diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 9339cde733..2020c4cd07 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 08/12/2024 +ms.date: 12/12/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
@@ -206,11 +206,14 @@ Enter JSON data to configure all available settings for Managed Home Screen, and In addition to the list of configurable settings listed in the **Configuration Designer** table (above), the following table provides the configuration keys you can only configure via JSON data. -| Configuration Key | Value Type | Default Value | Description | +| Configuration Key | Value Type | Details | Description | |-|-|-|-| -| Set allow-listed applications | bundleArray | | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | -| Set pinned web links | bundleArray | | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | -| Create Managed Folder for grouping apps | bundleArray | | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. Note: all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | +| Set allow-listed applications | bundleArray | See [JSON Data Examples](#json-data-examples). 
| Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | +| Set pinned web links | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | +| Create Managed Folder for grouping apps | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically.
**NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | +| Widget | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to add widgets to the home screen. Managed Home Screen provides and maintains a **Time** and **Weather** widget. You can also add a custom LOB widget or a third-party widget using JSON data. You can define the widget to be exposed by entering the app package name and widget class name. For example, to expose the **Time** widget, define the package name as `com.microsoft.launcher.enterprise` and widget class as **Time**. | + +### JSON Data Examples The following syntax is an example JSON script with all the available configuration keys included: diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md index 866d264d2a..51028584a4 100644 --- a/memdocs/intune/configuration/device-profile-troubleshoot.md +++ b/memdocs/intune/configuration/device-profile-troubleshoot.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 11/11/2024 +ms.date: 11/25/2024 ms.topic: troubleshooting ms.service: microsoft-intune ms.subservice: configuration 
@@ -46,41 +46,55 @@ This article applies to the following policies: ## Policy refresh intervals -Intune notifies the device to check in with the Intune service. The notification times vary, including immediately up to a few hours. These notification times also vary between platforms. On Android devices, [Google Mobile Services (GMS) can affect policy refresh intervals](../apps/manage-without-gms.md#some-tasks-can-be-delayed). +When a device checks-in, it immediately checks for compliance, non-compliance and configuration for the current user/device context, receiving any pending actions, policies and apps assigned to it. -If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts. An offline device, such as turned off, or not connected to a network, might not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service. The same applies to checks for noncompliance, including devices that move from a compliant to a noncompliant state. +There are 4 main types of check-ins: -**Estimated** frequencies: +**Scheduled check-ins** - These check-ins happen at predetermined intervals and can be initiated by the client or service depending on the platform. The check-ins are estimated as follows: -| Platform | Refresh cycle| +| Platform | Estimated refresh cycle| | --- | --- | | Android, AOSP | About every 8 hours | | iOS/iPadOS | About every 8 hours | | macOS | About every 8 hours | | Windows 10/11 PCs enrolled as devices | About every 8 hours | -If devices recently enroll, then the compliance, noncompliance, and configuration check-in runs more frequently. 
The check-ins are **estimated** at: +**End user driven check-ins** – These check-ins are driven by end users when they perform certain actions in the Company Portal app like going into **Devices** > **Check Status** or **Settings** > **Sync** to check for policy or profile updates or selecting an app for download. -| Platform | Frequency | +**Admin check-ins** - These check-ins are driven by admins when they perform certain actions on a single device from the Intune portal, like [device sync](../remote-actions/device-sync.md), [remote lock](../remote-actions/device-remote-lock.md) or [reset passcode](../remote-actions/device-passcode-reset.md). Other actions like [remotely assist users](../fundamentals/remote-help.md) do not cause a device check-in. + +**Notification-based check-ins** - These check-ins happen through different actions that trigger a notification. For example, when a policy, profile, or app is assigned (or unassigned), updated, deleted, or when certain behind the scenes changes like Microsoft Entra group membership updates are made. Other changes don't cause an immediate notification to devices, like adding an app as available to your users. + +Intune notifies online devices to check-in with the Intune service. The notification times vary from immediately up to a few hours. +These notification times also vary between platforms. + +- On Android devices, [Google Mobile Services (GMS) can affect policy refresh intervals](../apps/manage-without-gms.md#some-tasks-can-be-delayed). + +- On iOS devices, [Specific conditions can affect policy refresh intervals](/troubleshoot/mem/intune/device-configuration/2016341112-ios-device-is-currently-busy). + +An offline device, such as a powered off, or a disconnected device, might not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with Intune. 
+ +> [!NOTE] +> It might take additional time for Intune reports to reflect the latest status of the policy on the device in the Intune portal. + +Additionally, when devices first enroll, configuration check-ins run more frequently to perform configuration, compliance and non-compliance checks. The check-ins are estimated as follows: + +| Platform | Estimated refresh cycle| | --- | --- | | Android, AOSP | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | | iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours | | macOS | Every 15 minutes for 1 hour, and then around every 8 hours | | Windows 10/11 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | -For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md). - -At any time, users can open the Company Portal app, **Devices** > **Check Status** or **Settings** > **Sync** to immediately check for policy or profile updates. For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md). - -## Intune actions that immediately send a notification to a device +For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md). -There are different actions that trigger a notification. For example, when a policy, profile, or app is assigned (or unassigned), updated, deleted, and so on. These action times vary between platforms. +## Company portal -Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in. When you target a device or user with an action, then Intune immediately notifies the device to check in to receive these updates. 
For example, a notification happens when a lock, passcode reset, app, or policy assignment action runs. +At any time, users can open the Company Portal app and navigate to **Devices** > **Check Status** to evaluate your device's settings and verify access to work or school resources or navigate to **Settings** > **Sync** to get the latest updates, requirements, and communications from your organization. -Other changes don't cause an immediate notification to devices, including revising the contact information in the Company Portal app or updates to an `.ipa` file. +For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md). -The settings in the policy or profile are applied at every check-in. A [Windows 10 MDM policy refresh customer blog post](https://www.petervanderwoude.nl/post/windows-10-mdm-policy-refresh/) might be a good resource. +For related information, see [Sync enrolled device for Windows](../user-help/sync-your-device-manually-windows.md) and [Check device access in Company Portal for Windows](../user-help/check-device-access-windows-cpapp.md). ## Conflicts diff --git a/memdocs/intune/enrollment/create-device-platform-restrictions.md b/memdocs/intune/enrollment/create-device-platform-restrictions.md index c41c68d321..8c7f70a2fc 100644 --- a/memdocs/intune/enrollment/create-device-platform-restrictions.md +++ b/memdocs/intune/enrollment/create-device-platform-restrictions.md 
@@ -132,6 +132,9 @@ For example, you can use a filter to allow personal Windows devices to enroll wh For more information about creating filters, see [Create a filter](../fundamentals/filters.md). +> [!NOTE] +> It takes extra time to process assignment filters during enrollment. The update between Microsoft Entra and Intune that processes user, group, and filter assignments typically happens within 15 minutes. It's not instant. This amount of time can affect enrollment assignments. You should wait and enroll devices several minutes after adding the enrolling users to a group, not immediately after. + ### Supported filter properties Enrollment restrictions support fewer filter properties than other group-targeted policies. This is because devices aren't yet enrolled, so Intune doesn't have the device info to support all properties. The limited selection of properties become available when you: diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md index aa12007f24..1361b00c32 100644 --- a/memdocs/intune/enrollment/enrollment-restrictions-set.md +++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 04/02/2024 +ms.date: 12/12/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment 
@@ -79,7 +79,12 @@ Block devices running on a specific device platform. You can apply this restrict In groups where both Android platforms are allowed, devices that support work profile will enroll with a work profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither work profile nor device administrator enrollment will work until you complete all prerequisites for Android enrollment. -This restriction is in the admin center under **Enrollment device platform restrictions**. + +This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. + +> [!NOTE] +> Device platform enrollment restrictions use assignment filters. The update between Microsoft Entra and Intune that processes user, group, and filter assignments typically happens within 15 minutes. It's not instant. This amount of time can affect enrollment assignments. You should wait and enroll devices several minutes after adding the enrolling users to a group, not immediately after. + ### OS version This restriction enforces your maximum and minimum OS version requirements. This type of restriction works with the following operating systems: 
@@ -91,10 +96,10 @@ This restriction enforces your maximum and minimum OS version requirements. This \* Version restrictions are supported on these operating systems for devices enrolled via Intune Company Portal only. -This restriction is in the admin center under **Enrollment device platform restrictions**. +This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. ### Device manufacturer -This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Enrollment device platform restrictions**. +This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. ### Personally owned devices This restriction helps prevent device users from accidentally enrolling their personal devices, and applies to devices running: @@ -104,7 +109,7 @@ This restriction helps prevent device users from accidentally enrolling their pe * macOS * Windows 10/11 -This restriction is in the admin center under **Enrollment device platform restrictions**. +This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. #### Blocking personal Android devices By default, until you manually make changes in the admin center, your Android Enterprise work profile device settings and Android device administrator device settings are the same.
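Review bot: in app-configuration-managed-home-screen-app.md (hunk at -206,11), the new Widget row formats the widget class value as bold (**Time**) while the package name next to it is in code formatting (`com.microsoft.launcher.enterprise`). Both are literal values an admin enters in the JSON data, so put the class name in backticks as well and keep bold for the widget's display name only. The same table now carries two note styles, "Note:" in the pinned web links row and "**NOTE:**" in the Managed Folder row; pick one.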
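Review bot: in device-profile-troubleshoot.md (hunk at -46,41), the rewrite of "Policy refresh intervals" removes three statements with no replacement: that Intune makes three more attempts when a device doesn't check in after the first notification, that the offline-device behaviour also applies to noncompliance checks (including devices moving from compliant to noncompliant), and that policy or profile settings are applied at every check-in. If they are still accurate, carry them into the notification-based check-ins text, since they tell an admin how long a stale compliance state can persist; if they are not, say so in the change description. The hunk also deletes the heading "## Intune actions that immediately send a notification to a device", so any link to that anchor needs updating. Wording points in the added lines: "checks-in" and "to check-in" are verbs and should read "checks in" and "check in"; the new text spells "non-compliance" where the removed text used "noncompliance"; the "End user driven check-ins" item uses an en dash where the other three items use a hyphen; "## Company portal" should match "Company Portal" as written in the body; "[Specific conditions can affect policy refresh intervals]" is capitalised mid-sentence; and "evaluate your device's settings" addresses the end user inside a sentence about "users".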
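Review bot: in create-device-platform-restrictions.md (hunk at -132,6), the added note says the update "typically happens within 15 minutes" and then advises enrolling "several minutes after" adding users to a group, which leaves the reader guessing how long to wait. State the wait in terms of the 15-minute figure, and say which restriction applies to a device that enrolls before the assignment has been processed, because that is what an admin relying on a blocking restriction needs to know. This file changes content but the diff carries no ms.date update for it, unlike the other three files.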
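Review bot: in enrollment-restrictions-set.md (hunk at -79,7), the added note opens with "Device platform enrollment restrictions use assignment filters", which reads as if filters are always involved, while create-device-platform-restrictions.md in this same patch presents them as optional ("you can use a filter"). Reword the opening along the lines of "If you use assignment filters with device platform restrictions, ...". The remainder of the note repeats the text added in that other file word for word, so a shared include would keep the two copies from drifting.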
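Review bot: in enrollment-restrictions-set.md (hunk at -91,10), the path "**Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**" is now repeated under OS version, Device manufacturer and Personally owned devices, after already appearing in the previous hunk. State it once at the top of the section so the next admin center rename is a single edit. The last segment is singular ("Device platform restriction") where the replaced label was plural ("Enrollment device platform restrictions"); confirm it matches the label shown in the admin center.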