Microsoft Defender for Endpoint (MDE) is a unified endpoint security platform that helps protect your devices from advanced threats. MDE on iOS/iPadOS devices provides protection against phishing and unsafe network connections. To use MDE on iOS devices, you need to enroll them in Microsoft Intune, a cloud-based service that helps you manage and secure your mobile devices.
This blog post helps you prepare your environment for zero-touch aka silent enrollment of MDE on your Intune managed iOS/iPadOS devices. Zero Touch enrollment is not available for all scenarios, below is a matrix for reference:
In this post, we will discuss the two selected scenarios which support silent onboarding of MDE. This does not include Shared/Kiosk or user-less devices.
Before you enroll MDE on iOS/iPadOS devices, make sure you have the following:
Tip: You may want to create a Device group for these target devices since the configuration policies below are recommended to be deployed against devices.
You may choose to deploy the Microsoft Defender App from Intune either via VPP (volume purchasing programs) or the Public App Store. What’s important is to ensure that the App Configuration Policy you will create later targets the same app source (VPP Or Public App Store).
These are company owned devices enrolled via the Apple Device Enrollment Program (ADE formerly DEP) or using Apple Configurator profiles. When you onboard a Supervised Device into MDE, it does not create a local loopback VPN.
At a high-level, you need an App Configuration Policy and a Device Configuration Policy targeted to these devices.
The next step is to create a Custom Configuration Profile which enables Web Protection without the need for any local loopback VPN.
Screenshot of the custom .mobileconfig file highlighting the silent onboarding configuration.
Since this is a silent enrollment of MDE, the end user would only notice the MDE App installed. They do not need to launch the app for any activation. In the GIF below you will notice before the MDE App is installed, I am able to browse a malicious site (https://smartscreentestratings2.net) and after the deployment and silent configuration of MDE the same site is immediately blocked by Defender.
These devices are primarily BYOD or Corporate owned devices however not enrolled via Apple ADE/Configurator profiles. These devices are enrolled through App or Web-based Device Enrollment scenario.
Please note that Apple User Enrollment does not support MDE Zero-Touch silent enrollment, refer my previous blog post for deployment guidance: Onboarding Intune Managed iOS User Enrollment Devices to Microsoft Defender for Endpoint - Microsoft...
A VPN is created for Web Protection Feature on Unsupervised devices. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
Guidance: Use a Per-App VPN profile to allow your Enterprise Apps access to corporate resources while leaving the Defender Device-Wide VPN to protect the device. Alternatively, if you switch to Microsoft Tunnel as your corporate VPN gateway, the Defender App will suffice both the requirements.
For these devices all you need is a Configuration Profile of type VPN.
The key differentiator is the Key-value pair highlighted in the screenshot below which enables Silent onboarding of the Defender VPN profile.
The device onboarding experience is like Supervised device as called out in the GIF above. As an end user one would only notice the MDE App installed. They do not need to launch the app for any activation.
Post enrollment the device reports to the Microsoft Defender Security Portal.
The device name in Defender for Endpoint console is of the format <username_iPhone/iPad model>. You can also use Microsoft Entra device ID to identify the device in the Defender for Endpoint console.
Additionally, you will see an active Alert from the suspicious site browsed by the user on that device.
Thanks,
Arnab Mitra
Special thanks to Michael and Yuji for their valuable inputs in this blog post.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.