Deploy Security Connector with Intune

Introduction

This document describes how to deploy the Security Connector using Intune.

Overview

This is a step-by-step guide on how to get your iOS/iPadOS device MDM-manage via Intune, and push the profile via Apple Configurator

You can also reference our Intune Registration documentation and PDF guide here

Note: this method shows you how to MDM your devices via Intune and Apple Configurator

Important Notes:

If you are MDM-ing your supervised devices via the Company Portal App, then you can start at Step 14.

This article is provided as-is as of 04/12/2023, Umbrella support does not guarantee these instructions will remain valid after this date and is subject to change based on updates from Microsoft Intune and Apple iOS. 

Procedure

1. Log into the Azure Portal and search for "Intune". Alternatively, go to https://intune.microsoft.com/Error/UE_404?aspxerrorpath=/ and login 
2. Once you are on the Intune homepage, go to Devices --> iOS/iPadOS --> iOS/iPadOS enrollment --> Apple MDM Push certificate and click "Download your CSR"11752925317012
3. Then, click on "Create your MDM push Certificate", which redirects you to https://identity.apple.com/pushcert/
4. On the Apple Push Certificates Portal, go to "Create a Certificate" and upload the IntuneCSR.csr file you just downloaded. Once the CSR file has been uploaded successfully, click "Download" to download the Privacy Enhanced Mail (.pem file) and proceed to the next step
   11752968667924
5. Enter the email address of your Apple ID account that you used to sign into the Apple Push Certificates Portal and upload the .pem file under "Apple MDM push certificate" and press "Upload". If the upload is successful, you see the other options for the "Bulk enrollment methods" unlock.
   11752971407380
6. Go to Apple Configurator --> Profiles --> Create and create a new profile. Give it a meaningful name and for User affinity select "Enroll without user affinity". Once that profile has been created, click into your newly created profile and select "Export Profile" and then "Download Profile" on the right hand side11753020728596
7. Download and launch "Apple Configurator" on your macOS from the App Store and connect your phone via Lightning Cable. Right click on your device within Apple Configurator select Add --> Profiles and then select the profile.mobileconfig file you just downloaded11753024446100             
   Windows alternate: iPhone Configuration Utility
8. Once the sync has finished, on your iOS/iPadOS device go to Settings app and go to General --> VPN & Device Management --> Management Profile
     11753486730900
9. On the top right, click Install
   11753538844948
10. If you get a Remote Management prompt, hit Trust and let the profile finish installing
    11753535457044
11. To confirm the profile was exported and installed successfully on your iOS device, go back to Intune and under "Devices" you now see your new iOS device added
    11753595983892
12. Now that your device is MDM enrolled, go to Groups --> All Groups --> New Group and create a new group and assign your device. Make sure your Group type is "Security" and not Microsoft 36511753690347284
13. Click into the group you have just created and go to Members --> Add Members. Find your MDM-device you want to install the Cisco Security Connector app on, on the list and add it to the group you have just created11753692550036
14. Go to Apps --> All apps --> Add. Then for App type, select "iOS store app" and confirm by clicking "Select"
    11753797372436
15. Select "Search for App Store" and enter "Cisco Security Connector" in the search bar and select the "Cisco Security Connector" app by clicking "Select"
    11753844054420
16. Under Assignments, add the group you have created in the earlier steps which contains your MDM-device then proceed with Review and Create
    11753839516692
17. [Optional step] Go to Devices --> iOS/iPadOS --> iOS/iPadOS devices --> Properties --> Device Category, create a profile and assign it to the device
    11753916236820
18. Log into your Cisco Umbrella dashboard, under Deployments --> Core Identities --> Mobile Devices --> top right: Manage --> Managed by MDM
    11753923081492
19. Then go to iOS --> Microsoft Intune Config download. Enter your email address that you want emails to go to when users select "Report a problem" within the Cisco Security Connector app
    11753924523540
20. Go back to your Intune portal, under Devices --> iOS/iPadOS --> Configuration Profiles --> Create Profile --> Templates --> Custom
    11753988354964
21. Give it a meaningful name for your configuration profile. In Step 2 - Configuration settings, upload the XML file you have just downloaded from your Cisco Umbrella dashboard11754000962196
22. Under Assignments, assign the group you have created earlier that contains your MDM-device and select "Review and Create"
23. Go back to iOS/iPadOS devices and select your MDM-device and hit sync at the top and you get a pop-up on your MDM iOS/iPadOS device to install the Cisco Security Connector app
    11754070231572
24. Launch the Cisco Security Connector app on your iOS/iPadOS device. You might see the "Not Protected by Umbrella"
    11754074006164
25. When you click into it the IPv4 Status and IPv6 Status might show "Limited". You need to turn on/off your WiFi or LTE cellular network in order to see a status change. The next steps involves deploying the Cisco Umbrella Root Certificate - it is required in order for block pages to be properly displayed. 
    11754133161492
26. Go to your Umbrella dashboard, under Deployments --> Root Certificate, download the Umbrella Root Certificate (.cer file)
27. Go back to your Intune portal, under Devices --> iOS/iPadOS --> Configuration Profiles, create a new profile (just like in Step 21) for the Umbrella Root Certificate
28. For "Profile type", select Templates --> Trusted certificate
    11754159037460
29. In Step 2 - Configuration settings, upload the Umbrella Root Certificate you have just downloaded from Step 27
    11754204605460
30. For Step 3 - Assignments, select the group that contains your MDM iOS/iPadOS device and click "Next" and "Create"
31. Go back to iOS/iPadOS devices and select your MDM-device and hit sync at the top once again (like step 24) 
32. Close and relaunch the Cisco Security Connector app again. You now see the status as "Protected by Umbrella"
    11754354334868
33. You can verify you are being protected by Cisco Umbrella by going to welcome.umbrella.com in Safari
    11754461786132
    NOTE: you might have to disconnect and reconnect to WiFI to see the change in status. Alternatively, connect to your mobile hotspot and/or a different WiFi network, then back to the same one to see a change in status

Limitations

• If you have removed your iOS/iPadOS device from Intune MDM within the last 24 hours, and try to re-add it, it does not populate under "Members" for when you are trying to locate the device for your "Groups" in Step 14.
• You cannot have any "Restricted Apps" setting restricting the Umbrella app, and/or any "Show or Hide" setting to hide the Umbrella app applied in your device configuration profile.(Under your Intune admin center > Devices > iOS/iPadOS > Configuration)

Troubleshooting

•  How to Collect Cisco Security Connector Diagnostics Logs
• CSC Log "Report A Problem" Function "No Admin Email" Error
• CSC: "Unprotected" status on mobile networks

If you are getting an Error: "User Name not recognized. This user is not authorized to use Microsoft Intune", go to the Azure Portal, under "Users" and select the username or account you are using to configure Intune, go to "Licenses" and make sure you have an active Intune License assigned to the user

11754557401748

Logs

By default, the logs password is bypass_email_filters . This can also be located in the UmbrellaProblemReport.txt