Commit c00bc87

Merge pull request #13830 from MicrosoftDocs/release-intune-2401
Release intune 2401
2 parents 5baba8b + c002bf9 commit c00bc87

167 files changed, +2025 -1646 lines changed

memdocs/configmgr/comanage/quickstart-remote-actions.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ The global consulting firm Avanade regularly uses remote actions to manage the d
4545
> *Our immediate win from having the Intune functionality was the ability to remotely reset Windows on a machine. This is important to us for lost or stolen machines, which is more common in our highly mobile workforce.*
4646
> *This is functionality that we otherwise would have had to build and maintain in a custom ConfigMgr package.*
4747
48-
For more information on how to use these remote actions, see [Available device actions](../../intune/remote-actions/device-management.md#available-device-actions).
48+
For more information on how to use these remote actions, see [Available device actions](../../intune/remote-actions/device-management.md#available-remote-actions).
4949

5050
## Value proposition
5151
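
Review bot: On added line 48 the anchor changes to `#available-remote-actions`, but the link text still reads "Available device actions", so the label no longer matches the target it points to. Update the link text to match the heading, and confirm that `device-management.md` carries that heading in this same commit, since its diff is not shown here and a stale anchor would drop readers at the top of the page instead of the actions list.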

memdocs/intune/apps/app-configuration-managed-home-screen-app.md

Lines changed: 20 additions & 20 deletions
Large diffs are not rendered by default.

memdocs/intune/apps/app-configuration-policies-overview.md

Lines changed: 3 additions & 3 deletions
@@ -112,11 +112,11 @@ For Android Enterprise app configuration policies, you can select the device enr
112112
Enrollment type can be one of the following:
113113

114114
- **All Profile Types**: If a new profile is created and **All Profile Types** is selected for device enrollment type, you will not be able to associate a certificate profile with the app config policy. This option supports username and password authentication. If you use certificate-based authentication, don't use this option.
115-
- **Fully Managed, Dedicated, and Corporate-Owned Work Profile Only**: If a new profile is created and **Fully Managed, Dedicated, and Corporate-Owned Work Profile Only** is selected, **Fully Managed, Dedicated, and Corporate-Owned Work Profile** certificate policies created under **Device** > **Configuration profiles** can be utilized. This option supports certificate-based authentication, and username and password authentication. **Fully Managed** relates to Android Enterprise fully managed devices (COBO). **Dedicated** relates to Android Enterprise dedicated devices (COSU). **Corporate-Owned Work Profile** relates to Android Enterprise corporate-owned work profile (COPE).
116-
- **Personally-Owned Work Profile Only**: If a new profile is created and **Personally-Owned Work Profile Only** is selected, Work Profile certificate policies created under **Device** > **Configuration profiles** can be utilized. This option supports certificate-based authentication, and username and password authentication.
115+
- **Fully Managed, Dedicated, and Corporate-Owned Work Profile Only**: If a new profile is created and **Fully Managed, Dedicated, and Corporate-Owned Work Profile Only** is selected, **Fully Managed, Dedicated, and Corporate-Owned Work Profile** certificate policies created under **Devices** > **Configuration** can be utilized. This option supports certificate-based authentication, and username and password authentication. **Fully Managed** relates to Android Enterprise fully managed devices (COBO). **Dedicated** relates to Android Enterprise dedicated devices (COSU). **Corporate-Owned Work Profile** relates to Android Enterprise corporate-owned work profile (COPE).
116+
- **Personally-Owned Work Profile Only**: If a new profile is created and **Personally-Owned Work Profile Only** is selected, Work Profile certificate policies created under **Devices** > **Configuration** can be utilized. This option supports certificate-based authentication, and username and password authentication.
117117

118118
> [!NOTE]
119-
> If you deploy a Gmail or Nine configuration profile to an Android Enterprise dedicated device work profile which doesnt involve a user, it will fail because Intune cant resolve the user.
119+
> If you deploy a Gmail or Nine configuration profile to an Android Enterprise dedicated device work profile which doesn't involve a user, it will fail because Intune can't resolve the user.
120120
121121
> [!IMPORTANT]
122122
> Existing policies created prior to the release of this feature (April 2020 release - 2004) that do not have any certificate profiles associated with the policy will default to **All Profile Types** for device enrollment type. Also, existing policies created prior to the release of this feature that have certificate profiles associated with them will default to Work Profile only.
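
Review bot: Added line 116 and the unchanged [!IMPORTANT] note at line 122 still say "Work Profile certificate policies" and "Work Profile only", while the option itself is named **Personally-Owned Work Profile Only** and line 115 spells out the full name for the corporate-owned case. Use the full option name in both places so an admin choosing an enrollment type for certificate-based authentication cannot confuse the personally-owned and corporate-owned work profiles. Minor: "can be utilized" on lines 115 and 116 reads better as "can be used".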

memdocs/intune/apps/app-protection-framework.md

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ keywords:
88
author: Erikre
99
ms.author: erikre
1010
manager: dougeby
11-
ms.date: 11/03/2023
11+
ms.date: 01/12/2024
1212
ms.topic: conceptual
1313
ms.service: microsoft-intune
1414
ms.subservice: apps
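
Review bot: `ms.date` on line 11 is the only line this file changes (1 addition, 1 deletion), so the date moves from 11/03/2023 to 01/12/2024 with no content edit. If the article was reviewed for this release and found current, that is fine; otherwise leave the date as it was so readers are not told the guidance was revalidated when it was not.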

memdocs/intune/apps/app-protection-policy-settings-android.md

Lines changed: 6 additions & 3 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: Erikre
99
ms.author: erikre
1010
manager: dougeby
11-
ms.date: 11/01/2023
11+
ms.date: 01/12/2024
1212
ms.topic: conceptual
1313
ms.service: microsoft-intune
1414
ms.subservice: apps
@@ -53,6 +53,9 @@ There are three categories of policy settings: data protection settings, access
5353
|<ul><b>**Transfer telecommunications data to** |Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app:<ul><li>**None, do not transfer this data between apps**: Don't transfer communication data when a phone number is detected.</li><li>**A specific dialer app**: Allow a specific dialer app to initiate contact when a phone number is detected.</li><li>**Any policy-managed dialer app**: Allow any policy managed dialer app to initiate contact when a phone number is detected.</li><li>**Any dialer app**: Allow any dialer app to be used to initiate contact when a phone number is detected.</li></ul>|**Any dialer app** |
5454
|<ul><b><ul><b>**Dialer App Package ID** |When a specific dialer app has been selected, you must provide the [app package ID](../apps/app-configuration-vpn-ae.md#get-the-app-package-id). |**Blank** |
5555
|<ul><b><ul><b>**Dialer App Name** |When a specific dialer app has been selected, you must provide the name of the dialer app. |**Blank** |
56+
|<ul><b>**Transfer messaging data to** | Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app:<ul><li>**None, do not transfer this data between apps**: Don't transfer communication data when a phone number is detected.</li><li>**A specific messaging app**: Allow a specific messaging app to be used to initiate contact when a phone number is detected.</li><li>**Any policy-managed messaging app**: Allow any policy-managed messaging app to be used to initiate contact when a phone number is detected.</li><li>**Any messaging app**: Allow any messaging app to be used to initiate contact when a phone number is detected.</li></ul>|**Any messaging app** |
57+
|<ul><b><ul><b>**Messaging App Package ID** |When a specific messaging app has been selected, you must provide the [app package ID](../apps/app-configuration-vpn-ae.md#get-the-app-package-id). |**Blank** |
58+
|<ul><b><ul><b>**Messaging App Name** |When a specific messaging app has been selected, you must provide the name of the messaging app. |**Blank** |
5659
|**Receive data from other apps** |Specify what apps can transfer data to this app: <ul><li>**Policy managed apps**: Allow transfer only from other policy-managed apps.</li><li>**All apps**: Allow data transfer from any app.</li><li>**None**: Don't allow data transfer from any app, including other policy-managed apps. </li></ul> <p>There are some exempt apps and services from which Intune may allow data transfer. See [Data transfer exemptions](app-protection-policy-settings-android.md#data-transfer-exemptions) for a full list of apps and services. |**All apps** |
5760
|<ul><b>**Open data into Org documents** |Select **Block** to disable the use of the *Open* option or other options to share data between accounts in this app. Select **Allow** if you want to allow the use of *Open*. <br><br>When set to **Block** you can configure the **Allow user to open data from selected services** to specific which services are allowed for Org data locations.<br><br>**Note:**<ul><li><i>This setting is only configurable when the setting **Receive data from other apps** is set to **Policy managed apps**.</i></li><li><i>This setting will be "Allow" when the setting **Receive data from other apps** is set to **All apps**.</i></li><li><i>This setting will be "Block" with no allowed service locations when the setting **Receive data from other apps** is set to **None**.</i></li><li><i>The following apps support this setting:</i><ul><li><i>OneDrive 6.14.1 or later.</i></li><li><i>Outlook for Android 4.2039.2 or later.</i></li><li><i>Teams for Android 1416/1.0.0.2021173701 or later.</i></li></ul></li></ul> |<br><br> **Allow** |
5861
|<ul><b><ul><b>**Allow users to open data from selected services** |Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.<br><br>Supported services:<ul><li>OneDrive for Business</li><li>SharePoint Online</li><li>Camera</li><li>Photo Library</li></ul>**Note:** Camera doesn't include Photos or Photo Gallery access. When selecting **Photo Library** (includes Android's [Photo picker](https://developer.android.com/training/data-storage/shared/photopicker) tool) in the **Allow users to open data from selected services** setting within Intune, you can allow managed accounts to allow *incoming* image/video from their device's local storage to their managed apps. |**All selected** |
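
Review bot: The description in the new **Transfer messaging data to** row on line 56 was copied from the dialer row above it: it says "a dialer app will open with the phone number prepopulated and ready to call", and it repeats the sentence "For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app" twice. Rewrite the opening to describe a messaging app and drop the duplicate sentence. The default, **Any messaging app**, is the least restrictive of the four options listed, so an accurate description matters to anyone tightening data transfer.
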
@@ -118,7 +121,7 @@ For more information, see [Data transfer policy exceptions for apps](app-protect
118121

119122
|Setting |How to use |
120123
|:------ |:------|
121-
|**PIN for access** |Select **Require** to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. <br><br> Default value = **Require**<br><br> You can configure the PIN strength using the settings available under the PIN for access section.
124+
|**PIN for access** |Select **Require** to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. <br><br> Default value = **Require**<br><br> You can configure the PIN strength using the settings available under the PIN for access section.<br><br> **Note:** End-users that are allowed to access the app can reset the app PIN.
122125
|<ol><br>**PIN type** |Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter **or** at least 1 special character. <br><br> Default value = **Numeric**<br><br> **Note:** Special characters allowed include the special characters and symbols on the Android English language keyboard. |
123126
|<ul><b> **Simple PIN** |Select **Allow** to allow users to use simple PIN sequences like *1234*, *1111*, *abcd* or *aaaa*. Select **Blocks** to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If **Block** is configured, 1235 or 1112 wouldn't be accepted as PIN set by the end user, but 1122 would be allowed. <br><br>Default value = **Allow** <br><br>**Note:** If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter **or** at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number **and** one letter **and** at least one special character in their PIN. </li> |
124127
|<ul><b> **Select minimum PIN length** |Specify the minimum number of digits in a PIN sequence. <br><br>Default value = **4** |
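
Review bot: The note added on line 124 says end users can reset the app PIN but not what a reset requires. The **Max PIN attempts** row in this file says a reset happens "after successfully logging into their account and completing a Multi-Factor Authentication (MFA) challenge if required"; say the same here, or point to that row, so the note does not read as a way around the PIN. Also, this row still ends without the closing `|` that the rows after it have, and "End-users that" should be "End users who".
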
@@ -147,7 +150,7 @@ By default, several settings are provided with pre-configured values and actions
147150
|Setting |How to use |
148151
|:----|:-----|
149152
|**Max PIN attempts** |Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their pin after successfully logging into their account and completing a Multi-Factor Authentication (MFA) challenge if required. This policy setting format supports a positive whole number.<p>*Actions* include: <br><ul><li>**Reset PIN** - The user must reset their PIN.</li><li>**Wipe data** - The user account that is associated with the application is wiped from the device.</li></ul>Default value = **5** |
150-
|**Offline grace period** |The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked.<p>*Actions* include: <br><ul><li>**Block access (minutes)** - The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app requires user authentication to Microsoft Entra ID so that the app can continue to run. <br><br>This policy setting format supports a positive whole number. <br><br>Default value = **720** minutes (12 hours) <br><br><b>Note:</b> Configuring the Offline grace period timer for blocking access to be less than the default value may result in more frequent user interruptions as policy is refreshed. Choosing a value of less than 30 mins is not recommended as it may result in user interruptions at each application launch or resume.</li><li>**Wipe data (days)** - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. For more information, see [How to wipe only corporate data from Intune-managed apps](apps-selective-wipe.md). This policy setting format supports a positive whole number. <br><br> Default value = **90 days** </li></ul> This entry can appear multiple times, with each instance supporting a different action. |
153+
|**Offline grace period** |The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked.<p>*Actions* include: <br><ul><li>**Block access (minutes)** - The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app requires user authentication to Microsoft Entra ID so that the app can continue to run. <br><br>This policy setting format supports a positive whole number. <br><br>Default value = **1440** minutes (24 hours) <br><br><b>Note:</b> Configuring the Offline grace period timer for blocking access to be less than the default value may result in more frequent user interruptions as policy is refreshed. Choosing a value of less than 30 mins is not recommended as it may result in user interruptions at each application launch or resume.</li><li>**Wipe data (days)** - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. For more information, see [How to wipe only corporate data from Intune-managed apps](apps-selective-wipe.md). This policy setting format supports a positive whole number. <br><br> Default value = **90 days** </li></ul> This entry can appear multiple times, with each instance supporting a different action. |
151154
|**Min app version** |Specify a value for the minimum application version value.<p>*Actions* include: <br><ul><li>**Warn** - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.</li><li>**Block access** - The user is blocked from access if the app version on the device doesn't meet the requirement. </li><li>**Wipe data** - The user account that is associated with the application is wiped from the device. </li></ul> </li></ul> As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, *Outlook version policy*).<br><br> This entry can appear multiple times, with each instance supporting a different action.<br><br> This policy setting format supports either major.minor, major.minor.build, major.minor.build.revision.<br><br> Additionally, you can configure **where** your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the **min app version** conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed [app configuration policy](app-configuration-policies-managed-app.md) sent to it with the key, `com.microsoft.intune.myappstore`. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be `CompanyPortal`. For any other store, you must enter a complete URL. |
152155
|**Disabled account** |There is no value to set for this setting.<p>*Actions* include: <br><ul><li>**Block access** - The user is blocked from access because their account has been disabled.</li><li>**Wipe data** - The user account that is associated with the application is wiped from the device.</li></ul> |
153156
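
Review bot: Line 153 raises the **Block access** default from 720 minutes (12 hours) to 1440 minutes (24 hours) without saying whether the new value applies to existing policies or only to newly created ones. This value is the time an app can run offline before its access requirements are rechecked, so add a sentence covering that, and recheck the Note that follows: "less than the default value" now covers any policy still set to 720. The cell also states "The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked." twice, once in the lead and once under **Block access**; one copy is enough.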
