Getting started with Microsoft Defender for Endpoint for iOS

Microsoft recently declared Microsoft Defender for Endpoint (MDE) for iOS – previously known as Microsoft Defender ATP for iOS – general available. That’s really good news and also a really good trigger for a new blog post. This post will be similar to my post earlier about MDE for Android. MDE for iOS provides protection against phishing and unsafe network connections. All events and alerts around those subjects will be available in the Microsoft Defender Security Center and will be used to determine the risk level of the device. To add-on to that, through the connection with Microsoft Intune that risk information can be used to determine the compliance of the device with the company policies and to determine the eventual access of the device to company data.

In this post I want to start with a short introduction about MDE for iOS, followed by the required configurations. I’ll end this post by having a look at the experience. That means that the following will be addressed.

Important: For supervised devices, enhanced anti-phishing capabilities are available via an app configuration policy and a custom device configuration profile. Due to the lack of supervised devices, at this moment, please refer to the docs for the required steps.

Note: At this moment many configurations still refer to Microsoft Defender ATP. This will change over time.

Introduction to Microsoft Defender for Endpoint for iOS

Let’s start with a short introduction about MDE for iOS. At this moment the main capability of MDE for iOS is Web protection. The Web protection capability relies on a local/self-looping VPN that does not take traffic outside of the device. That capability helps with addressing the challenge of phishing, by instantly blocking access to unsafe websites (coming from SMS, email, browsers and other apps). It also helps with addressing the challenge of unsafe network connections that some apps automatically make, by immediately blocking access to unsafe network connections. The key service that is leveraged for providing this functionality is Microsoft Defender SmartScreen. Besides that default functionality, an administrator can also configure custom indicators for allowing or blocking access to specific URLs and domains.

In addition to that capability, MDE can also integrate with Microsoft Intune. That integration can provide information about the device risk to Microsoft Intune. That information about the risk level of the device can be used in a compliance policy in Microsoft Intune, to determine if a device is compliant with the company policies. That compliance state can be used in Conditional Access to determine the access of a device to company apps and data.

Integration of Microsoft Defender for Endpoint with Microsoft Intune

One of the main benefits of using MDE, is the integration with Microsoft Intune. That integration makes sure that the information about the risk level of a device, of any supported platform, can be provided to Microsoft Intune for usage in compliance policies. To achieve that integration, the following two configurations are required.

Enable Microsoft Intune connection in Microsoft Defender Security Center

The connection with Microsoft Intune should be enabled in Microsoft Defender Security Center. This is a generic configuration that is applicable to any supported platform. When this connection is already used for another platform, these actions can be ignored. To enable the Microsoft Intune connection, follow the two steps below.

  1. Open the Microsoft Defender Security Center portal and navigate to Settings Advanced features to open the Settings page for the advanced features
  2. On the Settings page, scroll down to Microsoft Intune connection (as shown in Figure 1) and switch the slider to On

Enable iOS devices in Microsoft Endpoint Manager admin center

When the connection between MDE and Microsoft Intune is established, a configuration can be done per platform to use risk information that is provided via the connection. To enable that for iOS, follow the two steps below.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Microsoft Defender for ATP to open the Endpoint security | Microsoft Defender ATP blade
  2. On the Endpoint security | Microsoft Defender ATP blade, navigate to the setting Connect iOS devices of version 8.0 and above to Microsoft Defender ATP (as shown in Figure 2) and switch the slider to On

Distribution of the Microsoft Defender for Endpoint for iOS

The MDE for iOS app can be distributed by using Microsoft Intune. That will help with a smoother adoption of MDE on iOS devices. Distribution of that app can be achieved by following the seven steps below.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Apps > All apps > iOS/iPadOS to open the iOS/iPadOS| iOS/iPadOS apps blade
  2. On the iOS/iPadOS| iOS/iPadOS apps blade, click Add to open the Select app type page
  3. On the Select app type page, select iOS store app as App type and click Select to open the Add App wizard
  4. On the App information page, search the app store for Microsoft Defender ATP (as shown in Figure 3), select the app and click Next
  1. On the Scope tags page, configure the applicable scope tags and click Next
  2. On the Assignments page, configure the assignment by selecting the applicable group and click Next
  3. On the Review + create page, review the configuration and click Create

Configuration of the device risk compliance policy for iOS devices

The device compliance policy can be used to actively take advantage of the integration between MDE and Microsoft Intune. That policy can mark a device as noncompliant when the device risk is above the configured score. Eventually, that compliance state can be used with conditional access to determine the access of a device to company apps and data. Creation of such a device compliance policy can be achieved by following the nine steps below.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices Device compliance policies to open the Compliance policies | Policies blade
  2. On the Compliance policies | Policies blade, click Create Policy to open the Create a policy page
  3. On the Create a policy page, select iOS/iPadOS with Platform and click Create
  4. On the Basics page, provide a valid name for the device compliance policy and click Next
  5. On the Compliance settings page, navigate to the Microsoft Defender ATP section, select the required risk score with Require the device to be at or under the machine risk score (see also Figure 4) and click Next
  1. On the Actions for noncompliance page, leave the default configuration of Action on Mark device noncompliant with Schedule (days after noncompliance) on Immediately and click Next
  2. On the Scope tags page, configure the applicable scope tags and click Next
  3. On the Assignments page, configure the assignment by selecting the applicable group and click Next
  4. On the Review + create page, review the configuration and click Create

Note: Configure a conditional access policy that requires a compliant device to use this compliance state for verifying access to company apps and data.

Experience with Microsoft Defender for Endpoint for iOS

When the integration is configured between MDE and Microsoft Intune, the MDE for iOS app is distributed and the compliance policy is in place, it’s time to look at the experience. Both, from an end-user perspective and from an administrator perspective.

End-user experience with the Microsoft Defender for Endpoint for iOS app

When looking at the end-user experience, it starts with the initial start of the MDE for iOS app. After the MDE for iOS app is installed, users should start it the first time to get it up-and-running. This does require the user to have the correct license (Windows 10 E5/A5, Microsoft 365 E5/A5, or Microsoft 365 E5 Security). When initially starting the MDE for iOS app, the user needs to agree with the license agreement and privacy statement, by clicking Get started (as shown in Figure 5). That will bring the user to the VPN configuration. Once the VPN is configured and notifications are allowed, the MDE for iOS app is up-and-running (as shown in Figure 6).

For testing the Web protection capability, Microsoft provides the smartscreentestratings2.net site. When navigating to that site, or any other phishing site, the user receives the “Malicious Site Blocked” notification. That will be logged in the Microsoft Defender Security Center portal as “Informational“. When the user clicks on that notification, the “This site has been reported as unsafe” page will be shown (as shown in Figure 7) and once the user ignores that message and still continues to the site, the action will be logged as “Low“.

Administrator experience

When looking at the administrator experience, I want to focus on the information that’s generated by the user. For an overview of the alerts, I’ve opened the Microsoft Defender Security Center portal and navigated to the Alerts of the device of the user. That provides the suspicious activity and severity of visiting the test site.

Note: With the phishing site alone it was nearly impossible to get the device also marked as noncompliant, which is why there is no information to be shown about the device compliance in Microsoft Intune.

More information

For more information about MDE for iOS, the naming, the availability and the configuration, refer to the following docs.

5 thoughts on “Getting started with Microsoft Defender for Endpoint for iOS”

  1. Thank you for the guide! I have a quick question about the “Get started” part. I have tested this on our tenant, but when I open Defender app on iOS I have to login. I was hoping for SSO to simplyfi the process, but seems like uses have to login again. The license are OK, and everything runs fine after login. Any tips?

    Reply
    • Hi Tore,
      You do need to “configure” the app at first start. Meaning, sign in – should be SSO like – and accepting the required permissions. You can preconfigure a few permissions, but not all at this moment.
      Regards, Peter

      Reply
  2. App type install in Endpoint:

    iOS store app
    Vs
    iOS Volume-Purchased Program

    Any preference? In DEP setup, the VPP seems quicker and more integrated.

    Reply
    • Hi Ed,

      It indeed depends on the management that you’re using for the devices. When you’re using ABM, it might be a logic choice to use VPP. That provides a more seamless experience for the user and doesn’t require a personal Apple Id for the user.

      Regards, Peter

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.