This article explains how to set up and deploy the Global Secure Access client app on iOS and iPadOS devices. For simplicity, this article refers to both iOS and iPadOS as iOS.
The Global Secure Access client is deployed through Microsoft Defender for Endpoint on iOS. On iOS the client is delivered as a VPN configuration, but it isn't a regular VPN: it's a local, self-looping VPN that terminates on the device itself rather than on a remote VPN server.
Caution
Running non-Microsoft endpoint protection products alongside Defender for Endpoint on iOS is likely to cause performance problems and unpredictable system errors.
Prerequisites
- To use the Global Secure Access iOS client, configure the iOS endpoint device as a Microsoft Entra registered device.
- To enable Global Secure Access for your tenant, refer to the licensing requirements. If necessary, you can purchase licenses or get trial licenses.
- Onboard the tenant to Global Secure Access, and configure one or more traffic forwarding profiles. For more information, see Access the Global Secure Access area of the Microsoft Entra admin center.
- To enable a Kerberos single sign-on (SSO) experience, create and deploy a profile for the iOS SSO app extension.
Requirements
Network requirements
For Microsoft Defender for Endpoint on iOS to function when it's connected to a network, you must configure the firewall/proxy to enable access to Microsoft Defender for Endpoint service URLs. Microsoft Defender for Endpoint on iOS is available in the Apple App Store.
Note
Microsoft Defender for Endpoint on iOS isn't supported on userless or shared devices.
System requirements
The iOS device (phone or tablet) must meet the following requirements:
- The device runs iOS 16.0 or newer.
- The device has the Microsoft Authenticator app or the Intune Company Portal app.
- If the device is supervised, it must be enrolled to apply Intune device compliance policies.
Known limitations
For detailed information about known issues and limitations, see Known limitations for Global Secure Access.
Installation steps
Deploy on Device Administrator enrolled devices with Microsoft Intune
In the Microsoft Intune admin center, go to Apps > iOS/iPadOS > Add > iOS store app. Then choose Select.
On the Add app page, select Search the App Store and enter Microsoft Defender on the search bar.
In the search results, select Microsoft Defender and then choose Select.
Select iOS 16.0 as the minimum operating system. Review the rest of the information about the app, and then select Next.
In the Assignments section, go to the Required section and select Add group.
Choose the user groups to target with the Defender for Endpoint on iOS app.
Note
Selected user groups should consist of Microsoft Intune enrolled users.
Choose Select, and then select Next.
In the Review + Create section, verify that all the entered information is correct and then select Create. After a few moments, the Defender for Endpoint app is created successfully, and a notification appears at the upper-right corner of the page.
On the app information page, in the Monitor section, select Device install status to verify that the device installation finished successfully.
Create a VPN profile and configure Global Secure Access for Microsoft Defender for Endpoint
In the Microsoft Intune admin center, go to Devices > Configuration > Create > New Policy.
Set Platform to iOS/iPadOS, Profile type to Templates, and Template name to VPN.
Select Create.
Enter a name for the profile, and then select Next.
Set Connection type to Custom VPN.
In the Base VPN section, enter the following information:
- Connection name: Microsoft Defender for Endpoint
- VPN server address: 127.0.0.1
- Authentication method: Username and password
- Split tunneling: Disable
- VPN identifier: com.microsoft.scmx
In the boxes for key/value pairs:
- Add the EnableGSA key and set the appropriate value from the following table:

| Key | Value | Details |
| --- | --- | --- |
| EnableGSA | No value | Global Secure Access isn't enabled and the tile isn't visible. |
| EnableGSA | 0 | Global Secure Access isn't enabled and the tile isn't visible. |
| EnableGSA | 1 | Global Secure Access tile is visible and defaults to a disabled state. The user can enable or disable the tile by using the toggle. |
| EnableGSA | 2 | Global Secure Access tile is visible and defaults to an enabled state. The user can enable or disable the tile by using the toggle from the app. |
| EnableGSA | 3 | Global Secure Access tile is visible and defaults to an enabled state. The user can't disable Global Secure Access. |

- Add the SilentOnboard key and set the value to True.
- Add more key/value pairs as required (optional). If you add the EnableGSAPrivateChannel key, select one of the following values:

| Key | Value | Details |
| --- | --- | --- |
| EnableGSAPrivateChannel | No value | Use the option configured by EnableGSA. |
| EnableGSAPrivateChannel | 0 | Private Access isn't enabled and the toggle option isn't visible to the user. |
| EnableGSAPrivateChannel | 1 | The Private Access toggle is visible and defaults to a disabled state. The user can enable or disable it. |
| EnableGSAPrivateChannel | 2 | The Private Access toggle is visible and defaults to an enabled state. The user can enable or disable it. |
| EnableGSAPrivateChannel | 3 | The Private Access toggle is visible but unavailable, and it defaults to an enabled state. The user can't disable Private Access. |
For Type of automatic VPN, select On-demand VPN.
For On-demand rules, select Add and then:
- Set I want to do the following to Connect VPN.
- Set I want to restrict to All domains.
To prevent users from disabling the VPN, set Block users from disabling automatic VPN to Yes. By default, this setting isn't configured, and users can disable the VPN only in the settings.
Select Next and assign the profile to targeted users.
In the Review + Create section, verify that all the information is correct and then select Create.
After the configuration is complete and synced with the device, the following actions take place on the targeted iOS devices:
- Microsoft Defender for Endpoint is deployed and silently onboarded.
- The device is listed in the Defender for Endpoint portal.
- A provisional notification is sent to the user device.
- Global Secure Access and other Microsoft Defender for Endpoint-configured features are activated.
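An added example (not part of the article or of Microsoft's tooling) that audits an exported iOS VPN profile against the settings prescribed above, flagging a profile that would leave the tile hidden, split tunneling on, or the VPN disableable by the user. The dict field names (server.address, identifier, enableSplitTunneling, customData, onDemandRules, disableOnDemandUserOverride) are assumed to follow the Microsoft Graph iosVpnConfiguration resource; adjust them to whatever export format you actually audit.

```python
"""Audit an Intune iOS custom VPN profile (held as a dict) against the
Global Secure Access settings this article prescribes.  Field names are
an assumption modelled on the Graph iosVpnConfiguration resource."""

VALID_VALUES = {"0", "1", "2", "3"}

# Constructed sample that matches the article's Base VPN and key/value settings.
SAMPLE_PROFILE = {
    "connectionName": "Microsoft Defender for Endpoint",
    "server": {"address": "127.0.0.1"},
    "authenticationMethod": "usernameAndPassword",
    "enableSplitTunneling": False,
    "identifier": "com.microsoft.scmx",
    "customData": [{"key": "EnableGSA", "value": "3"},
                   {"key": "SilentOnboard", "value": "True"}],
    "onDemandRules": [{"action": "connect"}],
    "disableOnDemandUserOverride": True,
}

def audit_gsa_vpn_profile(profile: dict) -> list[str]:
    """Return findings as 'error: ...' or 'info: ...' strings; empty means compliant."""
    findings = []
    if profile.get("server", {}).get("address") != "127.0.0.1":
        findings.append("error: VPN server address must be the loopback address 127.0.0.1")
    if profile.get("identifier") != "com.microsoft.scmx":
        findings.append("error: VPN identifier must be com.microsoft.scmx")
    if profile.get("enableSplitTunneling", True):
        findings.append("error: split tunneling must be disabled")
    # Flatten the key/value pairs; values are compared as strings.
    custom = {kv.get("key"): str(kv.get("value")) for kv in profile.get("customData", [])}
    gsa = custom.get("EnableGSA")
    if gsa not in VALID_VALUES or gsa == "0":
        findings.append("error: EnableGSA missing or 0, so the Global Secure Access tile stays hidden")
    elif gsa in ("1", "2"):
        findings.append(f"info: EnableGSA={gsa}, users can switch Global Secure Access off")
    if custom.get("SilentOnboard", "").lower() != "true":
        findings.append("error: SilentOnboard must be True for silent onboarding")
    private = custom.get("EnableGSAPrivateChannel")
    if private is not None and private not in VALID_VALUES:
        findings.append(f"error: EnableGSAPrivateChannel={private!r} is not one of 0-3")
    if not any(r.get("action") == "connect" for r in profile.get("onDemandRules", [])):
        findings.append("error: no on-demand rule that connects the VPN")
    if not profile.get("disableOnDemandUserOverride"):
        findings.append("info: users can disable the automatic VPN from settings")
    return findings

if __name__ == "__main__":
    for line in audit_gsa_vpn_profile(SAMPLE_PROFILE) or ["compliant"]:
        print(line)
```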
Confirm Global Secure Access appears in the Defender app
Because the Global Secure Access client for iOS is integrated with Microsoft Defender for Endpoint, it's helpful to understand the user experience. The client appears in the Defender dashboard after you onboard to Global Secure Access.
You can enable or disable the Global Secure Access client for iOS by setting the EnableGSA key in the VPN profile. Users can enable or disable individual services or the client itself based on the configuration settings, by using the appropriate toggles.
Troubleshooting
If the Global Secure Access tile doesn't appear in the Defender app after you onboard the tenant, reopen the Defender app.
If access to the Private Access application shows a connection timeout error after a successful interactive sign-in, reload the application (or refresh the web browser).
Related content
- Troubleshoot the Global Secure Access mobile client: Advanced diagnostics
- Troubleshoot the Global Secure Access mobile client with Health check utility
- Microsoft Defender for Endpoint on iOS
- Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune
- Install the Global Secure Access client for macOS
- Install the Global Secure Access client for Windows
- Install the Global Secure Access client for Android