavior - Keyboard Suggestions
- System Behavior - Math Notes
New MDM settings for Intune’s 2409 (September) release include:
System Extensions
- Non Removable System Extensions
- Non Removable System Extensions UI
Web Content Filter
- Hide Deny List URLs
Microsoft is also going to add six new Setup Assistant screens that admins can choose to show or hide when creating an Automated Device Enrollment (ADE) policy. These options include:
- Emergency SOS (iOS/iPadOS 16+): The IT admin can choose to show or hide the iOS/iPadOS Safety (Emergency SOS) setup pane that is displayed during Setup Assistant.
- Action button (iOS/iPadOS 17+): The IT admin can choose to show or hide the iOS/iPadOS Action button configuration pane that is displayed during Setup Assistant.
- Intelligence (iOS/iPadOS 18+): The IT admin can choose to show or hide the iOS/iPadOS Intelligence setup pane that is displayed during Setup Assistant.
- Wallpaper (macOS 14+): The IT admin can choose to show or hide the macOS Sonoma wallpaper setup pane that is displayed after an upgrade. If the screen is hidden, the Sonoma wallpaper will be set by default.
- Lockdown mode (macOS 14+): The IT admin can choose to show or hide the macOS Lockdown Mode setup pane that is displayed during Setup Assistant.
- Intelligence (macOS 15+): The IT admin can choose to show or hide the macOS Intelligence setup pane that is displayed during Setup Assistant.
All of these Apple operating system updates are due for release on September 16.