Zero Touch Onboarding & Activation of Microsoft Defender for Endpoint

Overview

You can now configure your iOS devices to be silently onboarded and activated on Microsoft Defender for Endpoint without requiring interaction from the end user. In this flow, you will create a few configuration profiles, and the user will be notified of the installation. Defender for Endpoint is automatically installed and activated without the user needing to open the app. Follow the steps below to set up zero-touch or silent deployment and activation of Defender for Endpoint on enrolled iOS devices:


Pre-requisites

  • Access to Intune portal
  • Access to Apple Business Manager
  • Devices are enrolled in Intune
  • Defender for Endpoint license is assigned to the user

Deploy the App

You have two options for deploying the MDE app to your users’ devices:

  1. App Store App
  2. VPP App

Deploy Defender as App Store App

  • In Intune portal, go to Apps > iOS/iPadOS > Add > iOS store app and click Select.
Select the app as public store app
  • Click on Search the App Store on the Add app page and type Microsoft Defender in the search bar. In the search results section, click on Microsoft Defender and click Select.
  • Select iOS 12.0 as the Minimum operating system. Review the rest of the information about the app and click Next.
app info
  • In the Assignments section, go to the Required section and select Add group. You can then choose the user group(s) you want to target with the Defender for Endpoint iOS app. Click Select and then Next.

Deploy Defender as VPP App (Recommended way)

  • Log in to Apple Business Manager, click Apps and Books, then search for “Microsoft Defender” in the app or book search field.
Add app in ABM
  • Select the app or book in the search results list that you want to purchase.
  • Select the location where the app or book licenses will be initially assigned.
  • Enter the number of licenses, and if necessary, change the payment method, then click Buy.

Availability of app licenses depends on the amount purchased. If you purchased:

  • 5000 licenses or fewer, they are immediately processed
  • 5001 to 19,999 licenses, they are processed daily after 1:00 p.m., Pacific time
  • 20,000 licenses or more, they are processed daily after 4:00 p.m., Pacific time

Once the licenses are available, assign the app in Intune:

  • Force sync your VPP token in Intune to immediately process the purchase.
  • Select Apps > All apps.
  • On the list of apps pane, choose the app you want to assign and then choose Properties.
  • On the Assignments tab, choose whether the app will be Required or Available for enrolled devices.
  • Assign it to the groups that should receive the app.

Configure Supervised Mode via Intune

To configure supervised mode for the Defender for Endpoint app, you need an app configuration policy and a device configuration profile. Follow the steps below to configure them:

App Configuration Policy

  • Sign in to the Intune portal and go to Apps > App configuration policies > Add. Select Managed devices.
App configuration policy
  • In the Create app configuration policy page, provide the following information:
    • Policy Name
    • Platform: Select iOS/iPadOS
    • Targeted app: Select Microsoft Defender for Endpoint from the list
add the app
  • In the next screen, select Use configuration designer as the format. Specify the following properties:
    • Configuration Key: issupervised
    • Value type: String
    • Configuration Value: {{issupervised}}
  • Assign the policy to the same group to which the app is assigned.

Device Configuration Profile

This profile is for enabling enhanced Anti-phishing capabilities. Follow the steps below:

  • Navigate to Devices > iOS/iPadOS > Configuration profiles > Create Profile
  • Select Profile Type > Templates and Template name > Custom
  • Provide the name of the profile. When prompted to import a Configuration profile file, select the one downloaded from the previous step.
  • Assign the profile to the same group to which the app is assigned.

Zero-touch Onboarding & Activation

  • In Intune portal, go to Devices > Configuration Profiles > Create Profile.
  • Choose Platform as iOS/iPadOS and Profile type as VPN. Select Create.
  • Type a name for the profile and select Next.
  • Select Custom VPN for Connection Type and in the Base VPN section, enter the following:
    • Connection Name = Microsoft Defender for Endpoint
    • VPN server address = 127.0.0.1
    • Auth method = “Username and password”
    • Split Tunneling = Disable
    • VPN identifier = com.microsoft.scmx
    • In the key-value pairs, enter the key SilentOnboard and set the value to True.
    • Type of Automatic VPN = On-demand VPN
    • Select Add under On Demand Rules and set I want to do the following = Connect VPN and I want to restrict to = All domains.

The values in the custom VPN profile are case sensitive. Any slight mistake (for example, a different capitalization of the VPN identifier or of the SilentOnboard value) disables auto-activation of MDE.
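Because a single case slip silently breaks activation, it helps to check an exported copy of the profile before assigning it. The script below is an added example (not Microsoft's or Intune's own tooling): it parses a .mobileconfig with plistlib and compares each VPN payload, case-sensitively, against the values listed above. The mapping of Intune form fields to Apple's com.apple.vpn.managed keys (UserDefinedName, VPNSubType, VPN.RemoteAddress, VPN.OnDemandRules, VendorConfig) is my assumption, and the sample profile is constructed.

```python
import plistlib

# Values exactly as listed in the post; the comparison is deliberately case-sensitive.
EXPECTED_TOP = {"PayloadType": "com.apple.vpn.managed",
                "UserDefinedName": "Microsoft Defender for Endpoint",
                "VPNSubType": "com.microsoft.scmx"}
EXPECTED_VPN = {"RemoteAddress": "127.0.0.1", "AuthenticationMethod": "Password",
                "OnDemandEnabled": 1}
EXPECTED_VENDOR = {"SilentOnboard": "True"}  # the key-value pair from the Intune form

def _compare(section: dict, expected: dict, where: str) -> list[str]:
    """Report every key whose value differs, flagging case-only differences explicitly."""
    problems = []
    for key, want in expected.items():
        got = section.get(key)
        if got != want:
            hint = ""
            if isinstance(got, str) and got.lower() == str(want).lower():
                hint = " (case mismatch: the profile is case-sensitive)"
            problems.append(f"{where}.{key}={got!r}, expected {want!r}{hint}")
    return problems

def check_defender_vpn_payload(payload: dict) -> list[str]:
    """Return the deviations from the post's settings; an empty list means it matches."""
    problems = _compare(payload, EXPECTED_TOP, "payload")
    vpn = payload.get("VPN", {})
    problems += _compare(vpn, EXPECTED_VPN, "VPN")
    # "Connect VPN" for "All domains" needs at least one on-demand rule with Action=Connect.
    if not any(rule.get("Action") == "Connect" for rule in vpn.get("OnDemandRules", [])):
        problems.append("VPN.OnDemandRules has no rule with Action=Connect")
    problems += _compare(payload.get("VendorConfig", {}), EXPECTED_VENDOR, "VendorConfig")
    return problems

def check_mobileconfig(data: bytes) -> dict[str, list[str]]:
    """Check every VPN payload in an exported .mobileconfig, keyed by PayloadIdentifier."""
    profile = plistlib.loads(data)
    return {p.get("PayloadIdentifier", "?"): check_defender_vpn_payload(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"}

def sample_profile() -> bytes:
    """Constructed profile: one correct payload and one with two case slips (hypothetical ids)."""
    good = {"PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "example.mde.good",
            "UserDefinedName": "Microsoft Defender for Endpoint", "VPNType": "VPN",
            "VPNSubType": "com.microsoft.scmx",
            "VPN": {"RemoteAddress": "127.0.0.1", "AuthenticationMethod": "Password",
                    "OnDemandEnabled": 1, "OnDemandRules": [{"Action": "Connect"}]},
            "VendorConfig": {"SilentOnboard": "True"}}
    bad = dict(good, PayloadIdentifier="example.mde.bad", VPNSubType="com.Microsoft.scmx",
               VendorConfig={"SilentOnboard": "true"})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [good, bad]})
```

Run `check_mobileconfig(open("profile.mobileconfig", "rb").read())` on a real export; the "bad" payload in the sample shows the two case-only mistakes the post warns about.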


End User Experience

The VPN configuration profile is pushed to the device as soon as the device is enrolled. Until Microsoft Defender is installed and activated on the device, the connection is just a self-loop.

You will see the blue dot on the MDE app icon within a few minutes and a notification in the device’s notification center that the device has been successfully onboarded to MDE.

Device silently onboarded

Tap the Defender for Endpoint app icon (MSDefender), and you will notice that the app is activated with web protection auto-enabled.


Wrapping-Up

When looking from the end-user perspective, the experience is super cool. No interaction is required, as the onboarding and activation are 100% silent.

At the same time, from the administrator’s perspective, these features give you complete visibility of the device’s security, and this ease of onboarding devices is what we have been looking forward to for many years. I hope that Android Enterprise will also have the same experience soon.

Ref:

App-based deployment for Microsoft Defender for Endpoint on iOS | Microsoft Learn