The Zero Touch Control Filter has had its fair share of issues lately. The solution below was not created by me, but it is the only way I have been able to get this working properly, even when using the new Just In Time Registration.
Using the Microsoft-provided config file for the Zero Touch Control Filter, I have had no luck getting it to work properly on iOS 16.3. In this post we will edit the config file and add an extra key/value pair to fix the issue where Web Protection does not start automatically.
Microsoft Defender for Endpoint Application
First, make sure you have added the Microsoft Defender for Endpoint application and assigned it to your devices or users as required.
Make sure you set the License type to Device.
App configuration policy
Create a new App configuration policy with the settings below.
Assign it to Devices (you can use filters to target only company-owned devices, etc.).
Device configuration profile (Zero Touch Control Filter)
Deploy Microsoft Defender for Endpoint on iOS with Microsoft Endpoint Manager | Microsoft Learn
Microsoft provides the config profile on the site above or you can use the link below to download it.
https://aka.ms/mdeiosprofilesupervisedzerotouch
Creating the Zero Touch Control Filter Profile
Create a new device configuration profile: select Templates, then Custom.
Now add the Zero Touch Control Filter file we downloaded earlier to the custom device configuration profile.
Assign the profile to managed iOS devices.
It's not working for me: Web Protection does not start automatically.
As mentioned before, I have had no luck getting this profile to work properly. The bug described at the start of this post essentially states that the attribute "issupervised" is not set correctly. Microsoft has stated that this was fixed in iOS 16.3, but I still had issues, so with the help of the creator of the initial GitHub post I was advised to try the following solution, and I have had a 100% success rate using the modified version of the Zero Touch Control Filter.
Modifying the Zero Touch Control Filter
For more info on app configuration XML format:
Add app configuration policies for managed iOS/iPadOS devices – Microsoft Intune | Microsoft Learn
We will be adding two lines to the configuration file.
After you have downloaded the Zero Touch Control Filter config file, open it in your favourite text editor. On line 37 you should see the following:
<key>SilentOnboard</key>
<string>true</string>
This is where we add the extra lines. The end result should look like this:
    <key>VendorConfig</key>
    <dict>
        <key>issupervised</key>
        <string>true</string>
        <key>SilentOnboard</key>
        <string>true</string>
    </dict>
</dict>
Save the edited file and upload it to your custom configuration profile in Intune.
Make sure you assign the profile to Devices. Because this change hardcodes issupervised to true instead of letting the device report it, only target devices that really are supervised (this is the supervised variant of the profile to begin with).
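Hand-editing a .mobileconfig is easy to get wrong (a stray or missing tag makes Intune reject the upload), so here is an added example, not part of the original post or of Microsoft's profile, that makes the same change with plistlib and validates the result. The embedded SAMPLE_PROFILE is a constructed stand-in that only mimics the structure shown above (a webcontent-filter payload with a VendorConfig dict carrying SilentOnboard); the PayloadIdentifier/PayloadUUID values are made up, and it is not the file from the aka.ms link. Run it with the downloaded profile as the first argument and an output path as the second to patch the real file.

```python
"""Add issupervised=true next to SilentOnboard in a Zero Touch Control Filter profile."""
import plistlib
import sys

# Constructed sample that mimics the relevant part of the profile. It is NOT
# the Microsoft-provided file; identifiers and UUIDs are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadIdentifier</key>
            <string>com.example.mde.zerotouch.filter</string>
            <key>PayloadUUID</key>
            <string>00000000-0000-0000-0000-000000000001</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>FilterType</key>
            <string>Plugin</string>
            <key>PluginBundleID</key>
            <string>com.microsoft.scmx</string>
            <key>VendorConfig</key>
            <dict>
                <key>SilentOnboard</key>
                <string>true</string>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Zero Touch Control Filter (sample)</string>
    <key>PayloadIdentifier</key>
    <string>com.example.mde.zerotouch</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>00000000-0000-0000-0000-000000000002</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
"""


def patch_vendor_config(raw: bytes) -> bytes:
    """Return the profile with issupervised=true added to every VendorConfig
    that carries SilentOnboard. Raises if no such payload exists, so a wrong
    file is not silently re-emitted unchanged."""
    profile = plistlib.loads(raw)
    patched = 0
    for payload in profile.get("PayloadContent", []):
        vendor = payload.get("VendorConfig")
        if isinstance(vendor, dict) and "SilentOnboard" in vendor:
            # Put issupervised first to match the post; plist key order is
            # irrelevant to the parser, and re-running is idempotent.
            payload["VendorConfig"] = {"issupervised": "true", **vendor}
            patched += 1
    if patched == 0:
        raise ValueError("no VendorConfig with SilentOnboard found; is this the Zero Touch profile?")
    # Re-serialise as XML so the output is guaranteed well-formed.
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)


def vendor_config(raw: bytes) -> dict:
    """Parse a profile and return its first VendorConfig dict (for verification)."""
    profile = plistlib.loads(raw)
    for payload in profile.get("PayloadContent", []):
        if "VendorConfig" in payload:
            return payload["VendorConfig"]
    raise ValueError("no VendorConfig in profile")


def main(argv: list) -> None:
    if len(argv) == 3:
        with open(argv[1], "rb") as fh:
            raw = fh.read()
        patched = patch_vendor_config(raw)
        with open(argv[2], "wb") as fh:
            fh.write(patched)
        print("patched VendorConfig:", vendor_config(patched))
    else:
        # No arguments: demonstrate on the constructed sample.
        print(patch_vendor_config(SAMPLE_PROFILE).decode())


if __name__ == "__main__":
    main(sys.argv)
```

Using plistlib rather than string replacement means the output is reparsed from a real dictionary, so the `</dict>` nesting shown above cannot end up unbalanced, and the ValueError stops you from uploading an unrelated profile by mistake.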
Configuring notifications for Defender for Endpoint
This step is optional but gives a better user experience: if it is not configured, the user has to manually allow the Defender application to send notifications.
Create a Device features profile
Under App Notifications, add the following:
App bundle ID: com.microsoft.scmx
App name: Microsoft Defender for Endpoint
Publisher: Microsoft
Notifications: Enable
You can control how the notification should look; the settings below can be used to provide a good user experience.
Make sure you assign the profile to Devices.
You are done. Remember that the device must have completed the enrollment process; if you use the Company Portal during enrollment, you do not have to do anything else.
If you are using modern authentication during enrollment, you need to configure a Conditional Access policy that requires a compliant device; this forces the user to sign in to the Company Portal and complete the enrollment process.
If you do not want to use a Conditional Access policy, I would recommend using Just In Time Registration, where the user does not need to sign in to the Company Portal to complete the enrollment of the device. You can read more about setting up Just In Time Registration here.