The Web Content Filtering and Web Threat Protection features of Microsoft Defender for Endpoint require a local (self-loop) Virtual Private Network (VPN) connection on iOS & iPadOS devices. Microsoft Endpoint Manager (Intune) offers the capability to configure local VPN profiles. Immediately after installing the Defender app and VPN profile, the VPN connection will be established automatically.
Auto-onboarding of devices through VPN profiles is currently in Public Preview.
If you would like to see how to integrate Defender for Endpoint with Intune, check out my earlier post.
Pre-requisites
End user(s) of the app are assigned a Microsoft Defender for Endpoint license. Licensing requirements for Microsoft Defender for Endpoint can be found here.
Using the Intune Company Portal app, device(s) are enrolled so Intune device compliance policies can be enforced. Microsoft Intune licenses must be assigned to end users.
Apple App Store users can download the Intune Company Portal app.
It should be noted that Apple does not allow you to send users to another app store and, therefore, this step must be done by the user before they can use Microsoft Defender for Endpoint.
You can access the Microsoft Defender Security Center through the online portal.
System Requirements
iOS devices running iOS 11.0 and above. iPad devices are officially supported from version 1.1.15010101 onward.
Device is enrolled with the Intune Company Portal app.
Create Device Configuration.
Create VPN Profile for Microsoft Defender for Endpoint – iOS / iPadOS
Select the "Profile Type" and click "Create".
Provide a meaningful name for the policy.
Provide the following details in the "Custom VPN" profile:
Base VPN
Connection name: MS Defender for Intune (or any other VPN name you prefer)
VPN server address: 127.0.0.1
Authentication method: Username and password
Split tunnelling: Disabled
VPN identifier: com.microsoft.scmx
Custom VPN attributes:
AutoOnboard = True
Automatic VPN
Select – On-demand VPN
Click – ADD
Choose On-demand rules.
Assign VPN profile to respective group.
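As an added example (not Microsoft's, Intune's or the post's own code), the following Python builds the custom VPN profile described above as an Apple configuration-profile plist and audits a .mobileconfig against those settings, so a profile can be checked before assignment to confirm that the VPN really terminates on the device at 127.0.0.1 rather than routing traffic to some remote server. The Apple payload key names follow Apple's VPN payload reference; the VPN identifier and the AutoOnboard attribute come from the post; the split-tunnelling setting is not checked because it has no single payload key this example can rely on.

```python
import plistlib
import uuid

LOOPBACK = "127.0.0.1"                  # self-loop address from the post
DEFENDER_VPN_ID = "com.microsoft.scmx"  # VPN identifier from the post


def build_defender_vpn_profile(connection_name="MS Defender for Intune", server=LOOPBACK):
    """Return .mobileconfig bytes for the custom (self-loop) VPN profile described above."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{DEFENDER_VPN_ID}.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": connection_name,      # "Connection name"
        "VPNType": "VPN",                        # custom VPN provided by an app
        "VPNSubType": DEFENDER_VPN_ID,           # bundle id of the provider app
        "VPN": {
            "RemoteAddress": server,             # 127.0.0.1: traffic never leaves the device
            "AuthenticationMethod": "Password",  # "Username and password"
            "OnDemandEnabled": 1,                # Automatic VPN: on-demand
            "OnDemandRules": [{"Action": "Connect"}],
        },
        "VendorConfig": {"AutoOnboard": "True"},  # custom VPN attribute from the post
    }
    profile = {  # constructed wrapper profile
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{DEFENDER_VPN_ID}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def audit_defender_vpn_profile(mobileconfig: bytes) -> list:
    """Return findings; an empty list means every VPN payload matches the post's settings."""
    root = plistlib.loads(mobileconfig)
    vpns = [p for p in root.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpns:
        return ["no VPN payload in profile"]
    findings = []
    for p in vpns:
        vpn = p.get("VPN", {})
        checks = [  # (condition that must hold, finding reported if it does not)
            (vpn.get("RemoteAddress") == LOOPBACK, f"server {vpn.get('RemoteAddress')!r} is not {LOOPBACK}"),
            (p.get("VPNSubType") == DEFENDER_VPN_ID, f"VPN identifier {p.get('VPNSubType')!r} is not {DEFENDER_VPN_ID}"),
            (str(p.get("VendorConfig", {}).get("AutoOnboard", "")).lower() == "true", "AutoOnboard is not True"),
            (bool(vpn.get("OnDemandEnabled")), "on-demand VPN is not enabled"),
        ]
        findings += [msg for ok, msg in checks if not ok]
    return findings
```

Run the audit against the profile actually downloaded from Intune (or exported from a test device) rather than only against the constructed one; a non-empty list is the reason not to assign it.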
Add the Microsoft Defender for Endpoint app in the App portal.
Assign App to respective group.
To configure and deploy the App configuration policy and custom profile on supervised devices, conduct the following steps:
Create App configuration policy for Defender.
On the Settings page, set the Configuration key as issupervised, then Value type as string with the {{issupervised}} as the Configuration value.
Create a Custom profile
Download the .mobileconfig profile from: https://aka.ms/mdatpiossupervisedprofile
This .mobileconfig profile will be used to analyze network traffic to ensure a safe browsing experience, a feature of Defender for iOS.
End User Experience
Once the new device has been enrolled with Automated Device Enrollment via iOS Setup Assistant (OOBE), the device is ready for use.
Apps and profiles will be downloaded to the device while the Company Portal apps are installed automatically (via VPP).
Complete the Setup process for Supervised device
Launch the Defender app on the device and follow the instructions to complete the setup.
Upon completing registration via the Company Portal app, users' email addresses should automatically be populated, and SSO (Microsoft Enterprise SSO) can be used for even more convenience.
End users will see the Local VPN icon on the Home screen.
Finally, validate the device status in the Defender Security Center portal (securitycenter.windows.com).