Defender for Endpoint auto-onboarding for iOS & iPadOS

The Web Content Filtering and Web Threat Protection features of Microsoft Defender for Endpoint require a local (self-loop) Virtual Private Network (VPN) connection on iOS & iPadOS devices. Microsoft Endpoint Manager (Intune) offers the capability to configure local VPN profiles. Immediately after installing the Defender app and VPN profile, the VPN connection will be established automatically.


Auto-onboarding of devices through VPN profiles is currently in Public Preview.


If you would like to see how to integrate Defender for Endpoint with Intune, check out my earlier post.


Pre-requisites

  • End user(s) of the app are assigned a Microsoft Defender for Endpoint license. Licensing requirements for Microsoft Defender for Endpoint can be found here.

  • Device(s) are enrolled using the Intune Company Portal app so that Intune device compliance policies can be enforced. Microsoft Intune licenses must be assigned to end users.

  1. Apple App Store users can download the Intune Company Portal app.

  2. It should be noted that Apple does not allow you to send users to another app store and, therefore, this step must be done by the user before they can use Microsoft Defender for Endpoint.

  • You can access the Microsoft Defender Security Center through the online portal.

System Requirements

  • iOS devices running iOS 11.0 and above. iPad devices are officially supported from version 1.1.15010101 onward.

  • Device is enrolled with the Intune Company Portal app.


Create Device Configuration

Create VPN Profile for Microsoft Defender for Endpoint – iOS / iPadOS


Select “Profile Type” and click “Create”.



Provide a meaningful name for the policy.



Provide the following details in the “Custom VPN” profile:

Base VPN

  • Connection name: MS Defender for Intune (or any other VPN name you want to use)

  • VPN server address: 127.0.0.1

  • Authentication method: Username and password

  • Split tunnelling: Disabled

  • VPN identifier: com.microsoft.scmx


Custom VPN attributes

AutoOnboard = True



Automatic VPN

Select – On-demand VPN

Click – ADD



Choose On-demand rules.



Assign the VPN profile to the respective group.
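Before assigning the profile, it is worth checking that what Intune will push actually matches the values above (loopback server address, the com.microsoft.scmx identifier, on-demand enabled, AutoOnboard set). The following validator is an added example written for this post, not code from Microsoft, Intune or the Defender app. It parses an exported .mobileconfig with Python's plistlib and reports any deviation. The sample profile embedded in it is constructed, and the mapping of the Intune "Custom VPN" fields onto Apple's com.apple.vpn.managed payload keys (RemoteAddress, VPNSubType, AuthenticationMethod, OnDemandRules, VendorConfig) is an assumption to confirm against a real export from your own tenant.

```python
"""Sanity-check a .mobileconfig VPN payload against the self-loop VPN
settings described in this post. Example code added to the post; it is
not Microsoft, Intune or Defender code."""
import ipaddress
import plistlib

# The VPN identifier entered in the Intune "Custom VPN" profile.
EXPECTED_VPN_IDENTIFIER = "com.microsoft.scmx"

# Constructed sample: how the post's settings are ASSUMED to map onto
# Apple's com.apple.vpn.managed payload keys. Compare with a real export.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>MS Defender for Intune</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>com.microsoft.scmx</string>
      <key>VPN</key>
      <dict>
        <key>RemoteAddress</key><string>127.0.0.1</string>
        <key>AuthenticationMethod</key><string>Password</string>
        <key>OnDemandEnabled</key><integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict><key>Action</key><string>Connect</string></dict>
        </array>
      </dict>
      <key>VendorConfig</key>
      <dict>
        <key>AutoOnboard</key><string>True</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

def vpn_payloads(profile_bytes):
    """Return the VPN payload dicts found in a .mobileconfig (XML plist)."""
    plist = plistlib.loads(profile_bytes)
    return [p for p in plist.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]

def check_self_loop_vpn(payload, expected_identifier=EXPECTED_VPN_IDENTIFIER):
    """Return a list of findings; an empty list means the payload matches."""
    findings = []
    vpn = payload.get("VPN", {})
    # The Defender VPN must loop back to the device itself, never to a remote host.
    addr = vpn.get("RemoteAddress", "")
    try:
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"RemoteAddress {addr!r} is not a loopback address")
    except ValueError:
        findings.append(f"RemoteAddress {addr!r} is not a valid IP address")
    # The VPN identifier ties the profile to the Defender app's network extension.
    if payload.get("VPNSubType") != expected_identifier:
        findings.append(f"VPNSubType is {payload.get('VPNSubType')!r}, "
                        f"expected {expected_identifier!r}")
    # "Username and password" in Intune is assumed to map to "Password" here.
    if vpn.get("AuthenticationMethod") != "Password":
        findings.append("AuthenticationMethod is not Password")
    # On-demand VPN with at least one Connect rule keeps the tunnel up.
    if vpn.get("OnDemandEnabled") != 1:
        findings.append("OnDemandEnabled is not set")
    if not any(r.get("Action") == "Connect" for r in vpn.get("OnDemandRules", [])):
        findings.append("no on-demand rule with Action=Connect")
    # AutoOnboard = True is the custom attribute that triggers auto-onboarding.
    auto = str(payload.get("VendorConfig", {}).get("AutoOnboard", ""))
    if auto.lower() != "true":
        findings.append(f"VendorConfig AutoOnboard is {auto!r}, expected 'True'")
    return findings

def validate_profile(profile_bytes):
    """Validate every VPN payload in a profile; returns all findings."""
    payloads = vpn_payloads(profile_bytes)
    if not payloads:
        return ["no com.apple.vpn.managed payload found"]
    findings = []
    for payload in payloads:
        findings.extend(check_self_loop_vpn(payload))
    return findings

if __name__ == "__main__":
    problems = validate_profile(SAMPLE_PROFILE)
    print("OK: profile matches the expected self-loop settings" if not problems
          else "\n".join(problems))
```

Run it against a real export by replacing SAMPLE_PROFILE with the bytes of your downloaded file; a profile whose server address is anything other than a loopback address, or whose AutoOnboard attribute is missing, is reported rather than silently accepted. Split tunnelling is not checked because the generic VPN payload carries no single key for it.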




Add the Microsoft Defender for Endpoint app in the App portal



Assign the app to the respective group.




To configure and deploy the App configuration policy and custom profile on supervised devices, conduct the following steps:


Create an App configuration policy for Defender.



On the Settings page, set the Configuration key as issupervised, then Value type as string with the {{issupervised}} as the Configuration value.





Create a Custom profile



Download the .mobileconfig profile from: https://aka.ms/mdatpiossupervisedprofile


This .mobileconfig profile is used to analyze network traffic to ensure a safe browsing experience, a feature of Defender for iOS.




End User Experience

Once the new device has been enrolled with Automated Device Enrollment via iOS Setup Assistant (OOBE), the device is ready for use.


Apps and profiles will be downloaded to the device while the Company Portal apps are installed automatically (via VPP).




Complete the setup process for the supervised device



Launch the Defender app on the device and follow the instructions to complete the setup.


Upon completing registration via Company Portal app, users' email addresses should automatically be populated, and SSO (Microsoft Enterprise SSO) can be used for even more convenience.





End users will see the Local VPN icon on the Home screen.



Finally, validate the device status in the Defender security portal (securitycenter.windows.com).
