Learn about the options available for deploying and configuring the Cortex XDR agent app on iOS-based endpoints. Some configuration options are controlled by profiles that the administrator configures on the Cortex XDR or XSIAM tenant, and some are configured using a mobile device management (MDM) solution.
On the device side, the user is responsible for activating most of the security modules offered by the app. For devices running iOS 17 or later, zero touch installation using an MDM solution is supported.
Devices running iOS 16 or earlier require user self-onboarding of the app. MDM solutions for pushing the app to devices are supported.
The Cortex XDR agent app supports both supervised and unsupervised iOS devices. The Network Shield feature can be used only on supervised devices.
Deployment options
Note
This is a brief overview. For the full procedure, refer to the detailed deployment steps.
Zero touch installation for iOS 17 or later:
The administrator prepares the configuration required for supervising the devices.
On the Cortex XDR or XSIAM tenant, the administrator prepares endpoint profiles and policies for iOS endpoints.
On the Cortex XDR or XSIAM tenant, the administrator prepares an installation package and extracts the app link and Distribution ID.
On the organization's MDM solution, the administrator prepares the configuration required for pushing the Cortex XDR agent app to the iOS endpoints, and for managing them. This includes the parameters for the Network Shield module in the payload configuration profile.
Use the MDM to push the Cortex XDR app to the device. The device runs the app in the background. If and when the device user opens the app, the app presents any inactive security modules and asks the user to activate them.
User self-onboarding:
For supervised iOS devices, the administrator prepares the configuration required for supervising the devices.
On the Cortex XDR or XSIAM tenant, the administrator prepares endpoint profiles and policies for iOS endpoints.
On the Cortex XDR or XSIAM tenant, the administrator prepares an installation package.
For devices managed by an MDM:
On the organization's MDM solution, the administrator prepares the configuration required for pushing the Cortex XDR agent app to the iOS endpoints, and for managing them.
Optionally, to use the Network Shield module, configure the payload configuration profile with the relevant parameters for the module. We recommend using this option, because it is designed for gating against phishing, unsanctioned, and malicious network activity. This feature can only be used on supervised devices.
The MDM pushes the app to the managed iOS device.
The administrator sends onboarding instructions to the device user.
The device user opens the app and follows on-screen onboarding instructions. Inactive security modules are presented to the user, and the app asks the user to activate them.
For devices not managed by an MDM, the administrator prepares instructions, extracts the app link and Distribution ID, and sends them to the device user.
The device user downloads the app from the App Store and installs the app.
The device user follows the onboarding instructions. Inactive security modules are presented to the user, and the app asks the user to activate them.
Note
If the administrator enforces security modules, but the device user does not activate them, the status of the device will be reported as Partially Protected.
Security modules and features
The Cortex XDR agent app for iOS contains the following security features:
Network Shield
Profiles can be configured to provide granular control and monitoring of network traffic on iOS-based supervised devices.
Profiles can be configured to analyze and block or report malicious URLs, and to block or allow custom URLs.
Widget
If the Network Shield module is not activated, the widget must be used.
Safari Safeguard
This security module can provide proactive gating of suspicious sites accessed using Safari, and provides informative site analysis to the device user. We recommend this option for iOS devices that do not use the Network Shield feature.
Telephony and SMS protection
Telephone calls: unknown callers can be blocked, based on the block list that is defined by the administrator.
Spam messages: automatically block and move SMS messages from unknown sources to the Junk folder, based on the content of the message or the block list that is defined by the administrator.
Call and message reporting: the device user can report information about blocked messages and calls to Cortex analysts.
Stationary device protection
Security profiles can be configured to protect devices that are expected to remain in fixed locations, such as iPads. This configuration is performed during profile configuration on the tenant, and is not visible or configurable on the device itself.