iOS Defender for Endpoint Zero Touch Control Filter

The Zero Touch Control Filter has had its fair share of issues lately. The solution provided here was not created by me, but it is the only way I have been able to get this to work properly, even with the new Just In Time Registration.

Using the Microsoft-provided config file for the Zero Touch Control Filter, I have had no luck getting it to work properly on iOS 16.3. In this post we edit the config file, adding some extra values to solve the issue where Web Protection does not start automatically.

(Screenshot: Control Filter bug)

Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS | Microsoft Learn

Ongoing issue with Web Protection for Supervised iOS devices without local VPN · Issue #10551 · MicrosoftDocs/microsoft-365-docs (github.com)

Microsoft Defender for Endpoint Application

First make sure you have added the Microsoft Defender for Endpoint application and assigned it to your devices or users as required.

Make sure you set the License type to Device

(Screenshot: Device license)

App configuration policy

Create a new App configuration policy with the settings below.

(Screenshot: Enrollment profile, configuration key issupervised)

Assign it to Devices (you can use filters to target only company-owned devices, etc.).

Device configuration profile (Zero Touch Control Filter)

Deploy Microsoft Defender for Endpoint on iOS with Microsoft Endpoint Manager | Microsoft Learn

Microsoft provides the config profile on the site above or you can use the link below to download it.

https://aka.ms/mdeiosprofilesupervisedzerotouch

Creating the Zero Touch Control Filter Profile

Create a new device configuration profile, select templates, custom.

(Screenshot: Custom configuration profile)

Now we add the Zero Touch Control Filter file downloaded earlier to the custom device configuration profile.

(Screenshot: Zero Touch Control Filter)

Assign the profile to managed iOS devices.

It’s not working for me: Web Protection does not automatically start.

As I mentioned before, I have had no luck getting Web Protection to work properly with this profile. The bug described at the start of this post essentially states that the attribute “issupervised” is not set correctly. Microsoft has stated that this was fixed in iOS 16.3, but I still had issues, so with the help of the creator of the original GitHub issue I tried the following solution, and I have had a 100% success rate using the modified version of the Zero Touch Control Filter.

Modifying the Zero Touch Control Filter

For more info on app configuration XML format:
Add app configuration policies for managed iOS/iPadOS devices – Microsoft Intune | Microsoft Learn

We will be adding two lines to the configuration file.

After you have downloaded the Zero Touch Control Filter config file, open it in your favourite text editor. On line 37 you should see the following:

<key>SilentOnboard</key>
<string>true</string>

This is where we add the extra lines; the end result should look like this:

<key>VendorConfig</key>
<dict>
    <key>issupervised</key>
    <string>true</string>

    <key>SilentOnboard</key>
    <string>true</string>
</dict>
</dict>

Save the edited file and upload it to your custom configuration profile in Intune.

Make sure you assign the profile to Devices.
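As an added example (not code from the original post or from Microsoft), the edit above done programmatically with Python's plistlib: the .mobileconfig is parsed as a plist, issupervised=true is added inside every VendorConfig dict exactly as in the snippet, and the script refuses to emit a file in which no VendorConfig was found. The sample profile is a constructed minimal stand-in; the real profile's other payload settings are not on the page and are assumed, not reproduced.

```python
import plistlib

# Constructed stand-in for the Microsoft profile: only the VendorConfig dict
# shown in the post is reproduced; the real profile's other payload settings
# are not on the page and are omitted here.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>VendorConfig</key>
      <dict>
        <key>SilentOnboard</key>
        <string>true</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

def add_issupervised(profile: bytes) -> bytes:
    """Add issupervised=true (as the string "true", matching the post's snippet)
    to every VendorConfig dict. Raises ValueError if none is found, so a profile
    with an unexpected layout is not uploaded unchanged by mistake."""
    root = plistlib.loads(profile)
    patched = 0

    def walk(node):
        nonlocal patched
        if isinstance(node, dict):
            vendor = node.get("VendorConfig")
            if isinstance(vendor, dict):
                vendor["issupervised"] = "true"
                patched += 1
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(root)
    if patched == 0:
        raise ValueError("no VendorConfig dict found in profile")
    return plistlib.dumps(root)

def vendor_config(profile: bytes) -> dict:
    """Return the first VendorConfig dict, to check the edit before upload."""
    return plistlib.loads(profile)["PayloadContent"][0]["VendorConfig"]
```

Run add_issupervised on the downloaded file's bytes and write the returned bytes to a new .mobileconfig before uploading it to Intune.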

Configuring notifications for Defender for Endpoint

This is optional but provides a better user experience; if it is not configured, the user has to manually allow the Defender application to send notifications.

Create a Device features profile

(Screenshot: Device feature profile)

Under App Notifications, add the following:

App bundle ID: com.microsoft.scmx
App name: Microsoft Defender for Endpoint
Publisher: Microsoft
Notifications: Enable

(Screenshot: Notifications)

You can control how the notifications look; the settings below provide a good user experience.

(Screenshot: App Notification Settings)

Make sure you assign the profile to Devices.

You are done. Remember that the device must have completed the enrollment process; if you are using the Company Portal during enrollment, nothing else is needed.

If you are using modern authentication during enrollment, you need to configure a Conditional Access policy that checks whether the device is compliant; this forces the user to sign in to the Company Portal and complete the enrollment process.

If you do not want to use a Conditional Access policy, I recommend Just In Time Registration, where the user does not need to sign in to the Company Portal to complete enrollment of the device. You can read more about setting up Just In Time Access here.
