Merge pull request #8733 from sunasing/sunasing-ios-ga

Changes in Deployment steps for GA

windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md

@@ -27,20 +27,12 @@ ms.topic: conceptual
 > [!NOTE]
 > Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
 
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-
 ## Configure compliance policy against jailbroken devices
 
 To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
 
 > [!NOTE]
-> Currently Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. Some data like your corporate email id and corporate profile picture (if available) will be exposed to the attacker on the jailbroken device.
+> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
 
 Follow the steps below to create a compliance policy against jailbroken devices.
 
@@ -73,3 +65,7 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i
 ## Web Protection
 
 By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
+
+## Report unsafe site
+
+Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.

windows/security/threat-protection/microsoft-defender-atp/ios-install.md

@@ -20,44 +20,50 @@ ms.collection:
 ms.topic: conceptual
 ---
 
-# App-based deployment for Microsoft Defender for Endpoint for iOS
+# Deploy Microsoft Defender for Endpoint for iOS
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-> [!IMPORTANT]
+This topic describes deploying Defender for Endpoint for iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll).
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-Defender for Endpoint for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
-
-Deployment devices need to be enrolled on Intune Company portal. Refer to
-[Enroll your
-device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
-learn more about Intune device enrollment
 
 ## Before you begin
 
--   Ensure you have access to [Microsoft Endpoint manager admin
+- Ensure you have access to [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-    center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
--   Ensure iOS enrollment is done for your users. Users need to have Defender for Endpoint
+- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint for iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses.
-    license assigned in order to use Defender for Endpoint for iOS. Refer [Assign licenses to
-    users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
-    for instructions on how to assign licenses.
 
+> [!NOTE]
+> Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore).
 
 ## Deployment steps
 
-To install Defender for Endpoint for iOS, end-users can visit
+Deploy Defender for Endpoint for iOS via Intune Company Portal.
-<https://aka.ms/defenderios> on their iOS devices. This link will open the
-TestFlight application on their device or prompt them to install TestFlight. On
-the TestFlight app, follow the onscreen instructions to install Defender for Endpoint.
 
+### Add iOS store app
 
-![Image of deployment steps](images/testflight-get.png)
+1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** -> **iOS/iPadOS** -> **Add** -> **iOS store app** and click **Select**.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-1.png)
+
+1. On the Add app page, click on **Search the App Store** and type **Microsoft Defender ATP** in the search bar. In the search results section, click on *Microsoft Defender ATP* and click **Select**.
+
+1. Select **iOS 11.0** as the Minimum operating system. Review the rest of information about the app and click **Next**.
+
+1. In the *Assignments* section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint for iOS app. Click **Select** and then **Next**.
+
+    > [!NOTE]
+    > The selected user group should consist of Intune enrolled users.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-2.png)
+
+1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page.
+
+1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-3.png)
 
 ## Complete onboarding and check status
 
@@ -66,16 +72,66 @@ the TestFlight app, follow the onscreen instructions to install Defender for End
 
     ![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png)
 
-2.  Tap the Defender for Endpoint app icon and follow the on-screen
+2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint for iOS.
-    instructions to complete the onboarding steps. The details include end-user
-    acceptance of iOS permissions required by Defender for Endpoint for iOS.
 
-3.  Upon successful onboarding, the device will start showing up on the Devices
+3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
-    list in Microsoft Defender Security Center.
 
     > [!div class="mx-imgBorder"]
     > ![A screenshot of a cell phone Description automatically generated](images/e07f270419f7b1e5ee6744f8b38ddeaf.png)
 
+## Configure Microsoft Defender for Endpoint for Supervised Mode
+
+The Microsoft Defender for Endpoint for iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode.
+
+### Configure Supervised Mode via Intune
+
+Intune allows you to configure the Defender for iOS app through an App Configuration policy.
+
+    > [!NOTE]
+    > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add**. Click on **Managed devices**.
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-4.png)
+
+1. In the *Create app configuration policy* page, provide the following information:
+    - Policy Name
+    - Platform: Select iOS/iPadOS
+    - Targeted app: Select **Microsoft Defender ATP** from the list
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-5.png)
+
+1. In the next screen, select **Use configuration designer** as the format. Specify the following property:
+    - Configuration Key: issupervised
+    - Value type: String
+    - Configuration Value: {{issupervised}}
+    
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-6.png)
+
+1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue.
+
+1. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it is best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).
+
+   When deploying to user groups, a user must sign in to a device before the policy applies.
+
+   Click **Next**.
+
+1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
+
+1. Next, for enhanced Anti-phishing capabilities, you can deploy a custom profile on the supervised iOS devices. Follow the steps below:
+    - Download the config profile from [https://aka.ms/mdatpiossupervisedprofile](https://aka.ms/mdatpiossupervisedprofile)
+    - Navigate to **Devices** -> **iOS/iPadOS** -> **Configuration profiles** -> **Create Profile**
+
+    > [!div class="mx-imgBorder"]
+    ![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-7.png)
+
+    - Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded above.
+    - In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Click **Next**.
+    - On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
+
 ## Next Steps
 
 [Configure Defender for Endpoint for iOS features](ios-configure-features.md)

windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md

@@ -24,53 +24,51 @@ ms.topic: conceptual
 
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 
-
+**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
-> 
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
-> 
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-
-The public preview of Defender for Endpoint for iOS will offer protection
-against phishing and unsafe network connections from websites, emails, and apps.
-All alerts will be available through a single pane of glass in the Microsoft
-Defender Security Center. The portal gives security teams a centralized view of threats on
 iOS devices along with other platforms.
 
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors.
+
 ## Pre-requisites
 
-
 **For End Users**
 
--   Defender for Endpoint license assigned to the end user(s) of the app. Refer
+- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
-    [Assign licenses to
+
-    users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
+- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
-    for instructions on how to assign licenses.
+    - Intune Company Portal app can be downloaded from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
+
+- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
 
 **For Administrators**
 
--   Access to the Microsoft Defender Security Center portal
+- Access to the Microsoft Defender Security Center portal.
 
--   Access to [Microsoft Endpoint Manager admin
+    > [!NOTE]
-    center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
+    > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune.
-    to enrolled user groups in your organization
+
+- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
 
 **System Requirements**
 
--   iOS devices running iOS 11.0 and later
+- iOS devices running iOS 11.0 and above.
 
--   Device is enrolled with Intune Company Portal
+- Device is enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358).
-    [app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
+
+> [!NOTE]
+> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
+
+## Installation instructions
+
+Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported.
+For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md).
 
 ## Resources
 
--   Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)
+- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
-
--   Provide feedback through in-app feedback system or through [SecOps
-    portal](https://securitycenter.microsoft.com)
 
+- Provide feedback through in-app feedback system or through [SecOps portal](https://securitycenter.microsoft.com)
 
 ## Next steps