Global Secure Access (GSA) Microsoft Traffic profile dive part 2 - iOS / iPadOS

Writer: Vlad Johansen

Hello everyone!


In my previous blog post from 27.01.25 I explained what GSA is and we dived into Microsoft Traffic profile on Windows.


Now it's time to show you the functionality on iOS / iPadOS devices. It's still in preview for Apple users, but it works fine.


Let's look at prerequisites and requirements once again


Prerequisites


  • iOS / iPadOS devices need to be enrolled in Intune, at least as personally owned devices with work profile, and need to run at least iOS/iPadOS 15.0

  • Users need at least a Microsoft 365 Business Premium license, which includes Entra ID P1 and Defender for Business



Requirements

  • GSA needs to be activated on the tenant with a configured Microsoft traffic profile

  • The Microsoft Defender app needs to be pushed as a required app to iOS/iPadOS devices with Intune

  • A configuration profile (VPN template) needs to be created for silent Defender onboarding and GSA onboarding


Let's go


First of all, make sure that your Apple MDM push certificate is OK in Intune.


  1. Go to intune.microsoft.com -> Devices -> iOS/iPadOS -> Enrollment and press Apple MDM Push Certificate

  2. Check that the status is Active

    If not, then you need to set up the certificate by following all the required steps in this window


  3. Set up your preferred enrollment methods, restrictions, applications, configuration and compliance policies if they do not already exist.

  4. Now go to Apps -> iOS/iPadOS and click Add

  5. Press Search the App Store, search for "Microsoft Defender", hit enter, select Microsoft Defender: Security and press Select

  6. Choose iOS 15.0 as the minimum operating system and press Next

  7. Select groups, devices or users in the Required scope and press Next.

  8. Review your configuration and press Create. This pushes the application to end users' devices automatically, without the user having to install it manually from the Company Portal app

  9. Now go to Devices -> iOS/iPadOS -> Configuration and press Create -> New Policy

  10. Choose Templates -> VPN and press Create

  11. I'll call my policy "[TEST] iOS/iPadOS - Personal owned work profile - Defender silent onboarding and GSA profile" because this is my naming standard.

Press Next when ready


  12. Now configure these settings

PS: Under the custom VPN attributes, the EnableGSA key accepts several values


Here is the table (Microsoft Learn)



Here is another table for the Private Access settings, but we will skip those because we only focus on the Microsoft traffic profile



I will just use EnableGSA = 1, because I prefer to use this method while testing


  13. Now configure the automatic VPN settings

On Demand Rules: select Add and then:

  • Set I want to do the following to Connect VPN.

  • Set I want to restrict to All domains.


Proxy settings do not need to be configured.


  14. Scope this policy to groups, users or devices, then review and save.



    By doing this we push the VPN profile and the GSA settings to the device and onboard the device to the Defender portal.


    PS: I also recommend enabling the setting under Apps that prevents users from uninstalling the app from their devices and that uninstalls the app automatically when the device is unenrolled from Intune.
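The same VPN profile can be created from PowerShell instead of clicking through the portal. The following is an added example and not code from the original post: it creates the Defender silent-onboarding VPN profile with the EnableGSA attribute through the Microsoft Graph beta endpoint and assigns it to a group. The group id is a placeholder; the VPN field values (custom VPN, connection name, loopback server address, identifier com.microsoft.scmx, SilentOnboard key) follow Microsoft's published Defender for Endpoint iOS zero-touch onboarding settings, and the mapping of the "Connect VPN / All domains" on-demand rule to a bare connect rule is an assumption to verify against the profile the portal produces.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# Assumptions: $groupId is a placeholder; the VPN settings follow Microsoft's
# Defender for Endpoint iOS zero-touch onboarding documentation.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$graph   = "https://graph.microsoft.com/beta"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your test group

# EnableGSA: "1" = user can toggle, off by default; "3" = always on, user cannot turn it off
$enableGsa = "1"

$vpnProfile = @{
    "@odata.type"        = "#microsoft.graph.iosVpnConfiguration"
    displayName          = "[TEST] iOS/iPadOS - Personal owned work profile - Defender silent onboarding and GSA profile"
    connectionName       = "Microsoft Defender for Endpoint"
    connectionType       = "customVpn"
    identifier           = "com.microsoft.scmx"            # Defender's VPN extension bundle id
    server               = @{ address = "127.0.0.1"; description = "Microsoft Defender for Endpoint"; isDefaultServer = $true }
    authenticationMethod = "usernameAndPassword"
    enableSplitTunneling = $false
    customData           = @(
        @{ key = "SilentOnboard"; value = "True" }          # onboard to Defender without opening the app
        @{ key = "EnableGSA";     value = $enableGsa }      # show the GSA client inside Defender
    )
    # On-demand rule "Connect VPN" restricted to "All domains": a connect action with no
    # SSID or search-domain match (assumption: this is how the portal encodes "All domains")
    onDemandRules        = @(
        @{ action = "connect" }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations" `
    -Body ($vpnProfile | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created profile $($created.id)"

# Scope the profile to the test group (the Assignments step in the portal)
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the profile back so the stored key/value pairs can be compared with the portal view
$stored = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)"
$stored.customData | ForEach-Object { "{0} = {1}" -f $_.key, $_.value }
```

Compare the read-back customData list with what the portal shows on the profile before assigning it to anything beyond a test group; the key names are case-sensitive on the device side, so a typo such as "EnableGsa" is silently ignored.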


  15. Let's take a look at how it looks on an iOS / iPad device

    Since my device is already enrolled in Intune with work profile and I have pushed the Defender application with the configuration policy to this device, I got a prompt saying that

After pressing Install, Defender application will be installed on our device.


As we have pushed the VPN configuration profile with SilentOnboard, the VPN should turn on automatically and the device should be onboarded to the Defender portal without needing to open the application first. BUT, the reality shows us something different. First, after I opened the application manually, I got a notification asking if I want to allow Defender to activate the VPN connection. After allowing this, the VPN symbol came up and my device showed as onboarded in the Defender portal. This has been an issue before as well on personally owned devices with work profile, and I actually don't know if this has ever worked properly. Maybe the silent onboarding of the VPN profile and the onboarding only work on corporate owned devices... Let me test that later

  16. If we open the Defender application we can now also find our Global Secure Access client here


    Now, let's press the Global Secure Access button and see which options we get. Remember that we configured these settings



    So, we have an ON/OFF slider and our activated and scoped services.


    Let's turn it ON



Ok, that looks fine. Let's test the Conditional Access policy we created in the last post. We want the same result here: sign-in to Office 365 applications should only be allowed with the GSA client enabled, and all sign-ins without the GSA client should be blocked.


I have now turned the Conditional Access policy ON again

If you want to look at all configurations in this policy, please see my previous post


This policy blocks all access to Office 365 applications without an enabled GSA client, from all platforms and locations.
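For readers who want to recreate the policy without the previous post, here is an added example (not from the original post) that builds the equivalent Conditional Access policy with Microsoft Graph: Office 365 as the target, any network included, the GSA compliant network location excluded, and a block grant. It assumes GSA signaling for Conditional Access is already enabled in the tenant (that is what creates the compliant network named location), that the named location is exposed in Graph beta with the type name compliantNetworkNamedLocation, and uses placeholder ids for the test group and a break-glass account.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# Assumptions: GSA signaling for Conditional Access is enabled; the compliant network
# named location type name is compliantNetworkNamedLocation; ids below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$graph            = "https://graph.microsoft.com/beta"
$testGroupId      = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot users
$breakGlassUserId = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency access account

# Find the named location GSA creates ("All Compliant Network locations" in the portal)
$locations = Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/namedLocations"
$compliant = $locations.value | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.compliantNetworkNamedLocation'
}
if (-not $compliant) {
    throw "Compliant network location not found. Enable Global Secure Access signaling for Conditional Access first."
}

$policy = @{
    displayName   = "[TEST] Block Office 365 outside the GSA compliant network"
    # Start in report-only, check the sign-in logs, then switch to "enabled"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeGroups = @($testGroupId)
            excludeUsers  = @($breakGlassUserId)   # never lock the emergency account behind the client
        }
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")               # any network ...
            excludeLocations = @($compliant.id)       # ... except traffic arriving through GSA
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created policy $($created.id) in state $($created.state)"
```

Leaving the policy in report-only for the first test run lets you confirm in the sign-in logs that the GSA-enabled iPad is evaluated as coming from the compliant network before anyone is actually blocked.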


Ok, so now let's disable the GSA client and log in to Outlook on the web. Remember to give Conditional Access policies a few minutes before you test them. Sometimes it takes longer, but usually a couple of minutes is enough


Here is the result with disabled GSA client on our iPad



And here is result with GSA enabled

Let's try other apps on the office.com page just to make sure that we can access most of the Office 365 world


Here is Microsoft Forms for example


Ok, the conclusion is: the client works fine on iOS / iPadOS as well, even though it is still in preview


Let's edit the GSA settings in our configuration policy in Intune

We will change the EnableGSA value from 1 to 3. With 1 the user can switch the client on and off and it defaults to the off state; with 3 it should be enabled by default and the user should not be able to turn it off.

Ok, now we have edited this setting in Intune


Let's review and save, sync the updated policy and test it


Ok, so after a couple of minutes we can see that our device has checked in and received the new policy
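The same change can be made with a read-modify-write PATCH against the profile. This is an added example (not from the original post): it looks up the VPN profile by display name, replaces only the EnableGSA entry in the custom key/value list, re-sends the rest of that list unchanged, and then asks the test device to check in. The profile display name and managed device id are placeholders, and the profile lookup is done client-side on the first page of results, which is enough for a test tenant.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# Assumptions: $profileName matches the profile created earlier; $deviceId is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.PrivilegedOperations.All"

$graph       = "https://graph.microsoft.com/beta"
$profileName = "[TEST] iOS/iPadOS - Personal owned work profile - Defender silent onboarding and GSA profile"
$deviceId    = "00000000-0000-0000-0000-000000000000"   # placeholder: Intune managed device id of the iPad
$newValue    = "3"                                      # 3 = GSA always on, user cannot turn it off

# Locate the profile (first page only; fine for a test tenant with few profiles)
$all = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceConfigurations"
$vpn = @($all.value | Where-Object { $_.displayName -eq $profileName })
if ($vpn.Count -ne 1) { throw "Expected exactly one profile named '$profileName', found $($vpn.Count)" }
$uri = "$graph/deviceManagement/deviceConfigurations/$($vpn[0].id)"

# customData is replaced as a whole on PATCH, so SilentOnboard and any other keys must be re-sent
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
$found = $false
$customData = @(
    foreach ($kv in $current.customData) {
        if ($kv.key -eq "EnableGSA") { $found = $true; @{ key = "EnableGSA"; value = $newValue } }
        else                         { @{ key = $kv.key; value = $kv.value } }
    }
)
if (-not $found) { $customData += @{ key = "EnableGSA"; value = $newValue } }

$patch = @{
    "@odata.type" = "#microsoft.graph.iosVpnConfiguration"
    customData    = $customData
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body ($patch | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Confirm what Intune now stores before waiting for the device
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
$after.customData | ForEach-Object { "{0} = {1}" -f $_.key, $_.value }

# Trigger a check-in instead of waiting for the next scheduled sync
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$deviceId/syncDevice"
```

Re-sending the whole customData list is the part that is easy to get wrong: a PATCH that only carries the EnableGSA pair drops SilentOnboard from the profile, and the next device that enrolls is no longer onboarded silently.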

Let's check our GSA settings now

AND, BINGO


Now the slider is greyed out and we can't turn it off


Actually, very impressive... Those settings work fine as well and we can deploy this to our test users.


My first impression is good, but I hoped that we could get a standalone client instead of needing to deploy this with the Defender app. But this is not a problem actually, because if someone needs Defender only or GSA only, it's not a big deal to just separate those products. Only one setting and nothing more...


And of course, we can see all our traffic through GSA from iOS/iPadOS devices in Entra too




I hope I covered most of it and I hope you enjoyed reading this post. Thanks and have a nice day everyone!


