Using the Microsoft Defender for Endpoint app for connecting to Microsoft Tunnel Gateway

This week is something completely different, compared to the last couple of weeks. This week is back to Microsoft Tunnel. Microsoft Tunnel is the VPN gateway solution for Microsoft Intune that fully integrates with Azure AD (and Conditional Access) for providing access to on-premises resources on iOS and Android devices. In the early stages of Microsoft Tunnel, there used to be a separate Microsoft Tunnel app for iOS and Android devices. One of the challenges with those devices is that there can only be one active VPN at the same time. That's especially challenging when using it in combination with Microsoft Defender for Endpoint, which also relies on a (local) VPN for its web protection. That makes combining both products into a single app a logical move. That's been the case for Android for a while now, and is now also available in preview for iOS. This post will go through the configuration options for the Microsoft Defender for Endpoint app, the deployment of a VPN profile and the user experience.

Important: At the moment of writing this blog post, the Microsoft Defender for Endpoint app for iOS is still in preview for the Microsoft Tunnel functionality.

Configuration options for the Microsoft Defender for Endpoint app

The Microsoft Defender for Endpoint app provides the IT administrator with different configuration options. Depending on the platform, there might be slightly more or fewer configuration options. These configuration options enable the IT administrator to enable the web protection (anti-phishing) functionality, to automatically onboard and/or to configure a local VPN, or to only use the app for Microsoft Tunnel functionality. Besides that, the latest version of the Microsoft Defender for Endpoint app for iOS even provides the option to silently onboard into Microsoft Defender for Endpoint. That saves a lot of required user interaction. The table below provides an overview of the available key-value pairs for configuring the Microsoft Defender for Endpoint app on iOS and Android. Specifically related to Microsoft Tunnel, defendertoggle (Android) and TunnelOnly (iOS) are the most interesting.

Platform | Key            | Value                              | Description
Android  | vpn            | 1 – Enable (default); 0 – Disable  | This key and value pair can be used to allow the Microsoft Defender for Endpoint anti-phishing capability to use a local VPN.
Android  | antiphishing   | 1 – Enable (default); 0 – Disable  | This key and value pair can be used to turn on the Microsoft Defender for Endpoint anti-phishing capability.
Android  | defendertoggle | 1 – Enable (default); 0 – Disable  | This key and value pair can be used to turn on the Microsoft Defender for Endpoint functionality.
iOS      | TunnelOnly     | True – Enable; False – Disable (default) | This key and value pair can be used to limit the Microsoft Defender for Endpoint app to Microsoft Tunnel capabilities only.
iOS      | WebProtection  | True – Enable (default); False – Disable | This key and value pair can be used to turn on the Microsoft Defender for Endpoint web protection (anti-phishing) functionality.
iOS      | AutoOnboard    | True – Enable; False – Disable (default) | This key and value pair can be used to turn on Microsoft Defender for Endpoint web protection without prompting the user to add a (local) VPN connection.
iOS      | SilentOnboard  | True – Enable; False – Disable (default) | This key and value pair can be used to turn on Microsoft Defender for Endpoint automatic activation and onboarding without interaction of the user.

Note: The vpn, AutoOnboard and SilentOnboard keys are (currently) only applicable to scenarios without Microsoft Tunnel. The VPN profile for configuring Microsoft Tunnel on the device, already automatically configures a VPN profile on the device without user interaction. Silently onboarding to Microsoft Defender for Endpoint would be a nice addition.

Deploying VPN profile for the Microsoft Defender for Endpoint app

After getting familiar with the different configuration options for the Microsoft Defender for Endpoint app, it’s time to get familiar with deploying the app with the required configuration options. From the perspective of Microsoft Tunnel, that can be achieved by using a VPN profile for iOS and/or Android devices.

Note: When only looking at silently onboarding to Microsoft Defender for Endpoint – without Microsoft Tunnel – use a custom VPN profile with the SilentOnboard key. That is currently only available for iOS and only without Microsoft Tunnel.

A VPN profile for Android Enterprise

When looking at Android devices, there is a VPN profile template available that can be used for configuring Microsoft Tunnel within the Microsoft Defender for Endpoint app. That can be achieved by going through the following eight steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Android > Configuration profiles
  2. On the Android | Configuration profiles blade, select Create profile
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Select Android Enterprise
  • Profile: Select Fully Managed, Dedicated, and Corporate-Owned Work Profile > VPN or select Work Profile > VPN, depending on the Android Enterprise deployment scenario
  4. On the Basics page, provide a valid name for the VPN profile and click Next
  5. On the Configuration settings page, provide the following information and click Next
  • Connection type: Select Microsoft Tunnel
  • Base VPN > Connection name: Provide a valid name for the VPN profile that will be shown to the user
  • Base VPN > Microsoft Tunnel site: Select the Site that will be used by this VPN profile
  • Per-app VPN > Select apps that would be allowed to use this VPN connection: (Optional) Add the allowed apps
  • Always-on VPN > Always-on VPN: (Optional) Select Enable to make sure that the VPN will automatically connect
  • Proxy > Automatic configuration script: (Optional) Configure the location of the automatic configuration script
  • Proxy > Address: (Optional) Configure the address of the proxy server
  • Proxy > Port number: (Optional) Configure the port number of the proxy server
  • Custom settings > Add the Configuration key, Value type and Configuration value of the configuration options

Note: The custom settings can be used to configure the defendertoggle key to use the Microsoft Defender for Endpoint app for Microsoft Tunnel only.

  6. On the Scope tags page, add any required scope tags and click Next
  7. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

A VPN profile for iOS/iPadOS

When looking at iOS devices, there is a new VPN profile template available that can be used for configuring Microsoft Tunnel within the Microsoft Defender for Endpoint app. That can be achieved by going through the following eight steps.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > Configuration profiles
  2. On the iOS/iPadOS | Configuration profiles blade, select Create profile
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Select iOS/iPadOS
  • Profile: Select VPN
  4. On the Basics page, provide a valid name for the VPN profile and click Next
  5. On the Configuration settings page, provide the following information and click Next
  • Connection type: Select Microsoft Tunnel
  • Base VPN > Connection name: Provide a valid name for the VPN profile that will be shown to the user
  • Base VPN > Microsoft Tunnel site: Select the Site that will be used by this VPN profile
  • Base VPN > Disconnect on sleep: (Optional) Select Enable to disconnect the VPN connection on sleep
  • Per-app VPN > Per-app VPN: (Optional) Select Enable to use this VPN profile for specific apps
  • On-Demand VPN Rules > On-demand rules: (Optional) Add rules to configure the behavior for any network connection
  • On-Demand VPN Rules > Block users from disabling automatic VPN: (Optional) Select Yes to prevent users from disabling the automatic VPN
  • Proxy > Automatic configuration script: (Optional) Configure the location of the automatic configuration script
  • Proxy > Address: (Optional) Configure the address of the proxy server
  • Proxy > Port number: (Optional) Configure the port number of the proxy server
  • Custom settings > Add the Key and Value of the required configuration options

Note: The custom settings can be used to configure the TunnelOnly key to use the Microsoft Defender for Endpoint app for Microsoft Tunnel only.

  6. On the Scope tags page, add any required scope tags and click Next
  7. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  8. On the Review + create page, verify the configuration and click Create
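The Custom settings step is the one place in both procedures above where a typo or a key that does not apply to a Microsoft Tunnel profile goes unnoticed by the portal. The following Python is an added example (not code from the post, and nothing shipped by Microsoft or Intune) that validates a set of custom settings for either platform against the key table and the note on which keys apply without Microsoft Tunnel, then returns the rows to enter under Custom settings. The Android value type "Integer" and the accepted spellings for on/off besides 1/0 and True/False are assumptions.

```python
"""Check the Custom settings of a Microsoft Tunnel VPN profile for the Microsoft
Defender for Endpoint app. Added example, not the post's code and nothing shipped
by Microsoft or Intune: key names, values and defaults come from the post's key
table; the Android "Value type" of "Integer" is an assumption about the portal."""

from dataclasses import dataclass, field

MICROSOFT_TUNNEL = "Microsoft Tunnel"
ANDROID_VALUE_TYPE = "Integer"  # assumed "Value type" for the Android custom settings

# key -> (allowed literal values, default, applicable in a Microsoft Tunnel profile)
# Keys are case-sensitive: lowercase on Android, PascalCase on iOS.
DEFENDER_APP_KEYS = {
    "android": {
        "vpn": (("1", "0"), "1", False),
        "antiphishing": (("1", "0"), "1", True),
        "defendertoggle": (("1", "0"), "1", True),
    },
    "ios": {
        "TunnelOnly": (("True", "False"), "False", True),
        "WebProtection": (("True", "False"), "True", True),
        "AutoOnboard": (("True", "False"), "False", False),
        "SilentOnboard": (("True", "False"), "False", False),
    },
}


@dataclass
class CustomSettingsResult:
    platform: str
    entries: list = field(default_factory=list)   # rows for the Custom settings section
    warnings: list = field(default_factory=list)  # accepted, but probably not what you want
    errors: list = field(default_factory=list)    # the app would reject or ignore these


def _normalize_value(platform, value):
    """Map a bool, int or string onto the literal the platform expects, else None."""
    text = str(value).strip().lower()
    if text in ("1", "true", "enable", "enabled"):
        return "1" if platform == "android" else "True"
    if text in ("0", "false", "disable", "disabled"):
        return "0" if platform == "android" else "False"
    return None


def build_custom_settings(platform, settings, connection_type=MICROSOFT_TUNNEL):
    """Validate a {key: value} mapping and return the rows to enter under Custom settings."""
    platform = platform.strip().lower().replace("/ipados", "")
    result = CustomSettingsResult(platform=platform)
    known = DEFENDER_APP_KEYS.get(platform)
    if known is None:
        result.errors.append(f"unsupported platform {platform!r}")
        return result
    for key, raw in settings.items():
        if key not in known:
            match = next((k for k in known if k.lower() == key.lower()), None)
            result.errors.append(f"key {key!r} is case-sensitive; use {match!r}" if match
                                 else f"unknown key {key!r} for platform {platform!r}")
            continue
        allowed, default, tunnel_applicable = known[key]
        value = _normalize_value(platform, raw)
        if value not in allowed:
            result.errors.append(f"{key}: value {raw!r} is not one of {allowed}")
            continue
        if connection_type == MICROSOFT_TUNNEL and not tunnel_applicable:
            result.warnings.append(f"{key}: not applicable with {MICROSOFT_TUNNEL}; "
                                   "the VPN profile already sets up the VPN silently")
        if value == default:
            result.warnings.append(f"{key}: {value!r} is already the default")
        # Android rows carry a Value type column; iOS rows are plain Key/Value.
        result.entries.append((key, ANDROID_VALUE_TYPE, value) if platform == "android"
                              else (key, value))
    return result


def is_tunnel_only(result):
    """True when the app is limited to Microsoft Tunnel: defendertoggle=0 or TunnelOnly=True."""
    values = {row[0]: row[-1] for row in result.entries}
    wanted = ("defendertoggle", "0") if result.platform == "android" else ("TunnelOnly", "True")
    return values.get(wanted[0]) == wanted[1]


if __name__ == "__main__":
    # Constructed inputs: a tunnel-only Android profile, and an iOS profile that keeps
    # web protection but mistakenly adds SilentOnboard and a mis-cased key.
    for platform, settings in [("Android", {"defendertoggle": 0}),
                               ("iOS/iPadOS", {"TunnelOnly": False, "WebProtection": True,
                                               "SilentOnboard": True, "autoonboard": "False"})]:
        r = build_custom_settings(platform, settings)
        print(f"{platform}: tunnel only = {is_tunnel_only(r)}, valid = {not r.errors}")
        for row in r.entries:
            print("  entry:  ", " | ".join(row))
        for msg in r.warnings + r.errors:
            print("  check:  ", msg)
```

Running the block prints the Android row as "defendertoggle | Integer | 0", and for the iOS profile it flags SilentOnboard as not applicable with Microsoft Tunnel (the note above the profile sections), reports the two values that merely restate their defaults, and rejects "autoonboard" because the keys are case-sensitive. Run it with a different connection_type to see the SilentOnboard warning disappear for a profile without Microsoft Tunnel.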

Experiencing the Microsoft Defender for Endpoint app for connecting to Microsoft Tunnel Gateway

Once the device is enrolled into Microsoft Intune, the Microsoft Defender for Endpoint app will be pushed and the VPN profile will be applied. Depending on the configuration of the VPN profile, the device will automatically connect to Microsoft Tunnel and might even only apply the Microsoft Tunnel functionality. Below on the left (Figure 3) is an example of the Microsoft Defender for Endpoint app for iOS with Microsoft Tunnel only, while below on the right (Figure 4) is an example of the combination of Microsoft Tunnel and Microsoft Defender for Endpoint web protection in a single app. The experience on Android is similar, just not that new anymore.

More information

For more information about Microsoft Tunnel in the Microsoft Defender for Endpoint app, refer to the following docs.

8 thoughts on “Using the Microsoft Defender for Endpoint app for connecting to Microsoft Tunnel Gateway”

  1. Thanks for the detailed instructions.
    One small correction, for the iOS VPN profile the “Connection type” is missing (=Microsoft Tunnel (preview) ).

  2. Hi Peter,

    Thanks for your amazing work as usual. 😉

    Can SilentOnboard and AutoOnboard be deployed together? The MSFT Docs are a little confusing since they repeat processes like a different config for each one.

  3. Hey Peter,
    How do I enforce VPN traffic to go via the Enterprise proxy? I have configured the VPN profile with a pac file and I do see the same in the Defender app (in the proxy > script section) on a managed iOS device.
    Any suggestions?
