Commit
Merge branch 'main' into release-cm2403-cb
huypub committed Apr 11, 2024
2 parents 18a7dd0 + e95f167 commit 1dbca2c
Showing 7 changed files with 42 additions and 28 deletions.
21 changes: 0 additions & 21 deletions memdocs/intune/apps/app-protection-policies-monitor.md
Expand Up @@ -45,27 +45,6 @@ App protection data is retained for a minimum of 90 days. Any app instances that
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Apps** > **Monitor** > **App protection status**.

The following list provides details about app protection status:

- **Assigned users**: The total number of assigned users in your company who are using an app that is associated with a policy in a work context and are protected and licensed, as well as the assigned users that are unprotected and unlicensed.
- **Flagged users**: The number of users who are experiencing issues with their devices. Jailbroken (iOS/iPadOS) and rooted (Android) devices are reported under **Flagged users**. Also, users with devices that are flagged by the Google Play’s device integrity check (if turned on by the IT admin) are reported here.
- **Users with potentially harmful apps**: The number of users who may have a harmful app on their Android device detected by Google Play Protect.
- **User status for iOS** and **User status for Android**: The number of users who have used an app who have a policy assigned to them in a work context for the related platform. This information shows the number of users managed by the policy, as well as the number of users who are using an app that is not targeted by any policy in a work context. You might consider adding these users to the policy.
- **Top Protected iOS/iPadOS Apps** and **Top Protected Android Apps**: Based on the most used iOS/iPadOS and Android apps, this information shows the number of protected and unprotected apps by platform.
- **Top Configured iOS/iPadOS Apps Without Enrollment** and **Top Configured Android Apps Without Enrollment**: Based on the most used iOS/iPadOS and Android apps for unenrolled devices, this information shows the number of configured apps by platform (as in, using an app configuration policy).

> [!NOTE]
> If you have multiple policies per platform, a user is considered managed by policy when they have at least one policy assigned to them.
## Detailed view
You can get to the detailed view of the summary by choosing the **Flagged users** tile, and the **Users with potentially harmful apps** tile.

### Flagged users
The detailed view shows the error message, the app that was accessed when the error happened, the device OS platform affected, and a time stamp. The error is typically for jailbroken (iOS/iPadOS) or rooted (Android) devices. Also, users with devices that are flagged by the 'Play integrity verdict' conditional launch check are reported here with the reason as reported by Google. For a user to be removed from the report, the status of the device itself needs to have changed, which happens after the next root detection check (or jailbreak check/Play integrity verdict happens) that needs to report a positive result. If the device is truly remediated, the refresh on the Flagged Users report will happen when the pane reloads.

### Users with potentially harmful apps
Users with devices that are flagged by the **Require threat scan on apps** conditional launch check are reported here, with the threat category as reported by Google. If there are apps listed in this report that are being deployed through Intune, contact the app developer for the app, or remove the app from being assigned to your users. The detailed view shows:

- **User**: The name of the user.
- **Email**: The email of the user.
- **App**: The name of the app that is being protected.
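
Review bot: The deletion takes out the sentence "The detailed view shows:" but, going by the 6 lines the header leaves on the new side, the **User** / **Email** / **App** bullets at the end of the hunk stay, so they would now follow step 2 ("Select **Apps** > **Monitor** > **App protection status**") with nothing introducing them. Either drop those bullets with the rest of the "Detailed view" section or keep a lead-in sentence for them. The removed headings "Detailed view", "Flagged users" and "Users with potentially harmful apps" also stop being anchor targets, so inbound links to them are worth checking before this reaches the release branch.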
6 changes: 4 additions & 2 deletions memdocs/intune/enrollment/ios-device-enrollment.md
Expand Up @@ -8,7 +8,7 @@ keywords:
author: Lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 01/23/2024
ms.date: 04/11/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: enrollment
Expand Down Expand Up @@ -94,7 +94,9 @@ Intune enrollment with Apple device enrollment has the following known issues an

* If your organization uses Microsoft Defender for Endpoint, that app can't be the first app users sign in to after enrollment. JIT registration and compliance remediation may not work as expected if users authenticate in Microsoft Defender for Endpoint first. Users should authenticate in another Microsoft app to complete enrollment. We are actively working to fix this experience.

* Web based device enrollment can be used without JIT registration. We recommend using the Web Company Portal instead of the iOS Company Portal to deploy apps to the device. If you are planning to use the iOS Company Portal for app deployment, MS Authenticator and the SSO extension policy must be sent to the device post web enrollment.
* Web-based device enrollment can be used without JIT registration. We recommend using the web version of Company Portal instead of Company Portal for iOS to deploy apps to the device. If you are planning to use the Company Portal app for app deployment, MS Authenticator and the SSO extension policy must be sent to the device post web enrollment.

* There is a known issue with web-based enrollment and JIT registration that prevents the Company Portal app from recognizing enrolled devices. When a user tries to sign in to Company Portal for iOS on a device that doesn't have the SSO extension policy, Company Portal is unable to determine that the device has been enrolled. We are actively working to resolve this issue. To avoid this issue, we recommend deploying the SSO extension policy to enrolling devices. Or, as a temporary workaround, you can deploy a web clip for the web version of Company Portal, as described under [Best practices for web enrollment](web-based-device-enrollment-ios.md#best-practices).

## Next steps

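Review bot: The new known-issue bullet opens with "web-based enrollment and JIT registration", but the failure it describes is on a device "that doesn't have the SSO extension policy", while the bullet just above says web-based enrollment can be used without JIT registration. State which configuration is affected so admins can tell whether their devices are exposed. "We are actively working" now appears in two bullets of this list with no date or tracking reference, and the rewritten bullet still says "MS Authenticator" and "post web enrollment", which could become "Microsoft Authenticator" and "after web enrollment" while the line is being touched.
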
29 changes: 29 additions & 0 deletions memdocs/intune/includes/intune-notices.md
Expand Up @@ -11,6 +11,35 @@ ms.custom: include file

These notices provide important information that can help you prepare for future Intune changes and features.

### Update to the latest Company Portal for Android, Intune App SDK for iOS, and Intune App Wrapper for iOS

Starting **June 1, 2024**, we're making updates to improve the Intune mobile application management (MAM) service. This update will require iOS wrapped apps, iOS SDK integrated apps, and the Company Portal for Android to be updated to the latest versions to ensure applications stay secure and run smoothly.

> [!IMPORTANT]
> If you don't update to the latest versions, users will be blocked from launching your app.
Note that the way Android updates, once one Microsoft application with the updated SDK is on the device and the Company Portal is updated to the latest version, Android apps will update. So, this message is focused on iOS SDK/app wrapper updates. We recommend always updating your Android and iOS apps to the latest SDK or app wrapper to ensure that your app continues to run smoothly.

#### How does this affect you or your users?
If your users haven't updated to the latest Microsoft or third-party app protection supported apps, they'll be blocked from launching their apps. If you have iOS line-of-business (LOB) applications that are using the Intune wrapper or Intune SDK, you must be on Wrapper/SDK version 17.7.0 or later to avoid your users being blocked.

#### How can you prepare?
Plan to make the changes below before **June 1, 2024**:

* Any of your iOS line-of-business (LOB) apps using older versions of the Intune SDK or wrapper must be updated to v17.7.0 or later.
* For apps using the Intune iOS SDK, use [Release 19.2.0 · msintuneappsdk/ms-intune-app-sdk-ios (github.com)](https://github.com/msintuneappsdk/ms-intune-app-sdk-ios/releases/tag/19.2.0)
* For apps using the Intune iOS wrapper, use [Release 19.2.0 · msintuneappsdk/intune-app-wrapping-tool-ios (github.com)](https://github.com/msintuneappsdk/intune-app-wrapping-tool-ios/releases/tag/19.2.0)
* For tenants with policies targeted to iOS apps:
* Notify your users that they need to upgrade to the latest version of the Microsoft apps. You can find the latest version of the apps in the [App store](https://www.apple.com/app-store/). For example, you can find the latest version of Microsoft Teams [here](https://apps.apple.com/app/microsoft-teams/id1113153706) and Microsoft Outlook [here](https://apps.apple.com/app/microsoft-outlook/id951937596).
* Additionally, you have the option to enable the following [conditional launch](../apps/app-protection-policy-settings-ios.md#conditional-launch) settings:
* The **Min OS version** setting to warn users using iOS 15 or older so that they can download the latest apps.
* The **Min SDK version** setting to block users if the app is using Intune SDK for iOS older than 17.7.0.
* The **Min app version** setting to warn users on older Microsoft apps. Note that this setting must be in a policy targeted to only the targeted app.
* For tenants with policies targeted to Android apps:
* Notify your users that they need to upgrade to the latest version (v5.0.6198.0) of the [Company Portal](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) app.
* Additionally, you have the option to enable the following [conditional launch](../apps/app-protection-policy-settings-ios.md#conditional-launch) device condition setting:
* The **Min Company Portal version** setting to warn users using a Company Portal app version older than 5.0.6198.0.

### Plan for Change: Ending support for Intune App SDK Xamarin Bindings in May 2024<!--27143739-->
With the [end of support for Xamarin Bindings](https://dotnet.microsoft.com/platform/support/policy/xamarin), Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on **May 1, 2024**.

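Review bot: In the Android sub-list, the "conditional launch" link for the **Min Company Portal version** setting points to `../apps/app-protection-policy-settings-ios.md#conditional-launch`, the same iOS target used in the iOS sub-list; point it at the Android app protection policy settings article instead. The version guidance is also inconsistent: the text requires "v17.7.0 or later" while both download links go to Release 19.2.0, so say which is the enforced minimum and which is the recommended build. The new heading carries no tracking comment like the `<!--27143739-->` on the notice that follows it.
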
2 changes: 1 addition & 1 deletion memdocs/intune/protect/actions-for-noncompliance.md
Expand Up @@ -145,7 +145,7 @@ When you enable this action:

> [!NOTE]
> The following actions for noncompliance are not supported for devices that are managed by a [device compliance management partner](../protect/device-compliance-partners.md):
> - Send push notification to end user
> - Send email to end user
> - Remotely lock the noncompliant device
> - Add device to retire list
> - Send push notification to end user
2 changes: 1 addition & 1 deletion memdocs/intune/protect/device-compliance-partners.md
Expand Up @@ -41,7 +41,7 @@ Third-party partners support one or more of the following platforms:

By default, Intune is set up to be the Mobile Device Management (MDM) authority for your devices. When you add a compliance partner to Microsoft Entra ID and Intune, you're configuring that partner to be a source of Mobile Device Management (MDM) authority for the devices you assign to that partner through a Microsoft Entra user group.

To enable use data from device compliance partners, complete the following tasks:
To enable user data from device compliance partners, complete the following tasks:

1. **Configure Intune to work with the device compliance partner**, and then configure groups of users whose devices are managed by that compliance partner.

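Review bot: Changing "To enable use data" to "To enable user data" fixes the grammar but changes the meaning: the paragraph above and the task below are about configuring a device compliance partner, not about user data. "To enable use of data from device compliance partners" looks like the intended reading; confirm with the author before this ships.
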
6 changes: 5 additions & 1 deletion memdocs/intune/protect/microsoft-tunnel-prerequisites.md
Expand Up @@ -44,12 +44,16 @@ After configuring the prerequisites, we recommend you run the [readiness tool](#

The following sections detail the prerequisites for the Microsoft Tunnel, and provide guidance on using the readiness tool.

> [!NOTE]
> Tunnel and Global Secure Access (GSA) cannot be use simultaneously on the same device.

## Linux server

Set up a Linux based virtual machine or a physical server on which to install the Microsoft Tunnel Gateway.

> [!NOTE]
> Only the operating systems and container versions that are listed in the following table are supported. Versions not listed are not supported. Only after testing and supportability are verified are newer versions added to this list.
> Only the operating systems and container versions that are listed in the following table are supported. Versions not listed are not supported. Only after testing and supportability are verified are newer versions added to this list. Keep OS up to date with security updates as well.
- **Supported Linux distributions** - The following table details which versions of Linux are supported for the Tunnel server, and the container they require:

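Review bot: The added NOTE reads "cannot be use simultaneously"; it should be "cannot be used simultaneously", and "Tunnel" is better written as "Microsoft Tunnel" to match the rest of the section. The sentence appended to the supported-versions NOTE, "Keep OS up to date with security updates as well.", is a separate patching recommendation and is easy to miss at the end of a note about supportability; give it its own line or note and write "Keep the OS up to date".
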
4 changes: 2 additions & 2 deletions windows-365/enterprise/whats-new.md
Expand Up @@ -61,9 +61,9 @@ For more information about public preview items, see [Public preview in Windows
<!-- vvvvvvvvvvvvvvvvvvvvvv -->
### Partners

#### Use HP Anyware with Windows 365 Enterprise (preview)<!--48782170-->
#### Use HP Anyware for Windows 365 Enterprise (preview)<!--48782170-->

You can now use HP Anyware with Windows 365 Enterprise Cloud PCs. For more information, see [Set up HP Anyware for Windows 365 Enterprise](hp-anyware-set-up.md).
You can now use HP Anyware for Windows 365 Enterprise Cloud PCs. For more information, see [Set up HP Anyware for Windows 365 Enterprise](hp-anyware-set-up.md).

<!-- ########################## -->
## Week of April 1, 2024