
Commit 8538cb4

Merge pull request #6971 from Brenduns/13683598-new-ios-tunnel-migration-path
Core content update for new migration path
2 parents d01cd01 + a389b47 commit 8538cb4

1 file changed

Lines changed: 35 additions & 34 deletions


memdocs/intune/protect/microsoft-tunnel-migrate-app.md

@@ -5,7 +5,7 @@ keywords:
55
author: brenduns
66
ms.author: brenduns
77
manager: dougeby
8-
ms.date: 01/31/2022
8+
ms.date: 03/08/2022
99
ms.topic: how-to
1010
ms.service: microsoft-intune
1111
ms.subservice: protect
@@ -38,22 +38,14 @@ The following device platforms support Microsoft Defender for Endpoint as the tu
3838
- **Android Enterprise**:
3939
- Fully managed
4040
- Corporate-owned work profile
41-
- Personally-owned work Profile
41+
- Personally owned work Profile
4242

4343
On June 14, 2021, Microsoft Defender for Endpoint became generally available as the Microsoft Tunnel client app for Android for use with the Microsoft Tunnel Gateway in Microsoft Intune.
4444

4545
If you've previously configured Microsoft Tunnel for Android using the standalone Microsoft Tunnel client app, you must migrate your devices to use Microsoft Defender for Endpoint as the Tunnel client app before support for the Android standalone Tunnel client app ends on October 26, 2021.
4646

4747
When using Microsoft Defender for Endpoint to connect to Tunnel for Android, use [custom settings](../protect/microsoft-tunnel-configure.md#use-custom-settings-for-microsoft-defender-for-endpoint) in the VPN profile to manage Defender for Endpoint instead of using a separate app configuration profile. If you don't intend to use any Defender functionality, including web protection, use [custom settings](../protect/microsoft-tunnel-configure.md#use-custom-settings-for-microsoft-defender-for-endpoint) in the VPN profile and set the **defendertoggle** setting to **0**.
4848

49-
<!-- Hiding the following info box, but keeping it for historical context and in case these issues resurface in the future >
50-
51-
> [!IMPORTANT]
52-
> If you are using per-app VPN and also have Defender web protection enabled, you may experience connectivity issues for apps outside your per-app VPN list in the following scenarios, which may prevent devices from communicating with Intune:
53-
> - You are using an internal proxy. In this case, you must disable web protection in the VPN profile by adding the **antiphishing** setting in the [custom settings](../protect/microsoft-tunnel-configure.md#use-custom-settings-for-microsoft-defender-for-endpoint) section and entering a value of **0**.
54-
> - You are using internal DNS servers. You must include the IP address of at least one publicly-accessible DNS server, like 1.1.1.1, in your Tunnel Gateway [server configurations](../protect/microsoft-tunnel-configure.md#create-a-server-configuration).
55-
-->
56-
5749
- **iOS/iPadOS devices (in public preview)**:
5850

5951
In January 2022, a preview version of Microsoft Defender for Endpoint became available as the Microsoft Tunnel client app for iOS/iPadOS devices for use with the Microsoft Tunnel Gateway in Microsoft Intune.
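Review bot: With ms.date moved to 03/08/2022 in the first hunk, the unchanged context line "before support for the Android standalone Tunnel client app ends on October 26, 2021" now gives a deadline that has already passed; reword it to say that support has ended and that any devices still on the standalone client should be migrated, rather than leaving a future-tense instruction. Separately, the fix on the "Personally owned" line drops the hyphen but keeps "work Profile" capitalized, inconsistent with "Corporate-owned work profile" two lines above; suggest `- Personally owned work Profile` become `- Personally owned work profile`. Deleting the hidden info box about internal proxies and internal DNS servers is reasonable now, but it recorded a real connectivity failure mode when web protection and per-app VPN are combined; if that guidance does not live in the linked custom-settings topic, consider moving it there so it is not lost in case the issue resurfaces, as the comment itself anticipated.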
@@ -119,12 +111,6 @@ Screenshot of the Defender for Endpoint app on Android:
119111

120112
:::image type="content" source="./media/microsoft-tunnel-migrate-app/defender-app-android.png" alt-text="Screenshot of the Defender for Endpoint app on Android.":::
121113

122-
<!--
123-
Screenshot of the Defender for Endpoint app on iOS/iPadOS:
124-
125-
:::image type="content" source="./media/microsoft-tunnel-migrate-app/defender-app-ios.png" alt-text="Screenshot of the Defender for Endpoint app on iOS/iPadOS.":::
126-
-->
127-
128114
For information about license requirements for Microsoft Defender for Endpoint, see [Get Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare#get-microsoft-defender-for-endpoint).
129115

130116
## Migrate Android devices to Defender for Endpoint
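Review bot: This deletes the commented-out iOS/iPadOS screenshot instead of restoring it, yet the rest of the change documents the iOS migration path and the Android screenshot just above keeps its caption and image. Either bring the iOS screenshot back, now that the earlier hunk describes the iOS client as available in public preview, or, if the image is not being published, remove `./media/microsoft-tunnel-migrate-app/defender-app-ios.png` in the same pull request so no orphaned asset is left in the media folder.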
@@ -138,16 +124,6 @@ Migrating to Microsoft Defender for Endpoint requires the following broad action
138124
3. Create new VPN profiles.
139125
4. Clean up your previous deployments.
140126

141-
<!-- No longer needed due to fix made in early September, 2021, but retaining for history and in case issues arise again
142-
143-
> [!IMPORTANT]
144-
>
145-
> If you use *Always-on VPN* with the standalone Tunnel client app today, during migration to Microsoft Defender for Endpoint:
146-
>
147-
> - Set *Always-on VPN* to **Not configured** in profiles for **Microsoft Tunnel (standalone client)**, which is the old client app.
148-
> - Set *Always-on VPN* to **Enable** in profiles for **Microsoft Tunnel**, which is the new Microsoft Defender for Endpoint client app.
149-
-->
150-
151127
### Deploy Defender for Endpoint for Android
152128

153129
Microsoft Defender for Endpoint with support for Microsoft Tunnel on Android, is available from the Managed Google Play store.
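Review bot: The unchanged context line "Microsoft Defender for Endpoint with support for Microsoft Tunnel on Android, is available from the Managed Google Play store." has the same stray comma between subject and verb that a later hunk removes from the equivalent iOS sentence; drop it here too so the two platform sections read the same. Removing the retained Always-on VPN note is consistent with its own comment that the fix shipped in September 2021; no objection.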
@@ -189,7 +165,7 @@ To enable devices to use Microsoft Defender for Endpoint to connect to Microsoft
189165

190166
If you’re using only the Tunnel functionality from the Defender for Endpoint app, and not Defender-specific functionality, add a [custom setting](../protect/microsoft-tunnel-configure.md#use-custom-settings-for-microsoft-defender-for-endpoint) of **defendertoggle** that is set to **0**. This configuration disables the Defender functionality, leaving only the Tunnel capabilities.
191167

192-
> [!NOTE]
168+
> [!NOTE]
193169
> If you are using the Microsoft Defender for Endpoint app for Android, have web protection enabled, and are using per-app VPN, web protection will only apply to the apps in the per-app VPN list. On devices with a work profile, in this scenario we recommend adding all web browsers in the work profile to the per-app VPN list to ensure all work profile web traffic is protected.
194170
195171
### Clean up previous deployments for Android
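Review bot: The removed and added "> [!NOTE]" lines render identically, so this is a whitespace-only change (most likely trailing whitespace or a line-ending difference); confirm it is intentional and that line endings are unchanged elsewhere in the file, since an accidental CRLF/LF flip would surface as a whole-file diff on the next edit. The note's content is still correct and worth keeping as written: with per-app VPN, web protection covers only the listed apps, so adding every work-profile browser to the per-app VPN list is the right mitigation.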
@@ -212,14 +188,14 @@ Migrating to Defender for Endpoint requires the following broad actions, which a
212188

213189
1. Deploy Microsoft Defender for Endpoint to supported devices.
214190
2. Review and record your current Tunnel configurations.
215-
3. Create new VPN profiles that use *Microsoft Tunnel (preview)* as the connection type.
191+
3. Create new VPN profiles or reconfigure existing profiles to use *Microsoft Tunnel (preview)* as the connection type.
216192
4. Clean up your previous deployments.
217193

218194
The server settings stay exactly the same regardless of the client you’re using.
219195

220196
### Install the preview version of Defender for Endpoint
221197

222-
The preview version of Microsoft Defender for Endpoint with support for Microsoft Tunnel on iOS, is available from the Apple app store.
198+
The preview version of Microsoft Defender for Endpoint with support for Microsoft Tunnel on iOS is available from the Apple app store.
223199

224200
1. Locate and **Approve** the app in the Apple app store for your tenant, and then **Sync** it. For information on this process, see [Add iOS store apps to Microsoft Intune](../apps/store-apps-ios.md).
225201
2. **Assign** the app to groups.
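Review bot: Step 3 now allows reconfiguring existing profiles, but step 4 ("Clean up your previous deployments") still reads as though a separate standalone-client VPN profile always exists to remove; add a clause saying that old VPN profiles need cleanup only when new profiles were created rather than edited in place, and that the standalone client app deployments recorded in step 2 still need cleanup either way. Minor: both the removed and added lines say "Apple app store", as does the following step; the product name is "App Store", so fix all occurrences together.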
@@ -241,9 +217,34 @@ Before you begin your migration to Defender for Endpoint, use the [Microsoft End
241217

242218
2. From Properties, record the available values including those that are assigned as *required* or are assigned as *available*. This information will help you to create similar deployments for the Microsoft Defender for Endpoint app.
243219

244-
### Create new VPN profiles for iOS/iPadOS
220+
### Manage VPN profiles for iOS/iPadOS
221+
222+
To enable devices to use Microsoft Defender for Endpoint to connect to Microsoft Tunnel Gateway, deploy VPN profiles that use the **Microsoft Tunnel (preview)** connection type. During migration you can choose to edit your existing profiles to use the new connection type, or create new VPN profiles with the new connection type.
223+
224+
#### Modify a VPN Profile for Microsoft Tunnel
225+
226+
Use the following steps to modify a VPN profile to migrate devices from the standalone tunnel client app to Microsoft Defender for Endpoint as the tunnel client app.
227+
228+
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to > **Devices** > **Configuration profiles** > **iOS/iPadOS**.
229+
2. Select the VPN profile you want to edit, and then select **Properties**, and then **Edit** the *Configuration settings*.
230+
3. On the *Configuration settings* page:
231+
232+
1. Review the current settings for each category. When you change the *Connection type* the profiles settings are cleared and you’ll need to restore them.
233+
2. Change the *Connection type* from *Microsoft Tunnel (standalone client)(preview)* to **Microsoft Tunnel(preview)**.
234+
3. Reenter the applicable settings for this VPN profile.
235+
236+
> [!IMPORTANT]
237+
> Even when a setting appears to remain configured and not cleared, reenter each setting to ensure the correct values are applied.
238+
239+
4. If you’re using only the Tunnel functionality from the Defender for Endpoint app, and not Defender-specific functionality, add a [custom setting](../protect/microsoft-tunnel-configure.md#use-custom-settings-for-microsoft-defender-for-endpoint) of **TunnelOnly** that is set to **True**. This configuration disables the Defender functionality, leaving only the Tunnel capabilities.
240+
241+
4. Select **Review + save** to save the profile.
242+
5. After the profile redeploys, wait for devices to check in or force devices to sync to get the new policies.
243+
6. Verify that users can connect to Tunnel manually in the Defender for Endpoint app. If your VPN profile includes on-demand rules, users must open the Defender for Endpoint app one time before the new on-demand rules can apply.
244+
245+
#### Create a new VPN profile for Microsoft Tunnel
245246

246-
To enable devices to use Microsoft Defender for Endpoint to connect to Microsoft Tunnel Gateway, deploy new VPN profiles with the **Microsoft Tunnel (preview)** connection type. Editing the connection type of an existing profile isn’t supported.
247+
Use the following steps to create a new VPN profile for devices that will use *Microsoft Defender for Endpoint* as the tunnel client app. When the profile is configured as a per-app VPN, the last step requires you to restart devices after they receive the VPN profile. To avoid this you can choose to [modify an existing VPN profile](#modify-a-vpn-profile-for-microsoft-tunnel) instead of creating and deploying a new one.
247248

248249
1. Use the information from [Create a VPN Profile](../protect/microsoft-tunnel-configure.md#create-a-vpn-profile) to create and deploy new VPN profiles for your iOS/iPadOS devices.
249250

@@ -252,12 +253,12 @@ If you’re using only the Tunnel functionality from the Defender for Endpoint a
252253

253254
3. After the profile deploys, wait for devices to check in or force devices to sync to get the new policies.
254255

255-
4. Verify that users can connect to Tunnel manually in the Defender for Endpoint app. If your VPN Profile includes on-demand rules, users must open the Defender for Endpoint app one time before the new on-demand rules can apply.
256+
4. Verify that users can connect to Tunnel manually in the Defender for Endpoint app. If your VPN profile includes on-demand rules, users must open the Defender for Endpoint app one time before the new on-demand rules can apply.
256257

257258
5. If you’re using per-app VPN:
258-
1. Wait at least 10 minutes after creating the new VPN profile. After 10 minutes you can then change the app deployment assignments from the *Microsoft Tunnel (standalone client) (preview)* VPN profile to the new VPN Profile for *Microsoft Tunnel (preview)*.
259+
1. Wait at least 10 minutes after creating the new VPN profile. After 10 minutes you can then change the app deployment assignments from the *Microsoft Tunnel (standalone client) (preview)* VPN profile to the new VPN profile for *Microsoft Tunnel (preview)*.
259260

260-
2. For each app that is assigned as *available*, users must reinstall the app ***after the new VPN profile is installed on their device*** so that the VPN profile assignment can update. This can be done by going to Company Portal, going to **Apps**, tapping the app, and tapping **Install**.
261+
2. After the new VPN profile deploys to a device, that device must restart before the new VPN profile is used. To restart a device, see [remotely restart devices with Intune](/intune/remote-actions/device-restart.md).
261262

262263
## Next Steps
263264
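Review bot: The new step 2 links to `/intune/remote-actions/device-restart.md`, a root-relative path that still carries the `.md` extension; every other link on this page is either a relative `../...md` path or a root-relative path without `.md` (compare the `/windows/security/...` link earlier in the file), so this will likely fail link validation or render broken. Use the relative form or drop the extension. Replacing the "reinstall the app" instruction with a required device restart matches the new intro text under "Create a new VPN profile for Microsoft Tunnel"; consider stating explicitly that the restart comes after the 10-minute wait and the assignment change in step 1, so the sequence is unambiguous.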
