In the previous article How to deploy Microsoft Defender for Endpoint on macOS via Intune I described how to deploy Microsoft Defender for Endpoint on macOS. In today’s article, we’ll look at how to deploy Microsoft Defender for Endpoint on iOS using Microsoft Intune.
Unlike Android, Microsoft Defender for Endpoint can be installed and configured on iOS in a completely zero-touch mode for the end user. The end user does not need to confirm any settings, permissions or anything else on their iOS/iPadOS device afterwards.

Configuration of a VPN tunnel for Microsoft Defender for Endpoint on iOS
Microsoft Defender for Endpoint on iOS uses a local VPN tunnel to the loopback address 127.0.0.1 to filter network traffic. This active VPN tunnel is required on all devices that are not in the supervised mode (managed under Apple Business Manager / Apple School Manager).
In the Microsoft Intune admin center, go to Devices – iOS/iPadOS – Configuration and create a new configuration profile. Select Template as the profile type and choose VPN from the menu.

Fill in any profile name. The next page is the actual configuration of the VPN profile. Select Custom VPN as the Connection type.

Base VPN
In the Connection name, type Microsoft Defender for Endpoint. The VPN server address is 127.0.0.1. As the Authentication method, select Username and password. Split tunneling is Disabled. In VPN identifier, type com.microsoft.scmx.
Next, you need to fill in the Enter key and value pairs for the custom VPN attributes section according to the table below.

Key | Value
---|---
SilentOnboard | True
SingleSignOn | True

Automatic VPN
From the Automatic VPN menu, select Type of automatic VPN: On-demand VPN. Add one new on-demand rule below, select I want to do the following: Connect VPN and I want to restrict to: All domains.

Set Block users from disabling VPN to Yes.

Publish the Microsoft Defender for Endpoint app
Before we can configure the Microsoft Defender for Endpoint app, we need to add the app to Microsoft Intune. Go to Apps – iOS/iPadOS and click Add. Select iOS store app in the App type dropdown menu.

On the next page, click the Search the App Store link and search Microsoft Defender: Security.

App configuration policy for Microsoft Defender for Endpoint on iOS
The last part is to configure the Microsoft Defender for Endpoint app itself on iOS. So go to Apps – App configuration policies and create a new policy for managed devices.

Give the policy some name. Select iOS/iPadOS as the platform. Then click Targeted app and select Microsoft Defender: Security.

On the next page, select Use configuration designer from the Configuration settings format dropdown menu.
All configuration options are described in the official documentation. I am going to focus only on the important settings that you should configure, as shown in the table below.

Configuration key | Value type | Configuration value
---|---|---
DefenderNetworkProtectionEnable | String | true |
DefenderOpenNetworkDetection | Integer | 2 |
DefenderEndUserTrustFlowEnable | String | false |
DefenderNetworkProtectionAutoRemediation | String | true |
DefenderNetworkProtectionPrivacy | String | false |
WebProtection | String | true |
DefenderExcludeURLInReport | Boolean | false |
DefenderOptionalVPN | Boolean | false |
DefenderTVMPrivacyMode | String | false |
DisableSignOut | String | true |
DefenderSendFeedback | Boolean | false |
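
As an added example (not the article's or Microsoft's code), the following Python script encodes the table above as a baseline and audits an existing app configuration policy for drift. It assumes the policy's settings are read from Microsoft Graph as `appConfigurationSettingItem` objects (`appConfigKey`, `appConfigKeyType`, `appConfigKeyValue`); the mapping of designer value types to Graph enum values and the sample policy are constructed here.

```python
"""Drift audit of an Intune iOS app configuration policy for Microsoft Defender
for Endpoint against the article's baseline (added example, not Microsoft's code)."""
from typing import Dict, List, Tuple

# Baseline from the table above: key -> (Intune value type, expected value).
BASELINE: Dict[str, Tuple[str, str]] = {
    "DefenderNetworkProtectionEnable": ("String", "true"),
    "DefenderOpenNetworkDetection": ("Integer", "2"),
    "DefenderEndUserTrustFlowEnable": ("String", "false"),
    "DefenderNetworkProtectionAutoRemediation": ("String", "true"),
    "DefenderNetworkProtectionPrivacy": ("String", "false"),
    "WebProtection": ("String", "true"),
    "DefenderExcludeURLInReport": ("Boolean", "false"),
    "DefenderOptionalVPN": ("Boolean", "false"),
    "DefenderTVMPrivacyMode": ("String", "false"),
    "DisableSignOut": ("String", "true"),
    "DefenderSendFeedback": ("Boolean", "false"),
}
# Configuration designer value types -> Graph appConfigKeyType values (assumed mapping).
GRAPH_TYPES = {"String": "stringType", "Integer": "integerType", "Boolean": "booleanType"}


def baseline_settings() -> List[dict]:
    """Render the baseline as Graph appConfigurationSettingItem objects."""
    return [{"appConfigKey": k, "appConfigKeyType": GRAPH_TYPES[t], "appConfigKeyValue": v}
            for k, (t, v) in BASELINE.items()]


def audit(settings: List[dict]) -> List[str]:
    """Compare a policy's settings list with the baseline; return human-readable findings."""
    findings: List[str] = []
    by_key = {s["appConfigKey"]: s for s in settings}
    for key, (vtype, expected) in BASELINE.items():
        item = by_key.get(key)
        if item is None:
            findings.append(f"missing: {key} (expected {expected})")
            continue
        if item.get("appConfigKeyType") != GRAPH_TYPES[vtype]:
            findings.append(f"wrong type: {key} is {item.get('appConfigKeyType')}")
        if str(item.get("appConfigKeyValue", "")).strip().lower() != expected:
            findings.append(f"drift: {key}={item.get('appConfigKeyValue')!r}, expected {expected!r}")
    return findings


# Constructed sample policy: the VPN was left user-disableable and DisableSignOut is missing.
SAMPLE_POLICY = [s for s in baseline_settings() if s["appConfigKey"] != "DisableSignOut"]
for s in SAMPLE_POLICY:
    if s["appConfigKey"] == "DefenderOptionalVPN":
        s["appConfigKeyValue"] = "true"
```

Running `audit(SAMPLE_POLICY)` reports the optional-VPN drift and the missing sign-out lock; a policy that matches the table returns an empty list.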

