diff --git a/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md b/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md
index 898039c0d9d..fe05e7e7a5a 100644
--- a/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md
+++ b/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md
@@ -29,7 +29,7 @@ The Microsoft Store for Business and Education supports two types of app:
- **Offline**: This type lets you cache apps and licenses to deploy directly within your on-premises network. Devices don't need to connect to the store or have a connection to the internet.
-For more information, see the [Microsoft Store for Business and Education overview](/microsoft-store/microsoft-store-for-business-overview).
+For more information, see the [Microsoft Store for Business and Education overview](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business).
### Summary of capabilities
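Review bot: The new target for "Microsoft Store for Business and Education overview" in the "For more information" line is /mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business, which matches the path of the file being edited, so the link appears to send readers back to the page they are already on. Point it at an article that actually gives the overview, or drop the sentence.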
@@ -64,7 +64,7 @@ Before deploying Microsoft Store for Business and Education apps to devices that
- When the local Administrator account signs in on the device, it can't access Microsoft Store for Business and Education apps.
-- Devices need a live internet connection to the Microsoft Store for Business and Education. For more information including proxy configuration, see [Prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business).
+- Devices need a live internet connection to the Microsoft Store for Business and Education. For more information including proxy configuration, see [Prerequisites](/mem/intune/apps/store-apps-microsoft).
## Set up synchronization
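Review bot: The "Prerequisites" link in the live-internet-connection bullet still promises "proxy configuration", but its new target /mem/intune/apps/store-apps-microsoft is, by its path, an Intune store-apps article. Confirm that page documents the proxy requirements for these devices; if it doesn't, reword the sentence so it no longer advertises proxy details, because admins rely on this pointer when deciding what to allow through the proxy.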
@@ -72,13 +72,13 @@ When you synchronize the list of Microsoft Store for Business and Education apps
Connect your Configuration Manager site to Microsoft Entra ID and the Microsoft Store for Business and Education. For more information and details of this process, see [Configure Azure services](../../core/servers/deploy/configure/azure-services-wizard.md). Create a connection to the **Microsoft Store for Business** service.
-Make sure the service connection point and targeted devices can access the cloud service. For more information, see [Prerequisites for Microsoft Store for Business and Education - Proxy configuration](/microsoft-store/prerequisites-microsoft-store-for-business#proxy-configuration).
+Make sure the service connection point and targeted devices can access the cloud service. For more information, see [Prerequisites for Microsoft Store for Business and Education - Proxy configuration](/mem/intune/apps/store-apps-microsoft).
### Supplemental information and configuration
On the **App** page of the Azure Services Wizard, first configure the **Azure environment** and **Web app**. Then read the **More Information** section at the bottom of the page. This information includes the following other actions in the Microsoft Store for Business and Education portal:
-- Configure Configuration Manager as the store management tool. For more information, see [Configure management provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
+- Configure Configuration Manager as the store management tool. For more information, see [Configure management provider](/windows/client-management/azure-active-directory-integration-with-mdm).
- Enable support for offline licensed apps. For more information, see [Distribute offline apps](/microsoft-store/distribute-offline-apps).
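Review bot: The link in the "Make sure the service connection point and targeted devices can access the cloud service" line keeps the text "Prerequisites for Microsoft Store for Business and Education - Proxy configuration" but loses the #proxy-configuration fragment and now lands on /mem/intune/apps/store-apps-microsoft, so the text names a section the URL no longer targets. Separately, the unchanged "Distribute offline apps" bullet still points to /microsoft-store/distribute-offline-apps while the other /microsoft-store/ links in this file were replaced; check whether it needs the same treatment, and check that /windows/client-management/azure-active-directory-integration-with-mdm actually covers "Configure management provider".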
diff --git a/memdocs/configmgr/comanage/autopilot-enrollment.md b/memdocs/configmgr/comanage/autopilot-enrollment.md
index c66b33772e5..f8b1cd070a8 100644
--- a/memdocs/configmgr/comanage/autopilot-enrollment.md
+++ b/memdocs/configmgr/comanage/autopilot-enrollment.md
@@ -131,6 +131,8 @@ Use these recommendations for a more successful deployment:
## Limitations
+- [Windows Autopilot device preparation](/autopilot/device-preparation/overview) policy doesn't support Autopilot into co-management. As a result, attempting to install co-management during the device preparation flow might result in failed deployments.
+
- For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads.
To change the management authority to Configuration Manager, set the following registry key value:
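Review bot: In the added limitation, "doesn't support Autopilot into co-management" is hard to parse and "attempting to install co-management" doesn't name a concrete action. If the intent is the Configuration Manager client install that the next bullet describes ("Installing Configuration Manager client as Win32 app"), say so explicitly, and treat "Autopilot into co-management" as a named feature so the sentence reads cleanly.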
diff --git a/memdocs/configmgr/comanage/company-portal.md b/memdocs/configmgr/comanage/company-portal.md
index 1009028794b..ee7cd4cfd49 100644
--- a/memdocs/configmgr/comanage/company-portal.md
+++ b/memdocs/configmgr/comanage/company-portal.md
@@ -83,7 +83,7 @@ For more information on client settings, see the following articles:
- To require the app on co-managed devices, the deployment process depends upon the state of the [Client apps](workloads.md#client-apps) co-management workload:
- - If the client apps workload is with Configuration Manager, [create and deploy an application with Configuration Manager](../apps/get-started/create-and-deploy-an-application.md). Download the offline Company Portal app from the [Microsoft Store for Business](https://www.microsoft.com/business-store).
+ - If the client apps workload is with Configuration Manager, [create and deploy an application with Configuration Manager](../apps/get-started/create-and-deploy-an-application.md).
- If the client apps workload is with Intune, you can deploy it via Configuration Manager or [add the Company Portal app by using Microsoft Intune](../../intune/apps/store-apps-company-portal-app.md).
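Review bot: With "Download the offline Company Portal app from the Microsoft Store for Business" removed, the Configuration Manager sub-bullet no longer says where the Company Portal app content comes from. Add the replacement source, or link to the article that covers it, so the step stays actionable.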
diff --git a/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md b/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md
index f32a6bb64c2..6214a4a8f95 100644
--- a/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md
+++ b/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md
@@ -19,7 +19,7 @@ Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Repor
- Power BI Report Server license. For more information, see [Licensing Power BI Report Server](/power-bi/report-server/get-started#licensing-power-bi-report-server).
-- Download [Microsoft Power BI Report Server-September 2019](https://www.microsoft.com/download/details.aspx?id=57270).
+- Download [Microsoft Power BI Report Server-September 2024](https://www.microsoft.com/download/details.aspx?id=105945).
- Download [Microsoft Power BI Desktop (Optimized for Power BI Report Server - September 2019)](https://www.microsoft.com/download/details.aspx?id=58494).
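Review bot: The Report Server download moves to September 2024 (id=105945), but the next bullet still tells readers to download Power BI Desktop "Optimized for Power BI Report Server - September 2019" (id=58494). The Desktop link text ties it to a specific Report Server release, so update that bullet as well or state which Desktop build goes with the newer server.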
diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md
index 85dfae9bfc4..eb0ad42ba58 100644
--- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md
+++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md
@@ -23,7 +23,7 @@ This article introduces the features that are available in the Technical Preview
The following are new features you can try out with this version.
## Manage volume-purchased apps from the Windows Store for Business
- The [Windows Store for Business](https://www.microsoft.com/business-store) is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example:
+ The Windows Store for Business is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example:
- You can synchronize the list of purchased apps with Configuration Manager
@@ -35,7 +35,7 @@ This article introduces the features that are available in the Technical Preview
##### Scenario 1: Set up Windows Store for Business synchronization
-1. In Microsoft Entra ID, register Configuration Manager as a "Web Application and/or Web API" management tool. This will give you a client ID that you will need later.
+1. In Microsoft Entra ID, register Configuration Manager as a "Web Application and/or Web API" management tool. This will give you a client ID that you'll need later.
1. In the **Active Directory** node of [https://portal.azure.com](https://portal.azure.com), select your Microsoft Entra ID, then click **Applications** > **Add**.
@@ -43,7 +43,7 @@ This article introduces the features that are available in the Technical Preview
3. Enter a name for the application, select **Web application** and/or **Web API**, then click the Next arrow.
- 4. Enter the same URL for both the **Sign-on URL** and **App ID URI**. The URL can be anything and does not need to resolve to a real address. For example, you can enter **https://<yourdomain\>/sccm**.
+ 4. Enter the same URL for both the **Sign-on URL** and **App ID URI**. The URL can be anything and doesn't need to resolve to a real address. For example, you can enter **https://<yourdomain\>/sccm**.
5. Complete the wizard.
@@ -51,11 +51,11 @@ This article introduces the features that are available in the Technical Preview
1. Highlight the application you just created and click **Configure**.
- 2. Under **Keys**, select a duration from the list, and click **Save**. This will create a new client key. Do not navigate away from this page until you have successfully onboarded Windows Store for Business to Configuration Manager.
+ 2. Under **Keys**, select a duration from the list, and click **Save**. This will create a new client key. Don't navigate away from this page until you have successfully onboarded Windows Store for Business to Configuration Manager.
3. In the Windows Store for Business, configure Configuration Manager as the store management tool.
- 1. Open [https://businessstore.microsoft.com/en-us/managementtools](https://businessstore.microsoft.com/en-us/managementtools) and sign-in if prompted.
+ 1. Open Windows Store for Business and sign-in if prompted.
2. Accept the terms of use if required.
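Review bot: In step 3.1 the replacement "Open Windows Store for Business and sign-in if prompted" drops a URL that pointed specifically at the managementtools page without saying where that page is now, and it uses "sign-in" as a verb. Suggest "sign in if prompted" and a short description of which page in the store to open.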
@@ -73,9 +73,9 @@ This article introduces the features that are available in the Technical Preview
6. On the **Home** tab, in the **Create** group, click **Add Windows Store for Business Account**.
-7. Add your tenant ID, client id, and client key from Microsoft Entra ID, then complete the wizard.
+7. Add your tenant ID, client ID, and client key from Microsoft Entra ID, then complete the wizard.
-8. Once you are done, you will see the account you configured in the **Windows Store for Business Accounts** list in the Configuration Manager console.
+8. Once you're done, you'll see the account you configured in the **Windows Store for Business Accounts** list in the Configuration Manager console.
##### Scenario 2: Create and deploy a Configuration Manager application from a Windows Store for Business offline licensed app
@@ -103,7 +103,7 @@ This article introduces the features that are available in the Technical Preview
## Client settings to manage Client Cache Settings and client Peer Cache
Technical preview version 1604 introduces two new device client settings that affect the use of a client's cache. Both can be used individually but are configured on the same property sheet for client settings and combine to help you manage deployment of content to your clients in remote locations.
-- First is **client Peer Cache**, a built-in Configuration Manager solution for clients to share content with other clients directly from their local cache. For Peer Cache clients to share content, they must be members of the same boundary group. Peer Cache does not replace the use of other solutions like BracnchCache but instead works side-by-side to give you more options to extend traditional content deployment solutions like distribution points.
+- First is **client Peer Cache**, a built-in Configuration Manager solution for clients to share content with other clients directly from their local cache. For Peer Cache clients to share content, they must be members of the same boundary group. Peer Cache doesn't replace the use of other solutions like BracnchCache but instead works side-by-side to give you more options to extend traditional content deployment solutions like distribution points.
After you deploy client settings that enable Peer Cache to a collection, members of that collection can act as a peer content source for other clients in its boundary group. The client that operates as a peer content source will submit a list of available content it has cached to its management point. Then, when the next client in that boundary group requests that content, the peer cache source is offered as a potential content source along with all distribution points that are configured to be fast. The client selects a random content source from this combined pool of content sources. Clients will only seek content from a distribution point that is configured to be slow when no fast distribution points or peer cache sources are present in the boundary group.
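Review bot: The edited client Peer Cache bullet still spells the product "BracnchCache". Since the line is being changed anyway, correct it to "BranchCache".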
@@ -116,7 +116,7 @@ To help you understand the use of client Peer Cache, you can view the **Client D
- You must configure your site with a **Network Access Account** that has **Full Control** to the cache folder on each client. By default, this is **%windir%\ccmcache**
-- Clients can only transfer content using Peer Cache when they are members of the same boundary group.
+- Clients can only transfer content using Peer Cache when they're members of the same boundary group.
#### To configure Client Peer Cache client settings
@@ -142,9 +142,9 @@ To help you understand the use of client Peer Cache, you can view the **Client D
## Support for Passport for Work as a KSP
Configuration Manager lets you integrate with Microsoft Passport for Work which is an alternative sign-in method that uses Active Directory, or a Microsoft Entra account to replace a password, smart card, or virtual smart card.
-Passport lets you use a user gesture to login, instead of a password. A user gesture might be a simple PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader.
+Passport lets you use a user gesture to log in, instead of a password. A user gesture might be a simple PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader.
-- You can use Configuration Manager to control which gestures users can and cannot use to login, and to configure PIN complexity requirements.
+- You can use Configuration Manager to control which gestures users can and can't use to log in, and to configure PIN complexity requirements.
- You can store authentication certificates in the Passport for Work key storage provider (KSP).
@@ -162,4 +162,4 @@ When a user creates a Passport PIN, Windows sends a notification which Configura
To try it out, configure on-premises Health Attestation Service using client agent settings.
## SmartLock setting for Android devices
- A new setting, **Allow SmartLock and other trust agents** has been added to the **Android and Samsung KNOX** configuration item that lets you control the SmartLock feature on compatible Android devices. This phone capability, sometimes known as trust agents lets you disable or bypass the device lock screen password if the device is in a trusted location such as when it is connected to a specific Bluetooth device, or when it is near to an NFC tag. You can use this setting to prevent end users from configuring SmartLock.
+ A new setting, **Allow SmartLock and other trust agents** has been added to the **Android and Samsung KNOX** configuration item that lets you control the SmartLock feature on compatible Android devices. This phone capability, sometimes known as trust agents lets you disable or bypass the device lock screen password if the device is in a trusted location such as when it's connected to a specific Bluetooth device, or when it's near to an NFC tag. You can use this setting to prevent end users from configuring SmartLock.
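Review bot: The SmartLock sentence is only changed for contractions and still lacks the commas after the bolded setting name and around "sometimes known as trust agents". The version 1606 what's-new article in this same change already has the punctuated form ("**Allow Smart Lock and other trust agents**, has been added" and "sometimes known as "trust agents," lets you"); reuse that punctuation here.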
diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md
index ae2b899814a..5288d9918e5 100644
--- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md
+++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md
@@ -48,7 +48,7 @@ This article introduces the features that are available in the Technical Preview
The Prepare ConfigMgr Client step will now completely remove the Configuration Manager client, instead of only removing key information. When the task sequence deploys the captured operating system image it will install a new Configuration Manager client each time.
## Grace period for required application deployments
- In some cases, you might want give users more time to install required application deployments beyond any deadlines you configured. For example, if an end user has just returned from vacation, they might have to wait for a long while as overdue application deployments are installed. However, they can still immediately install the application at any time they want.
+ In some cases, you might want to give users more time to install required application deployments beyond any deadlines you configured. For example, if an end user has just returned from vacation, they might have to wait for a long while as overdue application deployments are installed. However, they can still immediately install the application at any time they want.
To help solve this problem, you can now define a **grace period** by deploying Configuration Manager client settings to a collection.
@@ -79,7 +79,7 @@ Common actions such as **Retire/Wipe**, **Reset Passcode**, **Remote Lock**, and
- On the main page of the **Devices** node (not all columns might be visible by default).
## Windows Store for Business apps
- The [Windows Store for Business](https://www.microsoft.com/business-store) is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example:
+ The Windows Store for Business is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example:
- You can synchronize the list of purchased apps with Configuration Manager
@@ -111,7 +111,7 @@ Common actions such as **Retire/Wipe**, **Reset Passcode**, **Remote Lock**, and
3. In the Windows Store for Business, configure Configuration Manager as the store management tool.
- 1. Open [https://businessstore.microsoft.com](https://businessstore.microsoft.com/) and sign-in if prompted.
+ 1. Open Windows Store for Business and sign-in if prompted.
2. Accept the terms of use if necessary.
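Review bot: Step 3.1 now reads "Open Windows Store for Business and sign-in if prompted", which uses "sign-in" as a verb and, with the URL removed, no longer tells the reader where to go. Use "sign in" and add a short description of the page to open.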
diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md
index ee3fcbdb05c..95b83dddb66 100644
--- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md
+++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md
@@ -57,7 +57,7 @@ When you associate a collection with a device category, all devices in the categ
## Enforcement grace period for required application and software update deployments
-In some cases, you might want give users more time to install required application deployments or software updates beyond any deadlines you configured. This might typically be required when a computer has been turned off for an extended period of time and needs to install a large number of application or update deployments.
+In some cases, you might want to give users more time to install required application deployments or software updates beyond any deadlines you configured. This might typically be required when a computer has been turned off for an extended period of time and needs to install a large number of application or update deployments.
For example, if an end user has just returned from vacation, they might have to wait for a long while as overdue application deployments are installed.
To help solve this problem, you can now define an enforcement grace period by deploying Configuration Manager client settings to a collection.
@@ -76,7 +76,7 @@ Similar options have been added to the software updates deployment wizard, autom
Device Guard is a Windows 10 feature that uses hardware and software features to strictly control what is allowed to run on the device.
-For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).
+For more information, see [Introduction to Device Guard](/windows-server/security/security-and-assurance).
In this release, Configuration Manager can interoperate with Device Guard and [Windows AppLocker](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd723678(v=ws.10)) so that executable and DLL files that are deployed with Configuration Manager are automatically trusted as they come from a Managed Installer, meaning that they will be allowed to run on the target device and other software will not be allowed to run unless explicitly allowed to run by other AppLocker rules.
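Review bot: The "Introduction to Device Guard" link now goes to /windows-server/security/security-and-assurance, which by its path is a general Windows Server security page, while the surrounding text describes Device Guard as a Windows 10 feature. Confirm the target still explains Device Guard, or retitle the link so the text matches where it lands.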
@@ -91,12 +91,12 @@ Like all AppLocker policies, policies with Managed Installer rules can run in tw
For more information, see the following articles:
-- [Device Guard introduction](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+- [Device Guard introduction](/windows-server/security/security-and-assurance)
- [Planning and getting started on the Windows Defender Application Control deployment process](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
## Multiple device management points for On-premises Mobile Device Management
- With Technical Preview 1606, On\-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fallback to another device management point when the one it normal uses is not available. This capability only works for PCs with Windows 10 Anniversary Update installed.
+ With Technical Preview 1606, On\-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point when the one it normal uses is not available. This capability only works for PCs with Windows 10 Anniversary Update installed.
### Try it out!
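Review bot: The on-premises MDM paragraph fixes "fallback" but leaves "the one it normal uses is not available" in the same sentence; the what's-new article in this change has "normally uses". The "Device Guard introduction" list item earlier in this hunk also gets the general /windows-server/security/security-and-assurance target, so check that the link text still matches the destination.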
@@ -150,7 +150,7 @@ You can create a custom SSL certificate for Cloud Proxy Service in the same way
#### Export the client certificate's root
-The easiest way to get export the root of the client certificates used on the network, is to open a client certificate on one of the domain-joined machines that has one and copy it.
+The easiest way to get export the root of the client certificates used on the network is to open a client certificate on one of the domain-joined machines that has one and copy it.
>[!NOTE]
>Client certificates are required on any computer you want to manage with Cloud Proxy Service and on the site system server hosting the cloud proxy connector point. If you need to add a client certificate to any of these machines, see [Deploying the Client Certificate for Windows Computers](../plan-design/network/example-deployment-of-pki-certificates.md#BKMK_clouddp2008_cm2012).
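Review bot: The changed sentence under "Export the client certificate's root" removes the stray comma but still reads "The easiest way to get export the root". Drop "get" so it reads "The easiest way to export the root of the client certificates used on the network is to ...".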
@@ -257,4 +257,4 @@ With Technical Preview 1606 several changes have been introduced that apply to U
- **Renamed option for pre-production:**
- In the Updates and Servicing node, the button what was named **Client options** is now renamed to **Promote Pre-production Client**.
\ No newline at end of file
+ In the Updates and Servicing node, the button what was named **Client options** is now renamed to **Promote Pre-production Client**.
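Review bot: The re-added final line, now with a trailing newline, still says "the button what was named". Change "what" to "that" while the line is being rewritten.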
diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md
index e0252ae279b..c42b62a9600 100644
--- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md
+++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md
@@ -47,7 +47,7 @@ The following are changes to the Updates and Servicing node in the Configuration
- **Prerequisites Check**
- **Installation**
- Additionally, there is now more detailed information for each step, including which log file you can view for more information.
+ Additionally, there's now more detailed information for each step, including which log file you can view for more information.
- **New option to retry prerequisite failures:**
In both the **Administration** and **Monitoring** workspaces, the **Updates and Servicing** node includes a new button on the ribbon called **Ignore prerequisite warnings**.
@@ -71,7 +71,7 @@ Beginning with 1606, you must give consent to use pre-release features in Config
### New distribution point update behavior
Update 1606 introduces changes that improve the availability of distribution points when you install future updates.
-After update 1606 is installed, when you next install an update at that site that requires the automatic reinstallation of standard and pull-distribution point site system roles, all distribution points no longer go offline to update at the same time. Instead, the site server uses the site's content distribution settings to distribute the update to a subset of distribution points at any given time. The result is that only some distribution points go offline to install the update. This allows distribution points that have not yet begun to update, or that have completed the update, to remain online and able to provide content to clients.
+After update 1606 is installed, when you next install an update at that site that requires the automatic reinstallation of standard and pull-distribution point site system roles, all distribution points no longer go offline to update at the same time. Instead, the site server uses the site's content distribution settings to distribute the update to a subset of distribution points at any given time. The result is that only some distribution points go offline to install the update. This allows distribution points that haven't yet begun to update, or that have completed the update, to remain online and able to provide content to clients.
@@ -94,14 +94,14 @@ You can now configure the size of the cache folder on client computers with **Cl
### Support for multiple device management points
-On-premises mobile device management (MDM) now supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point, when the one it normally uses is not available. This capability only works for PCs and devices with the Windows 10 Anniversary Update installed.
+On-premises mobile device management (MDM) now supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point, when the one it normally uses isn't available. This capability only works for PCs and devices with the Windows 10 Anniversary Update installed.
## Application management
### Manage apps from the Windows Store for Business
-The [Windows Store for Business](https://businessstore.microsoft.com/store/private-store) is where you can find and purchase Windows apps for your organization, either individually or in volume. By connecting the store to Configuration Manager, you can synchronize the list of apps you've purchased with Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app.
+The Windows Store for Business is where you can find and purchase Windows apps for your organization, either individually or in volume. By connecting the store to Configuration Manager, you can synchronize the list of apps you've purchased with Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app.
For details, see [Manage apps from the Windows Store for Business with Configuration Manager](../../../apps/deploy-use/manage-apps-from-the-windows-store-for-business.md).
@@ -118,7 +118,7 @@ The Software Center user interface has been streamlined for easier discovery.
* Multiple updates can now be selected for installation at once, or all updates can be installed at once by clicking **Install All**.
### Content status links
-On the properties of an application or package, there is now a link that takes you to the status for that object.
+On the properties of an application or package, there's now a link that takes you to the status for that object.
## Software updates
@@ -133,7 +133,7 @@ You can now enable an option that lets Configuration Manager clients switch to a
For details, see [Plan for software updates in Configuration Manager](../../../sum/plan-design/plan-for-software-updates.md#BKMK_ManuallySwitchSUPs).
### Restart options for Windows 10 clients after software update installation
-When a software update that requires a restart is deployed by using Configuration Manager and is installed on a computer, a pending restart is scheduled. A restart dialog box is also displayed. Beginning in Configuration Manager version 1606, the options **Update and Restart** and **Update and Shutdown** are available whenever there is a pending restart for a Configuration Manager software update. These are available in the Windows power options of Windows 10 computers. After using one of these options, the restart dialog box will not display after the computer restarts.
+When a software update that requires a restart is deployed by using Configuration Manager and is installed on a computer, a pending restart is scheduled. A restart dialog box is also displayed. Beginning in Configuration Manager version 1606, the options **Update and Restart** and **Update and Shutdown** are available whenever there's a pending restart for a Configuration Manager software update. These are available in the Windows power options of Windows 10 computers. After using one of these options, the restart dialog box won't display after the computer restarts.
For details, see [Plan for software updates](../../../sum/plan-design/plan-for-software-updates.md#BKMK_RestartOptions).
@@ -153,7 +153,7 @@ The OSDPreserveDriveLetter task sequence variable has been deprecated. Starting
For details, see [Task sequence built-in variables](../../../osd/understand/task-sequence-variables.md).
### Customize the RamDisk TFTP window size for PXE-enabled distribution points
-You can now customize the RamDisk window size for PXE-enabled distribution points. If you have customized your network, it could cause the boot image download to fail with a time-out error, because the window size is too large. The RamDisk Trivial File Transfer Protocol (TFTP) window size customization lets you optimize TFTP traffic when you are using PXE to meet your specific network requirements.
+You can now customize the RamDisk window size for PXE-enabled distribution points. If you have customized your network, it could cause the boot image download to fail with a time-out error, because the window size is too large. The RamDisk Trivial File Transfer Protocol (TFTP) window size customization lets you optimize TFTP traffic when you're using PXE to meet your specific network requirements.
For details, see [Prepare site system roles for operating system deployments with Configuration Manager](../../../osd/get-started/prepare-site-system-roles-for-operating-system-deployments.md#customize-the-ramdisk-tftp-block-and-window-sizes-on-pxe-enabled-distribution-points).
@@ -162,7 +162,7 @@ For details, see [Prepare site system roles for operating system deployments wit
### Smart Lock setting for Android devices
A new setting, **Allow Smart Lock and other trust agents**, has been added to the Android and Samsung KNOX Standard configuration item.
-This setting lets you control the Smart Lock feature on compatible Android devices. This phone capability, sometimes known as "trust agents," lets you disable or bypass the device lock screen password if the device is in a trusted location. For example, a trusted location could be when it is connected to a specific Bluetooth device, or when it is near to an NFC tag. You can use this setting to prevent users from configuring Smart Lock.
+This setting lets you control the Smart Lock feature on compatible Android devices. This phone capability, sometimes known as "trust agents," lets you disable or bypass the device lock screen password if the device is in a trusted location. For example, a trusted location could be when it's connected to a specific Bluetooth device, or when it's near to an NFC tag. You can use this setting to prevent users from configuring Smart Lock.
## Device configuration and protection
@@ -197,7 +197,7 @@ Endpoint Protection can help manage and monitor Microsoft Defender for Endpoint.
For details, see [Microsoft Defender for Endpoint](../../../protect/deploy-use/defender-advanced-threat-protection.md).
### Device categories
-You can create device categories, which can be used to place devices in device collections automatically when you are using Configuration Manager with Microsoft Intune. Users are then required to choose a device category when they enroll a device in Intune. Additionally, you can change the category of a device from the Configuration Manager console.
+You can create device categories, which can be used to place devices in device collections automatically when you're using Configuration Manager with Microsoft Intune. Users are then required to choose a device category when they enroll a device in Intune. Additionally, you can change the category of a device from the Configuration Manager console.
### Predeclare devices with IMEI or iOS serial numbers
@@ -210,4 +210,4 @@ You can now enable Health Attestation services monitoring for Windows 10 PCs by
For details, see [Health attestation for Configuration Manager](../../../core/servers/manage/health-attestation.md#how-to-enable-health-attestation-service-communication-on-configuration-manager-client-computers).
## Remote control
-Allow your users the opportunity to accept or deny file transfers before transferring content from the shared clipboard in a remote control session. Users only need to grant permission once per session, and the viewer does not have the ability to give themselves permission to proceed with the file transfer. You can find this new setting in the **Administration** workspace. Go to **Client Settings**, and then in **Default Settings**, open the **Remote Tools** panel.
+Allow your users the opportunity to accept or deny file transfers before transferring content from the shared clipboard in a remote control session. Users only need to grant permission once per session, and the viewer doesn't have the ability to give themselves permission to proceed with the file transfer. You can find this new setting in the **Administration** workspace. Go to **Client Settings**, and then in **Default Settings**, open the **Remote Tools** panel.
diff --git a/memdocs/configmgr/core/plan-design/network/internet-endpoints.md b/memdocs/configmgr/core/plan-design/network/internet-endpoints.md
index 0b73c8853cc..18c020c93f2 100644
--- a/memdocs/configmgr/core/plan-design/network/internet-endpoints.md
+++ b/memdocs/configmgr/core/plan-design/network/internet-endpoints.md
@@ -106,7 +106,7 @@ If you enroll Windows devices to Microsoft Intune for co-management, make sure t
## Microsoft Store for Business
-If you integrate Configuration Manager with the [Microsoft Store for Business](../../../apps/deploy-use/manage-apps-from-the-windows-store-for-business.md), make sure the service connection point and targeted devices can access the cloud service. For more information, see [Microsoft Store for Business proxy configuration](/microsoft-store/prerequisites-microsoft-store-for-business#proxy-configuration).
+If you integrate Configuration Manager with the [Microsoft Store for Business](../../../apps/deploy-use/manage-apps-from-the-windows-store-for-business.md), make sure the service connection point and targeted devices can access the cloud service. For more information, see [Microsoft Store for Business proxy configuration](/mem/intune/fundamentals/intune-endpoints).
## Delivery optimization
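Review bot: In the changed sentence under "Microsoft Store for Business", the link text still reads "Microsoft Store for Business proxy configuration", but the new target `/mem/intune/fundamentals/intune-endpoints` names Intune endpoints in general and the `#proxy-configuration` anchor is gone. Someone building firewall or proxy rules for the service connection point will follow a link whose label no longer matches its destination. Either reword the link text to match the target, or link to the specific section there that covers the Store endpoints.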
diff --git a/memdocs/configmgr/core/servers/manage/configuring-reporting.md b/memdocs/configmgr/core/servers/manage/configuring-reporting.md
index abb8f3ce477..92fe0a54e8a 100644
--- a/memdocs/configmgr/core/servers/manage/configuring-reporting.md
+++ b/memdocs/configmgr/core/servers/manage/configuring-reporting.md
@@ -92,6 +92,8 @@ Before you can view or manage reports in the Configuration Manager console, you
If you need to change the report server URL, first remove the existing reporting services point. Change the URL, and then reinstall the reporting services point.
- When you install a reporting services point, specify a [Reporting services point account](../../plan-design/hierarchy/accounts.md#reporting-services-point-account). For users from a different domain to run a report, create a two-way trust between domains. Otherwise the report fails to run.
+
+- The account that runs Reporting Services service must belong to the domain local security group **Windows Authorization Access Group**. This grants the account **Allow Read** permissions on the **tokenGroupsGlobalAndUniversal** attribute for all user objects within the domain. Users in a different domain than the reporting services point account need a two-way trust between the domains to successfully run reports.
### Install the reporting services point on a site system
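Review bot: The added prerequisite bullet repeats the two-way trust requirement that the bullet directly above it already states ("For users from a different domain to run a report, create a two-way trust between domains"), so the same condition now appears twice in consecutive bullets. Drop the last sentence of the new bullet. Also, "The account that runs Reporting Services service" has a doubled word, and it leaves unclear whether this means the SSRS Windows service account or the reporting services point account named in the previous bullet. Since the bullet grants read access to **tokenGroupsGlobalAndUniversal** on all user objects, name the account precisely.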
@@ -125,11 +127,7 @@ For more information about configuring site systems, see [Install site system ro
> [!IMPORTANT]
> Configuration Manager makes a connection in the context of the current user to WMI on the selected site system. It uses this connection to retrieve the instance of SQL Server for Reporting Services. The current user must have **Read** access to WMI on the site system, or the wizard can't get the Reporting Services instances.
- - **Reporting services point account**: Select **Set**, and then select an account to use. SQL Server Reporting Services on the reporting services point uses this account to connect to the Configuration Manager site database. This connection is to retrieve the data for a report. Select **Existing account** to specify a Windows user account that you previously configured as a Configuration Manager account. Select **New account** to specify a Windows user account that's not currently configured for use. Configuration Manager automatically grants the specified user access to the site database.
-
- The account that runs Reporting Services must belong to the domain local security group **Windows Authorization Access Group**. This grants the account **Allow Read** permissions on the **tokenGroupsGlobalAndUniversal** attribute for all user objects within the domain. Users in a different domain than the reporting services point account need a two-way trust between the domains to successfully run reports.
-
- The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password.
+ - **Reporting services point account**: Select **Set**, and then select an account to use. SQL Server Reporting Services on the reporting services point uses this account to connect to the Configuration Manager site database. This connection is to retrieve the data for a report. Select **Existing account** to specify a Windows user account that you previously configured as a Configuration Manager account. Select **New account** to specify a Windows user account that's not currently configured for use. Configuration Manager automatically grants the specified user access to the site database. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password.
> [!IMPORTANT]
> The account that you specify must have the **Log on locally** permission on the server that hosts the Reporting Services database.
diff --git a/memdocs/configmgr/core/servers/manage/powerbi-report-server.md b/memdocs/configmgr/core/servers/manage/powerbi-report-server.md
index 4b562ad8ae9..fa82eadb48b 100644
--- a/memdocs/configmgr/core/servers/manage/powerbi-report-server.md
+++ b/memdocs/configmgr/core/servers/manage/powerbi-report-server.md
@@ -28,7 +28,7 @@ Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Repor
- Power BI Report Server license. For more information, see [Licensing Power BI Report Server](/power-bi/report-server/get-started#licensing-power-bi-report-server).
-- Download [Microsoft Power BI Report Server-September 2019](https://www.microsoft.com/download/details.aspx?id=57270), or later.
+- Download [Microsoft Power BI Report Server-September 2024](https://www.microsoft.com/download/details.aspx?id=105945), or later.
- Don't install Power BI Report Server right away. For the proper process based on your environment, see [Configure the reporting services point](#configure-the-reporting-services-point).
- It's recommended that you use a [supported version of Power BI Report Server](/power-bi/report-server/support-timeline). For versioning information, see the [Change log for Power BI Report Server](/power-bi/report-server/changelog).
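Review bot: The download bullet now states "September 2024, or later", which reads as a raised minimum version rather than a refreshed link. If releases between September 2019 and September 2024 still work with the reporting services point, say so, or remove the release name from the link text and rely on the supported-version bullet two lines below so this line doesn't go stale again at the next release.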
diff --git a/memdocs/configmgr/mdm/index.yml b/memdocs/configmgr/mdm/index.yml
index 936153795d7..7ab7e18e6c2 100644
--- a/memdocs/configmgr/mdm/index.yml
+++ b/memdocs/configmgr/mdm/index.yml
@@ -50,10 +50,10 @@ landingContent:
- linkListType: overview
links:
- text: What is Intune?
- url: /intune/fundamentals/what-is-intune
+ url: /mem/intune/fundamentals/what-is-intune
- text: Device management overview
- url: /intune/fundamentals/what-is-device-management
+ url: /mem/intune/fundamentals/what-is-device-management
- linkListType: tutorial
links:
- text: Walkthrough the Microsoft Intune admin center
- url: /intune/fundamentals/tutorial-walkthrough-endpoint-manager
\ No newline at end of file
+ url: /mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager
\ No newline at end of file
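Review bot: The last `url:` line is rewritten but the file still ends without a newline ("\ No newline at end of file" appears for both the old and new version). Since the line is being touched anyway, add the trailing newline so later edits to this YAML don't show a spurious change on the final entry.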
diff --git a/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml b/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml
index 99530884ffc..a2d76c54a8e 100644
--- a/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml
+++ b/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml
@@ -26,6 +26,10 @@ summary: |
- Email profiles
- The co-management resource access workload
+ > [!IMPORTANT]
+ > If above mentioned resource access profiles are configured in Intune, but the applicability to co-managed devices are controlled through the co-management Resource Access workload setting in Configuration Manager, post 2403 upgrade, the Resource Access workload is moved to Intune and hence all resource access profiles
+ configured in Intune are now applicable and enforced to co-managed devices.
+
This article answers your frequently asked questions about these deprecated features.
sections:
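Review bot: In the added `[!IMPORTANT]` block, the second line ("configured in Intune are now applicable and enforced to co-managed devices.") has no `>` prefix, unlike the line above it, so it depends on lazy continuation inside the `summary: |` scalar to stay in the alert. Prefix it with `>` like the first line. The sentence also needs rewording before it ships, because it announces an enforcement change: "If above mentioned", "the applicability ... are controlled" and "post 2403 upgrade" are hard to parse. Suggest stating plainly that after upgrading to version 2403 the Resource Access workload moves to Intune and every resource access profile configured in Intune is enforced on co-managed devices, and tell admins to review those profiles before upgrading.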
@@ -81,8 +85,6 @@ sections:
Starting in version 2211, the prerequisite checker will display a warning for co-managed clients if the resource access workload is on Configuration Manager. If the resource access slider is towards Configuration Manager, they aren't tested or supported in version 2203. Co-management behavior is the same as if you used Configuration Manager 2111 or earlier to switch the resource access workload to Intune.
This Workload slider will be disabled, and you can only use Microsoft Intune to deploy resource access profiles in upcoming Configuration Manager versions.
-
-
- question: |
What alternative options are available?
answer: |
diff --git a/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md b/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md
index 8ab6d41d3db..8e61348e8fe 100644
--- a/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md
+++ b/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md
@@ -61,7 +61,7 @@ Individual Android apps are enabled for APP in a few ways:
For more information on this tool, see [prepare line-of-business apps for app protection policies](../developer/apps-prepare-mobile-application-management.md).
-To see a list of apps enabled with APP, see [managed apps with a rich set of mobile application protection policies](https://www.microsoft.com/cloud-platform/microsoft-intune-apps).
+To see a list of apps enabled with APP, see [managed apps with a rich set of mobile application protection policies](/mem/intune/apps/apps-supported-intune-apps).
## Deployment scenarios
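Review bot: The new link uses a site-absolute path (`/mem/intune/apps/apps-supported-intune-apps`) while the link two lines above it in the same hunk uses a repo-relative `.md` path (`../developer/apps-prepare-mobile-application-management.md`). The target article lives in the same `memdocs/intune/apps/` folder as this file, so a relative link to `apps-supported-intune-apps.md` would match the file's existing convention and let link validation catch a rename.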
diff --git a/memdocs/intune/apps/apps-enterprise-app-management.md b/memdocs/intune/apps/apps-enterprise-app-management.md
index 3ce76c60e5d..99b0c836698 100644
--- a/memdocs/intune/apps/apps-enterprise-app-management.md
+++ b/memdocs/intune/apps/apps-enterprise-app-management.md
@@ -96,7 +96,7 @@ Microsoft hosts the applications in Microsoft storage accessible through `*.mana
### Is Microsoft providing security around any of the content provided in the Enterprise App Catalog?
-No. Microsoft makes no guarantee, express or implied, with respect to the security and compliance of the applications provided in the Enterprise App Catalog.
+Microsoft does not assert compliance or authorizations for apps distributed via Intune. Customers are responsible for ensuring that apps meet their requirements.
### What app installer types are in the Enterprise App Catalog?
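Review bot: The rewritten answer no longer answers the heading's question. The heading asks whether Microsoft provides security for Enterprise App Catalog content. The old text opened with "No." and named security explicitly, while the new text drops the word "security", speaks only of "compliance or authorizations", and widens the scope to "apps distributed via Intune". A reader assessing supply-chain risk for catalog packages can no longer tell whether any security vetting is claimed. Keep a direct yes/no, keep the scope on the Enterprise App Catalog, and state the customer's responsibility after that. Also use "doesn't" to match the contraction style applied elsewhere in this patch.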
@@ -110,6 +110,10 @@ At this time, Intune provides no running application detection.
No SLA is currently available.
+### How many applications are in the catalog?
+
+The catalog has over 400+ available applications in the Enterprise App Catalog. More apps are available on an ongoing basis.
+
### How can working with the applications in Enterprise App Catalog be automated?
Graph API is planned to be available soon.
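Review bot: The added answer is redundant in two places: "over 400+" says "more than" twice, and "The catalog has ... in the Enterprise App Catalog" names the catalog twice. "More apps are available on an ongoing basis" presumably means apps are added on an ongoing basis. Suggest "The Enterprise App Catalog has more than 400 applications, and more are added on an ongoing basis." A hard-coded count will also age, so consider pointing to wherever the current list is published.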
diff --git a/memdocs/intune/apps/apps-supported-intune-apps.md b/memdocs/intune/apps/apps-supported-intune-apps.md
index 2329ae3d9b3..551001ff9a1 100644
--- a/memdocs/intune/apps/apps-supported-intune-apps.md
+++ b/memdocs/intune/apps/apps-supported-intune-apps.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 10/08/2024
+ms.date: 10/31/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: apps
@@ -249,7 +249,6 @@ The following apps support the core Intune App Protection Policy settings. Apps
| :::no-loc text="Singletrack for Intune":::
| Singletrack for Intune lets users access their CRM data anywhere and at any time, while supporting the Mobile Application Management (MAM) policies offered by Microsoft Intune. Users can connect with contacts and send out research. They can also log new interactions, as well as view and update existing ones.
You can choose to receive local notifications of recently finished Interactions and log draft interactions to be completed on your desktop at a later date. You can also work offline to capture data when convenient. | [App Store link (iOS)](https://apps.apple.com/us/app/singletrack-for-intune/id6502955456) | | :::no-loc text="Slack for Intune":::
| Slack for Intune is for Slack customers that have enabled Microsoft Intune Mobile Application Management (MAM). | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.Slack.intune), [App Store link (iOS)](https://apps.apple.com/app/slack-for-intune/id1558736484) | | :::no-loc text="PK Protect for Intune":::
| PK Protect for Intune is specifically designed for existing PKWARE customers operating in an Intune environment. PK Protect lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you're unsure if you have PK Protect, contact your company's IT administrator. With PK Protect, you can: Encrypt and decrypt files using Smartkeys, Decrypt archives with X.509 Digital Certificates, Create and manage Smartkeys, Perform digital signing and authentication of data with X.509 Digital Certificates, Encrypt and decrypt files with Strong Passphrase encryption, including AE2, Log in with existing Active Directory credentials, Create and view unencrypted zip archives. PK Protect armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android. | [App Store link (iOS)](https://apps.apple.com/app/smartcrypt-for-intune/id1489232256) | -| :::no-loc text="ServiceNow Agent - Intune":::
| ServiceNow Mobile Agent app delivers out-of-the-box, mobile-first experiences for the most common service desk agent workflows, making it easy for agents to triage, act on and resolve requests on the go. The app enables service desk agents to promptly manage and resolve end user issues from their mobile devices. Agents use the app’s intuitive interface to accept and update work even without Internet connectivity. The app greatly simplifies work by using native device capabilities for tasks like navigation, barcode scanning, or collecting a signature.
The app comes with out-of-the-box workflows for service desk agents in IT, Customer Service, HR, Field Services, Security Ops and IT Asset Management. Organizations can easily configure and extend the workflows to meet their own unique needs.
With Mobile Agent you can:
| Slack for Intune is for Slack customers that have enabled Microsoft Intune Mobile Application Management (MAM). | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.Slack.intune), [App Store link (iOS)](https://apps.apple.com/app/slack-for-intune/id1558736484) | | :::no-loc text="PK Protect for Intune":::
| PK Protect for Intune is designed for existing PKWARE customers operating in an Intune environment. PK Protect lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you are unsure if you have PK Protect, contact your company's IT administrator. With PK Protect, you can: Encrypt and decrypt files using Smartkeys, Decrypt archives with X.509 Digital Certificates, Create and manage Smartkeys, Perform digital signing and authentication of data with X.509 Digital Certificates, Encrypt and decrypt files with Strong Passphrase encryption, including AE2, Log in with existing Active Directory credentials, Create and view unencrypted zip archives. PK Protect armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android. | [App Store link (iOS)](https://apps.apple.com/app/smartcrypt-for-intune/id1489232256) | | :::no-loc text="Speaking Email":::
| Get more time in your day by having your email read to you on the move. Voice commands and simple gestures designed to be safe to use while driving give you the ability to archive, flag or even reply on the move.
Smart content detection skips over disclaimers, reply headers, and email signatures to speak only the content without the clutter.
Employees can sign in via Intune to access Microsoft 365 Exchange email. | [App Store link (iOS)](https://apps.apple.com/app/apple-store/id991406423?ct=intune) |
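Review bot: The removed row drops "ServiceNow Agent - Intune" from the table of apps that support the core Intune App Protection Policy settings, and nothing in the visible lines says whether the app was renamed, withdrawn, or lost APP support. Admins who already target that app with protection policies need to know which. Record the reason in the change description or a what's-new entry, and if a successor app exists, add its row in the same change.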
diff --git a/memdocs/intune/apps/mam-faq.yml b/memdocs/intune/apps/mam-faq.yml
index e382cc3c825..5b20f335105 100644
--- a/memdocs/intune/apps/mam-faq.yml
+++ b/memdocs/intune/apps/mam-faq.yml
@@ -59,7 +59,7 @@ sections:
questions:
- question: Which apps can be managed by app protection policies?
answer: |
- Any app that has been integrated with the [Intune App SDK](../developer/app-sdk.md) or wrapped by the [Intune App Wrapping Tool](../developer/apps-prepare-mobile-application-management.md) can be managed using Intune app protection policies. See the official list of [Intune-managed apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) available for public use.
+ Any app that has been integrated with the [Intune App SDK](../developer/app-sdk.md) or wrapped by the [Intune App Wrapping Tool](../developer/apps-prepare-mobile-application-management.md) can be managed using Intune app protection policies. See the official list of [Intune-managed apps](/mem/intune/apps/apps-supported-intune-apps) available for public use.
- question: What are the baseline requirements to use app protection policies on an Intune-managed app?
answer: |
diff --git a/memdocs/intune/apps/mamedge-1-mamca.md b/memdocs/intune/apps/mamedge-1-mamca.md
index 622ace2452c..084bbfad370 100644
--- a/memdocs/intune/apps/mamedge-1-mamca.md
+++ b/memdocs/intune/apps/mamedge-1-mamca.md
@@ -102,7 +102,7 @@ In the previous steps, you implemented conditional access as a required app prot
:::image type="content" alt-text="Device Platform - Conditional Access policy - Microsoft Intune admin center." source="./media/securing-data-edge-for-business/securing-data-edge-for-business59.png" lightbox="./media/securing-data-edge-for-business/securing-data-edge-for-business59.png":::
-7. Select **Grant** and select **Require device to be market as compliant.** This will provide access through desktop apps only for enrolled and compliant devices.
+7. Select **Grant** and select **Require device to be marked as compliant.** This will provide access through desktop apps only for enrolled and compliant devices.
:::image type="content" alt-text="Grant - Conditional Access policy - Microsoft Intune admin center." source="./media/securing-data-edge-for-business/securing-data-edge-for-business60.png" lightbox="./media/securing-data-edge-for-business/securing-data-edge-for-business60.png":::
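Review bot: In the corrected step 7, the sentence-ending period is still inside the bold markup (`compliant.**`), so it renders as part of the UI label. Move it outside the bold so the control name matches what the admin sees under **Grant**.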
diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md
index eff856589ac..e1477d4fce6 100644
--- a/memdocs/intune/apps/manage-microsoft-edge.md
+++ b/memdocs/intune/apps/manage-microsoft-edge.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 02/27/2024
+ms.date: 10/24/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: apps
@@ -282,7 +282,7 @@ Edge for iOS and Android allows organizations to disable certain features that a
|Key |Value |
|:-----------|:-------------|
-|com.microsoft.intune.mam.managedbrowser.disabledFeatures|**password** disables prompts that offer to save passwords for the end user
**inprivate** disables InPrivate browsing
**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information
**translator** disables translator
**readaloud** disables read aloud
**drop** disables drop
**coupons** disables coupons
**extensions** disables extensions (Edge for Android only)
**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)
**UIRAlert** suppress re-verify account popups in new tab page screen
To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. |
+|com.microsoft.intune.mam.managedbrowser.disabledFeatures|**password** disables prompts that offer to save passwords for the end user
**inprivate** disables InPrivate browsing
**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information
**translator** disables translator
**readaloud** disables read aloud
**drop** disables drop
**coupons** disables coupons
**extensions** disables extensions (Edge for Android only)
**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)
**UIRAlert** suppress re-verify account popups in new tab page screen
**share** disables Share under menu
**sendtodevices** disables Send to devices under menu
**weather** disables weather in NTP (New Tab Page)
To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. |
#### Disable import passwords feature
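Review bot: The three new `disabledFeatures` values (**share**, **sendtodevices**, **weather**) don't say which platforms they apply to, while neighbouring values in the same cell carry "(Edge for Android only)" where that matters. State whether each works on both iOS and Android, and from which Edge version, so admins don't assume a feature is disabled on a platform where the value is ignored. The **weather** entry also introduces the abbreviation "NTP (New Tab Page)" while the **UIRAlert** entry just above spells out "new tab page"; pick one form.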
@@ -316,9 +316,12 @@ Edge for Android can be enabled as a kiosk app with the following settings:
|com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode |**true** shows the address bar in kiosk mode
**false** (default) hides the address bar when kiosk mode is enabled|
|com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode |**true** shows the bottom action bar in kiosk mode
**false** (default) hides the bottom bar when kiosk mode is enabled |
+> [!NOTE]
+> Kiosk mode is not supported on iOS devices. However, you may want to use Locked View Mode (MDM policy only) to achieve a similar user experience, where users are unable to navigate to other websites, as the URL address bar becomes read-only in Locked View Mode.
+
### Locked view mode
-Edge for iOS and Android can be enabled as locked view mode with MDM policy EdgeLockedViewModeEnabled.
+Edge for iOS and Android can be enabled as locked view mode with MDM policy **[EdgeLockedViewModeEnabled](/deployedge/microsoft-edge-mobile-policies#edgelockedviewmodeenabled)**.
|Key |Value |
|:---------|:---------|
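Review bot: The added note claims that in Locked View Mode "users are unable to navigate to other websites, as the URL address bar becomes read-only". A read-only address bar only stops typed URLs, and the note gives no basis for the broader claim. Either narrow the wording to what the read-only address bar actually prevents, or point to the allow and block list settings as the control that restricts where users can go. The note also capitalises "Locked View Mode" while the heading and the sentence below it use "locked view mode", and it uses "is not" where the rest of this patch moves to contractions.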
@@ -485,16 +488,6 @@ Organizations can configure a search provider for users. To configure a search p
|com.microsoft.intune.mam.managedbrowser.DefaultSearchProviderName | The corresponding value is a string
**Example** `My Intranet Search` |
|com.microsoft.intune.mam.managedbrowser.DefaultSearchProviderSearchURL | The corresponding value is a string
**Example** `https://search.my.company/search?q={searchTerms}`|
-### Open external apps
-When a web page requests to open an external app, users will see a pop-up asking them to open the external app or not. Organizations can manage the behavior.
-
-|Key |Value |
-|:-----------|:-------------|
-|com.microsoft.intune.mam.managedbrowser.OpeningExternalApps |**0** (default) Show the pop-up for users to choose stay in Edge or open by external apps.
**1** Always open within Edge without showing the pop-up.
**2** Always open with external apps without showing the pop-up. If external apps aren't installed, the behavior will be the same as value 1|
-
-> [!NOTE]
-> As of version 120.2210.99, the app jump blocker feature is removed. External apps will be opened from Edge by default. Therefore, this policy is no longer valid from version 120.2210.99.
-
### Copilot
> [!NOTE]
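Review bot: Removing the whole "Open external apps" section also removes the only statement that `com.microsoft.intune.mam.managedbrowser.OpeningExternalApps` is no longer valid from version 120.2210.99 and that external apps now open from Edge by default. Tenants that still have the key set to **1** (always stay in Edge) get no indication that it is ignored. Keep a short deprecation note for the key instead of deleting it silently.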
@@ -549,6 +542,16 @@ Organizations can define which sites users can access within the work or school
Organizations also define what happens when a user attempts to navigate to a restricted web site. By default, transitions are allowed. If the organization allows it, restricted web sites can be opened in the personal account context, the Microsoft Entra account’s InPrivate context, or whether the site is blocked entirely. For more information on the various scenarios that are supported, see [Restricted website transitions in Microsoft Edge mobile](https://techcommunity.microsoft.com/t5/intune-customer-success/restricted-website-transitions-in-microsoft-edge-mobile/ba-p/1381333). By allowing transitioning experiences, the organization's users stay protected, while keeping corporate resources safe.
+To enhance the profile-switching experience by reducing the need for users to manually switch to personal profiles or InPrivate mode to open blocked URLs, we’ve introduced two new policies:
+- `com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock`
+- `com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork`
+
+Since these policies bring different results based on their configurations and combinations, we recommend trying our policy suggestions below for a quick evaluation to see if the profile-switching experience aligns well with your organization’s needs before exploring detailed documentation. Suggested profile-switching configuration settings include the following values:
+- `com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock=true`
+- `com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true`
+- `com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock=1`
+- `com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork=2`
+
> [!NOTE]
> Edge for iOS and Android can block access to sites only when they're accessed directly. It doesn't block access when users use intermediate services (such as a translation service) to access the site. URLs that start with **Edge**, such as `Edge://*`, `Edge://flags`, and `Edge://net-export`, aren't supported in app configuration policy **AllowListURLs** or **BlockListURLs** for managed apps. You can disable these URLs with **com.microsoft.intune.mam.managedbrowser.InternalPagesBlockList**.
If your devices are managed, you can also use app configuration policy [URLAllowList](/deployedge/microsoft-edge-mobile-policies#urlallowlist) or [URLBlocklist](/deployedge/microsoft-edge-mobile-policies#urlblocklist) for managed devices. For related information, see [Microsoft Edge mobile policies](/deployedge/microsoft-edge-mobile-policies).
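Review bot: The added paragraph recommends `AutoTransitionModeOnBlock=1` and `ProfileAutoSwitchToWork=2` without saying what values 1 and 2 mean, and the hunk defines no allowed values for either key. It also defers to "detailed documentation" without linking any. Because the suggested set includes `openInPrivateIfBlocked=true` together with an automatic transition mode, admins are being asked to change how blocked URLs are opened without being able to see the resulting behaviour. Add both keys to the key/value table with every value described, link the detailed documentation, and replace the first-person "we've introduced" and "our policy suggestions" with the neutral voice used in the rest of the article.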
@@ -556,8 +559,8 @@ Use the following key/value pairs to configure either an allowed or blocked site
|Key |Value |
|:--|:----|
-|com.microsoft.intune.mam.managedbrowser.AllowListURLs |The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.
**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
-|com.microsoft.intune.mam.managedbrowser.BlockListURLs |The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character.
**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
+|com.microsoft.intune.mam.managedbrowser.AllowListURLs
This policy name has been replaced by the UI of **Allowed URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.
**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
+|com.microsoft.intune.mam.managedbrowser.BlockListURLs
This policy name has been replaced by the UI of **Blocked URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character.
**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` |
|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock |**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. |
|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked
This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. |
|com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | Enter the number of seconds that users will see the snack bar notification "Access to this site is blocked by your organization. We’ve opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.|
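Review bot: In the added AllowListURLs and BlockListURLs rows, "This policy name has been replaced by the UI of **Allowed URLs**" does not say whether the key is still honored when it is set as a key/value pair, yet the value cell still tells admins to enter a pipe-separated list. State whether the key remains supported alongside the Edge Configuration settings UI and which source wins if both are set, since a conflicting allow or block list is a policy gap. The phrasing "replaced by the UI of" is also awkward; something like "This setting is now configured with **Allowed URLs** under Edge Configuration settings" reads better and could be applied to the openInPrivateIfBlocked row as well.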
@@ -571,6 +574,22 @@ The following sites except copilot.microsoft.com are always allowed regardless o
- `https://*.microsoftonline.com/*`
- `https://*.microsoftonline-p.com/*`
+### Control the behavior of the Site Blocked popup
+When attempting to access blocked websites, users will be prompted to use either switch to InPrivate or personal account to open the blocked websites. You can choose preferences between InPrivate and personal account.
+
+|Key |Value |
+|:--|:----|
+|com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock |**0**: (Default) Always show the popup window for user to choose.
**1**: Automatically switch to personal account when personal account is signed in.If personal account is not signed in, the behavior will be changed to value 2.
**2**:Automatically switch to InPrivate if InPrivate switch is allowed by com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true. |
+
+### Control the behavior of switching personal profile to work profile
+When Edge is under the personal profile and users are attempting to open a link from Outlook or Microsoft Teams which are under the work profile, by default, Intune will use the Edge work profile to open the link because both Edge, Outlook, and Microsoft Teams are managed by Intune. However, when the link is blocked, the user will be switched to the the personal profile. This causes a friction experience for users
+
+You can configure a policy to enhance users' experience. This policy is recommended to be used together with AutoTransitionModeOnBlock as it may switch users to the personal profile according to the policy value you configured.
+
+|Key |Value |
+|:--|:----|
+|com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. |
+
#### URL formats for allowed and blocked site list
You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table.
@@ -607,25 +626,6 @@ You can use various URL formats to build your allowed/blocked sites lists. These
- `http://www.contoso.com:*`
- `http://www.contoso.com: /*`
-### Control the behavior of the Site Blocked popup
-When attempting to access blocked websites, users will be prompted to use either switch to InPrivate or personal account to open the blocked websites. You can choose preferences between InPrivate and personal account.
-
-|Key |Value |
-|:--|:----|
-|com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock |**0**: (Default) Always show the popup window for user to choose.
**1**: Automatically switch to personal account when personal account is signed in.If personal account is not signed in, the behavior will be changed to value 2.
**2**:Automatically switch to InPrivate if InPrivate switch is allowed by com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true. |
-
-### Control the behavior of switching personal profile to work profile
-When Edge is under the personal profile and users are attempting to open a link from Outlook or Microsoft Teams which are under the work profile, by default, Intune will use the Edge work profile to open the link because both Edge, Outlook, and Microsoft Teams are managed by Intune. However, when the link is blocked, the user will be switched to the the personal profile. This causes a friction experience for users
-
-You can configure a policy to enhance users' experience. This policy is recommended to be used together with AutoTransitionModeOnBlock as it may switch users to the personal profile according to the policy value you configured.
-
-|Key |Value |
-|:--|:----|
-|com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: URLs that are blocked by Edge policy will not be switched to work profile. |
-
-> [!NOTE]
-> This policy takes effect when Edge is in personal profile and is receiving URL from a managed apps such as Outlook and Microsoft Teams by Intune. Edge also needs to have both personal profile and work profile signed in.
-
### Disable Edge internal pages
You can disable Edge internal pages such as `Edge://flags` and `Edge://net-export`. More pages can be found from `Edge://about`
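Review bot: The removed `[!NOTE]` stating that ProfileAutoSwitchToWork takes effect only when Edge is in the personal profile, receives the URL from an Intune-managed app, and has both personal and work profiles signed in is not carried over to the section's new location in the earlier hunk of this file. If that precondition still applies, move the note with the section; if it no longer applies because value **2** now covers the case where the personal profile is not signed in, say so in the change description so readers know the behavior changed.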
diff --git a/memdocs/intune/configuration/kiosk-settings-windows.md b/memdocs/intune/configuration/kiosk-settings-windows.md
index ab12dbee5b8..5324b12ffb8 100644
--- a/memdocs/intune/configuration/kiosk-settings-windows.md
+++ b/memdocs/intune/configuration/kiosk-settings-windows.md
@@ -100,7 +100,7 @@ Runs only one app on the device, such as a web browser or Store app.
For more information on these options, see [Deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy#supported-configuration-types).
- - **Add Kiosk browser**: Select **Kiosk browser settings**. These settings control a web browser app on the kiosk. Be sure you get the [Kiosk browser app](https://businessstore.microsoft.com/store/details/kiosk-browser/9NGB5S5XG2KP) from the Store, add it to Intune as a [Client App](../apps/apps-add.md). Then, assign the app to the kiosk devices.
+ - **Add Kiosk browser**: Select **Kiosk browser settings**. These settings control a web browser app on the kiosk. Be sure you get the [Kiosk browser app](https://apps.microsoft.com/detail/9ngb5s5xg2kp?) from the Store, add it to Intune as a [Client App](../apps/apps-add.md). Then, assign the app to the kiosk devices.
Enter the following settings:
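Review bot: The new Kiosk browser link ends in a bare `?` with an empty query string (`https://apps.microsoft.com/detail/9ngb5s5xg2kp?`), which looks like a leftover from stripping tracking parameters. Drop the trailing `?` so the link reads `https://apps.microsoft.com/detail/9ngb5s5xg2kp`.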
diff --git a/memdocs/intune/developer/app-sdk-android-phase1.md b/memdocs/intune/developer/app-sdk-android-phase1.md
index 0204f285ba7..34b1b8afb35 100644
--- a/memdocs/intune/developer/app-sdk-android-phase1.md
+++ b/memdocs/intune/developer/app-sdk-android-phase1.md
@@ -7,7 +7,7 @@ keywords: SDK
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/31/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/app-sdk-android-phase2.md b/memdocs/intune/developer/app-sdk-android-phase2.md
index 1e2db119a18..bc9f9a82ba2 100644
--- a/memdocs/intune/developer/app-sdk-android-phase2.md
+++ b/memdocs/intune/developer/app-sdk-android-phase2.md
@@ -7,7 +7,7 @@ keywords: SDK
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/31/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/app-sdk-android-phase5.md b/memdocs/intune/developer/app-sdk-android-phase5.md
index e2ab3520f59..c396bf1daf7 100644
--- a/memdocs/intune/developer/app-sdk-android-phase5.md
+++ b/memdocs/intune/developer/app-sdk-android-phase5.md
@@ -7,7 +7,7 @@ keywords: SDK
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/31/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
@@ -509,6 +509,11 @@ Calling `protectForOID` with empty string for the identity parameter will tag th
This operation will remove encryption from the file/directory if it was previously encrypted.
When a selective wipe command is issued, the file/directory won't be deleted.
+> [!WARNING]
+> It is important to ensure that only files belonging to a particular identity become protected
+> with that identity. Otherwise, other identities may experience data loss when the owning identity
+> signs out, as files will be wiped and encryption key access will be lost.
+
#### Displaying Protected File Content
It is equally critical to have the correct identity set when file content is being *displayed* to prevent unauthorized users from viewing managed data.
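Review bot: The new warning sits directly under the paragraph about calling `protectForOID` with an empty string, which ends with "the file/directory won't be deleted", and then states that "files will be wiped" without saying which case it covers. Make it explicit that the warning applies to files tagged with a non-empty identity, so it does not read as contradicting the sentence immediately above it. "It is important to ensure that" can be shortened to a direct instruction such as "Protect a file with an identity only if the file belongs to that identity."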
@@ -597,6 +602,17 @@ An app can prevent these buffers becoming unreadable by calling `MAMDataProtecti
It is also safe to call `protectForOID` during this notification, if you wish to preserve identity information.
Encryption is guaranteed to be disabled during the notification and calling `protectForOID` in the handler won't encrypt data buffers.
+> [!WARNING]
+> Encryption operations should be avoided early in the app process. The SDK will perform encryption
+> initialization asynchronously as early as possible after app startup. However, if an app makes
+> an encryption request in app startup, it may be blocked until encryption initialization is
+> complete.
+
+> [!NOTE]
+> The Intune App SDK encryption API should be used only to encrypt data as required by Intune
+> policy. No protection will be applied to accounts that are not targeted with encryption policy
+> enabled, so it cannot be used as general-purpose encryption library.
+
### Content Providers
A multi-identity app must also protect data shared through `ContentProvider`s to prevent inappropriately sharing managed content.
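Review bot: The startup warning says an encryption request "may be blocked until encryption initialization is complete" but gives the developer nothing to act on; state whether the call blocks the calling thread and what the recommended pattern is for apps that need protected data during startup. In the added note, "accounts that are not targeted with encryption policy enabled" is hard to parse (consider "accounts that are not targeted by a policy with encryption enabled"), and "as general-purpose encryption library" is missing the article "a".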
diff --git a/memdocs/intune/developer/app-sdk-android-phase7.md b/memdocs/intune/developer/app-sdk-android-phase7.md
index 3618077dda8..6a74718ff22 100644
--- a/memdocs/intune/developer/app-sdk-android-phase7.md
+++ b/memdocs/intune/developer/app-sdk-android-phase7.md
@@ -7,7 +7,7 @@ keywords: SDK
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/31/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/app-sdk-ios-phase5.md b/memdocs/intune/developer/app-sdk-ios-phase5.md
index 252dde06b86..255ec1e0e3c 100644
--- a/memdocs/intune/developer/app-sdk-ios-phase5.md
+++ b/memdocs/intune/developer/app-sdk-ios-phase5.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/09/2023
+ms.date: 10/31/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/app-sdk-ios-phase7.md b/memdocs/intune/developer/app-sdk-ios-phase7.md
index 342c6225034..1b66db3ba1c 100644
--- a/memdocs/intune/developer/app-sdk-ios-phase7.md
+++ b/memdocs/intune/developer/app-sdk-ios-phase7.md
@@ -8,7 +8,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/09/2023
+ms.date: 10/31/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/app-sdk.md b/memdocs/intune/developer/app-sdk.md
index fc7f2a69c4b..551be1445a5 100644
--- a/memdocs/intune/developer/app-sdk.md
+++ b/memdocs/intune/developer/app-sdk.md
@@ -6,7 +6,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/31/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-api-url.md b/memdocs/intune/developer/reports-api-url.md
index fb4e9b1ee1f..6677f4f4d7f 100644
--- a/memdocs/intune/developer/reports-api-url.md
+++ b/memdocs/intune/developer/reports-api-url.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-nav-create-intune-reports.md b/memdocs/intune/developer/reports-nav-create-intune-reports.md
index 8a57446e962..2ac865af0e6 100644
--- a/memdocs/intune/developer/reports-nav-create-intune-reports.md
+++ b/memdocs/intune/developer/reports-nav-create-intune-reports.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-nav-intune-data-warehouse.md b/memdocs/intune/developer/reports-nav-intune-data-warehouse.md
index 2fe0637168a..5656f76d0c2 100644
--- a/memdocs/intune/developer/reports-nav-intune-data-warehouse.md
+++ b/memdocs/intune/developer/reports-nav-intune-data-warehouse.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-proc-create-with-odata.md b/memdocs/intune/developer/reports-proc-create-with-odata.md
index 9054b36ce5b..e4eac8782bd 100644
--- a/memdocs/intune/developer/reports-proc-create-with-odata.md
+++ b/memdocs/intune/developer/reports-proc-create-with-odata.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-proc-get-a-link-powerbi.md b/memdocs/intune/developer/reports-proc-get-a-link-powerbi.md
index e9ffe091f65..1f3ed1f056a 100644
--- a/memdocs/intune/developer/reports-proc-get-a-link-powerbi.md
+++ b/memdocs/intune/developer/reports-proc-get-a-link-powerbi.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-application.md b/memdocs/intune/developer/reports-ref-application.md
index 367c037cdd4..1067a49df4d 100644
--- a/memdocs/intune/developer/reports-ref-application.md
+++ b/memdocs/intune/developer/reports-ref-application.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-data-model.md b/memdocs/intune/developer/reports-ref-data-model.md
index 53876b5c4e1..688507216a0 100644
--- a/memdocs/intune/developer/reports-ref-data-model.md
+++ b/memdocs/intune/developer/reports-ref-data-model.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-date.md b/memdocs/intune/developer/reports-ref-date.md
index f4bab925ab8..da548477cd9 100644
--- a/memdocs/intune/developer/reports-ref-date.md
+++ b/memdocs/intune/developer/reports-ref-date.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-devices.md b/memdocs/intune/developer/reports-ref-devices.md
index 5237e1544c3..392a27a9b9f 100644
--- a/memdocs/intune/developer/reports-ref-devices.md
+++ b/memdocs/intune/developer/reports-ref-devices.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-intunemanagementextension.md b/memdocs/intune/developer/reports-ref-intunemanagementextension.md
index ee8d7b4640e..aefaf67746f 100644
--- a/memdocs/intune/developer/reports-ref-intunemanagementextension.md
+++ b/memdocs/intune/developer/reports-ref-intunemanagementextension.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-mobile-app-management.md b/memdocs/intune/developer/reports-ref-mobile-app-management.md
index ff38b2631ba..29c6fae53f1 100644
--- a/memdocs/intune/developer/reports-ref-mobile-app-management.md
+++ b/memdocs/intune/developer/reports-ref-mobile-app-management.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-policy.md b/memdocs/intune/developer/reports-ref-policy.md
index 40b942f1fe8..ef57e85b2d0 100644
--- a/memdocs/intune/developer/reports-ref-policy.md
+++ b/memdocs/intune/developer/reports-ref-policy.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-user-device.md b/memdocs/intune/developer/reports-ref-user-device.md
index b2818133d17..e5f54eb0f81 100644
--- a/memdocs/intune/developer/reports-ref-user-device.md
+++ b/memdocs/intune/developer/reports-ref-user-device.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-user-timeline.md b/memdocs/intune/developer/reports-ref-user-timeline.md
index f13f251519b..1f6c6f6ff13 100644
--- a/memdocs/intune/developer/reports-ref-user-timeline.md
+++ b/memdocs/intune/developer/reports-ref-user-timeline.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/developer/reports-ref-user.md b/memdocs/intune/developer/reports-ref-user.md
index 3da3153785d..df8cefff46d 100644
--- a/memdocs/intune/developer/reports-ref-user.md
+++ b/memdocs/intune/developer/reports-ref-user.md
@@ -7,7 +7,7 @@ keywords: Intune Data Warehouse
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 12/04/2023
+ms.date: 10/30/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: developer
diff --git a/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md b/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md
index a0578dc8780..d6a511ea3a4 100644
--- a/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md
+++ b/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 05/17/2024
+ms.date: 10/28/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -34,7 +34,7 @@ ms.collection:
Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate and personal use.
-End users can keep their work and personal data separate and are guaranteed that personal data and applications will remain private. Admins can control some settings and features for the entire device, including:
+End users can keep their work and personal data separate and are guaranteed that personal data and applications remain private. Admins can control some settings and features for the entire device, including:
- Setting requirements for the device password
- Controlling Bluetooth and data roaming
@@ -47,7 +47,8 @@ Intune helps you deploy apps and settings to Android Enterprise corporate-owned
Devices must meet these requirements to be managed as Android Enterprise corporate-owned work profile devices:
- Android OS version 8.0 and above.
-- Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.
+- Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.
+
## Set up Android Enterprise corporate-owned work profile device management
@@ -92,14 +93,14 @@ You must create an enrollment profile so that users can enroll corporate-owned w
8. Select **Next** to continue to **Scope tags**.
-9. Optionally, apply one or more scope tags to limit restriction visibility and management to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md).
+9. Optionally, apply one or more scope tags to limit restriction visibility and management to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md).
10. Choose **Next** to continue to **Create + review**.
11. Review your choices, and then select **Create** to finish creating the profile.
### Access enrollment token
-After you create a profile, Intune generates a token that's needed for enrollment.
+After you create a profile, Intune generates the token you need for enrollment.
1. Return to **Devices** > **Enrollment**, and select the Android tab.
@@ -167,7 +168,7 @@ When you create the enrollment profile in the admin center, you have to select a
The default token, *corporate-owned work profile*, enrolls devices into Microsoft Intune as standard Android Enterprise corporate-owned devices with work profiles. This token requires you to complete pre-provisioning steps before you distribute the devices. End users complete the remaining steps on the device when they sign in with their work or school account.
-The device staging token, *Corporate-owned work profile, via staging*, enrolls devices into Microsoft Intune in a staging mode so that you or a third party vendor can complete all pre-provisioning steps. End users complete the last step of provisioning by signing into the Microsoft Intune app with their work or school account. Devices are ready to use upon sign-in. Intune supports device staging for Android Enterprise devices running Android 8 or later.
+The device staging token, *Corporate-owned work profile, via staging*, enrolls devices into Microsoft Intune in a staging mode so that you or a partner vendor can complete all pre-provisioning steps. End users complete the last step of provisioning by signing into the Microsoft Intune app with their work or school account. Devices are ready to use upon sign-in. Intune supports device staging for Android Enterprise devices running Android 8 or later.
For more information, see [Device staging overview](device-staging-overview.md).
@@ -181,6 +182,12 @@ To remove an app from Android Enterprise corporate-owned work profile devices, y
- Delete the Required app deployment.
- Create an uninstall deployment for the app.
+## Limitations
+
+The limitations in this section apply to corporate-owned devices with a work profile.
+
+Private space is a feature introduced with Android 15 that lets people create a space on their device for sensitive apps and data they want to keep hidden. The private space is considered a personal profile. Microsoft Intune doesn't support mobile device management within the private space or provide technical support for devices that attempt to enroll the private space.
+
## Next steps
- [Deploy Android apps](../apps/apps-deploy.md)
- [Add Android configuration policies](../configuration/device-profiles.md)
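Review bot: The new section opens with "The limitations in this section apply to" but contains a single limitation, and it stops at "doesn't support ... or provide technical support" without saying what happens on the device when someone attempts to enroll the private space. Either reword the intro for one item or add the observable behavior so admins can recognize the case. A blank line after the `## Next steps` heading would also match the spacing used for `## Limitations`.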
diff --git a/memdocs/intune/enrollment/android-enroll-device-administrator.md b/memdocs/intune/enrollment/android-enroll-device-administrator.md
index 6415449397b..c13c4eac4ec 100644
--- a/memdocs/intune/enrollment/android-enroll-device-administrator.md
+++ b/memdocs/intune/enrollment/android-enroll-device-administrator.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 04/05/2024
+ms.date: 10/28/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -34,7 +34,7 @@ ms.collection:
[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
-Android device administrator (sometimes referred to *legacy* Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is available with [Android Enterprise](https://www.android.com/enterprise/management/) in [countries where Android Enterprise is available](https://support.google.com/work/android/answer/6270910). In an effort to move to modern, richer, and more secure device management, Google deprecated Android device administrator management in 2020 and Intune will be ending support for device administrator devices with access to Google Mobile Services at the end of 2024.
+Android device administrator (sometimes referred to *legacy* Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is available with [Android Enterprise](https://www.android.com/enterprise/management/) in [countries/regions where Android Enterprise is available](https://support.google.com/work/android/answer/6270910). Google deprecated Android device administrator management in 2020. Intune is ending support for device administrator devices with access to Google Mobile Services at the end of 2024.
Therefore, we advise against enrolling new devices using the device administrator process described here and we also recommend that you migrate devices off of device administrator management.
@@ -44,7 +44,7 @@ If you still decide to have users enroll their Android devices with device admin
## Set up device administrator enrollment
-1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to **Microsoft Intune**. See [Set the MDM authority](../fundamentals/mdm-authority-set.md) for instructions. You set this item only once, when you are first setting up Intune for mobile device management.
+1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to **Microsoft Intune**. See [Set the MDM authority](../fundamentals/mdm-authority-set.md) for instructions. You only need to configure this setting in your tenant once.
2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
3. Go to **Devices** > **Enrollment.
4. Select the **Android** tab.
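Review bot: Since this hunk edits step 1 of the procedure, fix step 3 in the same pass: `3. Go to **Devices** > **Enrollment.` has an unclosed bold marker, so it should read `**Enrollment**.` to render correctly.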
@@ -52,11 +52,13 @@ If you still decide to have users enroll their Android devices with device admin
6. Select the checkmark next to **Use device administrator to manage devices**.
7. [Tell your users how to enroll their devices](../user-help/enroll-device-android-company-portal.md).
-After a user has enrolled, you can begin managing their devices in Intune, including [assigning compliance policies](../protect/compliance-policy-create-android.md), [managing apps](../apps/app-management.md), and more.
+After a user enrolls, you can begin managing their devices in Intune, including [assigning compliance policies](../protect/compliance-policy-create-android.md), [managing apps](../apps/app-management.md), and more.
-For information about other user tasks, see these articles:
-- [Resources about the end-user experience with Microsoft Intune](../fundamentals/intune-planning-guide.md)
-- [Using your Android device with Intune](../user-help/why-enroll-android-device.md)
+For information about other user tasks, see these articles:
+
+- [Microsoft Intune planning guide](../fundamentals/intune-planning-guide.md)
+
+- [Android device enrollment overview ](../user-help/why-enroll-android-device.md)
## Block device administrator enrollment
To block Android device administrator devices, or to block only personally owned Android device administrator devices from enrollment, see [Set device type restrictions](enrollment-restrictions-set.md).
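Review bot: The new link text `[Android device enrollment overview ]` has a trailing space inside the brackets, which renders as part of the link; remove it. The lead-in still says "For information about other user tasks", but the first link is now titled "Microsoft Intune planning guide", which is admin-facing, so either reword the lead-in or confirm that link belongs in this list. The blank line between the two list items also produces a loose list, which is inconsistent with the tight lists elsewhere in the article.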
@@ -65,7 +67,24 @@ To block Android device administrator devices, or to block only personally owned
[Microsoft Teams certified Android devices](/microsoftteams/devices/teams-ip-phones) should continue being managed with device administrator management until [AOSP user-associated](android-aosp-corporate-owned-user-associated-enroll.md) management becomes available for these devices.
-To unenroll a Microsoft Teams certified Android device that's enrolled in Android device administrator, sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/) and deselect the Intune license from the Teams account for the Android device. After you remove an Intune license, there is a 30 day grace period in which the device still functions. The device will have to sign in again after this step to avoid enrolling in Intune under device administrator management again.
+To unenroll a Microsoft Teams-certified Android device you manage with Android device administrator, you must:
+
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/).
+1. Deselect the Intune license from the Teams account for the Android device.
+
+After you remove an Intune license, there's a 30 day grace period, during which the device still functions. The device must sign in again after this step to avoid enrolling in Intune under device administrator management again.
+
+## Limitations
+
+The limitations in this section apply to devices managed with device administrator.
+
+Private space is a feature introduced with Android 15 that lets people create a space on their device for sensitive apps and data they want to keep hidden.
+
+ * The private space is considered a personal profile. Microsoft Intune doesn't support mobile device management within the private space or provide technical support for devices that attempt to enroll the private space.
+
+ * Users might try to create a work profile-like experience on their devices by enrolling only the private space, leading to partial device management. Microsoft Intune doesn't provide support for this scenario. To avoid this issue, we recommend using [personal work profile management](android-work-profile-enroll.md) or [corporate-owned work profile management](android-corporate-owned-work-profile-enroll.md) instead of device administrator management.
+
+ * After a user enrolls their personal device, if they attempt to enroll the private space, Intune will initiate the personal work profile enrollment flow. However, in this scenario the enrollment process will fail without any notification.
## Next steps
- [Assign compliance policies](../protect/compliance-policy-create-android.md)
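Review bot: The third Limitations bullet says the private space enrollment "will fail without any notification" but gives the admin nothing to act on. State whether a record appears in the admin center after the failed attempt, as the matching bullet added to android-work-profile-enroll.md in this patch does for its scenario, so admins know what to look for. Also, "30 day grace period" should be hyphenated as "30-day grace period", and the new section needs a blank line between its last bullet and `## Next steps`.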
diff --git a/memdocs/intune/enrollment/android-work-profile-enroll.md b/memdocs/intune/enrollment/android-work-profile-enroll.md
index a0bcad7f741..a76861d2d56 100644
--- a/memdocs/intune/enrollment/android-work-profile-enroll.md
+++ b/memdocs/intune/enrollment/android-work-profile-enroll.md
@@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 6/28/2024
+ms.date: 10/28/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: enrollment
@@ -33,7 +33,7 @@ ms.collection:
# Set up enrollment of Android Enterprise personally owned work profile devices
-Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the *Android Enterprise personally owned work profile* management solution. During enrollment, a work profile is created on the device to house work apps and work data. The work profile can be managed by Microsoft Intune policies. Personal apps and data stay separate in another part of the device and remain unaffected by Intune.
+Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the *Android Enterprise personally owned work profile* management solution. During enrollment, a work profile is created on the device to house work apps and work data. You can use Microsoft Intune policies to manage the work profile and its contents. Personal apps and data stay separate in another part of the device and remain unaffected by Intune.
For more information about Android Enterprise work profile features, see [Work profiles](https://support.google.com/work/android/answer/9563584) (opens Android Enterprise Help).
@@ -68,7 +68,7 @@ Complete these steps to set up enrollment for Android Enterprise devices in BYOD
[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
10. Select **Next** to continue to **Scope tags**.
-11. Optionally, apply one or more scope tags to limit visibility and management of restrictions to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md).
+11. Optionally, apply one or more scope tags to limit visibility and management of restrictions to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md).
12. Select **Next** to continue to **Assignments**.
13. Assign the restriction to all users, or select specific groups.
14. Select **Next** to continue to **Review + create**.
@@ -86,7 +86,17 @@ For more information and screenshots of the end user experience, see [Enroll dev
## Data shared with Google
-Microsoft Intune shares certain user and device information with Google when Android Enterprise device management is enabled. For more information, see [Data Intune sends to Google](../protect/data-intune-sends-to-google.md).
+Microsoft Intune shares certain user and device information with Google when Android Enterprise device management is enabled. For more information, see [Data Intune sends to Google](../protect/data-intune-sends-to-google.md).
+
+## Limitations
+
+The limitations in this section apply to personal devices with a work profile.
+
+Private space is a feature introduced with Android 15 that lets people create a space on their device for sensitive apps and data they want to keep hidden.
+
+ * The private space is considered a personal profile. Microsoft Intune doesn't support mobile device management within the private space or provide technical support for devices that attempt to enroll the private space.
+
+ * If users attempt to enroll the private space after they enroll the device, Intune will initiate the device administrator enrollment process. The second enrollment causes two enrollment records to appear in the Microsoft Intune admin center: one under work profile management and one under device administrator management. Microsoft Intune doesn't provide support for this scenario.
## Next steps
- [Deploy Android Enterprise apps](../apps/apps-add-android-for-work.md)
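Review bot: The second Limitations bullet describes a duplicate enrollment record under device administrator management but stops at "doesn't provide support for this scenario". Say how an admin should prevent the second enrollment or clean up the extra record. The private space intro sentence and the first bullet are repeated verbatim from android-device-administrator-enroll.md; moving them to a shared include, like the `[!INCLUDE [android_device_administrator_support]...]` already used in this file, would keep the two copies from drifting. The removed and added "Microsoft Intune shares certain user and device information" lines look identical, so that change appears to be whitespace only and can be dropped from the patch if it wasn't intended.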
diff --git a/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md b/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
index f1c0a8d5e7c..9796042f2b2 100644
--- a/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
+++ b/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
@@ -287,18 +287,9 @@ The script is deployed to devices using in Intune. To add and deploy the script,
#### Microsoft Store app
-If you previously removed the Microsoft Store app, you can redeploy it using Microsoft Intune. To re-add the Microsoft Store app (or any other apps you want to re-add), add the Microsoft Store app to your private organization app repository. Then, deploy the app to devices using Intune. The Microsoft Store app helps keep apps updated.
+If you previously removed the Microsoft Store app, you can redeploy it using Microsoft Intune. To re-add the Microsoft Store app (or any other apps you want to re-add), add the Microsoft Store app to your private organization app repository. Then, deploy the app to devices using Intune. The Microsoft Store app helps keep apps updated. For information about how to configure access to the Microsoft Store app, see [Manage access to private store](/microsoft-store/manage-access-to-private-store).
-Your private organization app repository can be:
-
-- The Intune Company Portal app or website (preferred)
-
-- Microsoft Store for Business or Microsoft Store for Education
-
- Previously, the Microsoft Store app had a Microsoft Store for Business tab. This tab is removed. If you use Microsoft Store for Business, then to access your private app repository, go to the [Microsoft Store for Business website](https://businessstore.microsoft.com/). For more information, go to [Manage access to private store](/microsoft-store/manage-access-to-private-store).
-
- > [!NOTE]
- > The Microsoft Store for Business and Microsoft Store for Education will be retired. For more information, go to [Microsoft Store for Business and Microsoft Store for Education](/microsoft-store/microsoft-store-for-business-overview).
+Your private organization app repository can be the Intune Company Portal app or website.
Using Intune, on Windows 10/11 Enterprise and Education devices, you can block end users from installing Microsoft Store apps outside of your organization's private app repository.
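Review bot: The sentence added to the first paragraph links to `/microsoft-store/manage-access-to-private-store`, which is the same Store for Business link this hunk deletes a few lines later along with the retirement note. If Store for Business is no longer a valid private repository, the new link sends readers to guidance for the removed option; point it at Company Portal guidance or drop it. The retirement note is also removed without a replacement, so readers who still use Store for Business lose the only pointer explaining why it's gone from the list.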
diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md
index 6a3920b61a8..4e975e33bbc 100644
--- a/memdocs/intune/fundamentals/in-development.md
+++ b/memdocs/intune/fundamentals/in-development.md
@@ -7,7 +7,7 @@ keywords:
author: dougeby
ms.author: dougeby
manager: dougeby
-ms.date: 10/17/2024
+ms.date: 10/29/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -77,6 +77,14 @@ EPM is available as an [Intune Suite add-on-capability](../fundamentals/intune-a
## App management
+### Additional reporting details for LOB apps on AOSP devices
+
+Additional details will be provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You will be able to see error codes and detailed error messages for LOB apps. For information about app status details, see [Monitor app information and assignments with Microsoft Intune](../apps/apps-monitor.md).
+
+Applies to:
+
+- Android Open Source Project (AOSP) devices
+
### Added protection for iOS/iPadOS app widgets
To protect organizational data for MAM managed accounts and apps, Intune app protection policies now provide the capability to block data sync from policy managed app data to app widgets. App widgets can be added to end-user's iOS/iPadOS device lock screen, which can expose data contained by these widgets, such as meeting titles, top sites, and recent notes. In Intune, you'll be able to set the app protection policy setting **Sync policy managed app data with app widgets** to **Block** for iOS/iPadOS apps. This setting will be available as part of the **Data Protection** settings in app protection policies. This new setting will be an app protection feature similar to the **Sync policy managed app data with native app or add-ins** setting.
@@ -87,7 +95,67 @@ Applies to:
-
+## Device configuration
+
+### Device Firmware Configuration Interface (DFCI) support for Samsung devices
+
+We're adding support to use DFCI profiles to manage UEFI (BIOS) settings for Samsung devices that run Windows 10 or Windows 11. Not all Samsung devices running Windows are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.
+
+You can manage DFCI profiles from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by going to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Templates** > **Device Firmware Configuration Interface** for profile type. For more information about DFCI profiles, see:
+
+- [Configure Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune](../configuration/device-firmware-configuration-interface-windows.md)
+- [Device Firmware Configuration Interface (DFCI) management with Windows Autopilot](../../autopilot/dfci-management.md)
+
+Applies to:
+
+- Windows
+
+### New settings for Windows 24H2 in the Windows settings catalog
+
+The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. You can view these Windows settings in the Microsoft Intune admin center by going to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later for platform** > **Settings catalog** for profile type.
+
+We're working on the addition of new settings for Window 24H2.
+
+Applies to:
+
+- Windows
+
+### New settings available in the Apple settings catalog
+
+The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md).
+
+We're adding new settings to the Settings Catalog. To view available settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type.
+
+#### iOS/iPadOS
+
+**Restrictions**:
+
+- Allow Apps To Be Hidden
+- Allow Apps To Be Locked
+- Allow Call Recording
+- Allow Mail Summary
+- Allow RCS Messaging
+
+##### macOS
+
+**Declarative Device Management (DDM) > Math Settings**:
+
+- Calculator
+ - Input Mode - RPN
+
+**Restrictions**:
+
+- Allow Mail Summary
+- Allow Media Sharing Modification
+
+The following settings have been deprecated by Apple and will be marked as deprecated in the Settings Catalog:
+
+#### macOS
+
+**Security > Firewall**:
+
+- Enable Logging
+- Logging Option
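Review bot: In the "New settings for Windows 24H2" entry, "Window 24H2" should be "Windows 24H2", and the bold span `**Windows 10 and later for platform**` pulls "for platform" into the UI label, unlike the DFCI entry above where it sits outside the bold. In the Apple settings catalog entry, the first macOS heading is level 5 (`##### macOS`) while `#### iOS/iPadOS` is level 4, and a second `#### macOS` follows for the deprecated settings, so the two headings collide on the same anchor. Make both level 4 and consider a distinct heading for the deprecated list.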
@@ -97,6 +165,14 @@ Applies to:
## Device management
+### Store macOS certificates in user keychain
+
+Soon you'll have the option to store macOS certificates in the user keychain. Currently, Microsoft Intune automatically stores user and device certificates in the *device* keychain. The enhancement will strengthen system security, and will improve the user experience by reducing certificate prompts.
+
+Applies to:
+
+- macOS
+
### Device Inventory for Windows
Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions.
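Review bot: "The enhancement will strengthen system security" in the user keychain entry is asserted without saying how. A sentence on what changes when a certificate is stored in the user keychain rather than the device keychain would let admins judge whether to adopt the option. As written, the only concrete benefit named is fewer certificate prompts.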
@@ -111,6 +187,23 @@ Applies to:
## Device security
+### Linux support for Endpoint detection and response exclusion settings
+
+We are adding a new Endpoint Security template under Endpoint detection and response (EDR) for the Linux platform, that will be supported through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario.
+
+The template will support settings related to global exclusion settings. Applicable to antivirus and EDR engines on the client, the settings can configure exclusions to stop associated real time protection EDR alerts for the excluded items. Exclusions can be defined by the file path, folder, or process explicitly defined by the admin in the policy.
+
+Applies to:
+
+- Linux
+
+### New Microsoft Tunnel readiness check for auditd package
+
+We're updating the [Microsoft Tunnel readiness tool](../protect/microsoft-tunnel-prerequisites.md#run-the-readiness-tool) to detect if the **auditd** package for Linux System Auditing (LSA) is installed on your Linux Server. When this check is in place, the mst-readiness tool will raise a warning if the audit package isn't installed. Auditing isn't a required prerequisite for the Linux Server, but recommended.
+
+For more information on *auditd* and how to install it on your Microsoft Tunnel server, see [Linux system auditing](../protect/microsoft-tunnel-prerequisites.md#linux-system-auditing).
+
+
### Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint
You'll be able to use the endpoint security policy for *Device control* (Attack surface reduction policy) from the Microsoft Intune with the devices you manage through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) capability.
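Review bot: In the Linux EDR exclusions entry, "stop associated real time protection EDR alerts for the excluded items" is hard to parse and understates the effect. Since the paragraph says the settings apply to both the antivirus and EDR engines, spell out that an excluded path, folder, or process is no longer covered by either engine, and hyphenate "real-time". In the auditd entry, the "Applies to:" block that every neighboring entry has is missing, there are two blank lines before the next heading, and "Auditing isn't a required prerequisite for the Linux Server, but recommended" reads better as "Auditing isn't required on the Linux server, but we recommend it." The abbreviation "LSA" is introduced and never used again, so it can be dropped.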
@@ -134,7 +227,40 @@ When this change takes effect, devices that are assigned this policy while manag
-
+## Monitor and troubleshoot
+
+### New device actions for single device query
+
+We're adding the Intune remote device actions to Single device query to help you manage your devices remotely. From the device query interface, you'll be able to run device actions based on query results for faster and more efficient troubleshooting.
+
+Applies to:
+
+- Windows
+
+For more information, see:
+
+- [Device query in Microsoft Intune](../../analytics/device-query.md)
+- [Run remote actions on devices with Microsoft Intune](../remote-actions/device-management.md)
+
+### Device Query for Multiple Devices
+
+We're adding Device query for multiple devices. This feature allows you to gain comprehensive insights about your entire fleet of devices using Kusto Query Language (KQL) to query across collected inventory data for your devices.
+
+Device query for multiple devices will be supported for devices running Windows 10 or later. This feature will be included as part of Advanced Analytics.
+
+Applies to:
+
+- Windows
+
+### ICCID will be inventoried for Android Enterprise Dedicated and Fully Managed
+
+We're adding the ability to view a device's ICCID number for devices enrolled as Android Enterprise Dedicated or Android Fully Managed. Admins can view ICCID numbers in their device inventory.
+
+When available, you can find the ICCID number for Android devices by navigating to **Devices** > **Android**. Select a device of interest. In the side panel, under **Monitor** select **Hardware**. The ICCID number will be in the **Network details** group. The ICCID number isn't supported for Android Corporate-Owned Work Profile devices.
+
+Applies to:
+
+- Android
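Review bot: The ICCID entry lists "Applies to: Android" while the heading limits it to Dedicated and Fully Managed and the last sentence of the body excludes corporate-owned work profile devices. Put the enrollment types in the "Applies to" list so the scope isn't buried at the end of the paragraph, and use one name consistently ("Android Enterprise Fully Managed" versus "Android Fully Managed"). Heading capitalization is also inconsistent within this hunk: "Device Query for Multiple Devices" is title case while "New device actions for single device query" is sentence case.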
diff --git a/memdocs/intune/fundamentals/intune-govt-service-description.md b/memdocs/intune/fundamentals/intune-govt-service-description.md
index 1db705490c7..1f49422a6ff 100644
--- a/memdocs/intune/fundamentals/intune-govt-service-description.md
+++ b/memdocs/intune/fundamentals/intune-govt-service-description.md
@@ -7,7 +7,7 @@ keywords:
author: MandiOhlinger
ms.author: mandia
manager: dougeby
-ms.date: 09/19/2024
+ms.date: 10/30/2024
ms.topic: article
ms.service: microsoft-intune
ms.suite: ems
@@ -73,7 +73,7 @@ The following features are available and supported in Microsoft GCC High and/or
| --- | --- |
| Standard MDM features | ✅
You can use app policies, device configuration profiles, compliance policies, and more. |
| Mobile Threat Defense (MTD) | ✅
Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices with MTD vendors that **also support** the GCC High environment can be used. When you sign in to a GCC High tenant, you see the connectors that are available in these environments. |
-| Microsoft Defender for Endpoint security settings management (public preview)| ✅
On devices onboarded to Defender but not enrolled in Intune, you can use Intune endpoint security policies to manage Defender security settings. For more information on this feature, go to [Defender for Endpoint security settings management](../protect/mde-security-integration.md). |
+| Microsoft Defender for Endpoint security settings management | ✅
On devices onboarded to Defender but not enrolled in Intune, you can use Intune endpoint security policies to manage Defender security settings.
This support extends to the US Government Community Cloud (GCC), US Government Community High (GCC High), and Department of Defense (DoD) environments.
For more information on this feature, go to [Defender for Endpoint security settings management](../protect/mde-security-integration.md). |
| Platform support | ✅
You can use the same operating systems - Android, AOSP, iOS/iPadOS, Linux, macOS, and Windows.
- **Android (AOSP)**: There are some device restrictions. For more information, go to [Supported operating systems and browsers in Intune - AOSP](supported-devices-browsers.md#android).
- **Linux**: Generally available (GA) in February 2024.|
| Remote Help | ✅
Remote Help is supported in GCC on Android, macOS, and Windows devices. It's not supported in GCC High or DoD.
For more information on this feature, go to [Remote Help in Microsoft Intune](../fundamentals/remote-help.md). |
| Windows Autopilot device preparation | ✅
Some features are available now, such as user-driven deployments, and some are still [in the planning phase](#in-the-planning-phase). For more information on the recent changes to Windows Autopilot device preparation, go to [Blog: Windows deployment with the next generation of Windows Autopilot](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/windows-deployment-with-the-next-generation-of-windows-autopilot/ba-p/4148169).
To get started with Windows Autopilot device preparation, go to [Windows Autopilot Device Preparation overview](/autopilot/device-preparation/overview). |
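Review bot: The added sentence in the Defender for Endpoint row expands GCC as "US Government Community Cloud" but GCC High as "US Government Community High", dropping "Cloud"; the whats-new.md entry in this patch repeats the same wording. Pick one expansion and use it in both places. Since the table is introduced as features available in GCC High and/or DoD, also check that calling out GCC in this row doesn't contradict the table's stated scope.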
diff --git a/memdocs/intune/fundamentals/intune-planning-guide.md b/memdocs/intune/fundamentals/intune-planning-guide.md
index 82caaf3feb0..2d39a8ba885 100644
--- a/memdocs/intune/fundamentals/intune-planning-guide.md
+++ b/memdocs/intune/fundamentals/intune-planning-guide.md
@@ -623,7 +623,7 @@ Validate the end-user experience with success metrics in your deployment plan. S
- Tools and resources
- Q & A
-The community-based [Intune forum](https://social.technet.microsoft.com/Forums/home) and [end-user documentation](/intune-user-help/use-managed-devices-to-get-work-done) are also great resources.
+The community-based [Intune forum](https://social.technet.microsoft.com/Forums/home) and [end-user documentation](/mem/intune/user-help/use-managed-devices-to-get-work-done) are also great resources.
## Related articles
diff --git a/memdocs/intune/fundamentals/manage-apps.md b/memdocs/intune/fundamentals/manage-apps.md
index f5bcbfb2ed9..beb5c63fd50 100644
--- a/memdocs/intune/fundamentals/manage-apps.md
+++ b/memdocs/intune/fundamentals/manage-apps.md
@@ -125,7 +125,7 @@ The app features in the Intune admin center make it easier to deploy these diffe
- [Win32 app management](../apps/apps-win32-app-management.md)
> [!NOTE]
- > [Microsoft Store for Business](/microsoft-store/microsoft-store-for-business-overview) is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077).
+ > Microsoft Store for Business is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077).
## Configure apps before they're installed
diff --git a/memdocs/intune/fundamentals/reports-export-graph-available-reports.md b/memdocs/intune/fundamentals/reports-export-graph-available-reports.md
index 36153a1962c..a5331e077d2 100644
--- a/memdocs/intune/fundamentals/reports-export-graph-available-reports.md
+++ b/memdocs/intune/fundamentals/reports-export-graph-available-reports.md
@@ -860,6 +860,7 @@ The following table contains the possible output when calling the `AppInvAggrega
| ApplicationShortVersion |
| ApplicationVersion |
| DeviceCount |
+| Platform |
There are no filters for this report.
@@ -884,7 +885,19 @@ The following table contains the possible output when calling the `AppInvRawData
| EmailAddress |
| UserName |
-There are no filters for this report.
+You can filter the `AppInvRawData` report using the `eq` comparison operator on the following properties:
+- ApplicationName
+- ApplicationPublisher
+- ApplicationShortVersion
+- ApplicationVersion
+- DeviceId
+- DeviceName
+- OSDescription
+- OSVersion
+- Platform
+- UserId
+- EmailAddress
+- UserName
## ChromeOSDevices report
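Review bot: The new filter list for `AppInvRawData` starts on the line directly after its intro sentence with no blank line, and the final item runs straight into `## ChromeOSDevices report`. Add blank lines on both sides of the list. The property names are plain text while the report name and `eq` are in code formatting; formatting the properties the same way would match. A one-line sample filter expression would also help, since the sentence names the operator but doesn't show the expected syntax.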
@@ -941,7 +954,7 @@ You can check whether the ChromeOSDevices report has completed by using the Micr
Use the output from the above call to determine the status of the ChromeOSDevices report. An example call will look similar to the following:
`https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs('ChromeOSDevices_1223a321-4bcd-5432-efg1-0hi9876h1234') `
-You can continue to run your call to check the status of the report. When the report shows a status of `complete`, you're report is ready to be downloaded.
+You can continue to run your call to check the status of the report. When the report shows a status of `complete`, your report is ready to be downloaded.
### Download the completed ChromeOSDevices report
diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md
index 3791d16f6de..8e8e34fe44f 100644
--- a/memdocs/intune/fundamentals/whats-new.md
+++ b/memdocs/intune/fundamentals/whats-new.md
@@ -7,7 +7,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 10/19/2024
+ms.date: 10/31/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -75,6 +75,15 @@ You can use RSS to be notified when this page is updated. For more information,
### Tenant administration
-->
+## Week of October 28, 2024
+
+### Device security
+
+#### Defender for Endpoint security settings support in government cloud environments (generally available)
+
+Now generally available, customer tenants in the Government Community Cloud (GCC), US Government Community High (GCC High), and Department of Defense (DoD) environments can use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. Previously, support for Defender security settings was in public preview.
+
+This capability is known as [Defender for Endpoint security settings management](../protect/mde-security-integration.md).
## Week of October 14, 2024 (Service release 2410)
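Review bot: The added paragraph switches subject mid-sentence: "customer tenants ... can use Intune to manage the Defender security settings on the devices you’ve onboarded". Keep it in second person throughout, for example "you can use Intune in GCC, GCC High, and DoD tenants to manage ...". "you’ve" uses a curly apostrophe where the rest of the file uses straight ones, and the new section needs a blank line before `## Week of October 14, 2024 (Service release 2410)`.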
diff --git a/memdocs/intune/includes/intune-notices.md b/memdocs/intune/includes/intune-notices.md
index ef1daca0e81..615a5ca2d36 100644
--- a/memdocs/intune/includes/intune-notices.md
+++ b/memdocs/intune/includes/intune-notices.md
@@ -4,7 +4,7 @@ description: include file
author: dougeby
ms.service: microsoft-intune
ms.topic: include
-ms.date: 03/13/2024
+ms.date: 10/30/2024
ms.author: dougeby
manager: dougeby
ms.custom: include file
@@ -12,6 +12,26 @@ ms.custom: include file
These notices provide important information that can help you prepare for future Intune changes and features.
+### Update to the latest Intune App SDK and Intune App Wrapper for Android 15 support
+We've recently released new versions of the Intune App SDK and Intune App Wrapping Tool for Android to support Android 15. We recommend upgrading your app to the latest SDK or wrapper versions to ensure applications stay secure and run smoothly.
+
+#### How does this affect you or your users?
+
+If you have applications using the Intune App SDK or Intune App Wrapping Tool for Android, it's recommended that you update your app to the latest version to support Android 15.
+
+#### How can you prepare?
+
+If you choose to build apps targeting Android API 35, you'll need to adopt the new version of the Intune App SDK for Android (v11.0.0). If you’ve wrapped your app and are targeting API 35 you'll need to use the new version of the App wrapper (v1.0.4549.6).
+
+> [!NOTE]
+> As a reminder, while apps must update to the latest SDK if targeting Android 15, apps do not need to update the SDK to simply run on Android 15.
+
+You should also plan to update your documentation or developer guidance if applicable to include this change in support for the SDK.
+
+Here are the public repositories:
+- [Intune App SDK for Android](https://github.com/microsoftconnect/ms-intune-app-sdk-android)
+- [Intune App Wrapping Tool for Android](https://github.com/microsoftconnect/intune-app-wrapping-tool-android)
+
### Take Action: Update to the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
To support the upcoming release of iOS/iPadOS 18.1, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. **Important:** If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:
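Review bot: The heading says "Intune App Wrapper" while the body and the repository link say "Intune App Wrapping Tool"; use the product name consistently. The "How does this affect you" paragraph recommends that all SDK and wrapper apps update to support Android 15, but the note below says apps don't need to update just to run on Android 15. Reword the first paragraph so the requirement is clearly tied to targeting API 35. The heading is also missing a blank line before the first paragraph, and "you’ve" uses a curly apostrophe.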
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md
new file mode 100644
index 00000000000..471b12382f2
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md
@@ -0,0 +1,52 @@
+---
+title: Common Education iPads Apple Intelligence configuration
+description: Learn about common iPads Apple Intelligence configuration used by Education organizations in Intune.
+ms.date: 10/16/2024
+ms.topic: tutorial
+author: yegor-a
+ms.author: egorabr
+ms.manager: dougeby
+no-loc: [Microsoft, Apple]
+ms.collection:
+- graph-interactive
+---
+
+# Apple Intelligence
+
+This article summarizes restrictions for Apple Intelligence introduced in iPadOS 18.
+
+To learn more, see:
+
+- [Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices](/mem/intune/configuration/settings-catalog)
+- [Restrictions payload](https://developer.apple.com/documentation/devicemanagement/restrictions)
+- [iPadOS 18](https://www.apple.com/ipados/ipados-18)
+
+> [!TIP]
+> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
+
+## [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Restrictions | **:::no-loc text="Allow Genmoji":::** | False | Prohibits creating new Genmoji. | [:::no-loc text="allowGenmoji":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Image Playground":::** | False | Prohibits the use of image generation. | [:::no-loc text="allowImagePlayground":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Image Wand":::** | False | Prohibits the use of Image Wand. | [:::no-loc text="allowImageWand":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Personalized Handwriting Results":::** | False | | [:::no-loc text="allowPersonalizedHandwritingResults":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Writing Tool":::** | False | Disables Apple Intelligence writing tools. | [:::no-loc text="allowWritingTools":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Appple Intelligence**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - Apple Intelligence","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowgenmoji","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowgenmoji_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowimageplayground","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowimageplayground_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowimagewand","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowimagewand_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpersonalizedhandwritingresults","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpersonalizedhandwritingresults_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_alloww
ritingtools","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowwritingtools_false","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
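Review bot: The request body that closes this file sets `"description":""`, so the Apple Intelligence policy is created in the tenant with no record of what it restricts or that it came from this sample. Suggest a one-line description naming the five settings it turns off (`allowgenmoji`, `allowimageplayground`, `allowimagewand`, `allowpersonalizedhandwritingresults`, `allowwritingtools`), so an admin auditing configuration policies later can tell it apart from a hand-built one. The body is also a single minified line, which makes each `settingDefinitionId` and its `_false` value hard to verify in review; pretty-printing it would make future diffs to this payload readable.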
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md
new file mode 100644
index 00000000000..15dde916548
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md
@@ -0,0 +1,145 @@
+---
+title: Common Education iPads restrictions configuration
+description: Learn about common iPads restrictions configuration used by Education organizations in Intune.
+ms.date: 10/16/2024
+ms.topic: tutorial
+author: yegor-a
+ms.author: egorabr
+ms.manager: dougeby
+no-loc: [Microsoft, Apple]
+ms.collection:
+- graph-interactive
+---
+
+# Common Education iPad device restrictions
+
+This article summarizes the configurations that are most commonly used for student and teacher iPads in educational organizations.
+
+To learn more, see:
+
+- [Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices](/mem/intune/configuration/settings-catalog)
+- [Configure and secure devices with Microsoft Intune](/mem/intune/industry/education/tutorial-school-deployment/configure-device-settings)
+- [Review MDM payloads for Apple devices](https://support.apple.com/guide/deployment/review-mdm-payloads-dep5370d089/web)
+- [MDM payload list for iPhone and iPad devices](https://support.apple.com/guide/deployment/payload-list-for-iphone-and-ipad-depdca795ebd/1/web/1.0)
+
+> [!TIP]
+> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
+
+## General restrictions
+
+### [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Restrictions | **:::no-loc text="Allow Activity Continuation":::** | False | | [:::no-loc text="allowActivityContinuation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Adding Game Center Friends":::** | False | | [:::no-loc text="allowAddingGameCenterFriends":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow AirDrop":::** | False | | [:::no-loc text="allowAirDrop":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow App Cellular Data Modification":::** | False | | [:::no-loc text="allowAppCellularDataModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow App Installation":::** | False | Disables the App Store, and the system removes its icon from the Home screen. Users are unable to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. | [:::no-loc text="allowAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Apple Personalized Advertising":::** | False | | [:::no-loc text="allowApplePersonalizedAdvertising":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Assistant":::** | False | Disables Siri. | [:::no-loc text="allowAssistant":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Assistant User Generated Content":::** | False | | [:::no-loc text="allowAssistantUserGeneratedContent":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Assistant While Locked":::** | False | | [:::no-loc text="allowAssistantWhileLocked":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Auto Unlock":::** | False | | [:::no-loc text="allowAutoUnlock":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Bookstore Erotica":::** | False | | [:::no-loc text="allowBookstoreErotica":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cellular Plan Modification":::** | False | | [:::no-loc text="allowCellularPlanModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Chat":::** | False | Disables the use of iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages. | [:::no-loc text="allowChat":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Backup":::** | False | Disables backing up the device to iCloud as it can't be restricted to Managed Apple ID only. | [:::no-loc text="allowCloudBackup":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Document Sync":::** | False | Disables document and key-value syncing to iCloud. | [:::no-loc text="allowCloudDocumentSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Keychain Sync":::** | False | Disables iCloud keychain synchronization. | [:::no-loc text="allowCloudKeychainSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Photo Library":::** | False | Disables iCloud Photo Library. The system removes any photos from local storage that aren't fully downloaded from iCloud Photo Library to the device. | [:::no-loc text="allowCloudPhotoLibrary":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Private Relay":::** | False | Disables iCloud Private Relay. | [:::no-loc text="allowCloudPrivateRelay":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Device Name Modification":::** | False | Prevents the user from changing the device name. Intune Remote Action can override this restriction. | [:::no-loc text="allowDeviceNameModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enabling Restrictions":::** | False | Disables the Enable Restrictions option in the Restrictions UI in Settings. | [:::no-loc text="allowEnablingRestrictions":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enterprise App Trust":::** | False | Removes the Trust Enterprise Developer button in *Settings > General > Profiles & Device Management*, which prevents provisioning apps by universal provisioning profiles. | [:::no-loc text="allowEnterpriseAppTrust":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow ESIM Modification":::** | False | | [:::no-loc text="allowESIMModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Explicit Content":::** | False | | [:::no-loc text="allowExplicitContent":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Files Network Drive Access":::** | False | | [:::no-loc text="allowFilesNetworkDriveAccess":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Files USB Drive Access":::** | False | | [:::no-loc text="allowFilesUSBDriveAccess":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Find My Friends":::** | False | | [:::no-loc text="allowFindMyFriends":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Find My Friends Modification":::** | False | | [:::no-loc text="allowFindMyFriendsModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Game Center":::** | False | | [:::no-loc text="allowGameCenter":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow In App Purchases":::** | False | | [:::no-loc text="allowInAppPurchases":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow iPhone Widgets On Mac":::** | False | | [:::no-loc text="allowiPhoneWidgetsOnMac":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow iTunes":::** | False | | [:::no-loc text="allowiTunes":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Lock Screen Control Center":::** | False | | [:::no-loc text="allowLockScreenControlCenter":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Lock Screen Notifications View":::** | False | | [:::no-loc text="allowLockScreenNotificationsView":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Lock Screen Today View":::** | False | | [:::no-loc text="allowLockScreenTodayView":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Managed Apps Cloud Sync":::** | False | Prevents managed apps from using iCloud sync. | [:::no-loc text="allowManagedAppsCloudSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Marketplace App Installation":::** | False | Prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps.
**Note:** For select markets. | [:::no-loc text="allowMarketplaceAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Multiplayer Gaming":::** | False | | [:::no-loc text="allowMultiplayerGaming":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Music Service":::** | False | | [:::no-loc text="allowMusicService":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow News":::** | False | | [:::no-loc text="allowNews":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Notifications Modification":::** | False | | [:::no-loc text="allowNotificationsModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Paired Watch":::** | False | | [:::no-loc text="allowPairedWatch":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Passbook While Locked":::** | False | Hides Passbook notifications from the lock screen. | [:::no-loc text="allowPassbookWhileLocked":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Password Proximity Requests":::** | False | Disables requesting passwords from nearby devices. | [:::no-loc text="allowPasswordProximityRequests":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Password Sharing":::** | False | | [:::no-loc text="allowPasswordSharing":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Personal Hotspot Modification":::** | False | | [:::no-loc text="allowPersonalHotspotModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Podcasts":::** | False | | [:::no-loc text="allowPodcasts":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Proximity Setup To New Device":::** | False | | [:::no-loc text="allowProximitySetupToNewDevice":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Radio Service":::** | False | | [:::no-loc text="allowRadioService":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Shared Stream":::** | False | Disables Shared Photo Stream. | [:::no-loc text="allowSharedStream":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Spotlight Internet Results":::** | False | Disables Spotlight Internet search results in Siri Suggestions. | [:::no-loc text="allowSpotlightInternetResults":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow System App Removal":::** | False | | [:::no-loc text="allowSystemAppRemoval":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow UI App Installation":::** | False | Disables the App Store, and the systems removes its icon from the Home screen. However, users can continue to use host apps such as iTunes or Configurator to install or update their apps. | [:::no-loc text="allowUIAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow UI Configuration Profile Installation":::** | False | Prohibits the user from installing configuration profiles and certificates interactively. | [:::no-loc text="allowUIConfigurationProfileInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow VPN Creation":::** | False | | [:::no-loc text="allowVPNCreation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Wallpaper Modification":::** | False | | [:::no-loc text="allowWallpaperModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Web Distribution App Installation":::** | False | Prevents installation of apps directly from the web.
**Note:** For select markets. | [:::no-loc text="allowWebDistributionAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force Assistant Profanity Filter":::** | True | Forces the use of the profanity filter assistant. | [:::no-loc text="forceAssistantProfanityFilter":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force Limit Ad Tracking":::** | True | Disables app tracking and the Allow Apps to Request to Track setting. | [:::no-loc text="forceLimitAdTracking":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force WiFi Power On":::** | True | | [:::no-loc text="forceWiFiPowerOn":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Safari Force Fraud Warning":::** | True | | [:::no-loc text="safariForceFraudWarning":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Web Content Filter | **:::no-loc text="Auto Filter Enabled":::** | True | Enables automatic filtering.
**Note:** iPadOS's built-in filter checks for adult content and doesn't cover categories that are educationally inappropriate. A separate filtering solution is recommended. | [:::no-loc text="AutoFilterEnabled":::](https://developer.apple.com/documentation/devicemanagement/webcontentfilter) |
+
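Review bot: The Settings table above and the Graph Explorer payload that follows do not describe the same policy: the payload sets `com.apple.applicationaccess_allowfindmydevice` to `com.apple.applicationaccess_allowfindmydevice_false`, but the table has no "Allow Find My Device" row (it goes from "Allow Files USB Drive Access" straight to "Allow Find My Friends"). An admin who follows the table builds a different policy from one who posts the JSON, and disabling Find My Device affects lost-device recovery, so it should be documented with a note or dropped from the payload. Smaller points in the same table: the "Allow UI App Installation" row reads "the systems removes", where the "Allow App Installation" row has "the system removes"; the front-matter `title` says "iPads restrictions configuration" while the H1 says "iPad device restrictions"; and the request goes to the `/beta` endpoint without a note that beta Graph APIs can change.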
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Device restrictions**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - Device restrictions","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowactivitycontinuation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowactivitycontinuation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowaddinggamecenterfriends","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowaddinggamecenterfriends_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowairdrop","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowairdrop_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowappcellulardatamodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowappcellulardatamodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"c
om.apple.applicationaccess_allowappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowapplepersonalizedadvertising","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowapplepersonalizedadvertising_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowassistant","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowassistant_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowassistantusergeneratedcontent","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowassistantusergeneratedcontent_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowassistantwhilelocked","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowassistantwhilelocked_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowautounlock","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowautounlock_false","children":[]}},{"@odata.type":
"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowbookstoreerotica","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowbookstoreerotica_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcellularplanmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcellularplanmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowchat","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowchat_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudbackup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudbackup_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowclouddocumentsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowclouddocumentsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudkeychainsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudk
eychainsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudphotolibrary","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudphotolibrary_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudprivaterelay","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudprivaterelay_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowdevicenamemodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowdevicenamemodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenablingrestrictions","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowenablingrestrictions_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenterpriseapptrust","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowenterpriseapptrust_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowesimmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.devi
ceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowesimmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowexplicitcontent","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowexplicitcontent_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfilesnetworkdriveaccess","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfilesnetworkdriveaccess_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfilesusbdriveaccess","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfilesusbdriveaccess_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfindmydevice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfindmydevice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfindmyfriends","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfindmyfriends_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfindmyfr
iendsmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfindmyfriendsmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowgamecenter","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowgamecenter_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowinapppurchases","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowinapppurchases_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowiphonewidgetsonmac","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowiphonewidgetsonmac_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowitunes","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowitunes_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowlockscreencontrolcenter","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowlockscreencontrolcenter_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId":"com.apple.applicationaccess_allowlockscreennotificationsview","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowlockscreennotificationsview_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowlockscreentodayview","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowlockscreentodayview_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmanagedappscloudsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowmanagedappscloudsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmarketplaceappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowmarketplaceappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmultiplayergaming","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowmultiplayergaming_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmusicservice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowmusicse
rvice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allownews","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allownews_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allownotificationsmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allownotificationsmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpairedwatch","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpairedwatch_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpassbookwhilelocked","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpassbookwhilelocked_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordproximityrequests","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpasswordproximityrequests_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordsharing","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationCh
oiceSettingValue","value":"com.apple.applicationaccess_allowpasswordsharing_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpersonalhotspotmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpersonalhotspotmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpodcasts","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpodcasts_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowproximitysetuptonewdevice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowproximitysetuptonewdevice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowradioservice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowradioservice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowsharedstream","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowsharedstream_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowspotlightinternetresults","choic
eSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowspotlightinternetresults_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowsystemappremoval","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowsystemappremoval_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowuiappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowuiappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowuiconfigurationprofileinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowuiconfigurationprofileinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowvpncreation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowvpncreation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowwallpapermodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowwallpapermodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfig
urationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowwebdistributionappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowwebdistributionappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forceassistantprofanityfilter","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forceassistantprofanityfilter_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forcelimitadtracking","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forcelimitadtracking_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forcewifipoweron","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forcewifipoweron_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_safariforcefraudwarning","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_safariforcefraudwarning_true","children":[]}}]}]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.webcontent-filter_com.apple.webcontent-filter","groupSettingCollectionValue":[{"ch
ildren":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.webcontent-filter_autofilterenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.webcontent-filter_autofilterenabled_true","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
+
+## Settings that require additional consideration
+
+> [!CAUTION]
+> Enable these settings with caution after carefully evaluating their effect on your environment.
+
+### [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Managed Settings > MDM Options | **:::no-loc text="Activation Lock Allowed While Supervised":::** | False | Does not register a supervised device with Activation Lock. | [:::no-loc text="activationLockAllowedWhileSupervised":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions) |
+| Restrictions | **:::no-loc text="Allow App Removal":::** | False | Disables removal of apps from an iOS device.
**Note:** Could result in devices running out of disk space. | [:::no-loc text="allowAppRemoval":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Erase Content And Settings":::** | False | Without an ability to locally reset the device it complicates device recovery. | [:::no-loc text="allowEraseContentAndSettings":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Unpaired External Boot To Recovery":::** | False | Does not allow devices to be booted into recovery by an unpaired device. | [:::no-loc text="allowUnpairedExternalBootToRecovery":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Untrusted TLS Prompt":::** | False | Websites with untrusted certificates will not be displayed. If you use a DNS filtering solution or need to accept certificate changes due to SSL inspection, distribute the root CA certificate of the changed certificate from MDM. | [:::no-loc text="allowUntrustedTLSPrompt":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Video Conferencing":::** | False | Hides the FaceTime app.
**Note:** Disabling may prevent screen sharing in some remote assistant apps used by IT Helpdesk. | [:::no-loc text="allowVideoConferencing":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force WiFi To Allowed Networks Only":::** | True | Limits the device to only join Wi-Fi networks set up through a configuration profile.
**Note:** Could potentially leave the device in an unmanageable state if unable to connect to allowed networks. | [:::no-loc text="forceWiFiToAllowedNetworksOnly":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Device restrictions (require additional consideration)**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - Device restrictions (require additional consideration)","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"settings_item_mdmoptions","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"settings_item_mdmoptions_mdmoptions","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"settings_item_mdmoptions_mdmoptions_activationlockallowedwhilesupervised","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"settings_item_mdmoptions_mdmoptions_activationlockallowedwhilesupervised_false","children":[]}}]}]}]}]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowappremoval","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowappremoval_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowerasecontentandsettings","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","v
alue":"com.apple.applicationaccess_allowerasecontentandsettings_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowunpairedexternalboottorecovery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowunpairedexternalboottorecovery_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowuntrustedtlsprompt","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowuntrustedtlsprompt_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowvideoconferencing","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowvideoconferencing_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forcewifitoallowednetworksonly","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forcewifitoallowednetworksonly_true","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
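Review bot: the Graph Explorer request for "Device restrictions (require additional consideration)" sets `com.apple.applicationaccess_forcewifitoallowednetworksonly_true` in the same single POST as the other settings, yet the table's own note on that row says it "Could potentially leave the device in an unmanageable state if unable to connect to allowed networks." The tab text only says "This will create a policy in your tenant" and gives no prerequisite. Suggest adding a sentence before the `msgraph-interactive` block saying that a Wi-Fi configuration profile for the allowed networks must already be on the target devices before this policy is assigned. It should also say that the request body shown carries no assignment, so the created policy should be reviewed and trimmed to the settings actually wanted before it is assigned to a group. Separately, the Allow Untrusted TLS Prompt note ("distribute the root CA certificate of the changed certificate from MDM") is hard to parse; consider rewording it to say that the root CA certificate used by the DNS filtering or SSL inspection solution should be deployed to devices through MDM.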
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md
new file mode 100644
index 00000000000..8d5c79bbd0a
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md
@@ -0,0 +1,57 @@
+---
+title: Common Education iPads with no user affinity configuration
+description: Learn about common iPads with no user affinity configuration used by Education organizations in Intune.
+ms.date: 10/16/2024
+ms.topic: tutorial
+author: yegor-a
+ms.author: egorabr
+ms.manager: dougeby
+no-loc: [Microsoft, Apple]
+ms.collection:
+- graph-interactive
+---
+
+# iPads with no user affinity
+
+iPads used in earlier grades are commonly enrolled with no user affinity to simplify the user experience for younger students and to allow sharing of devices. For more information, please refer to [Enroll devices with Automated Device Enrollment](/mem/intune/industry/education/tutorial-school-deployment/enroll-ios-ade).
+
+These iPads generally have additional restrictions that are not suitable for 1:1 devices.
+
+To learn more, see:
+
+- [Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices](/mem/intune/configuration/settings-catalog)
+- [Restrictions payload](https://developer.apple.com/documentation/devicemanagement/restrictions)
+
+> [!TIP]
+> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
+
+## [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Restrictions | **:::no-loc text="Allow Account Modification":::** | False | Disables modification of accounts such as Apple IDs and Internet-based accounts such as Mail, Contacts, and Calendar. | [:::no-loc text="allowAccountModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Bookstore":::** | False | Removes the Book Store tab from the Books app. | [:::no-loc text="allowBookstore":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enterprise Book Backup":::** | False | Disables backup of Enterprise books. | [:::no-loc text="allowEnterpriseBookBackup":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enterprise Book Metadata Sync":::** | False | Disables sync of Enterprise books, notes, and highlights. | [:::no-loc text="allowEnterpriseBookMetadataSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Fingerprint For Unlock":::** | False | Prevents Touch ID or Face ID from unlocking a device. | [:::no-loc text="allowFingerprintForUnlock":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Fingerprint Modification":::** | False | Prevents the user from modifying Touch ID or Face ID. | [:::no-loc text="allowFingerprintModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Passcode Modification":::** | False | Prevents adding, changing, or removing the passcode. | [:::no-loc text="allowPasscodeModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Password Auto Fill":::** | False | | [:::no-loc text="allowPasswordAutoFill":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Safari Allow Autofill":::** | False | Disables Safari AutoFill for passwords, contact info, and credit cards and also prevents using the Keychain for AutoFill. | [:::no-loc text="safariAllowAutoFill":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - No user affinity**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - No user affinity","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowaccountmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowaccountmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowbookstore","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowbookstore_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenterprisebookbackup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowenterprisebookbackup_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenterprisebookmetadatasync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowenterprisebookmetadatasync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.
applicationaccess_allowfingerprintforunlock","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfingerprintforunlock_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfingerprintmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfingerprintmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasscodemodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpasscodemodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordautofill","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpasswordautofill_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_safariallowautofill","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_safariallowautofill_false","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
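Review bot: the Allow Password Auto Fill row in the Settings table has an empty Notes cell (`| False | | [:::no-loc text="allowPasswordAutoFill":::]`), while every other row in this table explains its effect. Because the Safari Allow Autofill row directly below already mentions passwords and the Keychain, a reader cannot tell what the separate Allow Password Auto Fill setting adds; please fill the cell with a one-line description taken from the linked Restrictions payload reference. This table also sets Allow Passcode Modification to False ("Prevents adding, changing, or removing the passcode") with no accompanying note, so consider a **Note:** on that row, in the style used elsewhere in this patch, saying whether a passcode is expected to exist on these shared devices before the policy applies. Minor style point: the intro uses "please refer to" while the same file uses "To learn more, see:" a few lines later; "see" would be consistent.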
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md
new file mode 100644
index 00000000000..dff086ba432
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md
@@ -0,0 +1,60 @@
+---
+title: Common Education iPads optional configuration
+description: Learn about common iPads optional configuration used by Education organizations in Intune.
+ms.date: 10/16/2024
+ms.topic: tutorial
+author: yegor-a
+ms.author: egorabr
+ms.manager: dougeby
+no-loc: [Microsoft, Apple]
+ms.collection:
+- graph-interactive
+---
+
+# Optional restrictions
+
+Optional policies, while relatively common, are provided for more situational use cases.
+
+To learn more, see:
+
+- [Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices](/mem/intune/configuration/settings-catalog)
+- [Restrictions payload](https://developer.apple.com/documentation/devicemanagement/restrictions)
+
+> [!TIP]
+> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
+
+## [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Managed Settings > Bluetooth | **:::no-loc text="Enabled":::** | True | Enable the Bluetooth setting. | [:::no-loc text="Enabled":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/bluetooth) |
+| Restrictions | **:::no-loc text="Force Automatic Date And Time":::** | True | Enables the Set Automatically feature in Date & Time and the user can't disable it.
**Note:**