
Commit d60d4a9

Merge pull request #19244 from MandiOhlinger/PRs
Order
2 parents fea3fb0 + 99c690c commit d60d4a9

3 files changed

Lines changed: 15 additions & 16 deletions

File tree

intune/intune-service/includes/app-protection-framework-level1.md

Lines changed: 6 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -12,8 +12,8 @@ The policies in level 1 enforce a reasonable data access level while minimizing
1212

1313
#### Data protection
1414

15-
| Setting | Setting description | Value | Platform |
16-
|-----------------|--------------------------------------------------------|-----------------------|----------------------------------------|
15+
| Setting | Setting description | Value | Platform |
16+
|---|---|---|---|
1717
| Data Transfer | Back up org data to… | Allow | iOS/iPadOS, Android |
1818
| Data Transfer | Send org data to other apps | All apps | iOS/iPadOS, Android |
1919
| Data Transfer | Send org data to | All destinations | Windows |
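Review bot: collapsing the long dashed separator to `|---|---|---|---|` is safe here because the old separator row carried no alignment colons, so the rendered table is unchanged; the row text in this hunk is untouched, and the only thing worth confirming is that the same collapsed form is applied to every table in the include so the files don't mix the two styles.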
@@ -34,7 +34,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
3434
#### Access requirements
3535

3636
| Setting | Value | Platform | Notes |
37-
|----------------------------------------------------------------|---------------|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
37+
|---|---|---|---|
3838
| PIN for access | Require | iOS/iPadOS, Android | |
3939
| PIN type | Numeric | iOS/iPadOS, Android | |
4040
| Simple PIN | Allow | iOS/iPadOS, Android | |
@@ -52,13 +52,13 @@ The policies in level 1 enforce a reasonable data access level while minimizing
5252

5353
#### Conditional launch
5454

55-
| Setting | Setting description | Value / Action | Platform | Notes |
56-
|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
55+
| Setting | Setting description | Value / Action | Platform | Notes |
56+
|---|---|---|---|---|
5757
| App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android | |
5858
| App conditions | Offline grace period | 10080 / Block access (minutes) | iOS/iPadOS, Android, Windows | |
5959
| App conditions | Offline grace period | 90 / Wipe data (days) | iOS/iPadOS, Android, Windows | |
6060
| Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
61-
| Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | <p>This setting configures Google Plays device integrity check on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. </p><p> Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.</p> |
61+
| Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | <p>This setting configures Google Play's device integrity check on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. </p><p> Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.</p> |
6262
| Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end-user will be blocked from access until they turn on Google's app scanning on their Android device. |
6363
| Device conditions | Max allowed device threat level | Low / Block access | Windows | |
6464
| Device conditions | Require device lock | Low/Warn | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
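Review bot: the `Google Plays` to `Google Play's` fix is correct, but the row it sits in is still labelled `SafetyNet device attestation` while its note describes Google Play's device integrity check, and the level 2 include calls the same check "Google's Play Integrity service"; pick one name for the check across the three includes or add a one-line note that the setting name and the underlying service differ. Two smaller consistency nits in the context lines: the Require device lock row writes `Low/Warn` without the spaces used by every other `Value / Action` cell in the column, and the threat-scan note switches between `end-user` and `end user` within one sentence.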

intune/intune-service/includes/app-protection-framework-level2.md

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -33,15 +33,15 @@ Level 2 is the data protection configuration recommended as a standard for devic
3333

3434
| Setting | Setting description | Value / Action | Platform | Notes |
3535
|---|---|---|---|---|
36-
| App conditions | Disabled account | N/A / Block access | iOS/iPadOS, Android, Windows | |
36+
| App conditions | Disabled account | N/A / Block access | iOS/iPadOS, Android, Windows | |
37+
| App conditions | Offline grace period | 30 / Wipe data (days) | iOS/iPadOS, Android, Windows | |
3738
| Device conditions | Min OS version | *Format: Major.Minor.Build <br>Example: 14.8* / Block access | iOS/iPadOS | Microsoft recommends configuring the minimum iOS major version to match the supported iOS versions for Microsoft apps. Microsoft apps support an N-1 approach where N is the current iOS major release version. For minor and build version values, Microsoft recommends ensuring devices are up to date with the respective security updates. See [Apple security updates](https://support.apple.com/en-us/HT201222) for Apple's latest recommendations |
3839
| Device conditions | Min OS version | *Format: Major.Minor<br> Example: 9.0* / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. See [Android Enterprise Recommended requirements](https://www.android.com/enterprise/recommended/requirements/) for Android's latest recommendations |
3940
| Device conditions | Min OS version | *Format: Build<br> Example: 10.0.26200.6899* / Block access | Windows | Microsoft recommends configuring the minimum Windows build to match the supported Windows versions for Microsoft apps. Currently, Microsoft recommends the following build:<ul><li>**Windows 11**: Build *10.0.26200.6899*. For more information, see [KB5066835 (25H2)](https://support.microsoft.com/help/5066835) and [Windows 11 release information](/windows/release-health/windows11-release-information).</li></ul> |
4041
| Device conditions | Min patch version | *Format: YYYY-MM-DD <br> Example: 2020-01-01* / Block access | Android | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. See [Android Security Bulletins](https://source.android.com/security/bulletin/) for the latest patch releases. |
4142
| Device conditions | Required SafetyNet evaluation type | Hardware-backed key | Android | Hardware backed attestation enhances the existing Google's Play Integrity service check by applying a new [Hardware Backed](https://developer.android.com/training/safetynet/attestation#evaluation-types) evaluation type. It offers stronger root detection to address newer rooting tools and techniques that software-only solutions might not reliably identify.<p> As its name implies, hardware backed attestation uses a hardware-based component, which shipped with devices installed with Android 8.1 and later. Devices that were upgraded from an older version of Android to Android 8.1 are unlikely to have the hardware-based components necessary for hardware backed attestation. While this setting should be widely supported starting with devices that shipped with Android 8.1, Microsoft strongly recommends testing devices individually before enabling this policy setting broadly.</p> |
4243
| Device conditions | Require device lock | Medium/Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
4344
| Device conditions | Samsung Knox device attestation | Block Access | Android | Microsoft recommends configuring the **Samsung Knox device attestation** setting to **Block access** to ensure the user account is blocked from access if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device. <p> This setting applies to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](/intune/intune-service/fundamentals/filters).|
44-
| App conditions | Offline grace period | 30 / Wipe data (days) | iOS/iPadOS, Android, Windows | |
4545

4646
> [!NOTE]
4747
> Windows conditional launch settings are labeled as **Health Checks**.
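Review bot: the `-`/`+` pair for the `Disabled account` row reads identically, so that part of the hunk is presumably a trailing-whitespace change; worth stripping it or confirming it is intentional so the diff stays limited to the row move. The move itself is right: `Offline grace period | 30 / Wipe data (days)` now sits with the other `App conditions` row ahead of the `Device conditions` rows, matching the App-then-Device ordering used in the level 1 include.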

intune/intune-service/includes/app-protection-framework-level3.md

Lines changed: 7 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -13,8 +13,8 @@ Level 3 is the data protection configuration recommended as a standard for organ
1313
1414
#### Data protection
1515

16-
| Setting | Setting description | Value | Platform | Notes |
17-
|---------------|---------------------------------------|----------------------------------------|--------------------------------------|---------------------------------------------------------------------------------------------------------|
16+
| Setting | Setting description | Value | Platform | Notes |
17+
|---|---|---|---|---|
1818
| Data Transfer | Transfer telecommunication data to | Any policy-managed dialer app | Android | Administrators can also configure this setting to use a dialer app that doesn't support App Protection Policies by selecting **A specific dialer app** and providing the **Dialer App Package ID** and **Dialer App Name** values. |
1919
| Data Transfer | Transfer telecommunication data to | A specific dialer app | iOS/iPadOS | |
2020
| Data Transfer | Dialer App URL Scheme | *replace_with_dialer_app_url_scheme* | iOS/iPadOS | On iOS/iPadOS, this value must be replaced with the URL scheme for the custom dialer app being used. If the URL scheme isn't known, contact the app developer for more information. For more information on URL schemes, see [Defining a Custom URL Scheme for Your App](https://developer.apple.com/documentation/uikit/inter-process_communication/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app).|
@@ -28,8 +28,8 @@ Level 3 is the data protection configuration recommended as a standard for organ
2828

2929
#### Access requirements
3030

31-
| Setting | Value | Platform |
32-
|-----------------------------------------------------------|--------------------|---------------------------------|
31+
| Setting | Value | Platform |
32+
|---|---|---|
3333
| Simple PIN | Block | iOS/iPadOS, Android |
3434
| Select Minimum PIN length | 6 | iOS/iPadOS, Android |
3535
| PIN reset after number of days | Yes | iOS/iPadOS, Android |
@@ -39,8 +39,9 @@ Level 3 is the data protection configuration recommended as a standard for organ
3939

4040
#### Conditional launch
4141

42-
| Setting | Setting description | Value / Action | Platform | Notes |
43-
|----------------------------|--------------------------------------|-------------------|---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
42+
| Setting | Setting description | Value / Action | Platform | Notes |
43+
|---|---|---|---|---|
44+
| App conditions | Offline grace period | 30 / Block access (days) | iOS/iPadOS, Android, Windows | |
4445
| Device conditions | Require device lock | High/Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
4546
| Device conditions | Max allowed device threat level | Secured / Block access | Windows |
4647
| Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android | |
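Review bot: the added `Offline grace period | 30 / Block access (days)` row reads as weaker than the level it builds on: level 2 pairs 30 days with `Wipe data`, and level 1 expresses its block threshold in minutes (`10080 / Block access (minutes)`) and its wipe threshold in days (`90 / Wipe data (days)`). Confirm that level 3 really means a 30-day block rather than a 30-day wipe, and if a block is intended, state the unit the same way level 1 does so readers don't assume the action was mistyped. Separately, the `Max allowed device threat level | Secured / Block access | Windows |` context row has only four cells in a five-column table and is missing its trailing `|` for the Notes cell.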
@@ -49,5 +50,3 @@ Level 3 is the data protection configuration recommended as a standard for organ
4950
| Device conditions | Max OS version | *Format: Major.Minor.Build <br>Example: 15.0* / Block access | iOS/iPadOS | Microsoft recommends configuring the maximum iOS/iPadOS major version to ensure beta or unsupported versions of the operating system aren't used. See [Apple security updates](https://support.apple.com/en-us/HT201222) for Apple's latest recommendations |
5051
| Device conditions | Max OS version | *Format: Major.Minor<br> Example: 22631.* / Block access | Windows | Microsoft recommends configuring the maximum Windows major version to ensure beta or unsupported versions of the operating system aren't used. |
5152
| Device conditions | Samsung Knox device attestation | Wipe data | Android | Microsoft recommends configuring the **Samsung Knox device attestation** setting to **Wipe data** to ensure the org data is removed if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device. <p> This setting will apply to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](/mem/intune-service/fundamentals/filters).|
52-
| App conditions | Offline grace period | 30 / Block access (days) | iOS/iPadOS, Android, Windows | |
53-
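Review bot: removing the duplicate row from the bottom of the table is correct now that it lives with the other `App conditions` row at the top. While in this table, two context lines deserve a touch: the Windows `Max OS version` row says `Format: Major.Minor` but gives `Example: 22631.` (a build number with a stray trailing period), whereas the level 2 Windows `Min OS version` row uses `Format: Build` with `Example: 10.0.26200.6899`, so the two should agree; and the Samsung Knox note links to `/mem/intune-service/fundamentals/filters` while the level 2 include links the same topic as `/intune/intune-service/fundamentals/filters`, so one of the paths is stale.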
