Update: Microsoft Tunnel Gateway and Microsoft Defender for Endpoint with Microsoft Tunnel client functionality now generally available for Android as of June 14, 2021.
Mobile productivity is more important than ever. As employees access work data from all their devices, organizations need to secure not only the data at rest and in transit, but also the devices themselves, before granting access to these resources. Organizations also want their users’ experiences to be simple and frictionless to be both secure and productive. The Microsoft Tunnel client, as part of Microsoft Endpoint Manager, enables organizations’ users to access on-premises apps and resources through their iOS and Android devices.
We’re excited to simplify the user experience for mobile security by joining the Microsoft Tunnel client with the Microsoft Defender for Endpoint on Android and iOS is Microsoft’s mobile threat defense solution, which:
Protects against phishing coming from browsing, email, apps, and messaging platforms
Scans for malware and potentially unwanted apps (on Android)
Blocks unsafe connections as well as access to sensitive data (on Android)
Offers a single-pane-of-glass experience for SecOps
By combining Microsoft Tunnel VPN capabilities with the Microsoft Defender for Endpoint app on iOS and Android, your users enjoy a simpler mobile experience with just one app, and your organization gains a more holistic mobile threat defense solution that enables secure and productive remote work. There is no change to existing Tunnel features, which will now appear within the Defender for Endpoint app. IT administrators can also continue to use the Microsoft Endpoint Manager admin center to configure both Defender and Tunnel features.
What does this mean for existing Defender customers?
If you now use Defender without Tunnel, you won’t need to make any changes. Defender for Endpoint will work as it already does. However, we’ve updated the user experience by adding separate tabs:
Dashboard shows a quick summary of the device’s overall health, app security status, web protection status, and Tunnel status.
App security is where users can see the status of auto scans run on the device, uninstall the apps identified as threats, and run a manual scan.
Web Protection shows the status of the feature enabled or disabled by administrator and details of the feature described in the flip cards.
Tunnel is where users connect to Tunnel Gateway and can see connection statistics and client configuration settings.
Your admins will configure Defender settings the same way they do today. If you’re licensed for Microsoft Endpoint Manager, you’ll be able to set up Tunnel Gateway servers and configure the Defender for Endpoint app for Tunnel connections. This will simplify the user experience without the organization needing to deploy a separate VPN client.
What does this mean for existing Tunnel customers?
If you currently use the Tunnel app, you’ll need to create a new VPN profile to switch users to the Defender for Endpoint app. If you have deployed per-app VPN or iOS, you will need to switch your app assignments to the Defender for Endpoint VPN profile in the admin center. If the apps are assigned as “available”, users will need to reinstall the associated apps in order to open the connection using Defender for Endpoint. From a user-interface perspective, your users will stop using the Tunnel app and see a new Tunnel tab in the Defender for Endpoint app. You can read more about migrating to Tunnel here: https://aka.ms/tunnelmigrate.
No other server-side changes are required as the Defender app supports all settings available in the Tunnel server today.
When Tunnel VPN profile is configured in Microsoft Defender for Endpoint app but Defender functionality is not enabled, users will only see the Tunnel screen and no other tabs.
If there is no Tunnel VPN profile configured for Microsoft Defender for Endpoint, but Defender functionality is enabled, users will only see the Dashboard, App Security, and Web Protection tabs.
Is there any change in licensing?
No, there is no change to existing licensing for the two products. This change only impacts the user experience. If you’re licensed for Intune, you will receive the Tunnel capabilities in the Defender for Endpoint app. You will need to be licensed for Microsoft Defender for Endpoint separately to use Defender functionality in the app. Download the Defender app for free from app stores. Talk to your account team for more details on the licensing required to activate the features.
How do I sign up for the public preview?
(Edit 6/14/2021) The Microsoft Tunnel Gateway and Microsoft Defender for Endpoint with Microsoft Tunnel client functionality now generally available for Android. Public preview for iOS is expected next quarter.