Onboarding Intune Managed iOS User Enrollment Devices to Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is a unified endpoint security platform that provides protection, detection, investigation, and response capabilities. To use Microsoft Defender for Endpoint on iOS devices, you need to onboard them to the service and assign licenses to users.

This blog post explains the onboarding process for the recently announced support of Microsoft Defender for Endpoint on Intune managed iOS/iPadOS devices enrolled with Apple User Enrollment mode. This enrollment method, introduced with iOS 13, allows users to enroll their personal devices in a way that protects their privacy and separates work data (stored on a separate volume) from personal data. User Enrollment devices are managed by Intune with a limited set of policies and configurations.

Intune supports two User Enrollment methods; for new deployments, choose the one that best meets your requirements. This blog post does not focus on one specific enrollment type.

  • Account Driven User Enrollment, or
  • User Enrollment with Company Portal

Screenshot of a User Enrollment screen.

The first step, which you can skip if you are using User Enrollment with Company Portal, is to create an Intune device configuration profile of type Device Features with the following settings:

  • App bundle ID: add the Defender app bundle ID, com.microsoft.scmx, to the list.
  • Additional configuration: Key: device_registration; Type: String; Value: {{DEVICEREGISTRATION}}
  • Assign the profile to the target user or device group.

Tip: For a faster evaluation, create a Device Filter of Managed Device type matching the “Enrollment Profile Name” you specified for the Apple User Enrollment method.


Next, create an App Configuration policy of type Managed devices with Microsoft Defender as the targeted app.

  • On the Settings page, select Use configuration designer and add the key UserEnrolmentEnabled with value type String and value True.
  • Assign the policy to the target user or device group.

Tip: For a faster evaluation, create a Device Filter of Managed Device type matching the “Enrollment Profile Name” you specified for the Apple User Enrollment method.


The final step is to deploy the Microsoft Defender app from Intune, either via VPP or the public App Store. What's important is to ensure that the App Configuration policy created above targets the same app source (VPP or public App Store).

  • Assign the app to the target user or device group.


Important: When you deploy VPP apps, the default License Type is set to Device. This needs to be changed to User to match the device enrollment type; otherwise the installation will fail with error code 0x87D13BA9.
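The license-type mismatch above is easy to miss in a large tenant, so here is an added example (not from the original post) that lists every iOS VPP app assignment still using device licensing. It assumes the Microsoft.Graph.Authentication PowerShell module, read permission on Intune apps, and the Graph v1.0 property names for iosVppApp and iosVppAppAssignmentSettings; verify those against your tenant before relying on the output.

```powershell
# Added example, not part of the original post.
# Finds Intune VPP app assignments whose license type is still Device,
# the default the post warns fails with 0x87D13BA9 on User Enrollment devices.
# Assumes Microsoft.Graph.Authentication is installed and the caller can be
# granted DeviceManagementApps.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'

function Get-DeviceLicensedVppAssignments {
    $base = 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps'
    # Only iOS VPP apps carry a license type, so filter to that app type.
    $uri  = "${base}?`$filter=isof('microsoft.graph.iosVppApp')"
    $apps = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $apps += $page.value
        $uri = $page.'@odata.nextLink'   # follow server-side paging
    } while ($uri)

    foreach ($app in $apps) {
        $assignments = (Invoke-MgGraphRequest -Method GET `
            -Uri "$base/$($app.id)/assignments").value
        foreach ($a in $assignments) {
            # useDeviceLicensing = $true means License Type "Device" in the portal.
            if ($a.settings.useDeviceLicensing -eq $true) {
                [pscustomobject]@{
                    App         = $app.displayName
                    BundleId    = $app.bundleId
                    Intent      = $a.intent
                    TargetType  = $a.target.'@odata.type'
                    TargetGroup = $a.target.groupId   # null for all-users/all-devices
                    LicenseType = 'Device (switch to User for User Enrollment)'
                }
            }
        }
    }
}

Get-DeviceLicensedVppAssignments | Format-Table -AutoSize
```

Any row whose target group contains User Enrollment devices is a candidate for the 0x87D13BA9 failure described above; change that assignment's license type to User in the Intune portal.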

Here's a quick overview of the Microsoft Defender onboarding experience with Apple User Enrollment. In the GIF below you will see the following:

  • Launch the MDE app and tap Sign in.
  • Accept the license terms.
  • Next, a quick view of the profile in the Settings app.
  • Finally, a quick test of MDE by launching the phishing test site https://smartscreentestratings2.net, which MDE successfully blocks.

GIF: Microsoft Defender onboarding flow on an Apple User Enrollment device.

Note: This enrollment scenario does not support Zero-Touch Silent-Onboarding.

As an admin, you can check the onboarding state of the device from the Microsoft Defender security portal.


Thanks,

Arnab Mitra

 

This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.