
Defender for Business for iOS Deployment - zero-touch

Defender for Business provides protection on iOS devices, including a web filter, and reports the device health status, all with a zero-touch configuration. It is administered centrally through Intune / MEM; both MDM-enrolled and MAM-managed devices are supported.
A device can also be configured manually, for test purposes or as an unmanaged device.

Defender for iOS - Manual installation

The Defender app can also be installed individually and manually on an iOS device. All you have to do is install the "Microsoft Defender Endpoint" app from the App Store, sign in with a licensed user and confirm the VPN settings.

If you are already signed in with a Microsoft 365 account on your iPad or iPhone, you can select it right away, or alternatively sign in with another account.
After signing in, you must accept the license terms and configure the local VPN connection. This VPN is a loopback tunnel on the device itself (server address 127.0.0.1, see the profile table further down); it does not send traffic to an external server. It is the hook through which Defender inspects the web traffic of Safari and other apps for the web filter, so without the VPN permission web protection is not active.

Defender iOS login
Defender iOS license agreement
Defender iOS local VPN connection
Defender iOS Add VPN Configurations
Defender iOS allow notifications

At the end you see an overview of the filtered websites and the device health status. You will also notice that a VPN connection is now shown as active in iOS.

Defender iOS app status
Defender iOS VPN Connection active

It takes a little while for the iPhone to appear in the device inventory of Defender for Business or Defender for Endpoint. In my case it showed as "not boarded" for about 3 hours before it was indexed correctly.

Defender inventory

Defender for iOS - Deployment with Intune (zero-touch)

Deployment of Defender for Business and Defender for Endpoint on iOS has recently become possible "silently", i.e. without user interaction and with little configuration effort.

Requirements

  • Licenses:
    • Defender for Business or Endpoint and Intune license assigned
    • or Microsoft 365 Business Premium
  • Device is enrolled in MEM / Intune with Company Portal
  • iOS 12+

Defender-Intune integration

Make sure the Intune connection is active. You find it in the advanced features settings of the Defender portal.
If you did the initial setup as described here (Defender for Business onboarding/setup), you can skip this step.

Defender Intune connection

You must also enable the connection for iOS devices in Endpoint Manager.
The option is under Endpoint Manager > Endpoint security > Microsoft Defender for Endpoint (the toggle that connects iOS/iPadOS devices to Microsoft Defender for Endpoint).

Install Microsoft Defender App

First you need to distribute the Defender app. You do not necessarily have to acquire it as a VPP app through Apple Business Manager; you can add it directly as an iOS store app under Apps > iOS/iPadOS > Add.

iOS store app Microsoft defender

You can set iOS 12 as the minimum OS requirement, since the zero-touch configuration is only possible from this version onwards.

iOS store app Microsoft defender - minimum ios

In the next step you assign the app to a group or to all devices and save the configuration.

Defender VPN configuration

For the VPN configuration, which enables the web filter, we create a new VPN profile.
You find this under: Devices > iOS/iPadOS > Configuration profiles

You can create the VPN configuration using the screenshot or the table below. The important points are the loopback server address (the tunnel never leaves the device), split tunneling disabled (so all traffic passes the filter), the fixed VPN identifier of the Defender app, and the SilentOnboard key, which is what makes the onboarding zero-touch.

Setting                 Value
Connection name         Microsoft Defender for Endpoint
VPN server address      127.0.0.1
Authentication method   Username and password
Split tunneling         Disable
VPN identifier          com.microsoft.scmx
Custom VPN attribute    Key: SilentOnboard / Value: True
Type of automatic VPN   On-demand VPN
On-demand rule          Establish VPN
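The same profile, expressed as the JSON body that Microsoft Graph accepts for an Intune iOS VPN configuration, together with a checker that flags deviations from the table above (split tunneling enabled, SilentOnboard missing, wrong identifier, no on-demand rule). This is an added example and not code from the original post or from Microsoft; the property names (connectionName, connectionType, server, identifier, customData, enableSplitTunneling, authenticationMethod, onDemandRules) follow the Graph `iosVpnConfiguration` schema as I know it and should be verified against the Graph reference before you POST the body to `/deviceManagement/deviceConfigurations`. The script makes no network calls.

```python
"""Build and sanity-check the Intune iOS VPN profile for Defender zero-touch onboarding.

Added example (not part of the original post). Property names are an
assumption based on the Microsoft Graph iosVpnConfiguration schema; verify
against the Graph docs before use. Runs offline.
"""
import copy
import json

DEFENDER_VPN_IDENTIFIER = "com.microsoft.scmx"   # fixed identifier of the Defender app
LOOPBACK = "127.0.0.1"                           # the tunnel terminates on the device itself


def defender_vpn_profile(display_name: str = "Defender for Endpoint - iOS VPN") -> dict:
    """Return the Graph request body matching the settings table above."""
    return {
        "@odata.type": "#microsoft.graph.iosVpnConfiguration",
        "displayName": display_name,
        "connectionName": "Microsoft Defender for Endpoint",
        "connectionType": "customVpn",
        "server": {"address": LOOPBACK, "description": "Defender loopback", "isDefaultServer": True},
        "authenticationMethod": "usernameAndPassword",
        "enableSplitTunneling": False,             # all traffic must pass the web filter
        "identifier": DEFENDER_VPN_IDENTIFIER,
        "customData": [{"key": "SilentOnboard", "value": "True"}],  # makes onboarding zero-touch
        "onDemandRules": [{"action": "connect"}],  # "Establish VPN" on demand
    }


def weak_profile() -> dict:
    """Constructed counter-example: split tunneling on and SilentOnboard missing."""
    weak = copy.deepcopy(defender_vpn_profile())
    weak["enableSplitTunneling"] = True
    del weak["customData"]
    return weak


def check_defender_vpn_profile(profile: dict) -> list[str]:
    """Return a list of findings; an empty list means the profile matches the table."""
    findings = []
    if profile.get("@odata.type") != "#microsoft.graph.iosVpnConfiguration":
        findings.append("not an iOS VPN configuration")
    server = profile.get("server") or {}
    if server.get("address") != LOOPBACK:
        findings.append(f"VPN server address is {server.get('address')!r}, expected {LOOPBACK}")
    if profile.get("identifier") != DEFENDER_VPN_IDENTIFIER:
        findings.append(f"VPN identifier must be {DEFENDER_VPN_IDENTIFIER}")
    if profile.get("enableSplitTunneling") is not False:
        findings.append("split tunneling must be disabled so all traffic passes the web filter")
    custom = {kv.get("key"): str(kv.get("value", "")) for kv in profile.get("customData", [])}
    if custom.get("SilentOnboard", "").lower() != "true":
        findings.append("SilentOnboard=True missing; the app will prompt the user instead of onboarding silently")
    if not any(r.get("action") == "connect" for r in profile.get("onDemandRules", [])):
        findings.append("no on-demand 'connect' rule; the VPN will not be established automatically")
    if profile.get("authenticationMethod") != "usernameAndPassword":
        findings.append("authentication method must be 'Username and password'")
    return findings


if __name__ == "__main__":
    print(json.dumps(defender_vpn_profile(), indent=2))
    print("good profile findings:", check_defender_vpn_profile(defender_vpn_profile()))
    print("weak profile findings:", check_defender_vpn_profile(weak_profile()))
```

Run the checker against the JSON you export from an existing tenant (Graph `GET /deviceManagement/deviceConfigurations`) to confirm the profile on a device that is "all green" but does not filter really carries SilentOnboard and split tunneling disabled; a profile that passes here but still does not block anything points at the app-side or browser-side behaviour discussed below rather than at the VPN profile.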

Outcome and behavior

The zero-touch distribution of Defender for Business / Endpoint for iOS works very quickly and with little configuration effort. Once the configuration is active on the end device, we see the same VPN connection as with the manual installation. If a risk is detected while browsing, the corresponding page is blocked immediately and a notification is shown. In Safari the blocked page simply stays white; Edge additionally displays a SmartScreen block page. Note, however, that the SmartScreen block page is a feature of the Edge browser itself and is shown independently of Defender for iOS, so seeing it in Edge does not by itself prove that the Defender web filter is working; the blank page in Safari (and the block counter in the Defender app) is the better indicator.

Defender for iOS - Safari
Defender for iOS - Edge

The end user cannot actually change anything in the Defender app. They do, however, see what is active and how many URLs have been scanned and blocked. Because we distributed Defender via policy, the web filter cannot be switched off manually (with a manual installation it can).

Defender for iOS - Device is protected
Defender for iOS - Web Protection

3 thoughts on “Defender for Business for iOS Deployment - zero-touch”

  1. Pingback: Defender for Business for Android - MAM | scloud

  2. My device is protected (all green ticks in Defender). I tried to access a test malicious site but Defender does not pop up a block alert. So I am able to load the test malicious site using Safari, and I get the red MS Defender SmartScreen page in the Edge browser.

    Do you know if there is such a setting in the Defender portal causing this behaviour? I checked in Intune and everything is configured properly, such as the VPN loopback, and the Defender app is all green ticks.
