Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Onboarding Intune Managed iOS User Enrollment Devices to Microsoft Defender for Endpoint
Published Jan 03 2024 01:39 PM 4,551 Views
Microsoft

Overview

Microsoft Defender for Endpoint is a unified endpoint security platform that provides protection, detection, investigation, and response capabilities. To use Microsoft Defender for Endpoint on iOS devices, you need to onboard them to the service and assign licenses to users.

This blog post explains the onboarding process of the recently announced support of Microsoft Defender for Endpoint on Intune managed iOS/iPadOS devices enrolled with Apple User Enrollment mode. This enrollment method was introduced with iOS 13 that allows users to enroll their personal devices in a way that protects their privacy and separates work data (stored on a separate volume) from personal data. User Enrollment devices are managed by Intune with a limited set of policies and configurations.

 

Apple User Enrollment Methods

Intune supports two User Enrollment methods, for new deployments, choose one that best meets your requirements. This blog post does not focus on one enrollment type.

  1. Account Driven User Enrollment

OR

  1. User Enrollment with Company Portal

ArnabMitra_0-1704316382617.png

 

Screenshot of a User Enrollment screen.

 

Device Configuration Profile – SSO App Extension (For Account Driven User Enrollment)

You can skip this step if you are using User Enrollment with Company Portal. This step involves creating an Intune device configuration profile of type Device Features with the configurations below:

  • App bundle ID: Include the Defender App bundle ID in this list “com.microsoft.scmx”
  • Additional configuration: Key: device_registration ; Type: String ; Value: {{DEVICEREGISTRATION}}
  • Assign the policy to the target User/Device Group for assignment.

Tip: For a faster evaluation, create a Device Filter of Managed Device type matching the “Enrollment Profile Name” you specified for the Apple User Enrollment method.

ArnabMitra_1-1704316382628.png

 

 

App Configuration Policy – Managed devices

We need to create an App Configuration policy of Managed devices type with Microsoft Defender as the target App.

  • In the Settings page, select Use configuration designer and add UserEnrolmentEnabled as the key, value type as String, value as True.
  • Assign the policy to the target User/Device Group for assignment.

Tip: For a faster evaluation, create a Device Filter of Managed Device type matching the “Enrollment Profile Name” you specified for the Apple User Enrollment method.

ArnabMitra_2-1704316382631.png

 

 

Deploy Defender App

The final step is to deploy the Microsoft Defender App from Intune either via VPP or the Public App Store. What’s important is to ensure that the App Configuration Policy created above targets the same app source (VPP Or Public App Store) .

  • Assign the App to the target User/Device Group for assignment.

ArnabMitra_3-1704316382634.png

 

Important: When you deploy VPP Apps, the default License Type is set to Device, this needs to be changed to User to match the device Enrollment type or else they will fail with error code 0x87D13BA9

 

Onboarding Experience

Here’s a quick overview of the Microsoft Defender onboarding experience with Apple User Enrollment. In the GIF below you will see the following:

  • Launch MDE App to Tap and Sign-In.
  • Accept the License Terms
  • Allow the creation of local loop-back VPN & App Notifications.
  • Next you will see a quick view of the VPN profile in the Settings App
  • Followed by a quick test of MDE by launching a phishing site https://smartscreentestratings2.net which is successfully blocked by MDE.

 

2023-12-20_22-45-00.gif

 

Note: This enrollment scenario does not support Zero-Touch Silent-Onboarding.

As an Admin you can check the onboarding state of the device from the Microsoft Defender Security Portal

ArnabMitra_5-1704316382752.png

 

 

 

Thanks,

Arnab Mitra

3 Comments
Co-Authors
Version history
Last update:
‎Jan 04 2024 08:15 AM
Updated by: