Select Yes to disable the app PIN when a device lock is detected on an enrolled device.
", "targetAllApps1": "Use this option to target your policy to apps on devices of any management state.", "targetAllApps2": "During policy conflict resolution this setting will be superseded if a user has policy targeted for a specific management state.", "touchId2": "Select {0} to require fingerprint identity instead of a PIN for app access." }, "Tap": { "pinResetAfterNumberOfDays": "Specify the number of days that must pass before the user must reset the PIN.", "previousPinBlockCount": "This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining." }, "WipPolicySettings": { "25": "", "allowWindowsSearch": "This will allow Windows Search to continue to search through encrypted data.", "authoritativeIpRanges": "Enable this setting if you want to override Windows auto-detection of IP ranges.", "authoritativeProxyServers": "Enable this setting if you want to override Windows auto-detection of proxy servers.", "checkInput": "Check input for validity", "dataRecoveryCert": "A recovery certificate is a special Encrypting File System (EFS) certificate you can use to recover encrypted files if your encryption key is lost or damaged. You need to create the recovery certificate, and specify it here. More information is here", "enterpriseCloudResources": "Specify cloud resources to be treated as corporate and be protected with Windows Information Protection policy. Multiple resources can be specified by separating individual entries with the '|' character.
If you have a proxy configured in your company, then you can specify the proxy through which traffic to cloud resources you specified will be routed.
URL[,Proxy]|URL[,Proxy]
Without proxy: contoso.sharepoint.com|contoso.visualstudio.com
With proxy: contoso.sharepoint.com,proxy.contoso.com|contoso.visualstudio.com,proxy.contoso.com
Specify the IPv4 ranges that form your corporate network. These are used in conjunction with the Enterprise Network Domain Names that you specify to define your corporate network boundary.
This setting is required to have Windows Information Protection enabled.
Multiple ranges can be specified by separating individual entries with a comma.
For example: 3.4.0.1-3.4.255.255,192.168.1.1-192.168.255.255
", "enterpriseIPv6Ranges": "Specify the IPv6 ranges that form your corporate network. These are used in conjunction with the Enterprise Network Domain Names that you specify to define your corporate network boundary.
Multiple ranges can be specified by separating individual entries with a comma.
For example: 2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
", "enterpriseInternalProxyServers": "If you have a proxy configured in your company, then you can specify the proxy through which traffic to cloud resources specified in the Enterprise Cloud Resources settings are to be routed.
Multiple values can be specified by separating individual entries with a semi-colon.
For example: contoso.internalproxy1.com;contoso.internalproxy2.com
", "enterpriseNetworkDomainNames": "Specify the DNS names that form your corporate network. These are used in conjunction with the IP ranges that you specify to define your corporate network boundary. Multiple values can be specified by separating individual entries with a comma.
This setting is required to have Windows Information Protection enabled.
For example: corp.contoso.com,region.contoso.com
", "enterpriseProtectedDomainNames": "Specify the DNS names that form your corporate network. These are used in conjunction with the IP ranges that you specify to define your corporate network boundary. Multiple values can be specified by separating individual entries with a '|'.
This setting is required to have Windows Information Protection enabled.
For example: corp.contoso.com|region.contoso.com
", "enterpriseProxyServers": "If you have external facing proxies in your corporate network, specify them here. When specifying a proxy server address, you should also specify the port through which traffic should be allowed and protected through Windows Information Protection.
Note: This list must not include servers in your Enterprise Internal Proxy Server list. Multiple values can be specified by separating individual entries with a semi-colon.
For example: proxy.contoso.com:80;proxy2.contoso.com:80
", "maxInactivityTime1": "Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.", "maxInactivityTime2": "0 (default) - No timeout is defined. The default of '0' is interpreted as 'No timeout is defined.'", "maxPasswordAttempts1": "This policy has different behaviors on the mobile device and desktop.", "maxPasswordAttempts2": "On a mobile device, when the user reaches the value set by this policy, then the device is wiped.", "maxPasswordAttempts3": "On a desktop, when the user reaches the value set by this policy, it is not wiped.Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable.If BitLocker is not enabled, then the policy cannot be enforced.", "maxPasswordAttempts4": "Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer.When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page.This page prompts the user for the BitLocker recovery key.", "maxPasswordAttempts5": "0 (default) - The device is never wiped after an incorrect PIN or password is entered.", "maxPasswordAttempts6": "Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.", "mdmDiscoveryUrl": "Specify the URL for the MDM enrollment endpoint that users who enroll to MDM will use. By default, this is specified for Intune.", "minimumPinLength1": "Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.", "minimumPinLength2": "If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4.", "name": "The name of this network boundary", "neutralResources": "If you have authentication redirection endpoints in your company, specify those here. The locations specified here are considered to be either personal or corporate depending on the context of the connection prior to the redirection.
Multiple values can be specified by separating individual entries with a comma.
For example: sts.contoso.com,sts.contoso2.com
", "passportForWork1": "Value that sets Windows Hello for Business as a method for signing into Windows.", "passportForWork2": "Default value is true.If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required.", "pinExpiration": "The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.", "pinHistory1": "The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.", "pinHistory2": "The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset.", "protectUnderLock": "Protects app content while the device is in a locked state.", "protectionModeBlock": "Block: Blocks enterprise data from leaving protected apps.
", "protectionModeOff": "Off: User is free to relocate data off of protected apps. No actions are logged.
", "protectionModeOverride": "Allow overrides: User is prompted when attempting to relocate data from a protected to a non-protected app. If they choose to override this prompt, the action will be logged.
", "protectionModeSilent": "Silent: User is free to relocate data off of protected apps. These actions are logged.
", "required": "Required", "revokeOnMdmHandoff": "Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to “Off”, the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.", "revokeOnUnenroll": "This will cause encryption keys to be revoked when a device un-enrolls from this policy.", "rmsTemplateForEdp": "TemplateID GUID to use for RMS encryption. The Azure RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.", "showWipIcon": "This will let the user know when they are acting in a corporate context, by overlaying an icon.", "useRmsForWip": "Specifies whether to allow Azure RMS encryption for WIP." }, "requireAppPin": "Select Yes to disable the app PIN when a device lock is detected on an enrolled device.
Note: Intune cannot detect device enrollment with a third-party EMM solution on iOS/iPadOS.
" }, "Autopilot": { "AssignResourceAccount": { "createNewCommandMenu": "Create new", "createNewResourceAccountInfo": "\nCreate a new resource account during enrollment. The Resource account will be added to the Resource account table right away, but won't be active until the device is enrolled, and the Surface Hub subscription is verified. Learn more about Resource Accounts
\n ", "createNewResourceTitle": "Create new resource account", "deviceNameInvalid": "Device name is in an invalid format", "deviceNameRequired": "A device name is required", "editResourceAccountLabel": "Edit", "selectExistingCommandMenu": "Select existing" }, "Device": { "ComputerName": { "validFormat": "Names must be 15 characters or less, and can contain letters (a-z, A-Z), numbers (0-9), and hyphens. Names must not contain only numbers. Names cannot include a blank space." }, "Header": { "addressableUserName": "User friendly name", "azureADDevice": "Associated Azure AD device", "batch": "Group tag", "dateAssigned": "Date assigned", "deviceAccountFriendlyName": "Device account friendly name", "deviceAccountPwd": "Device account password", "deviceAccountUpn": "Device account", "deviceDisplayName": "Device name", "deviceName": "Device name", "deviceUseType": "Device-use type", "enrollmentState": "Enrollment state", "intuneDevice": "Associated Intune device", "lastContacted": "Last contacted", "make": "Manufacturer", "model": "Model", "profile": "Assigned profile", "profileStatus": "Profile status", "purchaseOrderId": "Purchase order", "resourceAccount": "Resource account", "serialNumber": "Serial number", "userPrincipalName": "User" }, "SurfaceHub": { "friendlyNameRequired": "A friendly name is required", "pwdRequired": "A password is required", "upnRequired": "A device account is required", "upnValidFormat": "Values can contain letters (a-z, A-Z), numbers (0-9), and hyphens. Values cannot include a blank space." } }, "DeviceUseType": { "meetingAndPresentation": "Meeting and presentation", "teamCollaboration": "Team collaboration" }, "Devices": { "featureDescription": "Windows Autopilot lets you customize the out-of-box experience (OOBE) for your users.", "importErrorStatus": "Some devices were not imported. Click here for more information.", "importPendingStatus": "Import in progress. Elapsed time: {0} min. This process can take up to {1} min." }, "DirectoryService": { "activeDirectoryAD": "Hybrid Azure AD joined", "activeDirectoryADLabel": "Hybrid Azure AD width Autopilot", "azureAD": "Azure AD joined", "unknownType": "Unknown Type" }, "Filter": { "enrollmentState": "State", "profile": "Profile status" }, "OOBE": { "AddressableUserName": { "validateEmpty": "User friendly name cannot be empty." }, "ApplyComputerNameTemplate": { "infoBalloon": "Create a naming template to add names to your devices during enrollment.", "label": "Apply device name template" }, "ApplyComputerNameTemplateDisabled": { "label": "For Hybrid Azure AD joined type of Autopilot deployment profiles, devices are named using settings specified in Domain Join configuration." }, "ComputerNameTemplate": { "emptyValue": "MyCompany-%RAND:4%", "label": "Enter a name", "noDisallowedChars": "Name must only contain alphanumeric characters, hyphens, %SERIAL%, or %RAND:x%", "serialLength": "Cannot use more than 7 characters with %SERIAL%", "validateLessThan15Chars": "Name must be 15 characters or less", "validateNoSpaces": "Computer names cannot contain spaces", "validateNotAllNumbers": "Name must also contain letters and/or hyphens", "validateNotEmpty": "Name cannot be empty", "validateOnlyOneMacro": "Name must only contain one of %SERIAL% or %RAND:x%" }, "ConfigureComputerNameTemplate": { "description": "Create a unique name for your devices. Names must be 15 characters or less, and can contain letters (a-z, A-Z), numbers (0-9), and hyphens. Names must not contain only numbers. Names cannot include a blank space. Use the %SERIAL% macro to add a hardware-specific serial number. Alternatively, use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add." }, "EnableWhiteGlove": { "infoBalloon": "Enable pressing Windows key 5 times to run OOBE without user authentication to enroll device and provision all system-context apps and settings. User-context apps and settings will be delivered when the user signs in.", "label": "Allow pre-provisioned deployment" }, "HybridAzureADSkipConnectivityCheck": { "infoBalloon": "The Autopilot Hybrid Azure AD join flow will continue even if it does not establish domain controller connectivity during OOBE.", "label": "Skip AD connectivity check (preview)" }, "accountType": "User account type", "accountTypeInfo": "Specify whether users are administrators or standard users on the device. Note that this setting does not apply to Global Administrator or Company Administrator accounts. These accounts cannot be standard users because they have access to all administrative features in Azure AD.", "configOOBEInfo": "\nConfigure the out-of-box experience for your Autopilot devices\n
", "configureDevice": "Deployment mode", "configureDeviceHintForSurfaceHub2": "Autopilot only supports self-deploying mode for Surface Hub 2. This mode doesn't associate the user with the enrolled device, so it doesn't require user credentials.", "configureDeviceHintForWindowsPC": "\n Deployment mode controls if a user needs to provide credentials in order to provision the device.\n
\n\nThe following options are automatically enabled for Autopilot devices in self-deploying mode:\n
\nTo deploy this profile to a device, you must assign the device a Resource account. Select one device at a time to assign an existing Resource account or to create a new one. Learn more about Resource Accounts
", "assignedDevicesResourceAccountStatusBarMessage": "This table only lists the Surface Hub 2 devices that have been assigned this profile.", "assigningDescription": "Updating assignments for {0}.", "assigningTitle": "Updating Autopilot profile assignments.", "autoremediationContext": "We've detected a hardware change on this device. We're trying to automatically register the new hardware. You don't need to do anything now; the status will be updated at the next check in with the result. Learn more about resetting the profile.", "autoremediationTitle": "Device {0} has a fix pending", "cannotDeleteMessage": "This profile is assigned to groups. You must unassign all groups from this profile before you can delete it.", "cannotDeleteTitle": "Cannot delete {0}", "createdDateTime": "Created", "deleteMessage": "If you delete this Autopilot profile, any devices assigned to this profile will display Unassigned.", "deleteMessageWithPolicySet": "{0} is included in one more more policy sets. If you delete {0}, you'll no longer be able to assign it via these policy sets.", "deleteTitle": "Are you sure you want to delete this profile?", "description": "Description", "deviceType": "Device type", "deviceUse": "Device use", "directoryServiceHintForSurfaceHub2": "\n Autopilot only supports Azure AD Joined for Surface Hub 2 devices. Specify how devices join Active Directory (AD) in your organization.\n
\n\n Specify how devices join Active Directory (AD) in your organization:\n
\nEnter the protocol for a single unmanaged browser. Web content (http/s) from policy managed applications will open in any app that supports this protocol.
\n \nNote: Include only the protocol prefix. If your browser requires links of the form \"mybrowser://www.microsoft.com\", enter \"mybrowser\".
" }, "CustomDialerAppDisplayName": { "label": "Dialer App Name" }, "CustomDialerAppPackageId": { "label": "Dialer App Package ID" }, "CustomDialerAppProtocol": { "label": "Dialer App URL Scheme" }, "Cutcopypaste": { "label": "Restrict cut, copy, and paste between other apps", "tooltip": "Cut, copy, and paste data between your app and other approved apps installed on the device. Choose to block these actions completely between apps, allow these actions for use with any app, or restrict use to apps that your organization manages.
\n\nPolicy-managed apps with paste in gives you the option to accept incoming content pasted from another app. However, it blocks users from sharing content outwardly, unless sharing with a managed app.
" }, "DialerRestrictionLevel": { "iosTooltip": "Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app. Additional steps may be necessary in order for this setting to take effect. First, verify that tel and telprompt have been removed from the Select apps to exempt list. Then, ensure the application is using a newer version of Intune SDK (Version 12.7.0+).", "label": "Transfer telecommunication data to", "tooltip": "Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app." }, "EncryptData": { "label": "Encrypt org data", "link": "https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-android#data-relocation-settings", "tooltip": "Select {0} to enforce encrypting org data with Intune app layer encryption.\nChoose Require to enable encryption of work or school data in this app. Intune uses an OpenSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. The SDK will continue to provide support of 128-bit keys for compatibility with content and apps that use older SDK versions.
\n\nThe encryption method is FIPS 140-2 compliant.
" }, "EncryptDataIos": { "tooltip1": "Choose Require to enable encryption of work or school data in this app. Intune enforces iOS/iPadOS device encryption to protect app data while the device is locked. Applications may optionally encrypt app data using Intune APP SDK encryption. Intune APP SDK uses iOS/iPadOS cryptography methods to apply 128-bit AES encryption to app data.", "tooltip2": "When you enable this setting, the user may be required to set up and use a PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message \"Your organization has required you to first enable a device PIN to access this app.\"", "tooltip3": "Go to the official Apple documentation to see which iOS encryption modules are FIPS 140-2 compliant or pending FIPS 140-2 compliance." }, "EncryptDataOnEnrolledDevices": { "label": "Encrypt org data on enrolled devices", "tooltip": "Select {0} to enforce encrypting org data with Intune app layer encryption on all devices.Select one of the following options to specify how notifications for org accounts are shown for this app and any connected devices such as wearables:
\n{0}: Do not share notifications.
\n{1}: Do not share org data in notifications. If not supported by the application, notifications are blocked.
\n{2}: Share all notifications.
\nAndroid only:\n Note: This setting does not apply to all applications. For more information see {3}
\n \niOS only:\nNote: This setting does not apply to all applications. For more information see {4}
" }, "OpenLinksManagedBrowser": { "label": "Restrict web content transfer with other apps", "tooltip": "Select one of the following options to specify the apps that this app can open web content in:
\nEdge: Allow web content to open only in Edge
\nUnmanaged browser: Allow web content to open only in the unmanaged browser defined by \"Unmanaged browser protocol\" setting
\nAny app: Allow web links in any app
" }, "OverrideBiometric": { "tooltip": "If required, depending on the timeout (minutes of inactivity), a PIN prompt will override biometric prompts. If this timeout value is not met, the biometric prompt will continue to show. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'. " }, "PinAccess": { "label": "PIN for access", "tooltip": "If required, a PIN must be used to access the policy-managed app. Users must create an access PIN the first time that they open the app from a work or school account." }, "PinLength": { "label": "Select minimum PIN length", "tooltip": "This setting specifies the minimum number of digits of a PIN." }, "PinType": { "label": "PIN type", "tooltip": "Numeric PINs are made up of all numbers. Passcodes are made up of alphanumeric characters and special characters. " }, "Printing": { "label": "Printing org data", "tooltip": "If blocked, the app cannot print protected data." }, "ReceiveData": { "label": "Receive data from other apps", "tooltip": "Select one of the following options to specify the apps that this app can receive data from:If you defer software updates, newly released updates won't become visible to users until after the deferral period (which you'll configure in the next settings). Deferring software updates doesn't impact scheduled updates.
OS-related updates can be deferred on devices running macOS 10.13 or later; non OS-related updates (such as Safari updates) can be deferred on devices running macOS 11 or later.
", "updateDelayPolicyName": "Defer software updates", "updateEveryWeek": "Every week", "updateFirstWeekOfMonth": "First week of the month", "updateFourthWeekOfMonth": "Fourth week of the month", "updateNotificationLevelDescription": "Specifies what Windows Update notifications users see.", "updateNotificationLevelName": "Change notification update level", "updateSecondWeekOfMonth": "Second week of the month", "updateSettingsName": "Update settings", "updateThirdWeekOfMonth": "Third week of the month", "updatesClassificationName": "Minimum classification of updates to install automatically", "upperIPv4AddressName": "Upper IPv4 address", "upperPortName": "Upper port", "url": "URL", "urlPathHashOption": "Hash", "usbTypeAPortName": "USB type A", "usbTypeCPortName": "USB Type C", "useDeadlineSettingsDescription": "Allows user to use deadline settings", "useDeadlineSettingsName": "Use deadline settings", "useInternalSubnetName": "Use IPv4/IPv6 internal subnet attributes", "useOAuth": "OAuth", "useOAuthDescription": "Specifies whether the connection should use OAuth for authentication.", "usePACName": "Use (PAC)", "useWindows10ForcedUpdates": "Force restart apps on update failure", "useWindows10ForcedUpdatesTooltip": "To ensure apps are always up-to-date, use this setting to configure a recurring or one time date to restart apps whose update failed due to the app being in use.", "userAccountControlDescription": "How is user notified about device changes (recommend Always notify).", "userAccountControlName": "User Account Control", "userApprovedAndAutomatedDeviceEnrollmentHeaderDescriptionMac": "These settings work for devices that were enrolled in Intune with user approval, and for devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices.", "userApprovedAndAutomatedDeviceEnrollmentHeaderNameMac": "User approved and automated device enrollment", "userAuthentication": "User authentication", "userCanConfigure": "User can configure", "userControlOption": "User in control", "userCustomDomainDescription": "The value Intune uses for the user domain name that will be used by this profile e.g. contoso.com or contoso.", "userCustomDomainName": "Custom domain name to use", "userCustomDomainNameExample": "e.g. contoso.com", "userDefined": "User defined", "userDomainAADAttributeDescription": "The attribute Intune gets from Azure AD to dynamically generate the user domain name that will be used by this profile e.g. contoso.com (full domain name) or contoso (NetBIOS name).", "userDomainAADAttributeLinkText": "Learn more about AAD attributes for email profiles.", "userDomainAADAttributeName": "User domain name attribute from AAD", "userExperienceSettingsName": "User experience settings", "userNameOption": "User name", "userNameTypeDescription": " The attribute Intune gets from Azure AD to dynamically generate the username that will be used by this profile e.g. MyName@contoso.com (UPN) or MyName (username).", "userNameTypeLinkText": "Learn more about AAD attributes for Email profiles.", "userNameTypeName": "Username attribute from AAD", "userPauseAccessDescription": "An option in Windows Update that, when enabled, lets device users pause updates for a certain number of days.", "userPauseAccessName": "Option to pause Windows updates", "userPrincipalNameOption": "User Principal Name", "userRightsAccessCredentialManagerAsTrustedCallerDesc": "This user right is used by Credential Manager during Backup/Restore. Users' saved credentials might be compromised if this privilege is given to other entities. ", "userRightsAccessCredentialManagerAsTrustedCallerName": "Access Credential Manager as trusted caller", "userRightsActAsPartOfTheOperatingSystemDesc": "This user right allows a process to impersonate any user without authentication. ", "userRightsActAsPartOfTheOperatingSystemName": "Act As Part Of The OS", "userRightsAddSidBladeTitle": "Other local users or groups", "userRightsAddSidBladeTitleName": "Add local users or groups by SID", "userRightsAddSidTableDescriptionDesc": "Admin’s description of this local user or group.", "userRightsAddSidTableDescriptionName": "Description", "userRightsAddSidTableNameDesc": "The name of this local user or group.", "userRightsAddSidTableNameName": "Name", "userRightsAddSidTableSidDesc": "The security identifier of this local user or group (e.g. *S-1-5-32-544).", "userRightsAddSidTableSidName": "SID", "userRightsAdministratorsName": "Administrators", "userRightsAllowAccessFromNetworkDesc": "This user right determines which users and groups are allowed to connect to the computer over the network. ", "userRightsAllowAccessFromNetworkName": "Allow Access From Network", "userRightsAllowLocalLogOnDesc": "This user right determines which users can log on to the computer.", "userRightsAllowLocalLogOnName": "Allow local log on", "userRightsAuthenticatedUsersName": "Authenticated users", "userRightsBackupFilesAndDirectoriesDesc": "This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.", "userRightsBackupFilesAndDirectoriesName": "Backup files and directories", "userRightsBlockAccessFromNetworkDesc": "This user right determines which users are prevented from accessing a computer over the network.", "userRightsBlockAccessFromNetworkName": "Deny Access From Network", "userRightsChangeSystemTimeDesc": "This user right determines which users and groups can change the time and date on the internal clock of the computer.", "userRightsChangeSystemTimeName": "Change the system time", "userRightsCreateGlobalObjectsDesc": "This security setting determines whether users can create global objects that are available to all sessions. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.", "userRightsCreateGlobalObjectsName": "Create global objects", "userRightsCreatePageFileDesc": "This user right determines which users and groups can call an internal API to create and change the size of a page file.", "userRightsCreatePageFileName": "Create pagefile", "userRightsCreatePermanentSharedObjectsDesc": "This user right determines which accounts can be used by processes to create a directory object using the object manager.", "userRightsCreatePermanentSharedObjectsName": "Create permanent shared objects", "userRightsCreateSymbolicLinksDesc": "This user right determines if the user can create a symbolic link from the computer to which they are logged on.", "userRightsCreateSymbolicLinksName": "Create symbolic links", "userRightsCreateTokenDesc": "This user right determines which users/groups can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal API to create an access token.", "userRightsCreateTokenName": "Create tokens", "userRightsDebugProgramsDesc": "This user right determines which users can attach a debugger to any process or to the kernel.", "userRightsDebugProgramsName": "Debug programs", "userRightsDelegationDesc": "This user right determines which users can set the Trusted for Delegation setting on a user or computer object.", "userRightsDelegationName": "Enable delegation", "userRightsDenyLocalLogOnDesc": "This security setting determines which service accounts are prevented from registering a process as a service.", "userRightsDenyLocalLogOnName": "Deny log on as a service", "userRightsDescriptionExample": "(BUILTIN\\Event Log Readers)", "userRightsGenerateSecurityAuditsDesc": "This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access.", "userRightsGenerateSecurityAuditsName": "Generate security audits", "userRightsGuestsName": "Guests", "userRightsImpersonateClientDesc": "Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.", "userRightsImpersonateClientName": "Impersonate a client", "userRightsIncreaseSchedulingPriorityDesc": "This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process", "userRightsIncreaseSchedulingPriorityName": "Increase scheduling priority", "userRightsLoadUnloadDriversDesc": "This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode.", "userRightsLoadUnloadDriversName": "Load and unload device drivers", "userRightsLocalAccountAndMemberOfAdministratorsGroupName": "Local account and member of Administrators group", "userRightsLocalAccountName": "Local account", "userRightsLocalServicesName": "Local services", "userRightsLockMemoryDesc": "This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.", "userRightsLockMemoryName": "Lock pages in memory", "userRightsManageAuditingAndSecurityLogsDesc": "This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.", "userRightsManageAuditingAndSecurityLogsName": "Manage auditing and security log", "userRightsManageVolumesDesc": "This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.", "userRightsManageVolumesName": "Perform volume maintenance tasks", "userRightsModifyFirmwareEnvironmentDesc": "This user right determines who can modify firmware environment values.", "userRightsModifyFirmwareEnvironmentName": "Modify firmware environment values", "userRightsModifyObjectLabelsDesc": "This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users.", "userRightsModifyObjectLabelsName": "Modify an object label", "userRightsNameExample": "Event Log Readers", "userRightsNetworkServicesName": "Network services", "userRightsProfileSingleProcessDesc": "This user right determines which users can use performance monitoring tools to monitor the performance of system processes.", "userRightsProfileSingleProcessName": "Profile single process", "userRightsRemoteDesktopServicesLogOnDesc": "This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.", "userRightsRemoteDesktopServicesLogOnName": "Deny log on through Remote Desktop Services", "userRightsRemoteDesktopUsersName": "Remote desktop users", "userRightsRemoteShutdownDesc": "This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.", "userRightsRemoteShutdownName": "Remote shutdown", "userRightsRestoreDataDesc": "This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object.", "userRightsRestoreDataName": "Restore files and directories", "userRightsServicesName": "Services", "userRightsSidDesc": "User or Group Sid", "userRightsSidExample": "*S-1-5-21-2146773085", "userRightsSidName": "SIDs", "userRightsTakeOwnershipDesc": "This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.", "userRightsTakeOwnershipName": "Take ownership of files or objects", "userRightsUsersName": "Users", "userToggleEnabledName": "User to disable VPN configuration", "userToggleEnabledToolTip": "Unless allowed, users can’t turn off always-on VPN. The default value for this setting is the most secure option.", "userWindowsUpdateScanAccessDescription": "A button in Windows Update that, when enabled, lets device users check the update service for updates.", "userWindowsUpdateScanAccessName": "Option to check for Windows updates", "usernameAndPasswordOption": "Username and password", "usernameFormat": "Username format:", "usernameFormatDescription": "Username format example - abcd{{WifiMacAddress}}", "utcMinusEightOption": "UTC-8", "utcMinusElevenOption": "UTC-11", "utcMinusFiveOption": "UTC-5", "utcMinusFourOption": "UTC-4", "utcMinusNineOption": "UTC-9", "utcMinusNineThirtyOption": "UTC-9:30", "utcMinusOneOption": "UTC-1", "utcMinusSevenOption": "UTC-7", "utcMinusSixOption": "UTC-6", "utcMinusTenOption": "UTC-10", "utcMinusThreeOption": "UTC-3", "utcMinusThreeThirtyOption": "UTC-3:30", "utcMinusTwelveOption": "UTC-12", "utcMinusTwoOption": "UTC-2", "utcPlusEightFourtyFiveOption": "UTC+8:45", "utcPlusEightOption": "UTC+8", "utcPlusEightThirtyOption": "UTC+8:30", "utcPlusElevenOption": "UTC+11", "utcPlusFiveFourtyFiveOption": "UTC+5:45", "utcPlusFiveOption": "UTC+5", "utcPlusFiveThirtyOption": "UTC+5:30", "utcPlusFourOption": "UTC+4", "utcPlusFourThirtyOption": "UTC+4:30", "utcPlusFourteenOption": "UTC+14", "utcPlusNineOption": "UTC+9", "utcPlusOneOption": "UTC+1", "utcPlusSevenOption": "UTC+7", "utcPlusSixOption": "UTC+6", "utcPlusSixThirtyOption": "UTC+6:30", "utcPlusTenOption": "UTC+10", "utcPlusTenThirtyOption": "UTC+10:30", "utcPlusThirteenOption": "UTC+13", "utcPlusThreeOption": "UTC+3", "utcPlusThreeThirtyOption": "UTC+3:30", "utcPlusTwelveFourtyFiveOption": "UTC+12:45", "utcPlusTwelveOption": "UTC+12", "utcPlusTwoOption": "UTC+2", "utcZeroOption": "UTC±00", "vPNAddressExample": "10.0.0.3, vpn.contoso.com", "vPNAppsDescription": "When at least one app is selected, the VPN connection will be limited to the apps in the list.", "vPNAppsName": "Select apps that would be allowed to use this VPN connection", "vPNAuthMethodDescription": "Select how you want users to authenticate to the VPN server. Using certificate-based authentication provides enhanced capabilities such as zero-touch experience, on-demand VPN, and per-app VPN.", "vPNCitrixData": "Citrix data", "vPNCitrixDataDescription": "Enter key and value pairs for the Citrix VPN attributes.", "vPNConditionTypeColumnName": "Restrict to", "vPNConditionTypeName": "I want to restrict to", "vPNConnectionExample": "Contoso VPN", "vPNCustomData": "Attributes for custom VPN", "vPNCustomDataDescription": "Enter key and value pairs for the custom VPN attributes.", "vPNCustomKeyExample": "SingleSignOn", "vPNCustomValueExample": "True", "vPNDnsAutoTriggerDescription": "Automatically connect to the VPN when the device connects to this domain", "vPNDnsAutoTriggerName": "Automatically Connect", "vPNDnsPersistentDescription": "Keep this rule active even when the VPN is not connected: Select Enable to keep this rule in the Name Resolution Policy table (NRPT) until the rule is manually removed from the device, even after the VPN is disconnected. By default, NRPT rules in the VPN profile are removed from the device when the VPN is disconnected.", "vPNDnsPersistentName": "Persistent", "vPNEAPXMLDescription": "Enter the extensible authentication protocol (EAP) configuration in XML format. ", "vPNEAPXMLHelpLinkDescription": "Learn more about creating an EAP configuration for your VPN profile.", "vPNFQDNExample": "vpn.contoso.com", "vPNIKEv2RemoteIdentifierDescription": "Specify the address of the IKEv2 server. This is usually the same value used in the IP address or FQDN field under Base VPN. The address must be a FQDN, UserFQDN, network address, or ASN1DN.", "vPNIKEv2RemoteIdentifierName": "Remote identifier", "vPNIdentifier": "VPN identifier", "vPNIdentifierExample": "e.g. com.cisco.anyconnect.applevpn.plugin", "vPNNetMotionMobilityCustomData": "Attributes for NetMotion Mobility VPN", "vPNNetMotionMobilityCustomDataDescription": "Enter key and value pairs for the NetMotion Mobility VPN attributes.", "vPNPerAppDescription": "When users start using the selected apps, traffic will automatically route through the VPN connection if the connection is configured to be Always On or if the connection has been manually started by the user.", "vPNPolicyAddressDescription": "Proxy server address (fully-qualified host, or IP address).", "vPNPolicyAddressName": "Address", "vPNPolicyAssociatedAppsDescription": "Apps added here will automatically start this VPN connection.", "vPNPolicyAssociatedAppsName": "Associated Apps", "vPNPolicyAssociatedDomainsUrlsDescription": "Associated domains require additional setup outside of this VPN profile. Learn more.Get the Microsoft Edge app for your users on iOS or Android so they can browse seamlessly across their corporate devices! Edge lets users cut through the clutter of the web with built-in features that help them consolidate, arrange and manage work content. Users of iOS and Android devices who sign-in with their corporate Azure AD accounts in the Edge application will find their browser pre-loaded with workplace Favorites and website filters you define.
If you have blocked users from enrolling either iOS or Android devices, this scenario will not enable enrollment, and the users will need to install Edge for themselves.
", "edgeGSIntroPrereqHTML": "We'll ask you about the workplace favorites your users need, and the filters you require for web browsing. Make sure you complete the following tasks before you continue:
\nI need to add my own line-of-business app
", "guidedTemplate2": "We’ll ask you which protection level you would like to deploy to your users. For more information, see Data protection framework with app protection policies. ", "guidediOSLabel": "iOS app protection", "hardwareBackedKey": "Hardware-backed key", "helpAndSupport": "Help and support", "hideOverrides": "Hide Overrides", "highDataProtectionGuidedString": "High data protection – expand upon the settings defined in enhanced data protection by introducing more complex access requirements settings (e.g., disables simple PIN), data protection settings (for example, disabling third-party keyboards).", "iOSAppEncryptionStatus": "iOS device independent encryption is enabled for compatible applications. The App protection policy setting \"Encrypt Org Data\" must be configured to \"Require\" to enforce encryption.", "iOSPlatformLabel": "iOS/iPadOS", "importedApps": "Imported apps", "include": "Include", "includedPolicyManagedApps": "Included policy-managed apps", "instanceDisplayName": "Instance display name", "introduction": "Introduction", "intuneAppProtection": "Intune App Protection", "intuneAppProtectionHasMergedIntoMobileApps": "Intune App Protection has merged into the Intune mobile apps experience", "intuneAppProtectionLegacy": "Intune App Protection (Legacy)", "intuneManagedDevices": "Intune managed devices", "invalidBundleId": "Valid characters are: alphanumeric, '-' and '.'", "invalidPackageId": "Valid characters are: alphanumeric, '_' and '.'", "invalidTokenUsageError": "Invalid token", "iosAndroidMacPlatformLabel": "iOS, Android, Mac", "iosAndroidPlatformLabel": "iOS, Android", "isMamEnabled": "Is MAM enabled?", "itemsCount": "{0} items", "jailbrokenRootedDevices": "Jailbroken/rooted devices", "lastReportedDate": "Last reported date", "lastSync": "Last sync", "lastSyncGmt": "Last sync (GMT)", "learnMoreAboutMamAndWipHere": "Learn more about MAM and WIP here.", "learnMoreAboutWip": "Learn more about app protection policies in Windows 10 and later", "learnMoreAboutWipHere": "Learn more about WIP here", "legacy": "Legacy", "loadMore": "Load more", "localStorage": "Local Storage", "mAMShortTitle": "Intune MAM", "mAMSummaryBladeTitle": "App protection status", "macPlatformLabel": "Mac", "mamGSTitle": "Protect Microsoft Office mobile apps (preview)", "manage": "Manage", "manageUsers": "Manage Users", "managedAppCRUDpermission": "Managed Apps Create,Read,Assign,Delete Permission", "managedAppsOptionText": "Managed apps", "managedAppsWithOSSharing": "Policy managed apps with OS sharing", "managedAppsWithOpenInSharing": "Policy managed apps with Open-In/Share filtering", "managedUniversalLinks": "Managed universal links", "managementType": "Management type", "maxMinValidation": "Maximum OS version has to be lower than the Minimum OS version, when the action is the same.", "maxOsVersion": "Max OS version", "maxPinAttempts": "Max PIN attempts", "maximumAllowedDeviceThreatLevel": "Max allowed device threat level", "maximumCompanyPortalVersionAge": "Max Company Portal version age (days)", "mdm": "MDM", "mdmDeviceId": "MDM Device ID", "mdmWipInvalidVersionSettings": "One or more apps have invalid minimum/maximum version definitions.If advanced data protection controls are enforced, users will not be able to share work or school content with personal apps or personal accounts and will be required to use Microsoft Edge.
", "userIsBlocked": "This user is blocked by user-level wipe.", "userIsLicensedIntune": "User is licensed for Microsoft Intune.", "userIsLicensedO365": "User is licensed for Office 365.", "userIsNotLicensedIntune": "User is not licensed for Microsoft Intune. Click here to learn more.", "userIsNotLicensedIntuneNoLink": "User is not licensed for Microsoft Intune. Click here to learn more.", "userIsNotLicensedO365": "User is not licensed for Office 365. Click here to learn more.", "userIsNotLicensedO365NoLink": "User is not licensed for Office 365. Click here to learn more.", "userLevelWipe": "User-Level Wipe", "userLicensingUnknownIntune": "Unable to determine if a Microsoft Intune license is assigned to this user. Click here to learn more.", "userLicensingUnknownIntuneNoLink": "Unable to determine if a Microsoft Intune license is assigned to this user. Click here to learn more.", "userLicensingUnknownO365": "Unable to determine if an Office 365 license is assigned to this user. Click here to learn more.", "userLicensingUnknownO365NoLink": "Unable to determine if an Office 365 license is assigned to this user. Click here to learn more.", "userName": "User name", "userNotFound": "User not found", "userNotLicensed": "This user is not licensed for Microsoft Intune.", "userNotTargetedForAppPolicies": "This user is not targeted for any app policies", "userPrincipalName": "User principal name", "userReport": "User report", "userSelectorDisplayText": "{0} selected", "userSelectorLabel": "User", "userStatusesTableGroupingDropdownLabel": "Table grouping", "userStatusesTableGroupingDropdownTooltip": "Select a column to aggregate data by", "users": "Users", "usersCheckedInTitle": "Users checked in", "usersThatIDontInclude": "What happens to the users that I don't include?", "usersWithLicense": "Assigned and licensed", "usersWithPotentiallyHarmfulApps": "Users with potentially harmful apps", "usersWithoutLicense": "Assigned and not licensed", "validationResult": "Validation result", "valueColumnHeader": "Value", "valueMustNotContainCharsError": "Value must not contain the following characters: {0}", "versionValidationExample": "Format: [Major].[Minor] or [Major].[Minor].[Build].[Revision]
Example: 1.5 or 1.5.50.101
", "versionValidationWith2To4Segments": "Format: [Major].[Minor] or [Major].[Minor].[Build] or [Major].[Minor].[Build].[Revision]
Example: 1.5 or 1.5.50 or 1.5.50.101
", "versionValidationWithDateFormat": "Must be a valid date format (YYYY-MM-DD).", "warn": "Warn", "warning": "Warning", "weMovedToANewLocation": "We moved to a new location", "windows10AppProtectionPolicy": "Windows 10 and later app protection policy", "windows10PlatformLabel": "Windows 10 and later", "windowsPlatformLabel": "Windows", "windowsProtectionReport": "Windows protection report", "wipAddAppsSubtitle": "Add recommended Microsoft apps, or manually add store or desktop apps to be allowed in this policy.", "wipAllowIndexingTitle": "Allow Windows Search Indexer to search encrypted items", "wipAllowIndexingTooltip": "Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.", "wipAllowedAppsInfo": "These are the apps that must adhere to this policy.", "wipAppLockerFileUploadInfoBaloonText": "Allowed files are AppLocker files, which are XML.", "wipAppLockerFileUploadInfoText": "Please specify the file path to the file you want to import.", "wipCorpIdentityTooltip": "This field should contain only the primary domain. Any additional domains are to be added as 'Protected domains' under the 'Network perimeter' in the 'Advanced settings' tab.", "wipDesktopApps": "Desktop apps", "wipExemptAppsInfo": "These apps are exempt from this policy, and can freely access corporate data.", "wipLearnMore": "Learn more about WIP", "wipLearningTitle": "App learning report for Windows Information Protection", "wipMaxVersion": "Max Version", "wipMinVersion": "Min Version", "wipNoAppsSelected": "No apps selected.", "wipPolicyAddAps": "Add apps", "wipPolicyExemptAppsTitle": "Exempt apps", "wipPolicyImportApps": "Import apps", "wipPolicyProtectedAppsTitle": "Protected apps", "wipPotocolsWarningMessage": "Caution: modifying these settings changes how Intune blocks or allows data transfer to other applications. Do not modify these settings unless you understand the potential for data leaks. You can learn more here.", "wipPotocolsWarningMessageIos": "Caution: modifying these settings changes how Intune blocks or allows data transfer to other applications. Do not modify these settings unless you understand the potential for data leaks. You can learn more here.