This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 97%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELC%3C/text%3E%3C/svg%3E)
Hello everyone,
I am currently a student and intern in cybersecurity, and I am curious about how Defender operates on mobile devices, particularly on iOS (after deployed with Intune).
I have been trying to find a flow chart that outlines the workings of web application protection with local self-looping VPN, and other stuff but I didn't found anything (It would have been too easy, of course...).
For example, when a user sends a request to a website (not necessarily malicious), at what point does Defender analyze the packets or website content?
I assume that the packets are sent to the ATP (Advanced Threat Protection) module via the self-looping VPN.
Additionally, Microsoft documentation states, "To detect malicious websites, Microsoft Defender for Endpoint uses on-device capabilities, and in some cases, remote services." What exactly are these remote services, and in what scenarios are they employed?
Does Intune also play a role in security in addition to Defender? (with portal entreprise) Or does Intune use Defender for the security ?
Does anyone know the main steps involved in this process, or recommend any tools (to analyse log/phone trafics) or forums that might help me understand this better?
Have a nice day
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Loïc Thank you for reaching out to us, As I understand you have queries on MDE for iOS devices.
Regarding deployment refer to this doc - https://learn.microsoft.com/en-us/defender-endpoint/ios-install?view=o365-worldwide#configure-supervised-mode-via-microsoft-intune
When a user sends a request to a website, the packets are sent through the local self-looping VPN to the ATP module, which analyzes the packets and website content for any malicious activity. - Reference
Regarding the remote services used by Microsoft Defender for Endpoint, these are cloud-based services that provide additional threat intelligence and analysis capabilities. These services include Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Cloud App Security.
As for tools to analyze log/phone traffic, there are many options available, including Wireshark, Fiddler, and Charles Proxy. These tools can help you capture and analyze network traffic to better understand how Defender for Endpoint works on mobile devices.
I hope this helps! Let me know if you have any further questions.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.