problems with MS Defender for Endpoint on iOS device

Copper Contributor

Hi. We recently deployed MS Defender for Endpoint on all our iOS devices through Intune. However, since then, people are complaining their internet browsing experience is not good. It's slow, some sites take forever to load (when they do), etc. When we manually disable the Defender VPN connection, it's working again. How can we fix this issue? Thanks.

18 Replies

@bjork6 Can you please send an in app feedback regarding this issue. For sending the feedback, you can click on Profile picture at the top left -> Send Feedback -> I don't like something. Please enable "diagnostics data" switch in this page. It will allow us to investigate this issue further.

 

Thanks,

Akash

We've been experiencing the same thing. Since MS Defender was deployed to iOS Devices via Intune, the devices connection becomes almost unusable.

As soon as the app is removed, the connection returns to normal and device is usable again.

Hopefully a fix can be found soon.

Hi, @MarkTheITGuy ,

Apologies for the inconvenience. This is not an expected behaviour, and we will like to investigate this issue further. It will be helpful if you can send us an in-app feedback using the steps outlined here along with Diagnostics Data enabled to allow us to identify the issue better: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/ios-troubleshoot?view=o365...

Please do mention the issues you are facing in the feedback such as network latencies, or if any particular set of apps is being affected by Defender.

 

Thanks,

Akash

Microsoft Defender for Endpoint team

Thanks, Akash.
I've sent a couple of feedback requests. I needed to reinstall the app and sent another feedback request.

As mentioned in the tickets. When the app is installed and enabled, we get many connection timeouts on a host of different sites using different browsers.

I would say on average, 8/10 URLs visited, throw a connection error and time out.

Thanks again for your reply.

Thanks @MarkTheITGuy . We will investigate the issue and reach out to you with our findings and remediations on our feedback channel.

@MarkTheITGuy The problem is not with Defender on iOS per se but instead with the ATP module (web content filtering). Microsoft provides a script for that. It can be downloaded here. The problem is, once a policy that contains that script is created in InTune and is applied to iOS devices, traffic becomes very slow and some sites don't even load (bank sites, news sites, etc.). If you let ATP enabled but remove the policy to filter the traffic it will work fine. However, the outbound traffic will not be inspected anymore.

Thanks for the reply @rickside - It makes sense what you're saying. The downside is that if we remove the policy, and leave the outbound traffic un-inspected, would that then mean that malicious links clicked from emails, that redirect to a malicious site, would then be allowed to load as normal?

We've had a few incidents recently, where unaware users, clicked links in email, and also a couple from website popups, that were blocked by ATP so the user was protected.

Just thinking if we turn it off, would these users (and there will be more) fall pray to these links?

Thanks again, mate.
From what I understand, ATP will still do its job (meaning it will block malicious websites that it already knows) but you are correct, it will not analyze outbound traffic on the fly. Unless Microsoft provides a better way to do this, I am afraid you'll just have to live with it or search for another product/solution. I am not a big fan of the way the traffic inspection works on iOS (i.e. VPN-THAT-POINTS-TO-LOCAL-LOOPBACK) but it seems that's the way they decided to go.

@rickside @MarkTheITGuy , Currently there is a known issue with the content profile (script that you deploy from Intune) which is causing internet connectivity problems. We are looking into this issue. Meanwhile, you can un-deploy this profile to help resolve the internet connectivity problems. Please find more details here.

 

Also, even without the profile, Defender for Endpoint will still protect you from phishing in real-time leveraging the VPN capabilities. Hope this helps. Please revert back for further questions.

 

 

@sunayanasingh Thanks for the update. Out of curiosity, any ETA currently for the updated profile to be released?

@MarkTheITGuy No definitive ETA as of now. But we will keep this thread posted.

@sunayansingh Awesome. Thank You.

Is this problem now resolved?

@mohan_infosec not that i'm aware of.

This issue does not seem to be resolved for unsupervised devices. If users leave the VPN enabled they still cannot browse simple websites, use Outlook or Teams apps and some other apps. If the device is supervised it works without issue. Anyone aware of when the issue would be resolved for Unsupervised phones?

@MWilkins you are absolutely right. On unsupervised devices, the VPN is still present, and it prevents access to random sites (news, banks, etc.). I tried to figure out a way to get rid of the VPN without breaking up Defender status and compliance policy in Intune without any success yet. For the moment, we told our affected users to temporarily disable the VPN when it is not working.

@rickside is their any news regarding the vpn issue with the unsupervised iphone?