Defender for Endpoint on iOS
Prerequisites
- Intune and Defender correctly set up. See Fresh Tenant Setup for how to prepare a test tenant.
- Test devices. You'll want at least two iOS devices so you can compare supervised and unsupervised behaviour.
The deployment and configuration varies depending on whether the iOS devices are supervised or unsupervised.
Deploy Defender Endpoint App to iOS devices
Applies to: Supervised and unsupervised devices
- Add the iOS store app for Microsoft Defender and assign it to all users who should have Defender for Endpoint. As of writing, the name in the App Store is Microsoft Defender: Security.
Configure Defender for Endpoint
App Supervision Policy
Applies to: Supervised and unsupervised devices
The docs are confusing on this point, but because the policy uses a token that is resolved on the device, it can safely be deployed to both supervised and unsupervised devices.
- Create an app configuration policy for Managed Devices with platform iOS and targeted app Microsoft Defender: Security.
- Use the configuration designer to set a string key/value pair:
    - Key: issupervised
    - Type: string
    - Value: {{issupervised}}
- Target both supervised and unsupervised devices.
Onboarding Profiles
Applies to: Unsupervised devices
For unsupervised devices, there are two ways to finalize the configuration of Defender for Endpoint after it has been deployed:
- Zero-Touch onboarding: This automatically configures Defender for Endpoint without any user interaction. Recommended.
- Simplified onboarding: This requires users to open Defender to finalize onboarding before the VPN functions.
- Create a device configuration policy for iOS/iPadOS devices with the template type VPN and the following settings:
    - Connection Name = Microsoft Defender for Endpoint
    - VPN server address = 127.0.0.1
    - Auth method = Username and password
    - Split Tunneling = Disable
    - VPN identifier = com.microsoft.scmx
    - Key/Value Pairs (one of the following, depending on the onboarding method):
        - For Zero-Touch onboarding:
            - Key: SilentOnboard
            - Value: True
        - For Simplified onboarding:
            - Key: AutoOnboard
            - Value: True
    - Type of Automatic VPN = On-demand VPN
    - Add an on-demand rule:
        - I want to do the following: Connect VPN
        - I want to restrict to: All domains
- To prevent users from disabling the VPN in iOS Settings, set Block users from disabling automatic VPN: Yes.
- To disable the On/Off Toggle for the VPN in the Defender app itself, add the following key/value pair:
    - Key: EnableVPNToggleInApp
    - Value: TRUE
- Target unsupervised devices.
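As an added example (not from the original page and not Microsoft's own tooling), the app supervision policy and the onboarding VPN profile above expressed as Microsoft Graph request bodies, so they can be created from a script instead of the portal. The property names follow the Intune Graph schema for iosMobileAppConfiguration and iosVpnConfiguration as I know it; the beta endpoint URLs, the Defender app id, and the mapping of "All domains" to an on-demand rule with no match criteria are assumptions to verify against your tenant.

```python
import json
import urllib.request

# Assumed Graph endpoints (beta schema); the Defender app id comes from your tenant.
APP_CONFIG_URL = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations"
DEVICE_CONFIG_URL = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"


def app_supervision_policy(defender_app_id: str) -> dict:
    """App configuration policy passing the {{issupervised}} token; it resolves per device."""
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": "Defender for Endpoint - issupervised",
        "targetedMobileApps": [defender_app_id],  # Intune id of "Microsoft Defender: Security"
        "settings": [{
            "appConfigurationKey": "issupervised",
            "appConfigurationKeyType": "stringType",
            "appConfigurationKeyValue": "{{issupervised}}",
        }],
    }


def onboarding_vpn_profile(mode: str, disable_app_toggle: bool = True) -> dict:
    """Loopback VPN profile for unsupervised devices; mode is 'zero-touch' or 'simplified'."""
    onboard_keys = {"zero-touch": "SilentOnboard", "simplified": "AutoOnboard"}
    if mode not in onboard_keys:
        raise ValueError(f"mode must be one of {sorted(onboard_keys)}")
    custom = [{"key": onboard_keys[mode], "value": "True"}]
    if disable_app_toggle:  # per the steps above, this key disables the VPN toggle inside the app
        custom.append({"key": "EnableVPNToggleInApp", "value": "TRUE"})
    return {
        "@odata.type": "#microsoft.graph.iosVpnConfiguration",
        "displayName": f"Defender for Endpoint VPN ({mode})",
        "connectionName": "Microsoft Defender for Endpoint",
        "connectionType": "customVpn",
        "identifier": "com.microsoft.scmx",  # VPN identifier
        "server": {"description": "loopback", "address": "127.0.0.1", "isDefaultServer": True},
        "authenticationMethod": "usernameAndPassword",
        "enableSplitTunneling": False,
        "onDemandRules": [{"action": "connect"}],  # assumption: no match criteria == "All domains"
        "disableOnDemandUserOverride": True,  # "Block users from disabling automatic VPN: Yes"
        "customData": custom,
    }


def graph_post(url: str, body: dict, token: str) -> dict:
    """POST a policy body to Graph; the token needs the Intune ReadWrite scopes."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Assigning the created policies to the supervised or unsupervised device groups is a separate /assign call on each policy, which this snippet does not perform.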
Control Filter
Applies to: Supervised devices
The Control Filter provides Defender for Endpoint's Web Protection without the loopback VPN at all. This does not work with other always-on VPNs.
- Create a Device Config profile with the following settings:
    - Platform: iOS/iPadOS
    - Profile Type: Templates
    - Template Name: Custom
- Download the ControlFilterZeroTouch .mobileconfig profile and upload it.
- Target supervised devices. If you accidentally target unsupervised devices, the profile simply won't apply to them.