From c859ead1b4b06d5694cd0e88055939ce83ca59bb Mon Sep 17 00:00:00 2001
From: Conrad Gryba <111100824+cgryba@users.noreply.github.com>
Date: Fri, 31 Oct 2025 14:15:08 -0700
Subject: [PATCH 1/2] Updated conditional launch offline grace period data wipe
Updated line 52 to make level 3 conditional launch settings more aggressive than level 2
---
.../intune-service/includes/app-protection-framework-level3.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/intune/intune-service/includes/app-protection-framework-level3.md b/intune/intune-service/includes/app-protection-framework-level3.md
index e735d5cc4d..633aeb56f8 100644
--- a/intune/intune-service/includes/app-protection-framework-level3.md
+++ b/intune/intune-service/includes/app-protection-framework-level3.md
@@ -49,5 +49,5 @@ Level 3 is the data protection configuration recommended as a standard for organ
| Device conditions | Max OS version | *Format: Major.Minor.Build
Example: 15.0* / Block access | iOS/iPadOS | Microsoft recommends configuring the maximum iOS/iPadOS major version to ensure beta or unsupported versions of the operating system aren't used. See [Apple security updates](https://support.apple.com/en-us/HT201222) for Apple's latest recommendations |
| Device conditions | Max OS version | *Format: Major.Minor
Example: 22631.* / Block access | Windows | Microsoft recommends configuring the maximum Windows major version to ensure beta or unsupported versions of the operating system aren't used. |
| Device conditions | Samsung Knox device attestation | Wipe data | Android | Microsoft recommends configuring the **Samsung Knox device attestation** setting to **Wipe data** to ensure the org data is removed if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device.
This setting will apply to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](/mem/intune-service/fundamentals/filters).| -| App conditions | Offline grace period | 30 / Block access (days) | iOS/iPadOS, Android, Windows | | +| App conditions | Offline grace period | 14 / Wipe data (days) | iOS/iPadOS, Android, Windows | | From e803b84d2ccc3fa65446358d87ab01e67882ccb3 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger <3229224+MandiOhlinger@users.noreply.github.com> Date: Tue, 2 Dec 2025 20:06:30 -0500 Subject: [PATCH 2/2] Remove offline grace period setting from conditional launch Removed 'App conditions' setting for offline grace period from the conditional launch section. --- .../intune-service/includes/app-protection-framework-level3.md | 1 - 1 file changed, 1 deletion(-) diff --git a/intune/intune-service/includes/app-protection-framework-level3.md b/intune/intune-service/includes/app-protection-framework-level3.md index 347729bea1..cc3dbf835f 100644 --- a/intune/intune-service/includes/app-protection-framework-level3.md +++ b/intune/intune-service/includes/app-protection-framework-level3.md @@ -41,7 +41,6 @@ Level 3 is the data protection configuration recommended as a standard for organ | Setting | Setting description | Value / Action | Platform | Notes | |---|---|---|---|---| -| App conditions | Offline grace period | 30 / Block access (days) | iOS/iPadOS, Android, Windows | | | Device conditions | Require device lock | High/Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. | | Device conditions | Max allowed device threat level | Secured / Block access | Windows | | Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android | |
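Review bot: In PATCH 1/2, the replacement row `| App conditions | Offline grace period | 14 / Wipe data (days) | iOS/iPadOS, Android, Windows | |` leaves the Notes cell empty while changing both the threshold (30 to 14 days) and the action (Block access to Wipe data). A wipe is destructive where a block is not, so the row should carry a note explaining what Wipe data means once the grace period expires and why level 3 recommends it, in the way the Samsung Knox device attestation row above justifies its Wipe data action. The commit message motivates the change by comparison with level 2, but the level 2 value is not visible in this patch; stating it in the message or in the Notes cell would let a reader check the claim.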
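Review bot: In PATCH 2/2, the subject and body say the offline grace period setting is removed from conditional launch, but the only deleted line is the `30 / Block access (days)` row at the top of the table; the `14 / Wipe data (days)` row that PATCH 1/2 set further down the file is outside this hunk. If that row is still present, reword the message to say the leftover 30 / Block access row is being dropped so the table lists a single offline grace period value, rather than that the setting is removed. Separately, the context row `| Device conditions | Max allowed device threat level | Secured / Block access | Windows |` has four cells against a five-column header and needs an empty Notes cell.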