iOS devices (such as iPhones and iPads) can run in two modes—the normal user mode (also referred to as unsupervised) and supervised mode—a special enterprise configuration that allows more control
over organization-managed devices.

Out of Scope
Intune and Defender for Endpoint can be deployed to devices in either normal (unsupervised) or supervised mode. Supervised mode requires additional configuration with Apple Configurator and must be set up prior to a device being activated. Most organizations working with device supervision typically deploy Apple School Manager, Apple Business Manager, or Apple Business Essentials. Configuring supervised mode through Apple School Manager, Apple Business Manager, or Apple Business Essentials is outside the scope of the MS-102 exam. You can learn more about Apple Configurator here: https://support.apple.com/guide/apple-configurator-mac.

MDE on iOS can still be deployed with Intune through the Intune Company Portal app—even if the device isn’t in supervised mode. It can also be individually installed and activated by end users
through the Apple App Store.

All Devices
Users who have devices (whether they are supervised or not) can receive MDE as an application through Intune if they are enrolled. To configure MDE for deployment through the Intune Company
Portal app, follow these steps:

1. Navigate to the Intune admin center (https://intune.microsoft.com).
2. From the navigation menu, select Apps and then select iOS/iPadOS under By platform. See Figure 9.26:

Figure 9.26 – Configuring an iOS app

3. Select Add.
4. On the Select app type flyout, choose iOS store app and click Select.
5. On the App information tab, click the Search the App Store link and locate the Microsoft Defender app. Click Select.
6. Under the Minimum operating system dropdown, select iOS 14.0. That is the minimum operating system that the Defender app supports. Click Next.
7. On the Assignments tab, under Required, click Add group to specify which users will get the app deployed.
8. Click Next.
9. Click Create.

As devices are enrolled (either supervised or unsupervised), Defender will be automatically deployed as long as the user has a MDE license assigned.

Supervised Devices

In addition to the core MDE settings, supervised devices can also enforce network monitoring and safe browsing experiences. Much like the custom macOS configuration profiles deployed earlier, the MDE network settings for supervised devices are deployed as configuration profiles. To create the configuration profile, follow these steps:

1. Download the configuration file from https://aka.ms/mdatpiossupervisedprofile and save it to a temporary location.
2. On the Devices | Configuration profiles page in the Intune admin center (https://endpoint. microsoft.com or https://intune.microsoft.com), click Create profile.
3. On the Create a profile flyout, under Platform, select iOS/iPadOS. Under Profile type, select Templates and then choose Custom. Click Next.
4. On the Basics tab, enter a name and description and click Next.
5. On the Configuration settings tab, enter a custom configuration profile name to identify this configuration.
6. Under Configuration profile name, click the folder icon and browse to the folder containing the downloaded configuration file. Select the Microsoft_Defender_for_Endpoint_ Control_Filter.mobileconfig file and click Next.
7. On the Assignments tab, under Included Groups, choose to add groups containing devices that will be in scope for the policy.
8. On the Review + create tab, verify the settings and click Create.

As supervised devices are onboarded, they will be configured with the networking profile.