Merge pull request #15984 from MicrosoftDocs/main
Publish main to live, Thursday 3:30PM PDT, 08/22
Stacyrch140 authored Aug 22, 2024
2 parents 0b1c79f + 022125d commit 91c2091
Showing 15 changed files with 102 additions and 109 deletions.
5 changes: 5 additions & 0 deletions .openpublishing.redirection.json
Expand Up @@ -2714,6 +2714,11 @@
"source_path": "autopilot/autopilot-faq.yml",
"redirect_url": "/autopilot/faq",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/protect/endpoint-security-firewall-rule-tool.md",
"redirect_url": "/mem/intune/protect/endpoint-security-firewall-policy",
"redirect_document_id": false
}
]
}
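Review bot: The new redirect entry for `memdocs/intune/protect/endpoint-security-firewall-rule-tool.md` sends readers of the removed article to the general `/mem/intune/protect/endpoint-security-firewall-policy` page, so confirm that the target says what replaces the rule tool; otherwise bookmarks and inbound links land on a page that never mentions it. Also check that no remaining article links to the deleted file by relative path, since the visible part of this commit shows only the redirect and the deletion.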
82 changes: 55 additions & 27 deletions memdocs/intune/configuration/platform-sso-macos.md

Large diffs are not rendered by default.

15 changes: 9 additions & 6 deletions memdocs/intune/configuration/preference-file-settings-macos.md
Expand Up @@ -8,7 +8,7 @@ keywords: preference file, property list file, plist, macOS, microsoft intune, e
author: MandiOhlinger
ms.author: mandia
manager: dougeby
ms.date: 01/16/2024
ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: configuration
Expand Down Expand Up @@ -37,7 +37,10 @@ This feature applies to:

Property list files, also called preference files, include information about your macOS apps. You define app properties or settings that you want to preconfigure. When the file is ready, you can use Intune to deploy the file to your devices and configure the app settings in your file.

Property list files are typically used for web browsers, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac), and custom apps.
Property list files are typically used for web browsers, like Google Chrome, [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac), and custom apps.

> [!WARNING]
> There are sample `.plist` files at [ManagedPreferencesApplications examples on GitHub](https://github.com/ProfileCreator/ProfileManifests/tree/master/Manifests/ManagedPreferencesApplications). This GitHub repository is not owned, not maintained, and not created by Microsoft. Use the information at your own risk.
> [!TIP]
> For Microsoft Edge version 77 and newer, you can use the settings catalog. You don't have to use a preference file. For more information, go to [Settings catalog](settings-catalog.md).
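Review bot: In the rewritten sentence "web browsers, like Google Chrome, [Microsoft Defender for Endpoint], and custom apps", the commas make Defender for Endpoint read as a second example of a web browser; "web browsers (like Google Chrome)" would keep the three-item list clear. In the new `[!WARNING]` block, the link targets the `master` branch of a repository the text says Microsoft does not own or maintain, so the samples can change after publication. Consider adding that readers should review every key in a sample `.plist` before uploading it, which matters more given that this same article states Intune doesn't validate the settings.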
Expand All @@ -55,16 +58,16 @@ These settings are added to a device configuration profile in Intune, and then a

## What you need to know

- These settings aren't validated. Test your changes before assigning the profile to your devices.
- If you're not sure how to enter an app key, change the setting within the app. Then, review the app's preference file using [Xcode](https://developer.apple.com/xcode/) to see how the setting is configured.
- Test your changes before assigning the profile to your devices. Intune doesn't validate the settings in the property list file.
- Review the app's preference file using [Xcode](https://developer.apple.com/xcode/) to see how the setting is configured. If you're not sure how to enter an app key, change the setting within the app. Then, review the app's preference file using [Xcode](https://developer.apple.com/xcode/).

Apple recommends removing nonmanageable settings using Xcode before importing the file.

- Only some apps work with managed preferences, and might not allow you to manage all settings.
- Be sure you upload property list files that target device channel settings, not user channel settings. Property list files target the entire device.
- If you're configuring the Microsoft Edge version 77 and newer app, then use the [Settings catalog](settings-catalog.md). For a list of the settings you can configure, go to [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies) (opens another Microsoft website).
- Use the [Settings catalog](settings-catalog.md) to configure Microsoft Edge version 77 and newer. For a list of the settings you can configure, go to [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies) (opens another Microsoft website).

Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the preference file.
Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then use the preference file.

## Create the profile

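Review bot: The replacement for the second bullet under "What you need to know" now says the same thing twice: it opens with "Review the app's preference file using Xcode" and closes with "Then, review the app's preference file using Xcode", with the Xcode link repeated. Keeping only the conditional form ("If you're not sure how to enter an app key, change the setting within the app. Then, review the app's preference file using Xcode to see how the setting is configured.") reads in the order the admin performs the steps and drops the duplicate link.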
22 changes: 11 additions & 11 deletions memdocs/intune/protect/advanced-threat-protection-manage-android.md
@@ -1,13 +1,13 @@
---
# required metadata

title: Configure Defender for Endpoint Web protection on Android devices in Intune - Azure
description: Use Intune policy to manage Microsoft Defender for Endpoint web protection settings on Android devices managed by Microsoft Intune.
title: Configure Defender for Endpoint Web protection on Android devices in Microsoft Intune
description: Use Intune policy to manage Microsoft Defender for Endpoint web protection settings on Android devices managed by Microsoft Intune.
keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
ms.date: 10/09/2023
ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
Expand All @@ -32,13 +32,13 @@ ms.collection:

When you integrate [Microsoft Defender for Endpoint](../protect/advanced-threat-protection-configure.md) with Microsoft Intune, you can use device configuration profiles to modify some Defender for Endpoint settings on Android devices.

By default, Microsoft Defender for Endpoint for Android includes and enables the [Web protection](/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) feature that can help to secure devices against web threats and protect users from phishing attacks.
By default, Microsoft Defender for Endpoint for Android includes and enables the Microsoft Defender for Endpoint [Web protection](/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) feature that can help to secure devices against web threats and protect users from phishing attacks.

While this protection is enabled by default, there are valid reasons to disable it on some Android devices. For example, you might decide to use only the Defender for Endpoint app scan feature or to prevent web protection from using your VPN while it scans for harmful URLs.
While enabled by default, there are valid reasons to disable it on some Android devices. For example, you might decide to use only the Defender for Endpoint app scan feature or to prevent web protection from using your VPN while it scans for harmful URLs.

With Intune device configuration policy, you can turn off all or part of the web protection feature. The method you use and the capabilities you can disable depend on how the Android device is enrolled with Intune:

- **Android device administrator**. Use a configuration profile to set custom OMA-URI settings on the device that disable the entire web protection feature or that disable only the use of VPNs. For general information about custom settings for Android devices, see [Custom settings](../configuration/custom-settings-android.md).
- **Android device administrator**. Use a configuration profile to set custom OMA-URI settings on the device that disable the entire web protection feature or that disable only the use of VPNs. For general information about custom settings for Android devices, see [Use custom settings for Android devices in Microsoft Intune](../configuration/custom-settings-android.md).

- **Android Enterprise personally owned work profile**. Use an app configuration profile and the configuration designer to disable web protection. This method and enrollment type support disabling all web protection capabilities but don't support disabling only the use of VPNs. For general information about app configuration policies, see [Use the configuration designer](../apps/app-configuration-policies-use-android.md#use-the-configuration-designer).

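Review bot: Two reworded sentences in the introduction read worse than the lines they replace. "Microsoft Defender for Endpoint for Android includes and enables the Microsoft Defender for Endpoint [Web protection]" names the product twice in one clause, and "While enabled by default, there are valid reasons to disable it" leaves "it" without a subject now that "this protection" is gone; restoring "While this protection is enabled by default" fixes the second. The Web protection link still uses the `/windows/security/threat-protection/microsoft-defender-atp/` path, while the Defender for Endpoint link in the macOS article in this same commit uses `/microsoft-365/security/defender-endpoint/`, so confirm the older path still resolves directly.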
Expand Down Expand Up @@ -80,13 +80,13 @@ To configure web protection on devices, use the following procedures to create a
- **Disable only the use of VPN by web protection**:
- **Name**: Enter a unique name for this OMA-URI setting so you can find it easily. For example, **Disable Microsoft Defender for Endpoint web protection VPN**.
- **Description**: (Optional) Enter a description that provides an overview of the setting and any other important details.
- **OMA-URI**: Enter `./Vendor/MSFT/DefenderATP/Vpn`
- **OMA-URI**: Enter `./Vendor/MSFT/DefenderATP/Vpn`
- **Data type**: Select **Integer** in the drop-down list.
- **Value**: To disable the VPN-based scan, set *Value* to **0**. To enable the VPN-based scan, enter **1**, which is the default.

Select **Add** to save the OMA-URI settings configuration, and then select **Next** to continue.

6. In **Assignments**, specify the groups that will receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
6. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).

7. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

Expand Down Expand Up @@ -126,7 +126,7 @@ To configure web protection on devices, use the following procedures to create a
Select **Next** to continue.

8. In **Assignments**, specify the groups that will receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
8. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).

9. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

Expand All @@ -149,14 +149,14 @@ To configure web protection on devices, use the following procedures to create a
Select **Next** to continue.

2. In **Assignments**, specify the groups that will receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
2. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).

3. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you
created.

## Next steps

- [Monitor compliance for risk levels](../protect/advanced-threat-protection-monitor.md)
- [Monitor device compliance status for risk levels](../protect/advanced-threat-protection-monitor.md)
- [Use security tasks with Defender for Endpoints Vulnerability Management to remediate problems on devices](../protect/atp-manage-vulnerabilities.md)

- Learn more from the Microsoft Defender for Endpoint documentation:
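Review bot: In the "Next steps" list, the line directly below the retitled link still reads "Defender for Endpoints Vulnerability Management", which looks like a stray "s" or a dropped apostrophe; since this list is being edited anyway, correct it in the same change. Step 3 above it also wraps mid-sentence ("for the profile you" / "created."); join it so it matches the single-line form of steps 7 and 9 in the earlier procedures.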
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
ms.date: 11/17/2023
ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
Expand Down Expand Up @@ -49,12 +49,12 @@ You can configure Conditional Access policies based on Check Point Harmony Mobil

- Microsoft Intune Plan 1 subscription

- Check Point Harmony Mobile Threat Defense subscription
- Check Point Harmony Mobile Threat Defense subscription
- See the [CheckPoint Harmony website](https://www.checkpoint.com/harmony).

## How do Intune and Check Point Harmony Mobile help protect your company resources?

Check Point Harmony Mobile app for Android and iOS/iPadOS captures file system, network stack, device and application telemetry where available, then sends the telemetry data to the Check Point Harmony cloud service to assess the device's risk for mobile threats.
Check Point Harmony Mobile app for Android and iOS/iPadOS captures file system, network stack, and device and application telemetry where available, then sends the telemetry data to the Check Point Harmony cloud service to assess the device's risk for mobile threats.

The Intune device compliance policy includes a rule for Check Point Harmony Mobile Threat Defense, which is based on the Check Point Harmony risk assessment. When this rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources like Exchange Online and SharePoint Online. Users also receive guidance from the Harmony Mobile Protect app installed in their devices to resolve the issue and regain access to corporate resources.

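Review bot: The sub-bullet under the subscription prerequisite spells the vendor "CheckPoint Harmony website" while every other mention in this hunk, including the line edited just above it, uses "Check Point"; align the link text. In the reworded telemetry sentence, "file system, network stack, and device and application telemetry" is now a proper series, but the sentence still opens without an article ("Check Point Harmony Mobile app for Android and iOS/iPadOS captures ..."); "The Check Point Harmony Mobile app" would read better.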
41 changes: 0 additions & 41 deletions memdocs/intune/protect/endpoint-security-firewall-rule-tool.md

This file was deleted.

10 changes: 5 additions & 5 deletions memdocs/intune/protect/mtd-device-compliance-policy-create.md
Expand Up @@ -8,7 +8,7 @@ keywords:
author: brenduns
ms.author: brenduns
manager: dougeby
ms.date: 11/01/2023
ms.date: 08/22/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
Expand Down Expand Up @@ -52,13 +52,13 @@ With integration complete and the partner policy in place, you can then create I

1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).

2. Select **Endpoint security** > **Device Compliance** > **Create policy**.
2. Select **Endpoint security** > **Device compliance** > **Create policy**.

3. Select the **Platform**:
- For most platforms, the *Profile type* is automatically set. If not automatically set, select the appropriate Profile type.
- To continue, select **Create**.

4. On **Basics**, specify a device compliance policy **Name**, and **Description** (optional). Select **Next** to continue.
4. On **Basics**, specify a device compliance policy **Name**, and **Description** (optional). Select **Next** to continue.

5. On **Compliance settings**, expand and configure **Device Health**. Choose a threat-level from the drop-down list for **Require the device to be at or under the Device Threat Level**.

Expand All @@ -74,7 +74,7 @@ With integration complete and the partner policy in place, you can then create I

6. On the **Actions for noncompliance** tab, specify a sequence of actions to apply automatically to devices that don't meet this compliance policy.

You can add multiple actions and configure schedules and other details for some actions. For example, you might change the schedule of the default action *Mark device noncompliant* to occur after one day. You can then add an action to send an email to the user when the device isn't compliant to warn them of that status. You can also add actions that lock or retire devices that remain noncompliant.
You can add multiple actions and configure schedules and other details for some actions. For example, you might change the schedule of the default action *Mark device noncompliant* to occur after one day. You can then add an action to send an email to the user when the device isn't compliant to warn them of that status. You can also add actions that lock or retire devices that remain noncompliant.

For information about the actions you can configure, see [Add actions for noncompliant devices](actions-for-noncompliance.md), including how to create notification emails to send to your users.

Expand All @@ -88,7 +88,7 @@ With integration complete and the partner policy in place, you can then create I

## Monitoring risk score sent by Mobile Threat Defense partner

Your Mobile Threat Defense partner can send a risk score for each device for which the MTD app is installed. You can view this under **Reports** > **Device compliance** > **Reports** > **Device Compliance**. Make sure **Device threat level** is selected when opening the **Columns** tab, this may require you to hit **Generate** first.
Your Mobile Threat Defense partner can send a risk score for each device for which the MTD app is installed. You can view this under **Reports** > **Device compliance** > **Reports** > **Device Compliance**. Make sure **Device threat level** is selected when opening the **Columns** tab, this may require you to hit **Generate** first.

> [!IMPORTANT]
>
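
Review bot: The path in the monitoring paragraph ends in "**Device Compliance**" with a capital C, while step 2 of this same file was just changed to "**Device compliance**"; use whichever casing the admin center shows and make the two agree. The last sentence is also a comma splice ("... the **Columns** tab, this may require you to hit **Generate** first"); split it into two sentences and use "select" rather than "hit" to match the verb used in the procedure steps.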