diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index d04735e349..10354d8762 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -28,40 +28,11 @@ ms.technology: mde > [!NOTE] > Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. -## Configure compliance policy against jailbroken devices +## Conditional Access with Defender for Endpoint for iOS +Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. - -> [!NOTE] -> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally - -Follow the steps below to create a compliance policy against jailbroken devices. - -1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. - - > [!div class="mx-imgBorder"] - > ![Create Policy](images/ios-jb-policy.png) - -1. Specify a name of the policy, example "Compliance Policy for Jailbreak". -1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. - - > [!div class="mx-imgBorder"] - > ![Policy Settings](images/ios-jb-settings.png) - -1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**. - - > [!div class="mx-imgBorder"] - > ![Policy Actions](images/ios-jb-actions.png) - -1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**. -1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - -## Configure custom indicators - -Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators. - -> [!NOTE] -> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune] (https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Web Protection and VPN @@ -79,10 +50,46 @@ While enabled by default, there might be some cases that require you to disable > [!NOTE] > Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**. -### Co-existence of multiple VPN profiles +## Co-existence of multiple VPN profiles Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. + +## Configure compliance policy against jailbroken devices + +To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. + +> [!NOTE] +> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally + +Follow the steps below to create a compliance policy against jailbroken devices. + +1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. + + > [!div class="mx-imgBorder"] + > ![Create Policy](images/ios-jb-policy.png) + +2. Specify a name of the policy, for example "Compliance Policy for Jailbreak". +3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. + + > [!div class="mx-imgBorder"] + > ![Policy Settings](images/ios-jb-settings.png) + +4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**. + + > [!div class="mx-imgBorder"] + > ![Policy Actions](images/ios-jb-actions.png) + +5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**. +6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. + +## Configure custom indicators + +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). + +> [!NOTE] +> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. + ## Report unsafe site Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.