Microsoft Defender for Endpoint is a unified endpoint security platform that provides protection, detection, investigation, and response capabilities. To use Microsoft Defender for Endpoint on iOS devices, you need to onboard them to the service and assign licenses to users.
This blog post explains the onboarding process for the recently announced support of Microsoft Defender for Endpoint on Intune-managed iOS/iPadOS devices enrolled with Apple User Enrollment. This enrollment method, introduced with iOS 13, allows users to enroll their personal devices in a way that protects their privacy and separates work data (stored on a separate volume) from personal data. User Enrollment devices are managed by Intune with a limited set of policies and configurations.
Intune supports two User Enrollment methods. For new deployments, choose the one that best meets your requirements; this blog post does not focus on a single enrollment type.
You can skip this step if you are using User Enrollment with Company Portal. This step involves creating an Intune device configuration profile of type Device Features with the configurations below:
Tip: For a faster evaluation, create a Device Filter of Managed Device type matching the “Enrollment Profile Name” you specified for the Apple User Enrollment method.
We need to create an App Configuration policy of Managed devices type with Microsoft Defender as the target App.
The final step is to deploy the Microsoft Defender app from Intune, either via VPP or the public App Store. What's important is to ensure that the App Configuration Policy created above targets the same app source (VPP or public App Store).
Important: When you deploy VPP apps, the default License Type is set to Device. This needs to be changed to User to match the device enrollment type; otherwise the deployment will fail with error code 0x87D13BA9.
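Two of the steps above lend themselves to a scripted check: creating the Managed Device filter on the enrollment profile name, and catching VPP assignments that are still on the default Device license before they fail on User Enrollment devices. The script below is an added example for this post, not the author's code or a Microsoft-provided script. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All and DeviceManagementApps.Read.All permissions, and that the beta deviceManagement/assignmentFilters endpoint and the iosVppAppAssignmentSettings.useDeviceLicensing property behave as documented; the enrollment profile name is a placeholder you replace with your own.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph SDK installed,
# Graph beta endpoints as documented, placeholder enrollment profile name below.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.Read.All"

# Placeholder: the "Enrollment Profile Name" you gave the Apple User Enrollment profile.
$enrollmentProfileName = "User Enrollment - Defender Eval"

# Step 1: create the Managed Device filter from the tip above, so the Device Features
# profile, the App Configuration policy and the app can all be scoped to just these devices.
$filterBody = @{
    displayName                    = "iOS User Enrollment - $enrollmentProfileName"
    description                    = "Devices enrolled through the Apple User Enrollment profile"
    platform                       = "iOS"
    rule                           = "(device.enrollmentProfileName -eq `"$enrollmentProfileName`")"
    assignmentFilterManagementType = "devices"
}
$filter = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters" `
    -Body $filterBody
Write-Host "Created filter $($filter.id) with rule: $($filter.rule)"

# Step 2: audit VPP app assignments. An assignment left on Device licensing cannot be
# honoured on a User Enrollment device, which is the 0x87D13BA9 case called out above.
$vppApps = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/mobileApps?`$filter=isof('microsoft.graph.iosVppApp')&`$expand=assignments"

$deviceLicensed = @()
foreach ($app in $vppApps.value) {
    foreach ($assignment in $app.assignments) {
        # useDeviceLicensing = $true means the default Device license type is still in effect.
        if ($assignment.settings -and $assignment.settings.useDeviceLicensing -eq $true) {
            $deviceLicensed += [pscustomobject]@{
                App          = $app.displayName
                AssignmentId = $assignment.id
                TargetType   = $assignment.target.'@odata.type'
            }
        }
    }
}

if ($deviceLicensed.Count -eq 0) {
    Write-Host "All VPP app assignments use User licensing."
} else {
    Write-Warning "VPP assignments still on Device licensing (switch to User for User Enrollment devices):"
    $deviceLicensed | Format-Table -AutoSize
}
```

Run it once before assigning the Defender app; the filter it creates can be attached to each of the three assignments above, and the table it prints is the list of VPP assignments you need to flip to User licensing in the Intune portal.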
Here’s a quick overview of the Microsoft Defender onboarding experience with Apple User Enrollment. In the GIF below you will see the following:
Note: This enrollment scenario does not support Zero-Touch Silent-Onboarding.
As an admin, you can check the onboarding state of the device from the Microsoft Defender Security Portal.
Thanks,
Arnab Mitra