Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune

This topic describes deploying Defender for Endpoint on iOS on Microsoft Intune Company Portal enrolled devices. For more information about Microsoft Intune device enrollment, see Enroll iOS/iPadOS devices in Intune.

Before you begin

  • Ensure you have access to the Microsoft Intune admin center.

  • Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint on iOS. Refer to Assign licenses to users for instructions on how to assign licenses.

Note

Microsoft Defender for Endpoint on iOS is available in the Apple App Store.

This section covers:

  1. Deployment steps (applicable for both Supervised and Unsupervised devices) - Admins can deploy Defender for Endpoint on iOS via Microsoft Intune Company Portal. This step is not needed for VPP (volume purchase) apps.

  2. Complete deployment (only for Supervised devices) - Admins can deploy either one of the given profiles.

    1. Zero touch (Silent) Control Filter - Provides Web Protection without the local loopback VPN and also enables silent onboarding for users. The app is automatically installed and activated without the need for the user to open the app.
    2. Control Filter - Provides Web Protection without the local loopback VPN.
  3. Automated Onboarding setup (only for Unsupervised devices) - Admins can automate the Defender for Endpoint onboarding for users in two different ways:

    1. Zero touch (Silent) Onboarding - The app is automatically installed and activated without the need for users to open the app.
    2. Auto Onboarding of VPN - The Defender for Endpoint VPN profile is set up automatically, so the user does not have to do so during onboarding. This step is not recommended in Zero touch configurations.

Deployment steps (applicable for both Supervised and Unsupervised devices)

Deploy Defender for Endpoint on iOS via Microsoft Intune Company Portal.

Add iOS store app

  1. In the Microsoft Intune admin center, go to Apps > iOS/iPadOS > Add > iOS store app and click Select.

    The Add applications tab in the Microsoft Intune admin center

  2. On the Add app page, click on Search the App Store and type Microsoft Defender in the search bar. In the search results section, click on Microsoft Defender and click Select.

  3. Select iOS 14.0 as the Minimum operating system. Review the rest of the information about the app and click Next.

  4. In the Assignments section, go to the Required section and select Add group. You can then choose the user group(s) that you would like to target with the Defender for Endpoint on iOS app. Click Select and then Next.

    Note

    The selected user group should consist of Microsoft Intune enrolled users.

    The Add group tab in the Microsoft Intune admin center

  5. In the Review + Create section, verify that all the information entered is correct and then select Create. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page.

  6. In the app information page that is displayed, in the Monitor section, select Device install status to verify that the device installation has completed successfully.

    The Device install status page

Complete deployment for supervised devices

The Microsoft Defender for Endpoint on iOS app has specialized capabilities on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. It can also provide Web Protection without setting up a local VPN on the device. This gives end users a seamless experience while still being protected from phishing and other web-based attacks.

Admins can use the following steps to configure supervised devices.

Configure Supervised Mode via Microsoft Intune

Configure the supervised mode for Defender for Endpoint app through an App configuration policy and Device configuration profile.

App configuration policy

Note

This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for ALL managed iOS devices as a best practice.

  1. Sign in to the Microsoft Intune admin center and go to Apps > App configuration policies > Add. Select Managed devices.

  2. In the Create app configuration policy page, provide the following information:

    • Policy Name
    • Platform: Select iOS/iPadOS
    • Targeted app: Select Microsoft Defender for Endpoint from the list

  3. In the next screen, select Use configuration designer as the format. Specify the following properties:

    • Configuration Key: issupervised
    • Value type: String
    • Configuration Value: {{issupervised}}

  4. Select Next to open the Scope tags page. Scope tags are optional. Select Next to continue.

  5. On the Assignments page, select the groups that will receive this profile. For this scenario, it is best practice to target All Devices. For more information on assigning profiles, see Assign user and device profiles.

    When deploying to user groups, a user must sign in to a device before the policy applies.

    Click Next.

  6. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list of configuration profiles.

Device configuration profile (Control Filter)

Note

For devices that run iOS/iPadOS (in Supervised Mode), there is a custom .mobileconfig profile, called the ControlFilter profile, available. This profile enables Web Protection without setting up the local loopback VPN on the device. This gives end users a seamless experience while still being protected from phishing and other web-based attacks.

Admins deploy either one of the given profiles:

  1. Zero touch (Silent) Control Filter - This profile enables silent onboarding for users. Download the config profile from ControlFilterZeroTouch.

  2. Control Filter - Download the config profile from ControlFilter.

Once the profile has been downloaded, deploy the custom profile. Follow the steps below:

  1. Navigate to Devices > iOS/iPadOS > Configuration profiles > Create Profile.

  2. Select Profile Type > Templates and Template name > Custom.

  3. Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded from the previous step.

  4. In the Assignment section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Select Next.

    Note

    Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2.

  5. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list of configuration profiles.

Automated Onboarding setup (only for Unsupervised devices)

Admins can automate the Defender onboarding for users in two different ways: with Zero touch (Silent) Onboarding or with Auto Onboarding of VPN.

Zero-touch (Silent) onboarding of Microsoft Defender for Endpoint

Note

Zero-touch cannot be configured on iOS devices that are enrolled without user affinity (user-less devices or shared devices).

Admins can configure Microsoft Defender for Endpoint to deploy and activate silently. In this flow, the administrator creates a deployment profile and the user is simply notified of the installation. Defender for Endpoint is automatically installed without the need for the user to open the app. Follow the steps below to set up zero-touch or silent deployment of Defender for Endpoint on enrolled iOS devices:

  1. In the Microsoft Intune admin center, go to Devices > Configuration Profiles > Create Profile.

  2. Choose Platform as iOS/iPadOS, Profile type as Templates and Template name as VPN. Select Create.

  3. Type a name for the profile and select Next.

  4. Select Custom VPN for Connection Type and in the Base VPN section, enter the following:

    • Connection Name = Microsoft Defender for Endpoint
    • VPN server address = 127.0.0.1
    • Auth method = "Username and password"
    • Split Tunneling = Disable
    • VPN identifier = com.microsoft.scmx
    • In the key-value pairs, enter the key SilentOnboard and set the value to True.
    • Type of Automatic VPN = On-demand VPN
    • Select Add for On Demand Rules and select I want to do the following = Connect VPN, I want to restrict to = All domains.

    The VPN profile Configuration page

    • To mandate that the VPN can't be disabled on a user's device, admins can select Yes from Block users from disabling automatic VPN. By default, it's not configured and users can disable the VPN only in Settings.
    • To allow users to change the VPN toggle from within the app, add EnableVPNToggleInApp = TRUE in the key-value pairs. By default, users can't change the toggle from within the app.
  5. Select Next and assign the profile to targeted users.

  6. In the Review + Create section, verify that all the information entered is correct and then select Create.

Once the above configuration is done and synced with the device, the following actions take place on the targeted iOS device(s):

  • Microsoft Defender for Endpoint will be deployed and silently onboarded and the device will be seen in the Defender for Endpoint portal.
  • A provisional notification will be sent to the user device.
  • Web Protection and other features will be activated.

Note

For supervised devices, admins can setup Zero touch onboarding with the new ZeroTouch Control Filter Profile. Defender for Endpoint VPN Profile will not be installed on the device and Web protection will be provided by the Control Filter Profile.

Auto-Onboarding of VPN profile (Simplified Onboarding)

Note

This step simplifies the onboarding process by setting up the VPN profile. If you are using Zero touch, you do not need to perform this step.

For unsupervised devices, a VPN is used to provide the Web Protection feature. This is not a regular VPN; it is a local loopback VPN that does not send traffic outside the device.

Admins can configure auto-setup of the VPN profile. This automatically sets up the Defender for Endpoint VPN profile, so the user does not have to do so while onboarding.

  1. In the Microsoft Intune admin center, go to Devices > Configuration Profiles > Create Profile.

  2. Choose Platform as iOS/iPadOS and Profile type as VPN. Click Create.

  3. Type a name for the profile and click Next.

  4. Select Custom VPN for Connection Type and in the Base VPN section, enter the following:

    • Connection Name = Microsoft Defender for Endpoint

    • VPN server address = 127.0.0.1

    • Auth method = "Username and password"

    • Split Tunneling = Disable

    • VPN identifier = com.microsoft.scmx

    • In the key-value pairs, enter the key AutoOnboard and set the value to True.

    • Type of Automatic VPN = On-demand VPN

    • Select Add for On Demand Rules and select I want to do the following = Connect VPN, I want to restrict to = All domains.

      The VPN profile Configuration settings tab.

    • To require that the VPN cannot be disabled on a user's device, admins can select Yes from Block users from disabling automatic VPN. By default, this setting is not configured and users can disable the VPN only in Settings.

    • To allow users to change the VPN toggle from within the app, add EnableVPNToggleInApp = TRUE in the key-value pairs. By default, users cannot change the toggle from within the app.

  5. Click Next and assign the profile to targeted users.

  6. In the Review + Create section, verify that all the information entered is correct and then select Create.
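As an added verification check (not from the original page or from Microsoft), the script below parses a .mobileconfig and confirms that a VPN payload carries the settings both VPN procedures above prescribe: loopback server 127.0.0.1, identifier com.microsoft.scmx, an on-demand Connect rule, and a SilentOnboard or AutoOnboard key set to True. The embedded profile is a constructed sample laid out with Apple's com.apple.vpn.managed payload keys; that layout is an assumption about the shape of Intune's export.

```python
import plistlib

# Constructed sample (not an Intune export): a trimmed VPN payload using Apple's
# com.apple.vpn.managed keys, carrying the settings listed for Auto Onboarding of VPN.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>UserDefinedName</key><string>Microsoft Defender for Endpoint</string>
  <key>VPNType</key><string>VPN</string>
  <key>VPNSubType</key><string>com.microsoft.scmx</string>
  <key>VPN</key><dict>
    <key>RemoteAddress</key><string>127.0.0.1</string>
    <key>AuthenticationMethod</key><string>Password</string>
    <key>OnDemandEnabled</key><integer>1</integer>
    <key>OnDemandRules</key><array><dict><key>Action</key><string>Connect</string></dict></array>
  </dict>
  <key>VendorConfig</key><dict><key>AutoOnboard</key><string>True</string></dict>
</dict></array></dict></plist>"""

# Same profile with a non-loopback server address and the onboarding key misspelled.
BAD_MOBILECONFIG = (SAMPLE_MOBILECONFIG.replace(b"127.0.0.1", b"203.0.113.5")
                    .replace(b"AutoOnboard", b"AutoOnbaord"))


def check_defender_vpn_payload(data: bytes) -> list:
    """Return findings for each VPN payload; an empty list means it matches the page."""
    findings = []
    plist = plistlib.loads(data)
    payloads = [p for p in plist.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not payloads:
        return ["no com.apple.vpn.managed payload found"]
    for p in payloads:
        vpn = p.get("VPN", {})
        if vpn.get("RemoteAddress") != "127.0.0.1":
            findings.append(f"server address {vpn.get('RemoteAddress')!r} is not the "
                            "local loopback 127.0.0.1; traffic would leave the device")
        if p.get("VPNSubType") != "com.microsoft.scmx":
            findings.append(f"VPN identifier {p.get('VPNSubType')!r} is not com.microsoft.scmx")
        if vpn.get("OnDemandEnabled") != 1 or not any(
                r.get("Action") == "Connect" for r in vpn.get("OnDemandRules", [])):
            findings.append("on-demand VPN with a Connect rule is not configured")
        vendor = p.get("VendorConfig", {})
        if not any(str(vendor.get(k, "")).lower() == "true"
                   for k in ("SilentOnboard", "AutoOnboard")):
            findings.append("neither SilentOnboard nor AutoOnboard is set to True")
    return findings
```

Run it against a profile exported from Intune before assignment; any non-empty result means the profile differs from the settings in the steps above.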

Complete onboarding and check status

  1. Once Defender for Endpoint on iOS has been installed on the device, you will see the app icon.

  2. Tap the Defender for Endpoint app icon (MSDefender) and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint on iOS.

Note

Skip this step if you configure zero touch (silent) onboarding. Manually launching the application is not necessary if zero touch (silent) onboarding is configured.

  3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft 365 Defender portal.

    The Device inventory page.

Next Steps