How does Defender ATP work on iOS?

Loïc 85 Reputation points
2024-05-02T12:23:41.01+00:00

Hello everyone,

I am currently a student and intern in cybersecurity, and I am curious about how Defender operates on mobile devices, particularly on iOS (after being deployed with Intune).

I have been trying to find a flow chart that outlines the workings of web protection with the local self-looping VPN, and other things, but I didn't find anything (it would have been too easy, of course...).

For example, when a user sends a request to a website (not necessarily malicious), at what point does Defender analyze the packets or website content?

I assume that the packets are sent to the ATP (Advanced Threat Protection) module via the self-looping VPN.

Additionally, Microsoft documentation states, "To detect malicious websites, Microsoft Defender for Endpoint uses on-device capabilities, and in some cases, remote services." What exactly are these remote services, and in what scenarios are they employed?

Does Intune also play a role in security in addition to Defender (with the Company Portal)? Or does Intune use Defender for the security?

Does anyone know the main steps involved in this process, or can anyone recommend any tools (to analyse logs/phone traffic) or forums that might help me understand this better?

Have a nice day

Thanks


Accepted answer

Givary-MSFT 33,391 Reputation points Microsoft Employee
2024-05-06T07:16:35.6366667+00:00

    @Loïc Thank you for reaching out to us. As I understand it, you have queries on MDE for iOS devices.

    Regarding deployment refer to this doc - https://learn.microsoft.com/en-us/defender-endpoint/ios-install?view=o365-worldwide#configure-supervised-mode-via-microsoft-intune

    When a user sends a request to a website, the packets are sent through the local self-looping VPN to the ATP module, which analyzes the packets and website content for any malicious activity. - Reference

    Regarding the remote services used by Microsoft Defender for Endpoint, these are cloud-based services that provide additional threat intelligence and analysis capabilities. These services include Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Cloud App Security.

    As for tools to analyze log/phone traffic, there are many options available, including Wireshark, Fiddler, and Charles Proxy. These tools can help you capture and analyze network traffic to better understand how Defender for Endpoint works on mobile devices.

    I hope this helps! Let me know if you have any further questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

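The flow the accepted answer sketches (requests enter a local loopback VPN, are checked on the device first, and only unknown destinations are referred to a remote service) can be made concrete with a small model. The code below is an added illustration written for this thread, not Microsoft's implementation and not code from either participant: the block/allow lists, the `fake_remote_reputation` rule, the hostnames and the proxy-style log lines are all constructed, and `WebProtection`, `audit_log` and `host_of` are hypothetical names. It replays a constructed traffic log of the kind Charles or Fiddler can export and reports, per request, whether the verdict came from the on-device lists, a cached remote verdict, or a fresh remote lookup.

```python
"""Toy model of a tiered web-protection decision behind a loopback VPN.
Hypothetical model for illustration only; every list, hostname and log
line below is constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed on-device verdict lists (placeholders, not real threat data).
ON_DEVICE_BLOCK = {"malicious.example"}
ON_DEVICE_ALLOW = {"intranet.example", "learn.microsoft.com"}


def host_of(url: str) -> str:
    """Normalise the destination host of a URL or bare host:port string."""
    target = url if "//" in url else "//" + url   # urlsplit needs a netloc
    host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")               # case and trailing-dot folding


@dataclass
class Verdict:
    host: str
    action: str   # "allow" or "block"
    source: str   # "on-device", "cache" or "remote"


@dataclass
class WebProtection:
    """Decision pipeline sitting behind a (simulated) loopback VPN."""
    remote_lookup: Callable[[str], bool]          # True => host is malicious
    cache: Dict[str, str] = field(default_factory=dict)
    remote_calls: int = 0

    def decide(self, url: str) -> Verdict:
        host = host_of(url)
        if not host:                         # unparsable request: fail closed
            return Verdict(host, "block", "on-device")
        if host in ON_DEVICE_BLOCK:
            return Verdict(host, "block", "on-device")
        if host in ON_DEVICE_ALLOW:
            return Verdict(host, "allow", "on-device")
        if host in self.cache:               # remote verdict already known
            return Verdict(host, self.cache[host], "cache")
        self.remote_calls += 1               # the "in some cases" path
        action = "block" if self.remote_lookup(host) else "allow"
        self.cache[host] = action
        return Verdict(host, action, "remote")


def fake_remote_reputation(host: str) -> bool:
    """Stand-in for a cloud reputation service (constructed rule)."""
    return host.endswith(".phish.example")


# Constructed proxy-style log lines: timestamp, method, URL, status.
SAMPLE_LOG = """\
2024-05-02T12:23:41Z GET https://learn.microsoft.com/en-us/defender-endpoint/ 200
2024-05-02T12:23:42Z GET http://malicious.example/payload 200
2024-05-02T12:23:43Z GET https://login.phish.example/signin 200
2024-05-02T12:23:44Z GET https://news.example/today 200
2024-05-02T12:23:45Z GET https://login.phish.example/submit 200
"""


def audit_log(log_text: str) -> Tuple[List[Verdict], int]:
    """Replay each logged request through the pipeline; return the verdicts
    and how many requests actually needed a remote lookup."""
    wp = WebProtection(remote_lookup=fake_remote_reputation)
    verdicts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                         # skip malformed lines
        verdicts.append(wp.decide(parts[2]))
    return verdicts, wp.remote_calls


if __name__ == "__main__":
    for v in audit_log(SAMPLE_LOG)[0]:
        print(f"{v.action:5} {v.source:9} {v.host}")
```

Run against the constructed log, only two of the five requests reach the remote service: the first two are settled on the device, and the repeat visit to the phishing host is answered from the cached remote verdict. That split is what to look for when capturing a real device's traffic with the tools the answer names: the requests that leave the phone for a reputation check are exactly the ones the on-device lists could not settle.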