Configure Network Protection for Defender for Endpoint for Android and iOS Devices

Overview

As part of its Defender for Endpoint (MDE) enterprise endpoint security platform, Microsoft recently announced that the Mobile Network Protection functionality is generally available to assist organizations in identifying network vulnerabilities affecting Android and iOS devices.

As soon as the device is onboarded to MDE and network protection is enabled, MDE will provide protection and alerts for all network-related suspicious events and activities. Let’s configure these features and see how the network protection works.


Network Safety

The way companies operate has changed significantly in recent years as a result of people working from home or in a hybrid style. Users now depend more on network connections for personal and professional obligations, which exposes them and their devices to new security risks; protecting the data on those devices therefore becomes a top priority for organizations.

With the addition of network protection capabilities to MDE for mobile devices, you can now protect your enrolled and unenrolled devices from all network attacks. These features cover:

  • Man-in-the-middle (MITM) attacks
  • Fake SSL certificates
  • SSL stripping
  • Rogue access points
  • Unsecured Wi-Fi
  • Captive portals
  • Malicious certificates
  • Remediation options to change networks when a network is determined to be suspicious

Configure MDE Network Protection Features for iOS Supervised Devices

Network protection in Microsoft Defender for Endpoint is disabled by default. Follow these steps to configure network protection on iOS devices (for a MAM configuration, Authenticator device registration is required). Network protection initialization requires the end user to open the app once.

  • Navigate to Apps > App configuration policies.
  • Click Add and select ‘Managed apps’ to create a new app configuration policy.
Create a policy for managed apps
  • Provide a name and description that identify the policy uniquely.
  • Then click ‘Select public apps’ and choose ‘Microsoft Defender’ for the iOS/iPadOS platform.
Select Defender as a public app
  • On the Settings page, add the network protection configuration keys shown in the screenshot below:
Configuration keys for network protection
Configuration policy
  • Assign the policy to the required group.

Configure MDE Network Protection Features for Android Enterprise Device

  • Navigate to Apps > App configuration policies.
  • Click Add and select ‘Managed devices’ to create a new app configuration policy.
Create a policy for managed devices
  • Provide a name and description that identify the policy uniquely.
  • Then select ‘Android Enterprise’ as the platform, ‘All’ as the profile type, and ‘Microsoft Defender’ as the targeted app.
Configure device platform
  • On the Settings page, select ‘Use configuration designer’, add ‘Enable Network Protection in Microsoft Defender’ as the key and set its value to ‘1’ to enable network protection (it is disabled by default).
Configuration keys for network protection

If you push your enterprise CA certificate to your devices, also add the key ‘Trusted CA certificate list for Network Protection’ with a comma-separated list of the root CA certificate thumbprints (SHA-1) as its value, so that network protection trusts those root CA(s). Without this entry, TLS certificates chaining to your own root CA are treated as untrusted and will generate suspicious-certificate alerts (the behaviour used as a test later in this post).

Configuration profile
  • Assign the policy to the required group.
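To produce the value for that key without transcription mistakes, here is an added example in Python (my own helper, not part of Microsoft Defender or Intune) that derives SHA-1 thumbprints from PEM root CA files, normalizes thumbprints copied from a certificate viewer, drops duplicates and emits the comma-separated string; the sample PEM is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

# Hypothetical helper (added example, not Microsoft's code): builds the value for the
# Android Enterprise app-configuration key 'Trusted CA certificate list for Network
# Protection', which expects a comma-separated list of SHA-1 certificate thumbprints.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
_HEX40_RE = re.compile(r"^[0-9A-F]{40}$")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, formatted as Intune/MMC show it: 40 upper-case hex digits."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Accept 'ab:cd:..', 'AB CD ..' or bare hex copied from a cert viewer; return canonical form."""
    cleaned = re.sub(r"[\s:]", "", value).upper()
    if not _HEX40_RE.match(cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def build_trusted_ca_value(items: list) -> str:
    """Turn PEM certificates and/or thumbprints into the comma-separated key value.
    Duplicates are dropped while keeping first-seen order."""
    seen = {}
    for item in items:
        if "-----BEGIN CERTIFICATE-----" in item:
            thumb = sha1_thumbprint(pem_to_der(item))
        else:
            thumb = normalize_thumbprint(item)
        seen.setdefault(thumb, None)
    return ",".join(seen)


# Constructed sample input: this PEM wraps the bytes b"abc"; it is NOT a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(build_trusted_ca_value([SAMPLE_PEM, "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"]))
```

Paste the printed string into the value field of the configuration designer; feeding a real root CA PEM in place of SAMPLE_PEM yields the same thumbprint you would read in certmgr.msc.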

MDE App Permissions On The Device

iOS

  • After a successful sign-in to the app, users are asked to grant the onboarding permissions, including the notification permission, so that Defender for Endpoint can notify them when a threat is found.
  • Once that permission is accepted, the user sees a page asking for permission to collect diagnostic data for future product improvements. If the user opts out, no data is sent.
  • Upon successful onboarding, users see a new card and a tab labelled “Network Protection”. If Wi-Fi is off, in-app messaging guides users to turn Wi-Fi on from within the app. Once Wi-Fi is enabled, the available Wi-Fi networks are scanned for threats, and the scan results determine the device’s state.

Android

  • Users need to grant the location permission; this allows Defender for Endpoint to scan nearby networks and alert users to Wi-Fi-related threats. If the user denies the location permission, Defender for Endpoint can only provide limited protection against network threats and will only protect users from rogue certificates.
  • Once that permission is accepted, the user sees a page asking for permission to collect diagnostic data for future product improvements. If the user opts out, no data is sent.
  • Once the app is installed, users see a new card and a tab labelled “Network Protection”. Tapping the feature card takes users to a page where they can initiate a scan of all available networks and certificates.
  • If Wi-Fi is off, in-app messaging guides users to turn Wi-Fi on from within the app. Once Wi-Fi is enabled, the available Wi-Fi networks are scanned for threats, and the scan results determine the device’s state.

Network Protection in Action

By this point, all the policies are in place and users have signed in to the MDE app. A few minutes after the app is launched, the device is onboarded to Microsoft Defender for Endpoint and visible in the Defender admin console.

Now, to simulate a network attack, I have not trusted the enterprise root certificate for Android devices. This means that as soon as the MDE policy sync is completed, an alert for a suspicious certificate should be generated, and the device should be reported.

And voila! It’s immediate and works!

Device in defender admin center
Alert classification

Wrapping Up

As the world continues to make sense of digital transformation, the mobile network protection feature in Defender for Endpoint will help us to identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence.

And with this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms.

It is recommended that you configure alerts in Defender for these network protection detections, so that a suspicious certificate or rogue network on a mobile device reaches your security operations team rather than only the end user.

I’d love to know what you think, so do leave your comments below, and if you liked it, then do share it.

Cheers,

Somesh

Ref:

Announcing the public preview of Mobile Network Protection for Microsoft Defender on Android and iOS

Configure Microsoft Defender for Endpoint on iOS features | Microsoft Learn