Zero Touch Onboarding & Activation of Microsoft Defender for Endpoint
Overview
You can now configure your iOS devices to be silently onboarded and activated on Microsoft Defender for Endpoint without requiring interaction from the end user. In this flow, you will create a few configuration profiles, and the user will be notified of the installation. Defender for Endpoint is automatically
You can now configure your iOS devices to be silently onboarded and activated on Microsoft Defender for Endpoint without requiring interaction from the end user. In this flow, you will create a few configuration profiles, and the user will be notified of the installation. Defender for Endpoint is automatically installed and activated without the user needing to open the app. Follow the steps below to set up zero-touch or silent deployment and activation of Defender for Endpoint on enrolled iOS devices:
Pre-requisites
Access to Intune portal
Access to Apple Business Manager
Devices are enrolled in Intune
Defender for Endpoint license is assigned to the user
Deploy the App
You have two options for deploying MDE app to your user’s devices:
App Store App
VPP App
Deploy Defender as App Store App
In Intune portal, go to Apps > iOS/iPadOS > Add > iOS store app and click Select.
Select the app as public store app
Click on Search the App Store on the Add app page and type Microsoft Defender in the search bar. In the search results section, click on Microsoft Defender and click Select.
Select iOS 12.0 as the Minimum operating system. Review the rest of the information about the app and click Next.
app info
In the Assignments section, go to the Required section and select Add group. You can then choose the user group(s) you would like to target Defender for Endpoint on the iOS app. Click Select and then Next.
Deploy Defender as VPP App (Recommended way)
Log in to Apple Business Manager and click Apps and Books, then search for “Microsoft
defender” in the app or book in the search field.
Add app in ABM
Select the app or book in the search results list that you want to purchase.
Select the location where the app or book licenses will be initially assigned.
Enter the number of licenses, and if necessary, change the payment method, then click Buy
Availability of app licenses depends on the amount purchased. If you purchased:
5000 licenses or fewer, they are immediately processed
5001 to 19,999 licenses, they are processed daily after 1:00 p.m., Pacific time
20,000 licenses or more, they are processed daily after 4:00 p.m., Pacific time
Force sync your VPP token in Intune to immediately sync for processing the purchase.
On the list of apps pane, choose the app you want to assign and then choose Properties
On the Assignments tab, choose whether the app will be Required or Available for enrolled devices.
Assing it tothe groups you want to assign the app.
Configure Supervised Mode via Intune
For configuring the supervised mode for Defender for Endpoint app, we would need an app configuration policy and device configuration profile. Follow the below steps to configure them:
App Configuration Policy
Sign in to the Intune portal and go to Apps > App configuration policies > Add. Select Managed devices.
App configuration policy
In the Create app configuration policy page, provide the following information:
Policy Name
Platform: Select iOS/iPadOS
Targeted app: Select Microsoft Defender for Endpoint from the list
add the app
In the next screen, select Use configuration designer as the format. Specify the following properties:
Configuration Key: issupervised
Value type: String
Configuration Value: {{issupervised}}
Assign the policy to the same group to which the app is assigned.
Device Configuration Profile
This profile is for enabling enhanced Anti-phishing capabilities. Follow the steps below:
Select Profile Type > Templates and Template name > Custom
Provide the name of the profile. When prompted to import a Configuration profile file, select the one downloaded from the previous step.
Assign the policy to the same group to which APP is assigned.
Zero-touch Onboarding & Activation
In Intune portal, go to Devices > Configuration Profiles > Create Profile.
Choose Platform as iOS/iPadOS and Profile type as VPN. Select Create.
Type a name for the profile and select Next.
Select Custom VPN for Connection Type and in the Base VPN section, enter the following:
Connection Name = Microsoft Defender for Endpoint
VPN server address = 127.0.0.1
Auth method = “Username and password”
Split Tunneling = Disable
VPN identifier = com.microsoft.scmx
In the key-value pairs, enter the key SilentOnboard and set the value to True.
Type of Automatic VPN = On-demand VPN
Select Add for On Demand Rules and select I want to do the following = Connect VPN, I want to restrict to = All domains.
The configurations for the custom vpn profile are case sensitive. Any slight mistake will disable auto-activation of MDE.
End User Experience
The VPN configuration profile is pushed to the device as soon as the device is enrolled. Until Microsoft Defender is installed and activated on the device, the connection is just a self-loop.
You will see the blue dot on the MDE app icon within a few minutes and a notification in the device’s notification center that the device has been successfully onboarded to MDE.
Device silently onboarded
Tap the Defender for Endpoint app icon (MSDefender), and you will notice that the app is activated with web protection auto-enabled.
Wrapping-Up
When looking from the end-user perspective, the experience is super cool. No interaction is required, as the onboarding and activation are 100% silent.
At the same time, from the administrator’s perspective, these features give you complete visibility of the device’s security, and the ease of onboarding devices is also what we have been looking forward from many years. I hope that Android Enterprise will also have the same experience soon.
