Global Secure Access client for iOS (Preview)

Important

The Global Secure Access client for iOS is currently in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

This article explains how to set up and deploy the Global Secure Access client app onto iOS and iPadOS devices. For simplicity, this article refers to both iOS and iPadOS as iOS.

Caution

Running other third-party endpoint protection products alongside Defender for Endpoint on iOS is likely to cause performance problems and unpredictable system errors.

Note

  • The Global Secure Access client is deployed via Microsoft Defender for Endpoint on iOS.
  • The Global Secure Access client on iOS uses a VPN. This VPN is not a regular VPN. Instead, it's a local/self-looping VPN.

Prerequisites

Requirements

Network requirements

For Microsoft Defender for Endpoint on iOS (available in the Apple App Store) to function when connected to a network, you must configure the firewall/proxy to Enable access to Microsoft Defender for Endpoint service URLs.

Note

Microsoft Defender for Endpoint on iOS isn't supported on userless or shared devices.

System requirements

The iOS device (phone or tablet) must meet the following requirements:

  • The device has iOS 15.0 or newer installed.
  • The device has the Microsoft Authenticator app or the Intune Company Portal app installed.
  • The device is enrolled to enforce Intune device compliance policies.

Supported modes

The Global Secure Access client for iOS supports installation on both modes of enrolled devices: supervised and unsupervised devices.

Supported traffic forwarding profiles

The Global Secure Access client for iOS supports the Microsoft traffic forwarding profile and the Private Access traffic forwarding profile. For more information, see Global Secure Access traffic forwarding profiles.

Known limitations

This feature has one or more known limitations. For more detailed information about the known issues and limitations of this feature, see Known Limitations for Global Secure Access.

Installation Steps

Deploy on Device Administrator enrolled devices with Microsoft Intune

  1. In the Microsoft Intune admin center, go to Apps > iOS/iPadOS > Add > iOS store app and select Select.
    Screenshot of the Microsoft Intune admin center with the steps to add an iOS store app highlighted.

  2. On the Add app page, select Search the App Store and type Microsoft Defender in the search bar.

  3. In the search results, select Microsoft Defender and select Select.

  4. Select iOS 15.0 as the minimum operating system. Review the rest of information about the app and select Next.

  5. In the Assignments section, go to the Required section and select Add group.
    Screenshot of the Add App screen with the Add group option highlighted.

  6. Choose the user groups that you would like to target with the Defender for Endpoint on iOS app.

Note

The selected user group should consist of Microsoft Intune enrolled users.

  1. Select Select and then Next.
  2. In the Review + Create section, verify that all the information entered is correct and then select Create. After a few moments, the Defender for Endpoint app is created successfully, and a notification appears at the top-right corner of the page.
  3. On the app information page, in the Monitor section, select Device install status to verify that the device installation is completed successfully.
    Screenshot of the Device install status screen showing a list of installed devices.

Create a VPN profile and configure Global Secure Access for Microsoft Defender for Endpoint

  1. In the Microsoft Intune admin center, go to Devices > Configuration Profiles > Create Profile.

  2. Set the Platform to iOS/iPadOS, the Profile type to Templates, and the Template name to VPN.

  3. Select Create.

  4. Type a name for the profile and select Next.

  5. Set the Connection Type to Custom VPN.

  6. In the Base VPN section, enter the following:

    • Connection Name: Microsoft Defender for Endpoint
    • VPN server address: 127.0.0.1
    • Auth method: "Username and password"
    • Split Tunneling: Disable
    • VPN identifier: com.microsoft.scmx
  7. In the key-value pairs fields:

    • Add the key SilentOnboard and set the value to True.

    • Add the key EnableGSA and set the appropriate value from the following table:

      Key Value Details
      EnableGSA No value Global Secure Access isn't enabled and tile isn't visible.
      0 Global Secure Access in not enabled and tile isn't visible.
      1 The tile is visible and defaults to false (disabled state). User can enable or disable Global Secure Access using the toggle from the app.
      2 The tile is visible and defaults to true (enabled state). User can override. User can enable or disable Global Secure Access using the toggle from the app.
      3 The tile is visible and defaults to true (enabled state). User cannot disable Global Secure Access.
    • Add more key-value pairs as required (optional):

      Key Value Details
      EnableGSAPrivateChannel No value Global Secure Access is enabled by default. User can enable or disable.
      0 Global Secure Access isn't enabled and toggle isn't visible to user.
      1 Toggle is visible and defaults to false (disabled state). User can enable or disable.
      2 Tile is visible and defaults to true (enabled state). User can enable or disable.
      3 Toggle is visible and grayed out and defaults to true (enabled state). User cannot disable Global Secure Access.
  8. Continue filling out the VPN form:

    • Type of Automatic VPN: On-demand VPN
    • On Demand Rules: select Add and then:
      • Set I want to do the following to Connect VPN.
      • Set I want to restrict to All domains. Screenshot of the VPN screen showing example setup parameters.
  9. To prevent end users from disabling VPN, set Block users from disabling automatic VPN to Yes. By default, this setting isn't configured and users can disable VPN only in the Settings.

  10. To allow users to use the VPN toggle from within the app, add the key-value pair EnableVPNToggleInApp = TRUE. By default, users can't change the toggle from within the app.

  11. Select Next and assign the profile to targeted users.

  12. In the Review + Create section, verify that all the information is correct and then select Create.

Once the configuration is complete and synced with the device, the following actions take place on the targeted iOS devices:

  • Microsoft Defender for Endpoint is deployed and silently onboarded.
  • The device is listed in the Defender for Endpoint portal.
  • A provisional notification is sent to the user device.
  • Global Secure Access and other Microsoft Defender for Endpoint (MDE)-configured features are activated.

Confirm Global Secure Access appears in Defender app

Because the Global Secure Access client for iOS is integrated with Microsoft Defender for Endpoint, it's helpful to understand the end user experience. The client appears in the Defender dashboard after onboarding to Global Secure Access.
Screenshot of the iOS Microsoft Defender dashboard.

You can enable or disable the Global Secure Access client for iOS by setting the EnableGSA key in the VPN profile. Depending on the configuration settings, end users can enable or disable individual Services or the client itself using the appropriate toggles.
Screenshot of the Global Secure Access client on iOS showing both the Enabled and Disabled status screens.

If the client is unable to connect, a toggle appears to disable the service. Users can come back later to try enabling the client.
Screenshot of the Global Secure Access client on iOS showing the message, Unable to connect.

Troubleshooting

  • The Global Secure Access tile doesn't appear in the Defender app after onboarding the tenant:
    • Force stop the Defender app and relaunch it.
  • Access to the Private Access application shows a connection time-out error after a successful interactive sign-in.
    • Reload the application (or refresh the web browser).