Merge pull request #17033 from MicrosoftDocs/main

Publish main to live, 01/08/25, 3:30 PM PT
MicrosoftDocs · Jan 8, 2025 · a3c7d85 · a3c7d85
2 parents 71910cd + b32c332
commit a3c7d85
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 52 deletions.
diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md
diff --git a/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md b/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
 #audience:
 params:
   siblings_only: true
-ms.reviewer: andreibiswas, anuragjain
+ms.reviewer: arnab, anuragjain
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:

diff --git a/memdocs/intune/configuration/device-restrictions-android-for-work.md b/memdocs/intune/configuration/device-restrictions-android-for-work.md
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
 #audience:
 params:
   siblings_only: true
-ms.reviewer: andreibiswas, anuragjain
+ms.reviewer: arnab, anuragjain
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:

diff --git a/memdocs/intune/configuration/platform-sso-macos.md b/memdocs/intune/configuration/platform-sso-macos.md
@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 09/03/2024
+ms.date: 01/08/2025
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -249,6 +249,12 @@ To configure the Platform SSO policy, use the following steps to create an [Intu
 
 11. In **Assignments**, select the user or device groups that receive your profile. For devices with user affinity, assign to users or user groups. For devices with multiple users that are enrolled without user affinity, assign to devices or device groups.
 
+    > [!IMPORTANT]
+    > For Platform SSO settings on devices with user affinity, it's not supported to assign to device groups or filters. When using device group assignment or user group assignment with filters on devices with user affinity, the user might be unable to access resources protected by Conditional Access. This issue can happen:
+    >
+    > - If the Platform SSO settings are applied incorrectly. Or,
+    > - If the Company Portal app bypasses Microsoft Entra device registration when Platform SSO isn't enabled.
+
     For more information on assigning profiles, go to [Assign user and device profiles](device-profile-assign.md).
 
     Select **Next**.

diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md
@@ -288,7 +288,7 @@ The following tables list the ports and services that the Intune client accesses
 |Domains    |IP address      |
 |-----------|----------------|
 | login.microsoftonline.com <br> *.officeconfig.msocdn.com <br> config.office.com <br> graph.windows.net <br> enterpriseregistration.windows.net | More information [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) |
-|*.manage.microsoft.com <br> manage.microsoft.com <br>|104.46.162.96/27<br>13.67.13.176/28<br>13.67.15.128/27<br>13.69.231.128/28<br>13.69.67.224/28<br>13.70.78.128/28<br>13.70.79.128/27<br>13.71.199.64/28<br>13.73.244.48/28<br>13.74.111.192/27<br>13.77.53.176/28<br>13.86.221.176/28<br>13.89.174.240/28<br>13.89.175.192/28<br>20.189.172.160/27<br>20.189.229.0/25<br>20.191.167.0/25<br>20.37.153.0/24<br>20.37.192.128/25<br>20.38.81.0/24<br>20.41.1.0/24<br>20.42.1.0/24<br>20.42.130.0/24<br>20.42.224.128/25<br>20.43.129.0/24<br>20.44.19.224/27<br>20.49.93.160/27<br>20.192.174.216/29<br>20.192.159.40/29<br>20.204.193.12/30<br>20.204.193.10/31<br>40.119.8.128/25<br>40.67.121.224/27<br>40.70.151.32/28<br>40.71.14.96/28<br>40.74.25.0/24<br>40.78.245.240/28<br>40.78.247.128/27<br>40.79.197.64/27<br>40.79.197.96/28<br>40.80.180.208/28<br>40.80.180.224/27<br>40.80.184.128/25<br>40.82.248.224/28<br>40.82.249.128/25<br>52.150.137.0/25<br>52.162.111.96/28<br>52.168.116.128/27<br>52.182.141.192/27<br>52.236.189.96/27<br>52.240.244.160/27|
+|*.manage.microsoft.com <br> manage.microsoft.com <br>|104.46.162.96/27<br>13.67.13.176/28<br>13.67.15.128/27<br>13.69.231.128/28<br>13.69.67.224/28<br>13.70.78.128/28<br>13.70.79.128/27<br>13.74.111.192/27<br>13.77.53.176/28<br>13.86.221.176/28<br>13.89.174.240/28<br>13.89.175.192/28<br>20.189.172.160/27<br>20.189.229.0/25<br>20.191.167.0/25<br>20.37.153.0/24<br>20.37.192.128/25<br>20.38.81.0/24<br>20.41.1.0/24<br>20.42.1.0/24<br>20.42.130.0/24<br>20.42.224.128/25<br>20.43.129.0/24<br>20.44.19.224/27<br>20.192.174.216/29<br>20.192.159.40/29<br>20.204.193.12/30<br>20.204.193.10/31<br>40.119.8.128/25<br>40.67.121.224/27<br>40.70.151.32/28<br>40.71.14.96/28<br>40.74.25.0/24<br>40.78.245.240/28<br>40.78.247.128/27<br>40.79.197.64/27<br>40.79.197.96/28<br>40.80.180.208/28<br>40.80.180.224/27<br>40.80.184.128/25<br>40.82.248.224/28<br>40.82.249.128/25<br>52.150.137.0/25<br>52.162.111.96/28<br>52.168.116.128/27<br>52.182.141.192/27<br>52.236.189.96/27<br>52.240.244.160/27|
 -->
 
 ## Network requirements for PowerShell scripts and Win32 apps  

diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md
@@ -44,6 +44,27 @@ With Intune device configuration policy, you can turn off all or part of the web
 
 - **Android Enterprise Fully Managed profile**. Use an app configuration profile and the [configuration designer](../apps/app-configuration-policies-use-android.md#use-the-configuration-designer) to disable the entire web protection feature or to disable only the use of VPNs.
 
+**The following browsers are supported with Defender loopback VPN:** 
+- Chrome- 
+- Microsoft Edge
+- Opera
+- Samsung Internet
+- Firefox
+- Brave
+- Tor
+- Browser Leopard
+- DuckDuckGo
+- Dolphin
+
+**The following browsers are supported with accessibility service without Defender loopback VPN:**
+- Chrome
+- Edge
+- Opera
+- Samsung Internet
+
+> [!IMPORTANT]
+> Work profile scenarios (Android Enterprise personally owned devices using a work profile and Android Enterprise corporate owned work profile) do not support the accessibility service.
+
 To configure web protection on devices, use the following procedures to create and deploy the applicable configuration.
 
 ## Disable web protection for Android device administrator
@@ -114,18 +135,16 @@ To configure web protection on devices, use the following procedures to create a
 
 6. Find and select configuration keys **Anti-Phishing** and **VPN**, and then select **OK** to return to the **Settings** page.
 
-7. For the **Configuration values** of both configuration keys (**Anti-Phishing** and **VPN**), enter **0** to disable web protection.
+1. For the **Configuration values** of both configuration keys (**Anti-Phishing** and **VPN**), enter **0** to disable web protection and enter **1** to enable web protection. By default, web protection is enabled.
 
    > [!NOTE]
-   >
-   > The **Web Protection** configuration key is deprecated. If you've used this key in the past, complete the previous steps to re-configure the setting by setting the keys **Anti-Phishing** and **VPN** to enable or disable web protection.
-
+   > Values for Anti-Phishing and VPN should be same either to be 0 to disable or 1 to enable, otherwise both features will automatically be disabled.
+   
    > [!NOTE]
-   >
-   > Enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. This setting is the default.
-
+   > The **Web Protection** configuration key is deprecated. If you've used this key in the past, complete the previous steps to re-configure the setting by setting the keys **Anti-Phishing** and **VPN** to enable or disable web protection.
+   
    Select **Next** to continue.
-
+   
 8. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
 
 9. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
@@ -134,21 +153,21 @@ To configure web protection on devices, use the following procedures to create a
 
 1. Complete the same configuration steps [described previously](#disable-web-protection-for-the-android-enterprise-personally-owned-work-profile), and add web protection configuration keys **Anti-phishing** and **VPN**. The only difference is the **Profile Type** value. For this value, select **Fully Managed, Dedicated, and Corporate-Owned Work Profile Only**.
 
-   - To disable web protection, enter **0** for configuration values **Anti-Phishing** and **VPN**.
+   - To disable web protection, enter **0** for configuration values **Anti-Phishing** and **VPN** and enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. By default, web protection is enabled.
+
    - To disable only the use of VPN by web protection, enter these configuration values:
-     - **0** for **VPN**
-     - **1** for **Anti-Phishing**
-
+      - **0** for **VPN**
+
+      - **1** for **Anti-Phishing**
+
    > [!NOTE]
-   >
-   > You can't disable VPN for the Android Enterprise Fully Managed profile if you've configured the Auto Setup of Always-on VPN device configuration     policy on the enrolled devices.
-
+   > For 'Android Enterprise corporate owned work profile' enrollment scenario values for VPN and Anti-Phishing should be same either both 0 to disable or 1 to enable, otherwise both features will automatically be disabled, but for 'Android Enterprise corporate owned fully managed - no work profile' enrollment scenario need not to have the same value for VPN and Anti-Phishing, each feature can work individually.
+   
    > [!NOTE]
-   >
-   > Enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. This setting is the default.
-
+   > You can't disable VPN for the Android Enterprise Fully Managed profile if you've configured the Auto Setup of Always-on VPN device configuration     policy on the enrolled devices.
+   
    Select **Next** to continue.
-
+   
 2. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
 
 3. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you
@@ -162,4 +181,6 @@ To configure web protection on devices, use the following procedures to create a
 - Learn more from the Microsoft Defender for Endpoint documentation:
 
   - [Microsoft Defender for Endpoint Conditional Access](/windows/security/threat-protection/microsoft-defender-atp/conditional-access)
+
   - [Microsoft Defender for Endpoint risk dashboard](/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
+
diff --git a/memdocs/intune/protect/endpoint-security-app-control-policy.md b/memdocs/intune/protect/endpoint-security-app-control-policy.md
@@ -70,7 +70,7 @@ The following devices are supported for App Control for Business policies when t
 
 - **Windows Enterprise or Education**:
   - Windows 10 version 1903 or later
-  - Windows 11 version 1903 or later
+  - Windows 11
 
 - **Windows Professional**:
   - Windows 10 with [KB5019959](https://support.microsoft.com/topic/november-8-2022-kb5019959-os-builds-19042-2251-19043-2251-19044-2251-and-19045-2251-f65e0600-2135-4efd-a979-08d1df34dce8)