Onboarding Intune Managed iOS User Enrollment Devices to Microsoft Defender for Endpoint
Published Jan 03 2024 01:39 PM 6,365 Views
Microsoft

Overview

Microsoft Defender for Endpoint is a unified endpoint security platform that provides protection, detection, investigation, and response capabilities. To use Microsoft Defender for Endpoint on iOS devices, you need to onboard them to the service and assign licenses to users.

This blog post explains the onboarding process for the recently announced support of Microsoft Defender for Endpoint on Intune managed iOS/iPadOS devices enrolled with Apple User Enrollment. User Enrollment, introduced with iOS 13, lets users enroll their personal devices in a way that protects their privacy and separates work data (stored on a separate, managed APFS volume) from personal data. Because of that separation, User Enrollment devices are managed by Intune with a limited set of policies and configurations, and Intune does not see the device's serial number or UDID, which is why the Defender onboarding steps below differ from those for Device Enrollment.

 

Apple User Enrollment Methods

Intune supports two User Enrollment methods. For new deployments, choose the one that best meets your requirements; the steps in this post apply to both, except where noted.

  1. Account Driven User Enrollment (the user signs in with a Managed Apple ID from the Settings app)
  2. User Enrollment with Company Portal (the user starts enrollment from the Company Portal app)

(Screenshot of a User Enrollment screen.)

 

Device Configuration Profile – SSO App Extension (For Account Driven User Enrollment)

You can skip this step if you are using User Enrollment with Company Portal: there, the Company Portal app handles registration of the device in Microsoft Entra. With Account Driven User Enrollment there is no Company Portal app on the device, so the Defender app relies on the Microsoft Enterprise SSO plug-in and the device_registration key below to complete registration. Create an Intune device configuration profile (Platform: iOS/iPadOS, Profile type: Device Features, Single sign-on app extension) with the settings below:

  • SSO app extension type: Microsoft Entra ID
  • App bundle IDs: add the Defender app bundle ID, com.microsoft.scmx
  • Additional configuration: Key: device_registration ; Type: String ; Value: {{DEVICEREGISTRATION}}
  • Assign the profile to the target user/device group.

Tip: For a faster evaluation, and to keep these policies off your Device Enrollment devices, create a device filter for managed devices with the rule device.enrollmentProfileName -eq "<name>", where <name> is the Enrollment Profile Name you specified for the Apple User Enrollment method, and use it as an include filter on each assignment.


 

 

App Configuration Policy – Managed devices

Create an App Configuration policy of type Managed devices with Microsoft Defender as the targeted app. The key below signals to the Defender app that the device is enrolled with User Enrollment, so it onboards with the capabilities that enrollment type allows.

  • On the Settings page, select Use configuration designer and add a setting with key UserEnrolmentEnabled (enter it exactly as shown), value type String, value True.
  • Assign the policy to the target user/device group.

Tip: Reuse the same device filter (Enrollment Profile Name of the Apple User Enrollment method) as an include filter here, so the policy lands only on User Enrollment devices.


 

 

Deploy Defender App

The final step is to deploy the Microsoft Defender app from Intune, either as a VPP (Apple Business Manager / Apple School Manager) app or from the public App Store. Intune treats the VPP app and the App Store app as two different app objects, so make sure the App Configuration Policy created above targets the same app source (VPP or public App Store) you deploy; otherwise the UserEnrolmentEnabled key is never delivered to the installed app.

  • Assign the app to the target user/device group.


 

Important: When you deploy VPP apps, the default License Type on the assignment is Device. User Enrollment supports only user-based (Managed Apple ID) app licensing, so change the license type to User to match the enrollment type; otherwise the installation fails with error code 0x87D13BA9.
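The three steps above (SSO app extension profile, app configuration policy, app assignment with user licensing) plus the device filter from the tips, as one added PowerShell example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK against the Graph beta endpoint; the group ID, enrollment profile name and the $UseVpp switch are placeholders you replace, and the Graph property names follow the beta schema at the time of writing, so verify them against the current reference before using this in production.

```powershell
# Added example, not from the original post: creates the Intune objects described above
# through Microsoft Graph (beta) with the Microsoft Graph PowerShell SDK.
# Assumptions: Install-Module Microsoft.Graph.Authentication has been run, the Defender app
# (VPP or App Store) has already been added to Intune, and the three values below are replaced.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.ReadWrite.All"
$beta = "https://graph.microsoft.com/beta"

$GroupId           = "00000000-0000-0000-0000-000000000000"   # placeholder: Entra group to target
$EnrollmentProfile = "iOS User Enrollment"                      # placeholder: Apple User Enrollment profile name
$UseVpp            = $true                                      # $true = VPP app, $false = public App Store app
$DefenderBundleId  = "com.microsoft.scmx"                       # Defender for Endpoint iOS bundle ID (from the post)

# Tip from the post: assignment filter on the enrollment profile name, so the SSO profile and
# the app configuration policy reach only User Enrollment devices.
$filter = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/assignmentFilters" -Body @{
    displayName = "iOS User Enrollment devices"
    platform    = "iOS"
    rule        = "(device.enrollmentProfileName -eq `"$EnrollmentProfile`")"
}
$target = @{
    "@odata.type"                              = "#microsoft.graph.groupAssignmentTarget"
    groupId                                    = $GroupId
    deviceAndAppManagementAssignmentFilterId   = $filter.id
    deviceAndAppManagementAssignmentFilterType = "include"
}

# Step 1: Device Features profile with the Microsoft Entra SSO app extension.
# Only needed for Account Driven User Enrollment; skip for User Enrollment with Company Portal.
$sso = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/deviceConfigurations" -Body @{
    "@odata.type" = "#microsoft.graph.iosDeviceFeaturesConfiguration"
    displayName   = "MDE iOS - SSO app extension (User Enrollment)"
    iosSingleSignOnExtension = @{
        "@odata.type"             = "#microsoft.graph.iosAzureAdSingleSignOnExtension"
        bundleIdAccessControlList = @($DefenderBundleId)
        configurations            = @(
            @{
                "@odata.type" = "#microsoft.graph.keyStringValuePair"
                key           = "device_registration"
                value         = "{{DEVICEREGISTRATION}}"
            }
        )
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/deviceConfigurations/$($sso.id)/assign" -Body @{
    assignments = @(@{ target = $target })
}

# Steps 2 and 3 share the app object. Intune stores the VPP app and the App Store app as separate
# objects, so pick the one you deploy; the app configuration policy must target that same object.
$appType = if ($UseVpp) { "#microsoft.graph.iosVppApp" } else { "#microsoft.graph.iosStoreApp" }
$app = (Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceAppManagement/mobileApps").value |
    Where-Object { $_.'@odata.type' -eq $appType -and $_.bundleId -eq $DefenderBundleId } |
    Select-Object -First 1
if (-not $app) { throw "Defender app ($appType) not found in Intune; add it first." }

# Step 2: app configuration policy (managed devices) carrying UserEnrolmentEnabled=True.
$cfg = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceAppManagement/mobileAppConfigurations" -Body @{
    "@odata.type"      = "#microsoft.graph.iosMobileAppConfiguration"
    displayName        = "MDE iOS - User Enrollment"
    targetedMobileApps = @($app.id)
    settings           = @(
        @{ appConfigKey = "UserEnrolmentEnabled"; appConfigKeyType = "stringType"; appConfigKeyValue = "True" }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceAppManagement/mobileAppConfigurations/$($cfg.id)/assign" -Body @{
    assignments = @(@{ target = $target })
}

# Step 3: required app assignment. For VPP, useDeviceLicensing = $false is the "License Type: User"
# setting from the Important note; device licensing fails on User Enrollment devices (0x87D13BA9).
$assignment = @{
    "@odata.type" = "#microsoft.graph.mobileAppAssignment"
    intent        = "required"
    target        = $target
}
if ($UseVpp) {
    $assignment.settings = @{
        "@odata.type"      = "#microsoft.graph.iosVppAppAssignmentSettings"
        useDeviceLicensing = $false
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceAppManagement/mobileApps/$($app.id)/assign" -Body @{
    mobileAppAssignments = @($assignment)
}
```

The mobileApps listing is filtered client-side on the OData type and bundle ID rather than with a server-side $filter, so that the VPP and App Store copies of the same app are told apart explicitly; on a large tenant you would page through the collection before filtering.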

 

Onboarding Experience

Here’s a quick overview of the Microsoft Defender onboarding experience with Apple User Enrollment. The GIF below shows the following:

  • Launch the Microsoft Defender app and tap to sign in.
  • Accept the license terms.
  • Allow the creation of the local loopback VPN (used by Defender for web protection) and app notifications.
  • A quick look at the resulting VPN profile in the Settings app.
  • A quick test of Defender by opening the SmartScreen phishing test page https://smartscreentestratings2.net, which Defender blocks.

 

(Animated GIF of the onboarding flow described above.)

 

Note: This enrollment scenario does not support zero-touch (silent) onboarding; the user has to open the app and complete the steps above.

As an admin, you can check the onboarding state of the device in the Microsoft Defender portal (Assets > Devices).
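Checking the onboarding state from a script rather than the portal, as an added example that is not part of the original post. It runs an advanced hunting query over the DeviceInfo table through the Microsoft Graph security API, assuming the Microsoft Graph PowerShell SDK is installed, the signed-in account holds ThreatHunting.Read.All, and the DeviceInfo columns used (OSPlatform, OnboardingStatus, ManagedBy, ClientVersion) are as documented for Defender XDR advanced hunting.

```powershell
# Added example, not from the original post: lists the iOS devices Defender knows about and
# their onboarding state, so a stalled User Enrollment onboarding is easy to spot.
# Assumptions: Microsoft.Graph.Authentication module installed; ThreatHunting.Read.All granted.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

# KQL against the DeviceInfo table; arg_max keeps only the latest report per device.
$query = @'
DeviceInfo
| where OSPlatform == "iOS"
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, OSVersion, OnboardingStatus, ManagedBy, ClientVersion, Timestamp
| order by Timestamp desc
'@

$result = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" -Body @{
    Query = $query
}

# Convert each result row (a hashtable) to an object; sort so non-"Onboarded" rows stand out.
$rows = $result.results | ForEach-Object { [pscustomobject]$_ }
$rows | Sort-Object OnboardingStatus | Format-Table DeviceName, OSVersion, OnboardingStatus, ManagedBy, ClientVersion, Timestamp -AutoSize

$pending = @($rows | Where-Object { $_.OnboardingStatus -ne "Onboarded" })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) iOS device(s) are not reported as Onboarded; check that the Defender app was launched and signed in on them."
}
```

Because User Enrollment does not support silent onboarding, a device that shows up as managed in Intune but is absent here, or is present with a state other than Onboarded, usually means the user has not yet opened the Defender app and completed the sign-in and VPN prompts.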


 

 

 

Thanks,

Arnab Mitra

Last update: Jan 04 2024 08:15 AM